Open RaymondMouthaan opened 5 years ago
yes - create a dialout branch, etc
Test images & Manifest lists are available here
There is already an existing option with docker or docker-compose 2.0 to add a user to a group, see https://docs.docker.com/engine/reference/run/#additional-groups
Yes - very useful. The question is should we do it by default? Or should we just document alternatives (like this)
Can you really do it by default? I'm not a docker expert, but how can you be sure that the dialout gid from the image will be the same as the host one?
We can not be sure that the dialout gid on the host is the same as in the container. I've checked on Ubuntu installed on both Raspberry PI and Mac-Mini and they match the gid 20 with the one in the container.
so the suggestion to do it via command line would be safer in that it would match by name ?
In case of node-red:node-red one always needs to supply node-red:dialout via command or docker-compose.yml if he/she wants to use serial.
In case of node-red:dialout it works out of the box, unless there is a mismatch between dialout groupid on the host and container. Chances of a mismatch are rather small, since both Ubuntu and Alpine have dialout groupid set to 20. I assume on Raspbian (which is like Ubuntu based on Debian) the gid is the same, but maybe someone can verify this?
grep dialout /etc/group
So changing to group dialout might sound like a good idea ..
However when current users have set their persistence dir to 1000:1000 (most users have, I guess), changing the group node-red to dialout gives an Error: EACCES: permission denied.
Which basically means that all users will be affected by the change and need to chown the persistence dir:
chown -R 1000:20 <path_to_persistence_dir>
So in my opinion we leave as is (node-red:node-red) and for those that want to use serial, they just use --user node-red:dialout option or equivalent.
Or we add node-red users to both node-red group and dialout group, but this requires new dev images and tests :-)
New images are available at nodered/node-red-dev and they are tagged by *dialout.1*. In these images node-red user is member of both node-red and dialout group. This works for current users with persistence dir set to 1000:1000.
@tms0 can you verify if serial works with these images?
In my opinion, I prefer to let users do the mapping themselves between things from the OS and things from the container.
But adding dialout as a secondary group seems acceptable to me, I will give it a try @RaymondMouthaan.
I have a solution in mind, but that requires significant changes to the node-red container. I've not yet got the time to create an experimental version to do so, but if it's ready I'll let you know 😌
FYI On my intel-nuc (Intel(R) Client Systems NUC6CAYS) running CentOS Linux 8 the dialout group has id 18 on the host and not 20 !
[root@nuc-jan ~]# grep dialout /etc/group
dialout:x:18:lirc
[root@nuc-jan ~]#
[root@nuc-jan ~]# uname -a
Linux nuc-jan.borsbeek 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@nuc-jan ~]#
Note that I am not requesting this feature. Above information is just provided for consideration when making any changes.
Just in case helpful for others...
They've merged the v2/v3 compose specs which brings back the services element group_add. This was in v2 and removed in v3 releases.
So if you install docker-compose 1.27.0+ and are running Docker Engine 19.03.0+
    node-red:
      devices:
        - /dev/whatever
      group_add:
        - dialout
instead of user: "node-red:dialout"
and node-red user will be in both groups:
bash-5.0$ whoami
node-red
bash-5.0$ groups
node-red dialout
Nice! Thanks for sharing @emes!
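Added example, not part of the thread or of the node-red-docker project: a group name given to `--group-add` or `group_add` is resolved against the container's `/etc/group`, so on a host like the CentOS one reported above (dialout gid 18, image gid 20) the numeric host gid has to be passed instead. The sketch below reads that gid and builds the `docker run` options; the function names, the device path `/dev/ttyUSB0` and the demo group files are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the demo group files
# are assumptions; the gids 18 and 20 are the ones reported in the thread.

# group_gid GROUP [FILE]: print GROUP's numeric gid from a group(5) file.
# Fails if the group is missing or its gid field is not numeric.
group_gid() {
    _gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "${2:-/etc/group}") || return 1
    case $_gid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$_gid"
}

# gid_matches HOSTFILE IMAGEFILE: succeed only if dialout has the same gid in
# both files, i.e. when adding the group by name would also work on this host.
gid_matches() {
    _h=$(group_gid dialout "$1") || return 2
    _c=$(group_gid dialout "$2") || return 2
    [ "$_h" = "$_c" ]
}

# serial_run_args DEVICE [HOSTFILE]: print docker run options that pass the
# device through and add the host's dialout gid as a supplementary group.
serial_run_args() {
    _g=$(group_gid dialout "${2:-/etc/group}") || {
        echo "dialout not found in ${2:-/etc/group}" >&2
        return 1
    }
    printf '%s %s %s %s\n' --device "$1" --group-add "$_g"
}

# Demo on constructed group files: sh this_script --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'root:x:0:\ndialout:x:18:lirc\n' > "$d/host"      # CentOS 8 host
    printf 'root:x:0:root\ndialout:x:20:root\n' > "$d/image" # Alpine image
    gid_matches "$d/host" "$d/image" || echo "gid mismatch: add group by number"
    echo "docker run $(serial_run_args /dev/ttyUSB0 "$d/host") <image>"
    rm -rf "$d"
fi
```

Adding the gid as a supplementary group leaves the container's primary group untouched, so a persistence dir owned by 1000:1000 stays writable.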
Add node-red user to dialout group by default instead of node-red group.
From Debian Wiki:
In current images, node-red user has its own group node-red, which has no permissions to serial. To gain permission to serial, one needs to add --user node-red:dialout to the docker run command or equivalent in docker compose file.
We might want to add node-red user to the dialout group, so that above is no longer required and node-red has permission to serial by default.
However, current users might get permission issues with the persistent dir, because of current group.
Do all architectures have dialout group available?
[ √ ] amd64/alpine
[ √ ] arm32v6/alpine
[ √ ] arm32v7/alpine
[ √ ] arm64v8/alpine
[ √ ] i386/alpine
[ √ ] s390x/alpine
Proposal: create a feature branch for this change and do some tests.