Servarr - User contributions [en]

System status

2020-12-11T16:39:50Z

Fryfrog: Clarified and added detail to the movie removed from tmdb system message.

== System ==
=== Health ===
==== Overview ====
====== Radarr ======
<section begin=radarr_system_status_health_overview />
This page contains a list of health checks errors. These health checks are periodically performed performed by Radarr and on certain events. The resulting warnings and errors are listed here to give advice on how to resolve them.
<section end=radarr_system_status_health_overview />
====== Sonarr ======
<section begin=sonarr_system_status_health_overview />
This page contains a list of health checks errors. These health checks are periodically performed performed by Sonarr and on certain events. The resulting warnings and errors are listed here to give advice on how to resolve them.
<section end=sonarr_system_status_health_overview />
====== Lidarr ======
<section begin=lidarr_system_status_health_overview />
This page contains a list of health checks errors. These health checks are periodically performed performed by Lidarr and on certain events. The resulting warnings and errors are listed here to give advice on how to resolve them.
<section end=lidarr_system_status_health_overview />
====== Readarr ======
<section begin=readarr_system_status_health_overview />
This page contains a list of health checks errors. These health checks are periodically performed performed by Readarr and on certain events. The resulting warnings and errors are listed here to give advice on how to resolve them.
<section end=readarr_system_status_health_overview />
==== System Warnings ====
===== Radarr =====
<section begin=radarr_system_status_health_system_warnings />
* <span id="update-to-net-core-version">'''[[#update-to-net-core-version|Update to .NET Core version]]'''</span>
** Newer versions of Radarr are targeted for .NET Core. We provide legacy mono builds for those platforms that cannot use .NET Core. You are running one of these legacy builds but your platform supports .NET Core.
** Fixing Docker installs
*** Re-pull your container
** Fixing Standalone installs
*** This should only happen on Linux hosts. <span style="color:#ff0000">'''Do not install .net core runtime or SDK from microsoft.'''</span> To remedy, download the correct build for your architecture:
****[https://radarr.servarr.com/v1/update/master/updatefile?os=linux&runtime=netcore&arch=x64 x64]
****[https://radarr.servarr.com/v1/update/master/updatefile?os=linux&runtime=netcore&arch=arm64 arm64]
****[https://radarr.servarr.com/v1/update/master/updatefile?os=linux&runtime=netcore&arch=arm arm]
***<span style="color:#ff0000">'''Back-Up your existing configuration'''</span> before the next step.
*** '''Delete your existing binaries' (contents or folder of /opt/Radarr)''' and replace with the contents of the <code>.tar.gz</code> you just downloaded.
***<span style="color:#ff0000">'''DO NOT JUST EXTRACT THE DOWNLOAD OVER THE TOP OF YOUR EXISTING BINARIES.<br> YOU MUST DELETE THE OLD ONES FIRST'''.</span>
**** Update your startup script to call <code>Radarr</code> instead of calling it with mono like <code>mono --debug Radarr.exe</code>. In other words you want, as an example, <code>/opt/Radarr/Radarr</code> and '''not''' <code>mono --debug /opt/Radarr/Radarr</code>.
*** If Radarr doesn’t start, ensure you have the dependencies listed [https://docs.microsoft.com/en-us/dotnet/core/install/dependencies?tabs=netcore31&pivots=os-linux here] installed.
** Managed/tooled installs
*** For instructions for Swizzin installs, please read the [https://swizzin.ltd/applications/radarr/#migrating-to-v3-on-net-core Swizzin Docs article]
*** For instructions on Whatbox, please see the [https://whatbox.ca/wiki/Radarr#radarr_v3_(unstable) WB Wiki article]
*<span id="Mono_version_is_less_than_3_10_upgrade_for_improved_stability">'''[[#Mono_version_is_less_than_3_10_upgrade_for_improved_stability|Mono version is less than 3.10, upgrade for improved stability]]'''</span>
** Radarr is written in .Net and requires Mono to run. Versions of 3.10 and above resolved various stability issues we experienced in the past and is considered the minimum supported version.<br />
** Mono version 4.x and higher are also available and provides a better experience on certain platforms.
** See "Update to .NET Core version above"
*<span id="New_update_is_available">'''[[#New_update_is_available|New update is available]]'''</span>
