Add node-red user to dialout group #154

Open
RaymondMouthaan opened this issue Oct 17, 2019 · 13 comments

@RaymondMouthaan
Contributor

RaymondMouthaan commented Oct 17, 2019

Add node-red user to dialout group by default instead of node-red group.

From Debian Wiki:

dialout: Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.

In current images, node-red user has its own group node-red, which has no permissions to serial. To gain permission to serial, one needs to add --user node-red:dialout to the docker run command or equivalent in docker compose file.

We might want to add node-red user to the dialout group, so that above is no longer required and node-red has permission to serial by default.

However, current users might get permission issues with the persistent dir, because of current group.

Do all architectures have dialout group available?
[ √ ] amd64/alpine
[ √ ] arm32v6/alpine
[ √ ] arm32v7/alpine
[ √ ] arm64v8/alpine
[ √ ] i386/alpine
[ √ ] s390x/alpine

Proposal: create a feature branch for this change and do some tests.

@RaymondMouthaan RaymondMouthaan changed the title [Feature] Add node-red user to dailout group Add node-red user to dailout group Oct 17, 2019
@dceejay
Member

dceejay commented Oct 17, 2019

yes - create a dialout branch, etc

@RaymondMouthaan RaymondMouthaan self-assigned this Oct 17, 2019
@RaymondMouthaan
Contributor Author

Test images & Manifest lists are available here

@tms0

tms0 commented Oct 19, 2019

There is already an existing option with docker or docker-compose 2.0 to add a user to a group, see https://docs.docker.com/engine/reference/run/#additional-groups

@dceejay
Member

dceejay commented Oct 19, 2019

Yes - very useful. The question is, should we do it by default? Or should we just document alternatives (like this)?

@tms0

tms0 commented Oct 20, 2019

Can you really do it by default? I'm not a docker expert, but how can you be sure that the dialout gid from the image will be the same as the host one?

@RaymondMouthaan
Contributor Author

We can not be sure that the dialout gid on the host is the same as in the container. I've checked on Ubuntu installed on both Raspberry PI and Mac-Mini and they match the gid 20 with the one in the container.

@dceejay
Member

dceejay commented Oct 20, 2019

So the suggestion to do it via command line would be safer in that it would match by name?

@RaymondMouthaan
Contributor Author

RaymondMouthaan commented Oct 21, 2019

In case of node-red:node-red one always needs to supply node-red:dialout via command or docker-compose.yml if he/she wants to use serial.
In case of node-red:dialout it works out of the box, unless there is a mismatch between dialout groupid on the host and container. Chances of a mismatch are rather small, since both Ubuntu and Alpine have dialout groupid set to 20. I assume on Raspbian (which is, like Ubuntu, based on Debian) the gid is the same, but maybe someone can verify this?

grep dialout /etc/group

So changing to group dialout might sound like a good idea ..

However when current users have set their persistence dir to 1000:1000 (most users have, I guess), changing the group node-red to dialout gives an Error: EACCES: permission denied.

Which basically means that all users will be affected by the change and need to chown the persistence dir:

chown -R 1000:20 <path_to_persistence_dir>

So in my opinion we leave as is (node-red:node-red) and for those that want to use serial, they just use --user node-red:dialout option or equivalent.

Or we add node-red users to both node-red group and dialout group, but this requires new dev images and tests :-)

New images are available at nodered/node-red-dev and they are tagged by *dialout.1*. In these images, node-red user is a member of both node-red and dialout group. This works for current users with persistence dir set to 1000:1000.

@tms0 can you verify if serial works with these images?

@tms0

tms0 commented Oct 21, 2019

In my opinion, I prefer to let users do the mapping themselves between things from the OS and things from the container.

But adding dialout as a secondary group seems acceptable to me, I will give it a try @RaymondMouthaan .

@RaymondMouthaan
Contributor Author

I have a solution in mind, but that requires significant changes to the node-red container. I've not yet got the time to create an experimental version to do so, but if it's ready I'll let you know 😌

@RaymondMouthaan RaymondMouthaan removed their assignment Jun 19, 2020
@janvda

janvda commented Aug 20, 2020

FYI: On my intel-nuc (Intel(R) Client Systems NUC6CAYS) running CentOS Linux 8 the dialout group has id 18 on the host and not 20!

[root@nuc-jan ~]# grep dialout /etc/group
dialout:x:18:lirc
[root@nuc-jan ~]# 

[root@nuc-jan ~]# uname -a
Linux nuc-jan.borsbeek 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@nuc-jan ~]# 

Note that I am not requesting this feature. Above information is just provided for consideration when making any changes.
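
Added example (not part of the original thread or the project's code): a check for the GID mismatch reported above. Docker resolves a group name given to `--group-add` against the image's `/etc/group`, so the sketch compares the host and image entries and falls back to the host's numeric GID when they differ. The function names `gid_of` and `group_add_value` are hypothetical, and the group files are constructed samples (the CentOS line and the Alpine GID 20 come from the comments above).

```shell
#!/bin/sh
# Added example: choose a --group-add value that grants serial access
# without changing the container's primary group.
# On a live host the GID that matters is the device's owning group:
#   stat -c '%g' /dev/whatever     (GNU stat; device path as in the thread)

# gid_of GROUP FILE -> prints GROUP's numeric GID from an /etc/group-format file
gid_of() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1; exit }
                       END { if (!found) exit 1 }' "$2"
}

# group_add_value HOST_GROUP_FILE IMAGE_GROUP_FILE [GROUP]
# The group name is only safe when host and image map it to the same GID;
# otherwise print the host's numeric GID, which Docker also accepts.
group_add_value() {
    grp="${3:-dialout}"
    host_gid=$(gid_of "$grp" "$1") || { echo "no $grp group on host" >&2; return 2; }
    image_gid=$(gid_of "$grp" "$2") || image_gid=""
    if [ "$host_gid" = "$image_gid" ]; then
        printf '%s\n' "$grp"
    else
        printf '%s\n' "$host_gid"
    fi
}

# Constructed sample data (stand-ins for the real /etc/group files)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'root:x:0:\ndialout:x:18:lirc\n' > "$tmp/host_centos"  # CentOS 8 line from the thread
printf 'root:x:0:\ndialout:x:20:\n' > "$tmp/host_ubuntu"      # GID 20, as reported for Ubuntu
printf 'root:x:0:root\ndialout:x:20:root\nnode-red:x:1000:\n' > "$tmp/image"

for h in host_centos host_ubuntu; do
    v=$(group_add_value "$tmp/$h" "$tmp/image")
    echo "$h: --group-add $v"
done
```
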

@emes

emes commented Apr 30, 2021

Just in case helpful for others...

They've merged the v2/v3 compose specs which brings back the services element group_add. This was in v2 and removed in v3 releases.

So if you install docker-compose 1.27.0+ and are running Docker Engine 19.03.0+

  node-red:
    devices:
      - /dev/whatever
    group_add:
      - dialout

instead of user: "node-red:dialout"

and node-red user will be in both groups:

bash-5.0$ whoami
node-red
bash-5.0$ groups
node-red dialout

@kpm-at-hfi

Nice! Thanks for sharing @emes!
