Docker Deluge Image / Service

I want a torrent service that uses a VPN and is set-up to block non VPN WAN (internet) access. On my virtual machine implementation of this I used the following 3 packages: deluge (deluged with deluge-web), openvpn and nftables. I have used both iptables and nftables and find nftables is definitely more elegant to use. As far as I can tell there is not a Docker image that will meet my needs.

I have been successfully been running this in a container on my home server since early 2023. This replaced the a similar setup that have I been operating since about 2017 on a virtual machine using Linux KVM/Libvirt/QEMU.

I decided to build this container image based upon Alpine Linux using the S6 init system. The Skarnet.org is the S6 authors web site and main repository.

S6 Service directories

Basic S6 commands:

Reference:

• just-containers/s6-overlay (Version 3.1.6.2 as of 2023-12-30)
• The s6-rc-compile program Describes the functionality of the S6-rc system
• Easy to follow Beginner Guide on s6 Starter Pack

Other Supervisor software discussions:

• Choosing an init process for multi-process containers - Interesting discussion on different init systems, current at that time. (Seems relevant now too.)
• supervisord: Supervisor: A Process Control System
• Use of Supervisor in docker

Dockerfile

FROM alpine:latest

ADD https://github.com/just-containers/s6-overlay/releases/download/v3.1.3.0/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v3.1.3.0/s6-overlay-x86_64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz

ENTRYPOINT ["/init"]

RUN apk update && \
apk --no-cache add openvpn deluge nftables &&\
apk upgrade
#RUN apk add --no-cache tini openrc

COPY privatvpn.conf /etc/openvpn/privatvpn.conf
COPY privatvpn.login /etc/openvpn/privatvpn.login
COPY pre_start_tun.sh /etc/openvpn/
COPY user/* /etc/s6-overlay/s6-rc.d/user/contents.d
#COPY user/pre_start_tun /etc/s6-overlay/s6-rc.d/user/contents.d/
#COPY user/pre_start_nft /etc/s6-overlay/s6-rc.d/user/contents.d/
#COPY user/privatvpn /etc/s6-overlay/s6-rc.d/user/contents.d/
#COPY user/deluged /etc/s6-overlay/s6-rc.d/user/contents.d
#COPY user/delugeweb /etc/s6-overlay/s6-rc.d/user/contents.d

COPY s6-rc.d /etc/s6-overlay/s6-rc.d/
COPY nftables.conf /etc/

EXPOSE 8112/tcp

#ENV PYTHON_EGG_CACHE "/app/.cache/Python-Eggs"

#CMD ["nft", "-f", "/etc/nftables.conf","&&","openvpn","--config","/etc/openvpn/ovpn_file.conf","--daemon","deluged","-d"] 

• docker build -t deluge-openvpn-nftables . - to create the image deluge-openvpn-nftables
• docker run -it -p 8112:8112 –name deluge deluge-openvpn-nftables /bin/sh - to run the docker image deluge-openvpn-nftables as a container called deluge, with port 8112 passed through, the deluge web interface.
• Inside the container shell the deluge system can be started with the command deluge web It looks like I need to write an openrc script to allow the application to be controlled by the build in system.

I use 2 forms of vpn (virtual private network) on my home server.

1. VPN to gain remote secure private access to my home LAN from the WAN (internet). This is where I describe this Wireguard VPN access from WAN to LAN.
2. VPN to anonymize my public internet access, making it more difficult for others to track my online behavior. This is the one I am describing here.
   1. There are some other potential benefits with this style of VPN usage, e.g. greater privacy and ability to have ip address based on different geographic location.

I am currently using PrivateVPN as my public VPN provider. They use openVPN for access, with a login configuration. I noticed that they recently now also have the capability to use up to 8 Wireguard configurations. After logging in to their website the Wireguard configurations can be found here PrivateVPN config panel.

Most of the notes below were taken discovering and implementing the Docker usage of openvpn with the s6 init system. That being said there my be some handy bits in there,

tldr;

• To check external IP wget -qO - icanhazip.com, reference from Check External IP From Linux Command Line
• OpenVPN 2x HOW TO Look at troubleshooting

There are 2 type of volume needs in this set up.

1. Deluge configuration directory
   1. I usually like to store my live application configuration files with the docker image / container setup
2. Deluge file storage
   1. download directories (working directories)
      1. actual download working directory
      2. torrent file storage directory directory
   2. completed directory where finish torrent files are stored (longer term storage directories)

Next set is to get the deluge configuration files outside the ephemeral container storage to some permanent storage:

The -v /mnt/docker_store/media/.config:/root/.config/deluge/ make Docker map the external directory /mnt/docker_store/media/ on to the internal directory, /root/.config/deluge/.

docker run -it -v /mnt/docker_store/media/.config:/root/.config/deluge/ --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh

Clearly deluge files need to be stored outside the docker ephemeral container storage to some permanent storage. I have nfs setup on the host which I will setup relevant sub-directories as volumes on the deluge container for storage. The docker web application allows the store to be selected, however the storage options need to setup to allow function. I will use the container directory /app to store these sub-directories.

