Docker capabilities

Hello, I am new to Syncthing and Docker. I was wondering if it was possible to suppress as much as possible a Syncthing container's capabilities in the deployment.

I couldn't find what capabilities were used, and I am afraid that adding --cap-drop=ALL in the deployment would make it impossible to use.

Thanks in advance, and sorry for the not really good English.

Try it?

I tried it, and dropping all makes the container restart in a loop; I think this does indeed break everything… I use the following .yml file for my Docker Compose:

---
services:
  syncthing:
    image: syncthing/syncthing
    container_name: syncthing
    hostname: mysyncthing
    environment:
      - PUID=1000
      - PGID=1000
      - STGUIADDRESS=0.0.0.0:8384
    volumes:
      - /data1/st-sync:/var/syncthing
    network_mode: host
    restart: unless-stopped
    cap_drop:
      - ALL
    healthcheck:
      test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1
      interval: 1m
      timeout: 10s
      retries: 3

The thing is, I don't want to try each capability one by one, and maybe there is a functionality that won't work afterwards and I won't notice it… So I was wondering if the required capabilities were in the documentation, but I can't find it.

Normal syncthing usage does not require any special capabilities. If you intend to use the advanced option syncOwnership, you need chown and fowner caps as documented.

Sometimes docker makes things a bit more complicated than usual, but syncthing doesn’t use anything that would require privileges under normal operation.

The entrypoint script will try to fixup permissions and switch uid/gid if running as uid 0. That won’t work if it’s running as uid 0 but without any actual capabilities. But you can start it as a normal user without capabilities (probably don’t even need the --cap-drop then, but maybe I’m missing something), with a volume it can write to:

% docker run -it --rm --cap-drop=ALL --user 1000:1000 -v /tmp/syncthing:/var/syncthing ghcr.io/syncthing/syncthing:latest
2025-11-20 18:06:16 INF syncthing v2.0.11 "Hafnium Hornet" (go1.25.3 linux-arm64) docker@github.syncthing.net 2025-10-27 03:59:48 UTC [noupgrade] (log.pkg=main)
2025-11-20 18:06:16 INF Generating key and certificate (cn=syncthing log.pkg=syncthing)
2025-11-20 18:06:16 INF Default config saved; edit to taste (with Syncthing stopped) or use the GUI (path=/var/syncthing/config/config.xml log.pkg=syncthing)
...

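The `docker run --user 1000:1000 --cap-drop=ALL` invocation from the last reply, carried over to the compose file posted earlier in the thread. This is an added example, not part of the original posts or the Syncthing project's documentation; it assumes the host directory is already writable by uid/gid 1000 and covers normal usage only, not syncOwnership.

```yaml
# Added example: the compose file from this thread, changed to start as a
# non-root user, as in the `docker run --user 1000:1000` reply.
services:
  syncthing:
    image: syncthing/syncthing
    container_name: syncthing
    hostname: mysyncthing
    # Start directly as the unprivileged user. Per the reply, the entrypoint
    # only fixes up permissions and switches uid/gid when it starts as uid 0,
    # and that is the step that cannot work once every capability is dropped.
    user: "1000:1000"
    environment:
      # PUID/PGID from the original file are omitted: the user is set above.
      - STGUIADDRESS=0.0.0.0:8384
    volumes:
      # Assumption: this host directory already exists and is writable by
      # uid/gid 1000, because nothing in the container can chown it now.
      - /data1/st-sync:/var/syncthing
    network_mode: host
    restart: unless-stopped
    cap_drop:
      - ALL
    healthcheck:
      test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1
      interval: 1m
      timeout: 10s
      retries: 3
```

To confirm the result on a running container, `docker exec syncthing grep Cap /proc/1/status` should report all-zero `CapPrm`, `CapEff` and `CapBnd` masks.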