5.1 KiB
Setillo
Synology DS223j NAS running DSM 7.3.2. Secondary Synology used for monitoring exporters and AdGuard secondary DNS.
Specs
| Model | DS223j |
| Platform | rtd1619b (aarch64) |
| DSM | 7.3.2 (build 86009) |
| Storage | /volume1 — 8.8 TB btrfs |
| Tailscale | 1.96.4 (as of 2026-04-11) |
Running services
Containers under DSM Container Manager:
| Name | Image | Purpose |
|---|---|---|
node_exporter |
quay.io/prometheus/node-exporter |
Prometheus host metrics |
snmp_exporter |
quay.io/prometheus/snmp-exporter |
SNMP metrics for network gear |
adguard |
adguard/adguardhome |
Secondary AdGuard DNS resolver |
dozzle-agent |
amir20/dozzle |
Remote log agent for the main Dozzle instance |
Sudoers restriction (important)
The vish user has passwordless sudo but cannot invoke shells via sudo:
(ALL) NOPASSWD: "REDACTED_PASSWORD" !/bin/ash, !/bin/sh, !/bin/bash, !/usr/bin/su
Practical implications:
- ✅ Works:
sudo mkdir,sudo mount,sudo wget,sudo /opt/bin/opkg install foo,sudo tee /etc/file,sudo systemctl enable foo - ❌ Blocked:
sudo sh script.sh,sudo bash -c '...',sudo -i,sudo ./script.sh(even with a#!/bin/shshebang — the kernel exec of#!/bin/sh script.shis blocked)
To run shell scripts as root, translate them into a series of individual sudo invocations of non-shell binaries. Use sudo tee file <<EOF heredocs to write files (tee is not a shell, so it's allowed).
Entware (opkg package manager)
Installed 2026-04-11 to work around DSM's minimal busybox toolset.
Layout
| Distro | aarch64-k3.10, GLIBC 2.27 |
| Home | /volume1/@entware |
| Mount point | /opt (bind mount) |
| Persistence | /etc/systemd/system/opt.mount (enabled, After=syno-volume.target, WantedBy=local-fs.target) |
| Installed size | ~260 MB (153 packages) |
Persistence unit
/etc/systemd/system/opt.mount:
[Unit]
Description=Entware bind mount for /opt
DefaultDependencies=no
After=syno-volume.target
Requires=syno-volume.target
Before=local-fs.target
Conflicts=umount.target
[Mount]
What=/volume1/@entware
Where=/opt
Type=none
Options=bind
[Install]
WantedBy=local-fs.target
PATH setup
/opt uses three binary directories. ~/.profile sets:
export PATH=/opt/bin:/opt/sbin:/opt/usr/bin:$PATH
Some binaries live at /opt/bin, some at /opt/sbin (e.g. iotop, fzf), some at /opt/usr/bin (e.g. fd, eza). Keep all three in PATH.
/opt/containerd preservation
DSM pre-creates empty stub dirs /opt/containerd/{bin,lib} (cosmetic — real containerd lives at /var/packages/REDACTED_APP_PASSWORD/). The Entware install recreated these stubs inside the bind-mounted tree so Synology's view of /opt/containerd is preserved whether /opt is bind-mounted or not. If you ever rebuild Entware, recreate them:
sudo mkdir -p /opt/containerd/bin /opt/containerd/lib
sudo chmod 711 /opt/containerd
Installing packages
Entware's opkg is not in the default sudo PATH (and sudoers blocks shells, so you can't sudo bash -c). Always invoke opkg by full path:
sudo /opt/bin/opkg update
sudo /opt/bin/opkg install <pkg>
For Python packages not in the Entware repo, use /opt/bin/pip3:
sudo /opt/bin/pip3 install --break-system-packages <pkg>
Currently installed (high-value tools)
| Category | Packages |
|---|---|
| Shell | bash, tmux, screen, htop, vim-full, nano, less, fzf |
| Network | iperf3, mtr-json, bind-dig, tcpdump, nmap, socat, curl, wget-ssl, nethogs, iftop, whois, mosh-full, openssh-client, openssh-sftp-server |
| Filesystem | rsync, rclone, ncdu, pv, file, tree, lsof, jq, yq (pip) |
| Observability | sysstat, dstat, strace, procps-ng, python3-iotop, glances (pip), fail2ban |
| Dev | git, python3, python3-pip, node, gnupg2 |
| Modern unix | ripgrep, fd, eza, zoxide |
Not available in the Entware aarch64-k3.10 repo
bat— install viacargo install batif neededduf— usedf/ncduinsteadbash-completion— individual tools (git, fzf) provide their ownyq,glances— installed viapip3instead
Uninstall (full reversal)
sudo systemctl disable --now opt.mount
sudo rm /etc/systemd/system/opt.mount
sudo systemctl daemon-reload
sudo rm -rf /volume1/@entware
DSM upgrade caveat
DSM major version bumps (e.g. 7.3 → 8) can clobber /etc/systemd/system/. After any DSM upgrade, re-check:
systemctl is-enabled opt.mount
If missing, recreate the unit file (content above), then sudo systemctl daemon-reload && sudo systemctl enable --now opt.mount. The Entware tree itself survives on /volume1/@entware — only the mount unit needs recreating.
Tailscale upgrades
Tailscale's Synology package ships a built-in self-updater. Don't hunt for SPK URLs — just:
sudo tailscale update --yes
It downloads the right .spk from pkgs.tailscale.com and installs it in place. Confirmed working 2026-04-11 (upgraded 1.92.3 → 1.96.4).