A hidden gem, that’s what it is!

You see, I always liked how Synology has a web interface that is like a desktop, with windows and applications that really make you feel like you’re “computing in the cloud”. Of course a Synology NAS has its limits as to what you can do, and in particular Synology Office and the other Office applications that run in “full screen” new tabs, destroy the feeling of being logged into a remote computer.

So, I always wondered… What is this LXQt package? Are you telling me there’s a full Linux desktop available, just waiting to be installed and run? And what? Accessed from the browser?

Too good to be true, I thought. But that’s exactly what it is.

Meet Synology LXQt

LXQt desktop accessed through the browser

Let me explain!

Synology NAS, at least the powerful ones, have a Docker package that can be installed. This LXQt package depends on Docker, as it is in fact, a Docker image that gets pulled and set up for you, which then runs in the background. This Docker image is publicly available so in theory, you could set this up on any Docker host without a Synology NAS. The only difference is, that the LXQt package sets everything up for you, and creates a share to hold your files, and creates a little “desktop icon” (in the DSM web interface “desktop”), which when clicked, will open a new tab with an in-browser VNC client, which will then automatically connect to this LXQt desktop.

Docker volumes are by default stored in the “Docker” share on the Synology NAS, and by default this LXQt container has an “lxqt” volume for (partial) persistent storage. More on that later.

SUDO

This container comes with root rights, which should be fine, since it’s a container. If you break things, you can just recreate it.

The default account is “ubuntu” which has sudo rights, and the password is “synology”.

Ubuntu 16.04 LTS

This Docker image is based on Ubuntu 16.04 LTS, which can be updated to the latest version, as you normally would update Ubuntu.

As you can see, by default it has access to all the resources of the NAS. In this case we have 4x Intel Celeron J4125 @ 2.00 GHz and 8 GB of RAM.

This screenshot was taken after fully updating the container.

sudo apt update
sudo apt upgrade -y

/home/ubuntu

Since the default user is ubuntu, its user folder is in /home/ubuntu which happens to be mounted as Docker volume. By default, the folder “lxqt” in the “docker” share (in the Synology NAS) gets mounted to /home/ubuntu so all your user’s files are persistently stored.

If we create a TESTFILE in /home/ubuntu, we can find it in the Synology NAS “lxqt” folder in the “docker” share:

A screenshot showing docker > lxqt which is a volume mounted on /home/ubuntu where we can see our TESTFILE.

noVNC

The VNC client, is an in-browser VNC client named noVNC. The VNC server has by default no password and it does not use encryption. The same is true for noVNC itself.

Since this is unencrypted (plain HTTP), you should of course only use this in LAN or set up some HTTPS reverse proxy to access it from outside (or an SSH tunnel). You would then also have to secure it somehow, as by default, it will simply launch the VNC session without authentication, as the VNC server has no password by default. As you can see, on the desktop there’s a way to set a password for VNC, but in practice it’s broken. While you can set a password, the “noVNC” web client can’t ask for it as seen on the screenshot below:

And I wouldn’t trust this authentication to be secure anyway, even if it worked.

Fixing “locked out” noVNC

Since we now know that docker > lxqt gets mounted on /home/ubuntu, we can get access back by simply deleting the “passwd” file in the “.vnc” folder that we can find in the docker share > lxqt. Then restart the “LXQt” package by going to the Package Center on your Synology NAS DSM (admin interface), looking for the LXQt package, clicking stop, wait for it to stop and then click run.

Using VNC directly

As for using VNC to it directly, in the Synology firewall settings, I did not see it in the list of applications. Maybe it would be possible if you figure out the port and open it in the firewall manually (as long as it’s not bound to localhost, it should work). But again, VNC too is just plain (unencrypted) and thus not suitable to be accessed from outside unless you use an SSH tunnel.

OK, I won’t be like that. It’s the default port 5900. ;)

And of course you’d have to forward the port in Docker too (from host to container) which isn’t done by default.

But again, I don’t recommend it. 🤷🏻‍♀️

The Docker bits

If we go to the “Docker” package, where we would normally download Docker images and set up containers manually, we will see that indeed, the LXQt container was set up for us:

And as you can see, it does not consume much in terms of resources.

If we go to the “Image” tab, we can see that it is indeed a publicly available Docker image, and there’s even a link to the Docker hub:

Which leads to https://registry.hub.docker.com/r/synology/lxqt/ in case you want to hack around on it. ;)

You cannot delete the Docker LXQt package related things manually, as it will give you an error message that it’s a dependency of the package and that you need to delete the package instead.

Sadly this Docker image was last updated 4 years ago, but at least you can update the Ubuntu within manually as stated above.

The technical bits

Since this is a Docker image, I can dissect and analyze it for you and tell you the highlights of how this is possible within Docker:

To make this all work, Synology uses a virtual frame buffer, which is provided with the application Xvfb, which also implements X11. Basically, a virtual display.

On top of this, they run the VNC server x11vnc which gets bound to said virtual display. The window manager is openbox and the session is simply an lxqt-session.

For VNC in the browser, it starts websockify (the Python 2.7 version) which then shares /usr/share/novnc (which holds the “web app” contents) to port 6080 and has the arguments localhost:5900 which is the local VNC server it should connect to. Port 6080 is inside the container, but Docker forwards the beforementioned 30006 to it, which is the one you connect to.

Conclusion

This is an interesting approach to get a lightweight Linux desktop on a NAS, within a Docker container so that it’s isolated from the rest of the system.

I think this has potential but it seems it’s not popular based on the download count of just under 60k, which is really not much considering Synology NAS is so popular. In comparison, the FOSS antivirus “ClamAV” which in the Package Center is labeled as “Antivirus Essential” was downloaded over 13M times. And I think this little user interest has led Synology to abandoning it (it’s still available in the Package Center but the Docker image wasn’t updated in 4 years).

I think part of the reason might be that Synology NAS is an easy-to-use consumer product, and most consumers probably don’t know what “LXQt” even means or can’t imagine how it’s related to a NAS and therefore don’t bother installing it and checking it out. Maybe if it was labeled “Desktop Essential” or “Real Desktop” or similar, it would have been downloaded more often, likewise if “Antivirus Essential” was just labeled “ClamAV” it would have probably been downloaded fewer times.

But I think this LXQt is a hidden gem to hack around on, but nothing to be used in production. And since it’s a public Docker image, you can go hack around on it right now, without a Synlogy NAS!

That’s all there is to it!