** Rejoice, the developers have released a new update. This generally means awesome new features and squashed piles of bugs (right?). Apparently you don’t have Auto-Updating enabled, so you’ll have to figure out how to update on your platform. Pressing the Install button on the System -> Updates page is probably a good starting point.
**''(This warning will not appear if your current version is less than 14 days old)''
*<span id="Cannot_install_update_because_startup_folder_is_not_writable_by_the_user">'''[[#Cannot_install_update_because_startup_folder_is_not_writable_by_the_user|Cannot install update because startup folder is not writable by the user]]'''</span>
** This means Radarr will be unable to update itself. You’ll have to update Radarr manually or set the permissions on Radarr’s Startup directory (the installation directory) to allow Radarr to update itself.
*<span id="Updating_will_not_be_possible_to_prevent_deleting_AppData_on_Update">'''[[#Updating_will_not_be_possible_to_prevent_deleting_AppData_on_Update|Updating will not be possible to prevent deleting AppData on Update]]'''</span>
** Radarr detected that AppData folder for your Operating System is located inside the directory that contains the Radarr binaries. Normally it would be <code>C:\ProgramData</code> for Windows and, <code>~/.config</code> for linux.
** Please look at System -> Info to see the current AppData & Startup directories.
** This means Radarr will be unable to update itself without risking data-loss.
** If you’re on linux, you’ll probably have to change the home directory for the user that is running Radarr and copy the current contents of the <code>~/.config/Radarr</code> directory to preserve your database.
*<span id="Branch_is_for_a_previous_version">'''[[#Branch_is_for_a_previous_version|Branch is for a previous version]]'''</span>
** The update branch setup in Settings/General is for a previous version of Radarr, therefore the instance will not see correct update information in the System/Updates feed and may not receive new updates when released.
**'''Note:''' Please note that v0.2 will only have critical bugs resolved as of August 2020. Any additional development or features will be solely in V3. Each push to the “develop” branch creates a build on “nightly” release channel (release channel is the “branch” within radarr’s settings), once we push a build to Github it will show up on “develop” release channel.
*<span id="Could_not_connect_to_signalR">'''[[#Could_not_connect_to_signalR|Could not connect to signalR]]'''</span>
** signalR drives the dynamic UI updates, so if your browser cannot connect to signalR on your server you won’t see any real time updates in the UI.
** The most common occurrence of this is on V3 combined with an nginx reverse proxy. Nginx requires the following addition to the location block for radarr:
*::<code>proxy_http_version 1.1;</code>
*::<code>proxy_set_header Upgrade $http_upgrade;</code>
*::<code>proxy_set_header Connection $http_connection;</code>
** Make sure you <span style="color:#ff0000">'''do not'''</span> include <code>proxy_set_header Connection "Upgrade";</code> as suggested by the nginx documentation. <span style="color:#ff0000">'''THIS WILL NOT WORK'''</span>
** See https://github.com/aspnet/AspNetCore/issues/17081
** For apache reverse proxy you need to add to the configuration:
*::<code>Include /etc/apache2/mods-available/proxy_wstunnel.load</code>
*::<code>ProxyPass "/socket" "ws://127.0.0.1:7878/socket"</code>
*::<code>ProxyPassReverse "/socket" "ws://127.0.0.1:7878/socket"</code>
* <span id="missing-root-folder">'''[[#missing-root-folder|Missing Root Folder]]'''</span>
** This error is typically identified if a Movie is looking for a root folder but that root folder is no longer available.
*** If you would like to remove this warning simply find the movie that is still using the old root folder and edit it to the correct root Folder
*** Easiest way to find this is to go to the Movies (Library) Tab and create a custom filter with the old root folder path and then mass edit these movies to the new path.
<section end=radarr_system_status_health_system_warnings />

