docker_notes:docker-deluge [2023-03-04 Sat wk09 09:56] – ↷ Page moved from tech_notes:docker-deluge to docker_notes:docker-deluge baumkp | docker_notes:docker-deluge [2024-04-28 Sun wk17 11:13] – [s6 supervision rc system] baumkp |
---|
{{tag>linux docker image container init s6 s6-rc openvpn "docker compose" wireguard macvlan nftables}} | {{tag>linux docker image container init s6 s6-rc openvpn "docker compose" wireguard macvlan nftables}} |
======Docker Deluge Image / Service====== | ======Docker Deluge Image / Service====== |
I want a torrent service that uses a VPN and is set up to have blocked WAN (internet) access. On my virtual machine implementation of this I used the following 3 packages: deluge (deluged with deluge-web), openvpn and nftables. I used both iptables and nftables, and nftables is definitely more elegant to use. As far as I can tell there is not a Docker image that will meet my needs. So time to delve in deeper myself. | I want a torrent service that uses a VPN and is set up to block non-VPN WAN (internet) access. On my virtual machine implementation of this I used the following 3 packages: deluge (deluged with deluge-web), openvpn and nftables. I have used both iptables and nftables and find nftables is definitely more elegant to use. As far as I can tell there is not a Docker image that will meet my needs. |
| |
=====s6 supervision rc system===== | I have been successfully running this in a container on my home server since early 2023. This replaced a similar setup that I had been operating since about 2017 on a virtual machine using Linux KVM/Libvirt/QEMU. |
I decided to build this container image based upon Alpine Linux using the [[https://www.skarnet.org/software/s6/index.html|S6]] init system. Skarnet.org is the S6 author's web site and main repository. | |
| |
S6 [[https://www.skarnet.org/software/s6/servicedir.html|Service directories]] | |
| |
++++Basic S6 commands:| | |
| |
*''s6-svstat /run/service/servicename'' or ''s6-svstat /run/s6-rc/servicedirs/deluged'' - check a daemon status, longrun only! | |
*''s6-rc -u change servicename'' - enable and start a daemon (up) | |
*''s6-rc -d change servicename'' - disable and stop a daemon (down) | |
*''s6-rc-db list all|services|oneshots|longruns|bundles'' - lists the nominated services in the active s6-rc-db | |
*''s6-rc-db type servicename'' - Prints the type of servicename: oneshot, longrun or bundle | |
*''s6-rc-db dependencies servicename'' - lists the direct dependencies of servicename, i.e. the entries in servicename/dependencies.d | |
*''s6-rc-db all-dependencies servicename'' - lists all the dependencies of servicename, recursively | |
*''s6-rc-db -d|-u timeout servicename'' - lists the timeout, -d for timeout down and -u for timeout up | |
| |
BTW don't spell dependencies as dependancies and wonder why things don't work, lol the English language sucks. | |
++++ | |
| |
| |
Reference: | |
*[[https://github.com/just-containers/s6-overlay| just-containers/s6-overlay]] | |
*[[https://skarnet.org/software/s6-rc/s6-rc-compile.html|The s6-rc-compile program]] Describes the functionality of the S6-rc system | |
*[[https://forum.level1techs.com/t/easy-to-follow-beginner-guide-on-s6-starter-pack/178411|Easy to follow Beginner Guide on s6 Starter Pack]] | |
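As an added example (not code from this wiki page or from s6-overlay), the following POSIX shell function lays out s6-rc service definitions in the s6-overlay v3 layout that the s6 commands above operate on: a oneshot for the VPN bring-up script, longruns for deluged and deluge-web that depend on it and drop privileges with s6-setuidgid, and the ''user'' bundle that s6-overlay starts. The service names, the ''deluge'' user, ''/config'', ''/etc/openvpn/vpn-up.sh'' and the Deluge 2 ''-d'' (do not daemonize) flags are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: create s6-rc service definitions in the
# s6-overlay v3 layout so deluged/deluge-web start only after the VPN oneshot has run
# and never run as root. Service names, user, paths and deluge flags are assumptions.
make_s6_services() {
    d="$1"   # target directory; in a Dockerfile this is /etc/s6-overlay/s6-rc.d

    # oneshot: runs the page's script (fix /dev/net/tun, seed /etc/hosts, start openvpn).
    # "up" is an execline script, so a single command line is sufficient.
    mkdir -p "$d/vpn-up/dependencies.d"
    echo oneshot > "$d/vpn-up/type"
    echo /etc/openvpn/vpn-up.sh > "$d/vpn-up/up"

    # longrun: deluged, supervised by s6 (not daemonizing), dropped to user "deluge"
    mkdir -p "$d/deluged/dependencies.d"
    echo longrun > "$d/deluged/type"
    cat > "$d/deluged/run" <<'EOF'
#!/bin/sh
exec s6-setuidgid deluge /usr/bin/deluged -d -c /config
EOF
    chmod +x "$d/deluged/run"
    touch "$d/deluged/dependencies.d/vpn-up"        # s6-rc starts deluged after vpn-up

    # longrun: deluge-web, started after deluged, same unprivileged user
    mkdir -p "$d/deluge-web/dependencies.d"
    echo longrun > "$d/deluge-web/type"
    cat > "$d/deluge-web/run" <<'EOF'
#!/bin/sh
exec s6-setuidgid deluge /usr/bin/deluge-web -d -c /config
EOF
    chmod +x "$d/deluge-web/run"
    touch "$d/deluge-web/dependencies.d/deluged"

    # the "user" bundle is what s6-overlay brings up; both longruns go in its contents.d
    mkdir -p "$d/user/contents.d"
    echo bundle > "$d/user/type"
    touch "$d/user/contents.d/deluged" "$d/user/contents.d/deluge-web"
}

# Prints the direct dependencies of a service, the same information as
# "s6-rc-db dependencies servicename" once the database has been compiled.
service_deps() { ls "$1/$2/dependencies.d"; }
```

After ''make_s6_services /etc/s6-overlay/s6-rc.d'' in the Dockerfile, s6-overlay compiles the database at container start, so ''s6-rc-db type deluged'' reports ''longrun'' and ''s6-svstat /run/service/deluged'' shows it is supervised.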
=====dockerfile===== | =====dockerfile===== |
++++Dockerfile| | ++++Dockerfile| |
* where $lan is set to the LAN interface, e.g. enp1s0 | * where $lan is set to the LAN interface, e.g. enp1s0 |
* ''%%docker run -it --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh%%'' | * ''%%docker run -it --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh%%'' |
* When running nftables to stop VPN leakage it was found that the Docker networking caused failures. Docker uses the loopback address 127.0.0.11 to resolve its DNS queries and then refers to the nominated local DNS; see ''/etc/resolv.conf''. The Docker documentation states that the user should not directly modify the resolv.conf file as it may adversely affect Docker performance. As the openvpn program rewrites resolv.conf anyway, I decided to do the same in a oneshot to point DNS directly. | * When running nftables to stop VPN leakage it was found that the Docker networking caused failures. Docker uses the loopback address 127.0.0.11 to resolve its DNS queries and then refers to the nominated local DNS; see ''/etc/resolv.conf''. The Docker documentation states that the user should not directly modify the resolv.conf file as it may adversely affect Docker performance. As the openvpn program rewrites resolv.conf anyway, I decided to do the same in a oneshot to point DNS directly. I subsequently remembered a UNIX basic, the /etc/hosts file, which is the lowest-level name resolution on every machine. I simply added the relevant PrivatVPN endpoint hosts in here and this worked a beaut. |
* Need to manually create ++/dev/net/tun|<code bash> | * Need to manually create ++/dev/net/tun|<code bash> |
#!/bin/sh | #!/bin/sh |
if ! [ -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi # create the TUN device node (char 10,200) if the container lacks it | if ! [ -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi # create the TUN device node (char 10,200) if the container lacks it |
chmod 660 /dev/net/tun | chmod 660 /dev/net/tun |
 | |
echo "nameserver 192.168.1.1" > /etc/resolv.conf # point DNS at the LAN resolver directly instead of Docker's 127.0.0.11 | echo "103.231.89.219 au-mel.pvdata.host" >> /etc/hosts # PrivatVPN endpoint, resolved from /etc/hosts so no DNS query is needed |
 | echo "103.231.88.203 au-mel.pvdata.host" >> /etc/hosts # PrivatVPN endpoint, resolved from /etc/hosts so no DNS query is needed |
 | echo "143.244.63.96 au-syd.pvdata.host" >> /etc/hosts # PrivatVPN endpoint, resolved from /etc/hosts so no DNS query is needed |
 | echo "143.244.33.81 sg-sin.pvdata.host" >> /etc/hosts # PrivatVPN endpoint, resolved from /etc/hosts so no DNS query is needed |
 | |
 | /usr/sbin/openvpn /etc/openvpn/privatvpn.conf & # run openvpn in the background with the nominated configuration file |
</code>++ see [[https://serverfault.com/questions/1003011/openvpn-error-cannot-open-tun-tap-dev-dev-net-tun-no-such-file-or-directory|OpenVPN - ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)]] | </code>++ see [[https://serverfault.com/questions/1003011/openvpn-error-cannot-open-tun-tap-dev-dev-net-tun-no-such-file-or-directory|OpenVPN - ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)]] |
*Inside the container the command to run is ''/usr/sbin/openvpn /etc/openvpn/privatvpn.conf''; append & to run it in the background and free up the terminal | *Inside the container the command to run is ''/usr/sbin/openvpn /etc/openvpn/privatvpn.conf''; append & to run it in the background and free up the terminal |
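As an added example (not code from this wiki page), here is a POSIX shell function that prints the nftables ruleset implementing the "no non-VPN WAN access" rule described above: on the LAN interface only LAN-local traffic and the OpenVPN handshake to the PrivatVPN endpoints may leave, everything else must go out over the tunnel, and blocked packets are logged so a leak attempt is visible. The endpoint addresses are the ones the page writes to /etc/hosts; the interface names, LAN subnet and VPN port are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): print an nftables ruleset that only lets the
# OpenVPN handshake and LAN-local traffic leave on the LAN interface; everything else must
# use tun0, so a VPN drop cannot leak torrent traffic. Endpoint IPs are the ones the page
# writes to /etc/hosts; interface names, LAN subnet and VPN port are assumptions.
LAN_IF=eth0                 # macvlan interface inside the container (assumption)
VPN_IF=tun0                 # OpenVPN tunnel interface (assumption)
LAN_NET=192.168.1.0/24      # LAN subnet, matches the page's 192.168.1.x addresses (assumption)
VPN_PORT=1194               # OpenVPN UDP port (assumption; check privatvpn.conf)
VPN_ENDPOINTS="103.231.89.219 103.231.88.203 143.244.63.96 143.244.33.81"

# Prints the ruleset; apply inside the container (needs --cap-add=NET_ADMIN) with:
#   kill_switch_ruleset | nft -f -
# iifname/oifname match by name, so the rules load fine before tun0 exists.
kill_switch_ruleset() {
    elems=$(echo "$VPN_ENDPOINTS" | sed 's/ /, /g')
    cat <<EOF
flush ruleset
table inet killswitch {
    set vpn_endpoints {
        type ipv4_addr
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state established,related accept
        iifname $VPN_IF accept
        iifname $LAN_IF ip saddr $LAN_NET accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname lo accept
        ct state established,related accept
        oifname $VPN_IF accept
        oifname $LAN_IF ip daddr $LAN_NET accept
        oifname $LAN_IF ip daddr @vpn_endpoints udp dport $VPN_PORT accept
        oifname $LAN_IF log prefix "vpn-leak-blocked: " drop
    }
}
EOF
}

# Self-check: no unconditional accept on the LAN interface, and the VPN handshake is allowed
ruleset_is_tight() {
    kill_switch_ruleset | grep -qE "^[[:space:]]*oifname $LAN_IF accept" && return 1
    kill_switch_ruleset | grep -q "udp dport $VPN_PORT accept"
}
```

Both of the page's approaches keep working before the tunnel is up, because LAN-local traffic (the 192.168.1.1 resolver) and the /etc/hosts lookups need nothing beyond the LAN; any DNS or peer traffic aimed outside the LAN is dropped and logged until tun0 exists.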
| |
=====Docker network===== | =====Docker network===== |
As described in the VPN section [[https://wiki.kptree.net/doku.php?id=tech_notes:docker-deluge#openvpn_setup|openvpn setup]], I decided to go with the Docker macvlan network setup. This needs to be created separately and can then be called up when the container is run. A static IP address can be assigned at run time. | As described in the VPN section [[https://wiki.kptree.net/doku.php?id=docker_notes:docker-deluge#openvpn_setup|openvpn setup]], I decided to go with the Docker macvlan network setup. This needs to be created separately and can then be called up when the container is run. A static IP address can be assigned at run time. |
<code bash> | <code bash> |
docker network create -d macvlan \ | docker network create -d macvlan \ |
</code> | </code> |
=====Environment Variables into Docker===== | =====Environment Variables into Docker===== |
I need to work on this one more. It did not seem to work well for me in attempts to date. | I need to work on this one more. It did not seem to work well for me in attempts to date. I tried again in the mailserver setup, also to no avail. |
| |
''S6_KEEP_ENV'' (default = 0): if set, the environment is not reset and the whole supervision tree sees the original set of env vars. It turns with-contenv into a no-op. I placed ''ENV S6_KEEP_ENV=1'' before the first init and all the environment variables were visible. | ''S6_KEEP_ENV'' (default = 0): if set, the environment is not reset and the whole supervision tree sees the original set of env vars. It turns with-contenv into a no-op. I placed ''ENV S6_KEEP_ENV=1'' before the first init and all the environment variables were visible. |
*[[http://skarnet.org/software/s6/s6-setuidgid.html|The s6-setuidgid program]] s6-setuidgid executes a program as another user. I used this so that the deluged and delugeweb programs do not run as root. | *[[http://skarnet.org/software/s6/s6-setuidgid.html|The s6-setuidgid program]] s6-setuidgid executes a program as another user. I used this so that the deluged and delugeweb programs do not run as root. |
*[[http://skarnet.org/software/s6/s6-envuidgid.html|The s6-envuidgid program]] s6-envuidgid potentially sets the UID, GID and GIDLIST environment variables according to the options and arguments it is given, then executes into another program. | *[[http://skarnet.org/software/s6/s6-envuidgid.html|The s6-envuidgid program]] s6-envuidgid potentially sets the UID, GID and GIDLIST environment variables according to the options and arguments it is given, then executes into another program. |
| |
| =====Alpine Docker BusyBox s6-rc===== |
 | The Alpine Docker image is built using musl, BusyBox and OpenRC; however, I have set it up to use s6-rc instead of OpenRC. The "standard" shell commands are built into the ash shell, with additional commands provided by BusyBox, which is a single binary. Some additional functionality can be found by using ''apk add util-linux''. See [[https://en.wikipedia.org/wiki/Util-linux|Wikipedia util-linux]] for a list of the additional functionality in util-linux. |
| |
| A list of [[https://boxmatrix.info/wiki/BusyBox-Commands|BusyBox Commands]] |
| |
=====References===== | =====References===== |
| |
| |