node-red / node-red-docker

Repository for all things Node-RED and Docker related
Apache License 2.0

Add node-red user to dialout group #154

Open RaymondMouthaan opened 4 years ago

RaymondMouthaan commented 4 years ago

Add node-red user to dialout group by default instead of node-red group.

From Debian Wiki:

dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.

In current images, node-red user has its own group node-red, which has no permissions to serial. To gain permission to serial, one needs to add --user node-red:dialout to the docker run command or equivalent in docker compose file.

We might want to add node-red user to the dialout group, so that above is no longer required and node-red has permission to serial by default.

However, current users might get permission issues with the persistent dir, because of current group.

Do all architectures have dialout group available?

[ √ ] amd64/alpine
[ √ ] arm32v6/alpine
[ √ ] arm32v7/alpine
[ √ ] arm64v8/alpine
[ √ ] i386/alpine
[ √ ] s390x/alpine

Proposal: create a feature branch for this change and do some tests.

dceejay commented 4 years ago

yes - create a dialout branch, etc

RaymondMouthaan commented 4 years ago

Test images & Manifest lists are available here

tms0 commented 4 years ago

There is already an existing option with docker or docker-compose 2.0 to add a user to a group, see https://docs.docker.com/engine/reference/run/#additional-groups

dceejay commented 4 years ago

Yes - very useful. The question is should we do it by default ? Or should we just document alternatives (like this)

tms0 commented 4 years ago

Can you really do it by default ? I'm not a docker expert, but how can you be sure that the dialout gid from the image will be the same as the host one ?

RaymondMouthaan commented 4 years ago

We cannot be sure that the dialout gid on the host is the same as in the container. I've checked on Ubuntu installed on both Raspberry Pi and Mac-Mini and they match the gid 20 with the one in the container.

dceejay commented 4 years ago

so the suggestion to do it via command line would be safer in that it would match by name ?

RaymondMouthaan commented 4 years ago

In case of node-red:node-red one always needs to supply node-red:dialout via command or docker-compose.yml if he/she wants to use serial. In case of node-red:dialout it works out of the box, unless there is a mismatch between dialout groupid on the host and container. Chances of a mismatch are rather small, since both Ubuntu and Alpine have dialout groupid set to 20. I assume on Raspbian (which is like Ubuntu based on Debian) the gid is the same, but maybe someone can verify this?

grep dialout /etc/group

So changing to group dialout might sound like a good idea ..

However when current users have set their persistence dir to 1000:1000 (most users have, I guess), changing the group node-red to dialout gives an Error: EACCES: permission denied.

Which basically means that all users will be affected by the change and need to chown the persistence dir:

chown -R 1000:20 <path_to_persistence_dir>

So in my opinion we leave as is (node-red:node-red) and for those that want to use serial, they just use --user node-red:dialout option or equivalent.

Or we add node-red users to both node-red group and dialout group, but this requires new dev images and tests :-)

New images are available at nodered/node-red-dev and they are tagged by *dialout.1*. In these images node-red user is a member of both node-red and dialout group. This works for current users with persistence dir set to 1000:1000.

@tms0 can you verify if serial works with these images?

tms0 commented 4 years ago

In my opinion, I prefer to let users do the mapping themselves between things from the OS and things from the container.

But adding dialout as a secondary group seems acceptable to me, I will give it a try @RaymondMouthaan .

RaymondMouthaan commented 4 years ago

I have a solution in mind, but that requires significant changes to the node-red container. I've not yet got the time to create an experimental version to do so, but if it's ready I'll let you know 😌

janvda commented 4 years ago

FYI On my intel-nuc (Intel(R) Client Systems NUC6CAYS) running CentOS Linux 8 the dialout group has id 18 on the host and not 20 !

[root@nuc-jan ~]# grep dialout /etc/group
dialout:x:18:lirc
[root@nuc-jan ~]# 

[root@nuc-jan ~]# uname -a
Linux nuc-jan.borsbeek 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@nuc-jan ~]# 

Note that I am not requesting this feature. Above information is just provided for consideration when making any changes.

emes commented 3 years ago

Just in case helpful for others...

They've merged the v2/v3 compose specs which brings back the services element group_add. This was in v2 and removed in v3 releases.

So if you install docker-compose 1.27.0+ and are running Docker Engine 19.03.0+

  node-red:
    devices:
      - /dev/whatever
    group_add:
      - dialout

instead of user: "node-red:dialout"

and node-red user will be in both groups:

bash-5.0$ whoami
node-red
bash-5.0$ groups
node-red dialout
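
The GID mismatch reported above (dialout is 18 on the CentOS 8 host, 20 in the image) also affects `--group-add` / `group_add` when given a name, because Docker resolves the name against the image's /etc/group and not the host's. The following is an added example, not code from this thread or the node-red-docker project: it compares the two group files and prints the value to pass so the container process gets the GID that owns the host's serial device. The function names `gid_of` and `group_add_value` and the image group file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick a --group-add value that matches the HOST's dialout GID.

# Print the numeric GID of group $1 from group file $2 (name:passwd:gid:members).
# Returns non-zero if the group is not listed.
gid_of() {
    awk -F: -v g="$1" '
        $1 == g { print $3; found = 1; exit }
        END     { if (!found) exit 1 }' "$2"
}

# Print what to pass to `docker run --group-add` (or compose `group_add`).
# $1 = group name, $2 = host group file, $3 = group file taken from the image.
group_add_value() {
    group=$1 host_file=$2 image_file=$3
    host_gid=$(gid_of "$group" "$host_file") || {
        echo "group $group not found on host" >&2
        return 2
    }
    image_gid=$(gid_of "$group" "$image_file") || image_gid=""
    if [ "$host_gid" = "$image_gid" ]; then
        echo "$group"       # the name resolves to the host's GID inside the container
    else
        echo "$host_gid"    # numeric GID is used as-is, bypassing the image's /etc/group
    fi
}

demo() {
    tmp=$(mktemp -d)
    # Host line as reported for CentOS 8 in this thread.
    printf 'root:x:0:\ndialout:x:18:lirc\n' > "$tmp/host_centos"
    # Constructed host file with GID 20, as stated for Ubuntu in this thread.
    printf 'root:x:0:\ndialout:x:20:\n' > "$tmp/host_ubuntu"
    # Constructed image group file; GID 20 for Alpine is taken from this thread.
    printf 'root:x:0:root\ndialout:x:20:root\nnode-red:x:1000:\n' > "$tmp/image"

    echo "CentOS host: --group-add $(group_add_value dialout "$tmp/host_centos" "$tmp/image")"
    echo "Ubuntu host: --group-add $(group_add_value dialout "$tmp/host_ubuntu" "$tmp/image")"
    rm -rf "$tmp"
}

demo
```

On a real system the two inputs would be the host's /etc/group and a copy of /etc/group taken from the image in use.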

kpm-at-hfi commented 3 years ago

Nice! Thanks for sharing @emes!