Docker Deluge Image / Service
I want a torrent service that uses a VPN and is set up to block non-VPN WAN (internet) access. On my virtual machine implementation of this I used the following 3 packages: deluge (deluged with deluge-web), openvpn and nftables. I have used both iptables and nftables and find nftables is definitely more elegant to use. As far as I can tell there is not a Docker image that will meet my needs.
I have been successfully running this in a container on my home server since early 2023. This replaced a similar setup that I had been operating since about 2017 on a virtual machine using Linux KVM/Libvirt/QEMU.
dockerfile
docker build -t deluge-openvpn-nftables .
- to create the image deluge-openvpn-nftables
docker run -it -p 8112:8112 --name deluge deluge-openvpn-nftables /bin/sh
- to run the docker image deluge-openvpn-nftables as a container called deluge, with port 8112 passed through, the deluge web interface.
- Inside the container shell the deluge system can be started with the command
deluge web
It looks like I need to write an openrc script to allow the application to be controlled by the built-in system.
VPN setup including nftable force to anonymize WAN usage
I use 2 forms of vpn (virtual private network) on my home server.
- VPN to gain remote secure private access to my home LAN from the WAN (internet). This is where I describe this Wireguard VPN access from WAN to LAN.
- VPN to anonymize my public internet access, making it more difficult for others to track my online behavior. This is the one I am describing here.
- There are some other potential benefits with this style of VPN usage, e.g. greater privacy and ability to have ip address based on different geographic location.
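A minimal nftables ruleset of the kind this setup relies on to block non-VPN WAN access, added here as an illustration; it is not the author's own ruleset, which the page does not show. Assumed and not from the page: the OpenVPN tunnel device is tun0 and the provider endpoint is the placeholder 203.0.113.10 on UDP 1194. The LAN subnet and web interface port are the ones used elsewhere on this page.

```nftables
# Constructed example: VPN kill switch for the container's own network namespace.
# Assumptions (not from the page): tunnel device tun0, provider endpoint
# 203.0.113.10 (documentation placeholder) on UDP 1194.
# From the page: LAN 192.168.1.0/24 and the deluge web UI on TCP 8112.
flush ruleset

define LAN        = 192.168.1.0/24
define VPN_IF     = "tun0"
define VPN_SERVER = 203.0.113.10
define VPN_PORT   = 1194
define WEBUI_PORT = 8112

table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Web UI is reachable from the LAN only, never from the tunnel side.
        iifname != $VPN_IF ip saddr $LAN tcp dport $WEBUI_PORT accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Everything the torrent client sends must leave through the tunnel.
        oifname $VPN_IF accept
        # The only traffic allowed out of the physical interface: the
        # encrypted OpenVPN session itself and LAN-local traffic.
        ip daddr $VPN_SERVER udp dport $VPN_PORT accept
        ip daddr $LAN accept
        # Anything else (IPv4 or IPv6) falls through to policy drop; count it
        # so leak attempts show up in `nft list chain inet killswitch output`.
        counter comment "non-VPN egress blocked"
    }
}
```

Load it with nft -f before openvpn starts; with the tunnel down, the external IP check wget -qO - icanhazip.com should then fail instead of returning the home address.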
VPN Provider
I am currently using PrivateVPN as my public VPN provider. They use openVPN for access, with a login configuration. I noticed that they recently added the capability to use up to 8 Wireguard configurations. After logging in to their website the Wireguard configurations can be found here: PrivateVPN config panel.
OpenVPN setup
Most of the notes below were taken while discovering and implementing the Docker usage of openvpn with the s6 init system. That being said, there may be some handy bits in there.
- To check external IP:
wget -qO - icanhazip.com
(reference from Check External IP From Linux Command Line)
- OpenVPN 2x HOW TO: look at troubleshooting
docker external volumes
There are 2 types of volume needed in this setup.
- Deluge configuration directory
  - I usually like to store my live application configuration files with the docker image / container setup
- Deluge file storage
  - download directories (working directories)
    - actual download working directory
    - torrent file storage directory
  - completed directory where finished torrent files are stored (longer term storage directories)
deluge configuration files
The next step is to get the deluge configuration files outside the ephemeral container storage to some permanent storage:
The -v /mnt/docker_store/media/.config:/root/.config/deluge/ option makes Docker map the external directory /mnt/docker_store/media/ on to the internal directory /root/.config/deluge/.
docker run -it -v /mnt/docker_store/media/.config:/root/.config/deluge/ --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh
deluge working file storage
Clearly deluge files need to be stored outside the docker ephemeral container storage on some permanent storage. I have nfs set up on the host, from which I will set up the relevant sub-directories as volumes on the deluge container for storage. The docker web application allows the store to be selected, however the storage options need to be set up to allow this to function. I will use the container directory /app to store these sub-directories.
-v /mnt/disk2/Media/Temp/Complete:/app/Complete
The final docker run command is now:
docker run -it -v /mnt/docker_store/media/.config:/root/.config/deluge/ -v /mnt/deluge:/app/deluge -v /mnt/disk2/Media/Temp/Complete:/app/Complete --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh
Docker nfs volume
After a couple of minor syntax typos I got the basic docker nfs volume working, but when I tried to get 2 volumes set up it was wonky. To date I have not further investigated why.
Docker network
As described in the vpn section openvpn setup, I decided to go with the docker macvlan network setup. This needs to be separately created and can then be called up when the container is run. A static ip address can be assigned when run.
docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --ip-range=192.168.1.95/30 \
  --gateway=192.168.1.1 \
  -o parent=enp1s0 macnet1
Compose file
My final docker run command was
docker run -it -v /mnt/docker_store/media/.config:/app/.config/deluge/ -v /mnt/docker_store/media/.cache/Python-Eggs:/app/.cache/Python-Eggs -v /mnt/deluge:/app/deluge -v /mnt/disk2/Media/Temp/Complete:/app/Complete --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name deluge deluge-openvpn-nftables /bin/sh
which I had to convert to a docker-compose yml script.
The docker build command to build the image was docker build -t deluge-openvpn-nftables .
The compose.yml file is:
version: '3.9'
services:
  deluge:
    build: ./
    image: deluge-openvpn-nftables:latest
    tty: true
    stdin_open: true
    container_name: deluge
    restart: 'unless-stopped' # always | no | on-failure [:5 (max-retries)]
    volumes:
      - '/mnt/docker_store/media/.config:/app/.config/deluge/'
      - '/mnt/docker_store/media/.cache/Python-Eggs:/app/.cache/Python-Eggs'
      - '/mnt/deluge:/app/deluge'
      - '/mnt/disk2/Media/Temp/Complete:/app/Complete'
    networks:
      macnet1:
        ipv4_address: 192.168.1.98
    cap_add:
      - NET_ADMIN
    command: /bin/sh
networks:
  macnet1:
    external: true
Some basic docker compose commands:
- docker-compose up -d : to start up the container
- docker-compose up -d --build : to start up and force build the container image first
- docker-compose down : to stop and remove the container
- docker-compose stop : to stop the container
- docker-compose start : to start the container
Notes:
- The cap_add: NET_ADMIN is required to allow the container network to allow routing functionality. This is required for the openvpn to operate.
- As I run all my one-shots and longruns using s6 init, there is no command that is running to keep the container open (perhaps a poor explanation). The statement command: /bin/sh not only keeps the container open, it also allows me to shell into it via docker, docker attach servicename. There are 2 ways to get out: use exit in the shell, which attempts to exit, or type control p then control q. (As I am not running an ssh server in the container, ssh cannot be used.)
Environment Variables into Docker
I need to work on this one more. It did not seem to work well for me in attempts to date. I tried again in mailserver setup also to no avail.
S6_KEEP_ENV (default = 0): if set, then the environment is not reset and the whole supervision tree sees the original set of env vars. It switches with-contenv into a nop. I placed ENV S6_KEEP_ENV=1 before first init and all the environment variables were visible.
- s6
  - The s6-env program: s6-env prints the current environment or modifies the environment before running a program.
  - The s6-setuidgid program: s6-setuidgid executes a program as another user. I used this to change the deluged and delugeweb programs not to run as root.
  - The s6-envuidgid program: s6-envuidgid potentially sets the UID, GID and GIDLIST environment variables according to the options and arguments it is given; then it executes into another program.
Alpine Docker BusyBox s6-rc
The Alpine docker image is built using musl, BusyBox and OpenRC, however I have set it up to use s6-rc instead of OpenRC. The “standard” shell commands are built in the ash library with additional commands in BusyBox; BusyBox is a single file. Some additional functionality can be found by using apk add util-linux. See Wikipedia util-linux for a list of additional functionality in util-linux.
A list of BusyBox Commands
References
- Deluge documentation, unfortunately no specific instructions for Alpine Linux….
- Support Documents OpenVPN CLI, again not for Alpine Linux….
Other miscellaneous related references:
- Alpine
- OpenRC I am not using openRC
- S6
- The s6-rc-compile program Describes the functionality of the S6-rc system