• -v /mnt/deluge:/app/deluge the /mnt/deluge directory has the sub-directories Downloads and torrent which will show up as sub-directories under /app/deluge
• -v /mnt/disk2/Media/Temp/Complete:/app/Complete

The final docker run command is now: docker run -it -v /mnt/docker_store/media/.config:/root/.config/deluge/ -v /mnt/deluge:/app/deluge -v /mnt/disk2/Media/Temp/Complete:/app/Complete --network macnet1 --ip=192.168.1.98 --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh

After a couple of minor syntax typos I got the basic docker nfs volume working, but when I tried to get 2 volumes set up it was wonky. To date I have not further investigated why.

tldr;

docker volume create --driver local \
  --opt type=nfs \
  --opt o=addr=[ip-address],rw \
  --opt device=:[path-to-directory] \
  [volume-name]

docker volume create --driver local \
  --opt type=nfs \
  --opt o=addr=192.168.1.10,rw \
  --opt device=:deluge \
  deluge 

docker volume create --driver local \
  --opt type=nfs \
  --opt o=addr=192.168.1.10,rw \
  --opt device=:disk2/Media/Temp/Complete \
  Complete 

As described in the vpn section openvpn setup, I decided to go with the docker macvlan network setup. This needs to be separately created and can then be called up when the container is run. A static ip address can be assigned when run.

docker network create -d macvlan  \
    --subnet=192.168.1.0/24  \
    --ip-range=192.168.1.95/30 \
    --gateway=192.168.1.1  \
    -o parent=enp1s0 macnet1

• Docker Docs: Networking using a macvlan network
• Docker Docs : Networking in Compose
• Macvlan Network Driver
• Docker Macvlan network inside container is not reaching to its own host
• Using Docker macvlan networks
• MacVLAN vs IPvlan: Understand the difference

My final docker run command was docker run -it -v /mnt/docker_store/media/.config:/app/.config/deluge/ -v /mnt/docker_store/media/.cache/Python-Eggs:/app/.cache/Python-Eggs -v /mnt/deluge:/app/deluge -v /mnt/disk2/Media/Temp/Complete:/app/Complete –network macnet1 –ip=192.168.1.98 –cap-add=NET_ADMIN –name deluge deluge-openvpn-nftables /bin/sh which I had to convert to docker-compose yml script.

The docker build command to build the image was docker build -t deluge-openvpn-nftables .

The compose.yml file is:

version: '3.9'
services:
  deluge:
    build: ./
    image: deluge-openvpn-nftables:latest
    tty: true
    stdin_open: true
    container_name: deluge
    restart: 'unless-stopped' # always | no | on-failure [:5 (max-retries)]
    volumes:
      - '/mnt/docker_store/media/.config:/app/.config/deluge/'
      - '/mnt/docker_store/media/.cache/Python-Eggs:/app/.cache/Python-Eggs'  
      - '/mnt/deluge:/app/deluge'
      - '/mnt/disk2/Media/Temp/Complete:/app/Complete'
    networks: 
      macnet1:
        ipv4_address: 192.168.1.98
    cap_add:
      - NET_ADMIN
    command: /bin/sh

networks:
  macnet1:
    external: true

Some basic docker compose commands:

• docker-compose up -d to start up the container
• docker-compose up -d --build to start up and force build the container image first
• docker-compose down to stop and remove the container
• docker-compose stop to stop the container
• docker-compose start to start the container

Notes:

1. The cap_add: NET_ADMIN is required to allow the container network to allow routing functionality. This is required for the openvpn to operate.
2. As I run all my one-shots and longruns using s6 init, this is no command that is running to keep the container open (perhaps a poor explanation) The statement command: /bin/sh not only keeps the container open it also allows me to shell into it via docker, docker attach servicename. There are 2 ways to get out, use exit in the shell which attempts to exit, or type control p then control q. (As I am not running an ssh server in the container, ssh cannot be used.)

I need to work on this one more. It did not seem to work well for me in attempts to date. I tried again in mailserver setup also to no avail.

S6_KEEP_ENV (default = 0): if set, then environment is not reset and whole supervision tree sees original set of env vars. It switches with-contenv into a nop. I placed ENV S6_KEEP_ENV=1 before first init and all the environment variable were visible.

• Docker ARG, ENV and .env - a Complete Guide
• How to Pass Environment Variable Value into Dockerfile
• Linux export Command with Examples
• s6
  • The s6-env program s6-env prints the current environment or modifies the environment before running a program.
  • The s6-setuidgid program s6-setuidgid executes a program as another user. I used this to change the deluged and delugeweb programs not to run as root.
  • The s6-envuidgid program s6-envuidgid potentially sets the UID, GID and GIDLIST environment variables according to the options and arguments it is given; then it executes into another program.

The Alpine docker image is build using musl, BusyBox and OpenRC, however I have setup to use s6-rc instead of OpenRC. The “standard” shell commands are build in the ash library with additional commands in Busybox, Busybox is a single file. Some addtional functionality can be found by using apk add util-linux. See Wikipedia util-linux for a list of additional functionality in util-linux.

A list of BusyBox Commands

• Deluge documentation, unfortunately no specific instructions for Alpine Linux….
• Support Documents OpenVPN CLI, again not for Alpine Linux….

Other miscellaneous related references:

• Alpine
  • Working with the Alpine Package Keeper (apk)
  • Writing Init Scripts
  • OpenRC I am not using openRC
  • How to Run "alpine" In Docker - Tutorial Exact Steps and Docker Tips & Ticks
  • DZone - How to Create a Development Environment on Alpine Linux
• S6
  • just-containers/s6-overlay
  • The s6-rc-compile program Describes the functionality of the S6-rc system
• linuxserver /docker-deluge
• Use Docker and Alpine Linux to build lightweight containers
• How to Use the Alpine Docker Official Image
• How to enable and start services on Alpine Linux
• Docker Docs CLI reference