Running Headless Client in Ubuntu Docker Container on Synology NAS

Howdy,

I have created a Docker container in the Synology Docker app in which I run Ubuntu. Logging into the Ubuntu container I successfully installed the Twingate Linux client.

From my admin console I created a service to be used in the headless client. I created a file, /twingate/twingate-service.json, in which I pasted the service key and entered the command:

root@ubuntu1:/twingate# sudo twingate setup --headless /twingate/twingate_service.json
Twingate Setup 1.0.77+70318 | 0.140.0
Copying service key
Setup is complete.
root@ubuntu1:/twingate#

But when starting Twingate I get:

root@ubuntu1:/twingate# sudo twingate start
Starting Twingate service in headless mode
Twingate has been started
Waiting for status…
not-running
root@ubuntu1:/twingate#

I also Puttyed into Synology DSM and entered the command:

roger@DS-Master:~$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9d65df1331a3 twingate/connector:1 "/connectord" 19 hours ago Up 19 hours (healthy) twingate-Plymouth-Connector-1
3abebd0789f9 ubuntu:latest "/bin/bash" 20 hours ago Up 19 hours ubuntu1
46e04dacf2eb bitnami/prometheus:latest "/opt/bitnami/promet…" 7 days ago Up 47 hours 0.0.0.0:49153->9090/tcp Prometheus1
fef0579003bf grafana/grafana:latest "/run.sh" 7 days ago Up 47 hours 0.0.0.0:8080->3000/tcp Grafana
4daa5a42def8 pihole/pihole:latest "/s6-init" 2 weeks ago Up 47 hours (healthy) pihole-pihole1
roger@DS-Master:~$ sudo docker run --device /dev/net/tun --cap-add NET_ADMIN ubuntu
roger@DS-Master:~$

I’m figuring I am leaving something out but I don’t know what it is.

Ideas?

Thanks

Roger

I did set the log level to debug (sudo twingate config log-level debug) and tried to start Twingate again, which failed. Here are the contents of /var/log/twingated.log:

Failed to get OS name: failed to connect to DBus
Failed to get OS name: failed to connect to DBus
[2023-02-24T19:10:28.561279+0000] [INFO] [client] Starting Twingate Client 1.0.77+70318
[2023-02-24T19:10:28.561442+0000] [INFO] [client] Configured Headless client with a service key
[2023-02-24T19:10:28.561510+0000] [ERROR] [client] system_property_set: Read-only file system: fopen(/proc/sys/net/ipv4/conf/all/rp_filter)
[2023-02-24T19:10:28.561547+0000] [ERROR] [client] linux_cm_new: system_properties_config(all) failed
[2023-02-24T19:10:28.561634+0000] [ERROR] [client] nm_get_connection: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory: dbus_bus_get(DBUS_BUS_SYSTEM)
[2023-02-24T19:10:28.561681+0000] [ERROR] [client] systemd_resolved_is_enabled: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory: dbus_bus_get() failed
[2023-02-24T19:10:28.561742+0000] [ERROR] [client] linux_tun_new: No such file or directory: opening /dev/net/tun
[2023-02-24T19:10:28.561776+0000] [ERROR] [client] linux_cm_new: linux_tun_new
[2023-02-24T19:10:28.561813+0000] [ERROR] [client] manualconf_nameservers_restore: “backup_is_done == true” failed
[2023-02-24T19:10:28.561846+0000] [ERROR] [client] linux_cm_free: failed to restore nameservers
[2023-02-24T19:10:28.561884+0000] [FATAL] [client] Failed to initialize Network Controller

Hopefully this helps.

Roger

Hi Roger,

The errors in your log are indicative that the --device /dev/net/tun flag didn’t apply to the container.

I also see that it looks like you started the ubuntu container in the command you ran, but the active container appears to be called ubuntu1.

Can you try shutting down your currently running container, and then re-running the docker command but specifying ubuntu1 as the container rather than ubuntu, and seeing if you notice a difference in behaviour?

Thanks!

-arthur

Hi Arthur,

I had tried using ubuntu1 before. However I did just stop the container and restarted it, thru the Synology Docker app, and then tried the docker command again with ubuntu1.

roger@DS-Master:~$ sudo docker run --device /dev/net/tun --cap-add NET_ADMIN ubuntu1
Password:
Unable to find image 'ubuntu1:latest' locally
docker: Error response from daemon: pull access denied for ubuntu1, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
roger@DS-Master:~$

When I reran the Docker command using ubuntu I got:

roger@DS-Master:~$ sudo docker run --device /dev/net/tun --cap-add NET_ADMIN ubuntu
roger@DS-Master:~$

I then changed the container name in the Synology app to ubuntu and successfully ran the Docker command.

In both cases the Twingate Start failed.

Is there a way to check the status of the --device /dev/net/tun flag?

I'm not starting/stopping the container using Docker terminal commands; the Synology Docker app is doing that.

Roger

Hello Roger,

The docker command you used will terminate right away as you are not running the container in the background or passing a tty.

You will need to run the command with several flags, specifically -dit for detached, interactive, and a TTY, like below.

sudo docker run -dit --device /dev/net/tun --cap-add NET_ADMIN ubuntu

Afterwards you can attach to it to run the Twingate setup. If you already pushed a custom Ubuntu image with Twingate configured, then just use that instead of ubuntu.

Reference:

You can use sudo docker inspect ubuntu1 to list the config of the existing container you have, ubuntu1. You would want to see the below listed under Devices for the Twingate client to work in a Docker container.

   "Devices": [
                {
                    "PathOnHost": "/dev/net/tun",
                    "PathInContainer": "/dev/net/tun",
                    "CgroupPermissions": "rwm"
                }
and

"CapAdd": [
                "NET_ADMIN"

Might also be worth running sudo docker ps -a to list out all the containers you have and clean up if you have a bunch of non running containers from the previous attempts.

Lastly, it doesn't look like you can add the --device and --cap-add settings through the Synology DSM Docker app UI, so it will most likely need to be done via the CLI with the run command.
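To make that inspect check repeatable, here is an added example (not code from Twingate or from anyone in this thread): a Python script that parses docker inspect output and reports whether the container has /dev/net/tun, NET_ADMIN and a TTY. It assumes the docker CLI is on PATH when a container name or id is passed; with no argument it checks a constructed sample that mirrors the HostConfig shown in this thread. Pass the id printed by docker run, not the image name, so you inspect the container you just created.

```python
import json
import subprocess
import sys

# Constructed sample mirroring the HostConfig seen in this thread: the
# container was created without --device or --cap-add, so both are null.
SAMPLE_INSPECT = json.dumps([{
    "Id": "3abebd0789f9",
    "Name": "/ubuntu",
    "HostConfig": {"Devices": None, "CapAdd": None},
    "Config": {"Tty": True, "OpenStdin": True},
}])


def check_headless_ready(inspect_json):
    """Return a list of problems that would stop the Twingate headless client.

    An empty list means /dev/net/tun is mapped, NET_ADMIN is granted and the
    container was started with a TTY and open stdin (docker run -dit).
    """
    info = json.loads(inspect_json)[0]
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}
    problems = []
    devices = host.get("Devices") or []          # null when --device was omitted
    if not any(d.get("PathInContainer") == "/dev/net/tun" for d in devices):
        problems.append("missing --device /dev/net/tun")
    caps = host.get("CapAdd") or []              # null when --cap-add was omitted
    if "NET_ADMIN" not in caps:
        problems.append("missing --cap-add NET_ADMIN")
    if not (cfg.get("Tty") and cfg.get("OpenStdin")):
        problems.append("no tty/stdin: run with -dit so the container stays up")
    return problems


def inspect_container(name_or_id):
    """Run 'docker inspect' for a container (assumes the docker CLI is on PATH)."""
    out = subprocess.run(["docker", "inspect", name_or_id],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = inspect_container(target) if target else SAMPLE_INSPECT
    report = check_headless_ready(data) or ["ok: container can host the headless client"]
    print("\n".join(report))
```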

Hey Steven,

I don’t know what you mean by the first sentence but I did try the commands you suggested.

I am SSHing into the Synology DSM to enter these commands.

I first cleaned up all of the containers except for the Twingate Connector container and the ubuntu container in which I am running, or rather trying to start, the Twingate client. So I started with the command sudo docker ps, followed by sudo docker run -dit --device /dev/net/tun --cap-add NET_ADMIN ubuntu, and then sudo docker inspect ubuntu. Looking thru the results of the inspect, I see "Devices": null.

Results of the commands:

roger@DS-Master:~$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9d65df1331a3 twingate/connector:1 "/connectord" 25 hours ago Exited (0) 2 minutes ago twingate-Plymouth-Connector-1
3abebd0789f9 ubuntu:latest "/bin/bash" 26 hours ago Up About an hour ubuntu
roger@DS-Master:~$ sudo docker run -dit --device /dev/net/tun --cap-add NET_ADMIN ubuntu
a490c23c112c4ac132c35a3e624b30eecbffedccdc4f7e04278f8e20634b7443
roger@DS-Master:~$ sudo docker inspect ubuntu
[
    {
        "Id": "3abebd0789f9cbd57a73189783b3d8b6569706039aaf6e35c864b39d7438d0a9",
        "Created": "2023-02-23T22:15:54.838615953Z",
        "Path": "/bin/bash",
        "Args": [],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 13941,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2023-02-24T23:18:04.035616729Z",
            "FinishedAt": "2023-02-24T23:14:27.767774995Z",
            "StartedTs": 1677280684,
            "FinishedTs": 1677280467
        },
        "Image": "sha256:58db3edaf2be6e80f628796355b1bdeaf8bea1692b402f48b7e7b8d1ff100b02",
        "ResolvConfPath": "/volume1/@docker/containers/3abebd0789f9cbd57a73189783b3d8b6569706039aaf6e35c864b39d7438d0a9/resolv.conf",
        "HostnamePath": "/volume1/@docker/containers/3abebd0789f9cbd57a73189783b3d8b6569706039aaf6e35c864b39d7438d0a9/hostname",
        "HostsPath": "/volume1/@docker/containers/3abebd0789f9cbd57a73189783b3d8b6569706039aaf6e35c864b39d7438d0a9/hosts",
        "LogPath": "/volume1/@docker/containers/3abebd0789f9cbd57a73189783b3d8b6569706039aaf6e35c864b39d7438d0a9/log.db",
        "Name": "/ubuntu",
        "RestartCount": 0,
        "Driver": "btrfs",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "docker-default",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "db",
                "Config": {}
            },
            "NetworkMode": "bridge",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "always",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "host",
            "Dns": null,
            "DnsOptions": null,
            "DnsSearch": null,
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 50,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": null,
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": null,
            "Name": "btrfs"
        },
        "Mounts": [],
        "Config": {
            "Hostname": "ubuntu1",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": true,
            "OpenStdin": true,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Image": "ubuntu:latest",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "org.opencontainers.image.ref.name": "ubuntu",
                "org.opencontainers.image.version": "22.04"
            },
            "DDSM": false
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "615ddab494412b6da82dcf4aa692b9ec83169e66a3c0453c3ff0d4d8f687f3e5",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/615ddab49441",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "bc4af9fe4b8e50ecca4e257c3ca90a7282cac3f4149d0df7a1884419d46ca0d6",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "7697591c4fd3ad58e07634a386fab97a7a2b55c6e90e40456c6afbb8604c7c4e",
                    "EndpointID": "bc4af9fe4b8e50ecca4e257c3ca90a7282cac3f4149d0df7a1884419d46ca0d6",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]
roger@DS-Master:~$

Hopefully this will provide some insight.

Following the commands you pasted, it shows you listed the containers, which showed two.

9d65df1331a3
and
3abebd0789f9

Then you created a 3rd container off of the ubuntu image.

Then you inspected the container that already existed (3abebd0789f9).

See the ID # from your inspect command…

roger@DS-Master:~$ sudo docker inspect ubuntu
[
    {
        "Id": "3abebd0789f9cbd57a73189783b3d8b6569706039aaf6e35c864b39d7438d0a9",
        "Created": "2023-02-23T22:15:54.838615953Z",

If you ran sudo docker ps -a again, I would expect there to be 3 containers now. Remove the old one and attach to the new one created, and you should be good.

That was it, Steven. I kept seeing new containers showing up, mysteriously, but now I understand that I was in fact starting a new container (I'm super new to this Docker stuff, as you can tell).

Once started, I installed the headless Twingate client and voilà:

root@719f8d6b869a:/# twingate start
Starting Twingate service in headless mode
Twingate has been started
Waiting for status…
online
root@719f8d6b869a:/# twingate resources
RESOURCE NAME ADDRESS
DS-Backup 192.168.50.121

root@719f8d6b869a:/#

Twingate started and I appear to have access to the resource I need. After stopping the container and restarting it, I still need to start Twingate again, but it starts up fine.

Having gotten over that hump, thanks to all of the help I’ve gotten, my next task is to see if I can get access to my resource, DS-Backup, to Hyper Backup so I can do Synology to Synology backups via Twingate.

Thanks again for walking me thru this.

Roger