Prerequisites
Setup SSH Connection
Some of the steps in the following guide require the user to be able to access a command line interface with their Synology Device. Enable the SSH service within the Synology Control Panel.
For security reasons, it is highly recommended to use a different port than port 22 for SSH. Try to avoid using ports listed in this article: List of TCP and UDP port numbers
Any port between 49152 and 65535 should be OK. If you are going to disable the SSH service after completing this setup guide, you can use port 22.
API Key and Host ID
To use an Iceberg Cyber Sensor Container, an API Key is required. The API key helps to uniquely identify the container instance and helps assign the vulnerability it finds to a user/account. If you do not already have an API Key, please contact Iceberg Cyber to have one provided to you.
Each API Key also has a linked Host ID. The Host ID is required to start the container and is used to uniquely identify the container’s results in the Iceberg User Portal.
Container Repository Access Key
Iceberg Cyber Sensor Container Images are stored on a private container registry. To access this registry, the user will require a special access key. If you do not already have an access key, please contact the Iceberg Cyber Team and one will be provided to you.
Container Manager App
Synology has an app called Container Manager that is used to manage Docker Containers. You can download this app from within the Package Center. There are two reasons why we need to use command line operations instead of configuring the Iceberg Cyber Sensor Container from solely within the Container Manager app:
We have experienced an issue adding our private container repository to the Repository page within Container Manager. We observe an error that says “Network Error” and suspect this is due to a permissions issue with how the Container Manager adds new private repositories. This is not an issue from the command line.
There is a known limitation within Container Manager where users cannot create IPvLAN or MACvLAN network types. We need a MACvLAN for the Iceberg Cyber Sensor Container to operate properly and therefore require the command line interface operation.
Docker Inc’s official Container Manager app within the Synology Package Center
Download Image
Steps to download the Iceberg Cyber Sensor Container image:
Establish an SSH connection into your Synology device. You can use the Linux terminal or the PuTTY app on Windows OS.
Login with a Synology user account that has administrator rights. Only Synology admin accounts can access the SSH service.
Run command:
sudo docker login -u <username> -p <access key> icebergsensordocker.azurecr.io
Replace <username> and <access key> with the Container Repository Username and Access Key provided by Iceberg Cyber
If the login was successful, you should see a note in the command line “Login Succeeded”
Run command:
sudo docker pull icebergsensordocker.azurecr.io/sensor/iceberg-sensor:<version>
Replace <version> with the desired version, or the word “latest” for the latest release. The version compatible with the Iceberg Web App is version 1.1.1
Latest is currently set to 1.3.1 as of 2025-03-19
If successful, you should see each layer of the docker image being downloaded
Once all the layers have finished downloading, you should be able to run:
sudo docker image ls
and see the Iceberg Cyber Sensor Container in your list of images. You can also see it in your Container Manager in the Synology GUI.
Setup MACvLAN Network
A MACvLAN network may be required for all the features of the Iceberg Cyber Sensor Container to work properly. A MACvLAN network treats each container on it as if it were directly connected to the same network as the host device, with its own MAC address distinct from the host's. For more information about MACvLAN networks, see Macvlan network driver
To set up the MACvLAN network, follow the below steps:
Gather the necessary information about your host network:
Subnet
Gateway
Host device network interface
To get this information, a command like:
ip link show
will show all the network interfaces on the Synology device. Usually, the desired interface looks something like “eth0”.
Run command:
sudo docker network create -d macvlan --subnet=<subnet> --gateway=<gateway> --ip-range=<desired ip>/32 -o parent=<interface> IcebergNetwork
Replace the contents between any <> with the relevant information.
Replace the <desired ip> with any ip address on the same subnet that does not conflict with any other device on the same network.
If successful, the user should see the IcebergNetwork in the list when the following command is run:
sudo docker network ls
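The values gathered above can be sanity-checked before the network is created. The script below is an added example, not part of the original guide or Iceberg Cyber's tooling; it verifies that the gateway and desired IP are usable host addresses inside the subnet and do not collide, then prints the create command. The function names and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check MACvLAN values before use.

# Dotted-quad IPv4 -> integer; returns non-zero on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_macvlan <subnet/prefix> <gateway> <desired ip>; prints "ok" or the reason.
check_macvlan() {
    net=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|0*|???*) echo "bad prefix"; return 1 ;; esac
    [ "$prefix" -le 30 ] || { echo "bad prefix"; return 1; }
    net_i=$(ip_to_int "$net") && gw_i=$(ip_to_int "$2") && ip_i=$(ip_to_int "$3") \
        || { echo "invalid address"; return 1; }
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    first=$(( net_i & mask )); last=$(( first | (mask ^ 0xFFFFFFFF) ))
    [ "$net_i" -eq "$first" ] || { echo "subnet has host bits set"; return 1; }
    # Usable hosts lie strictly between the network and broadcast addresses.
    [ "$gw_i" -gt "$first" ] && [ "$gw_i" -lt "$last" ] \
        || { echo "gateway outside subnet"; return 1; }
    [ "$ip_i" -gt "$first" ] && [ "$ip_i" -lt "$last" ] \
        || { echo "ip outside subnet"; return 1; }
    [ "$ip_i" -ne "$gw_i" ] || { echo "ip equals gateway"; return 1; }
    echo ok
}

# Constructed sample values; substitute your own subnet, gateway, IP and interface.
SUBNET=192.168.1.0/24 GATEWAY=192.168.1.1 SENSOR_IP=192.168.1.250 IFACE=eth0
if reason=$(check_macvlan "$SUBNET" "$GATEWAY" "$SENSOR_IP"); then
    echo "sudo docker network create -d macvlan --subnet=$SUBNET --gateway=$GATEWAY" \
         "--ip-range=$SENSOR_IP/32 -o parent=$IFACE IcebergNetwork"
else
    echo "not creating network: $reason" >&2
fi
```

The script cannot tell whether another device already holds the desired IP, so that still has to be confirmed on the network itself.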
Start Container
To start the container, use the following steps:
Run command:
sudo docker run -d --net=IcebergNetwork --env ICEBERG_KEY=<API Key> --env IOTIUM_NODE_SERIAL_ID=<Host ID> --name=IcebergSensorContainer icebergsensordocker.azurecr.io/sensor/iceberg-sensor:<version>
Replace <API Key> with the API Key provided by Iceberg Cyber
Replace <Host ID> with the Host ID linked to the API Key, also provided by Iceberg Cyber
Replace <version> with the desired version of the container
If successful, you should see the container as active if you run:
sudo docker ps -a
After this stage, you can start, stop, and inspect the container using the Container Manager app within the Synology OS.
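The login command in the Download Image steps and the run command above both place secrets (the access key and the API Key) on the command line, where they are saved in shell history and visible in the process list. The script below is an added example, not part of the original guide or Iceberg Cyber's tooling; it performs the same login and start steps using docker's --password-stdin and --env-file options. The function names, script name and env-file path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): keep secrets off the command line.
REGISTRY=icebergsensordocker.azurecr.io
IMAGE=$REGISTRY/sensor/iceberg-sensor

# Prompt on the terminal without echoing the input; result is left in $SECRET.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r SECRET; stty echo
    printf '\n' >&2
}

# write_env_file <path> <api key> <host id>: file readable by its owner only.
write_env_file() {
    ( umask 077
      printf 'ICEBERG_KEY=%s\nIOTIUM_NODE_SERIAL_ID=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# registry_login <username> <access key>: docker reads the key from stdin, not -p.
registry_login() {
    printf '%s' "$2" | sudo docker login -u "$1" --password-stdin "$REGISTRY"
}

# start_sensor <env file> <version>: same run command, variables taken from the file.
start_sensor() {
    sudo docker run -d --net=IcebergNetwork --env-file "$1" \
        --name=IcebergSensorContainer "$IMAGE:$2"
}

# Run as: sh start-sensor.sh <username> <version>   (script name is hypothetical)
if [ $# -eq 2 ]; then
    env_file=$HOME/iceberg-sensor.env          # hypothetical location
    read_secret "Access key"; registry_login "$1" "$SECRET"
    read_secret "API Key"
    printf 'Host ID: ' >&2; read -r host_id
    write_env_file "$env_file" "$SECRET" "$host_id"
    start_sensor "$env_file" "$2"
fi
```

The values are still readable from the env file and from the container's configuration by anyone with administrator access to the device, so this narrows exposure rather than removing it.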
Container Manager
You can start/stop and inspect the Iceberg Cyber Sensor Container from within the Container Manager app.
Screenshot of the Container page showing the Iceberg Cyber Sensor Container from within the Container Manager app in the Synology OS.
Results in the Iceberg App
After the container starts for the first time, it may take 2-3 hours for the scanning engine to update. Then you will see the Sensor online in the Iceberg app at app.icebergcyber.com