===== Sonarr =====
<section begin=sonarr_system_status_health_system_warnings />
* <span id="Currently_installed_Net_Framework_is_old_and_unsupported">'''[[#Currently_installed_Net_Framework_is_old_and_unsupported|Currently installed .Net Framework is old and unsupported]]</span>'''
** Sonarr uses the .Net Framework. We need to build Sonarr against the lowest supported version still used by our users. Occasionally we increase the version we build against to be able to utilize new features. Apparently you haven't applied the appropriate Windows updates in a while and need to upgrade .Net to be able to use newer versions of Sonarr.
** Upgrading the .Net Framework is very straightforward on Windows, although it often requires a restart. Please follow the instructions here: https://dotnet.microsoft.com/download/dotnet-framework.
* <span id="Currently_installed_Net_Framework_is_supported_but_upgrading_is_recommended">'''[[#Currently_installed_Net_Framework_is_supported_but_upgrading_is_recommended|Currently installed .Net Framework is supported but upgrading is recommended]]'''</span>
** Sonarr uses the .Net Framework. We need to build Sonarr against the lowest supported version still used by our users. Upgrading to newer versions allows us to build against newer versions and use new Framework features.
** Upgrading the .Net Framework is very straightforward on Windows, although it often requires a restart. Please follow the instructions here: https://dotnet.microsoft.com/download/dotnet-framework.
* <span id="Currently_installed_mono_version_is_old_and_unsupported">'''[[#Currently_installed_mono_version_is_old_and_unsupported|Currently installed mono version is old and unsupported]]'''</span>
** Sonarr is written in .Net and requires Mono to run. Various versions of Sonarr have different minimum versions of Mono to operate correctly. The ideal version of Mono varies per platform.<br />
** Mono 5.4 is the absolute minimum for Sonarr v3 but Mono 5.20 is currently recommended.
** The upgrade procedure for Mono varies per platform.
* <span id="Currently_installed_mono_version_is_supported_but_upgrading_is_recommended">'''[[#Currently_installed_mono_version_is_supported_but_upgrading_is_recommended|Currently installed mono version is supported but upgrading is recommended]]'''</span>
** Sonarr uses the .Net Framework which Mono implements for your system. We need to build Sonarr against the lowest supported version still used by our users. Upgrading to newer versions allows us to build against newer versions and use new Framework features.
** The upgrade procedure for Mono varies per platform.
* <span id="New_update_is_available">'''[[#New_update_is_available|New update is available]]'''</span>
** Rejoice, the developers have released a new update. This generally means awesome new features and squashed piles of bugs (right?). Apparently you don't have Auto-Updating enabled, so you'll have to figure out how to update on your platform. Pressing the Install button on the System -> Updates page is probably a good starting point. But while you're at it, read the change log to find out what the relevant changes were.
** ''(This warning will not appear if your current version is less than 14 days old)''
* <span id="Cannot_install_update_because_startup_folder_is_not_writable_by_the_user">'''[[#Cannot_install_update_because_startup_folder_is_not_writable_by_the_user|Cannot install update because startup folder is not writable by the user]]'''</span>
** This means Sonarr will be unable to update itself. You'll have to update Sonarr manually or set the permissions on Sonarr's Startup directory (the installation directory) to allow Sonarr to update itself.
* <span id="Updating_will_not_be_possible_to_prevent_deleting_AppData_on_Update">'''[[#Updating_will_not_be_possible_to_prevent_deleting_AppData_on_Update|Updating will not be possible to prevent deleting AppData on Update]]'''</span>
**Sonarr detected that AppData folder for your Operating System is located inside the directory that contains the Sonarr binaries. Normally it would be <code>C:\ProgramData</code> for Windows and, <code>~/.config</code> for linux.<br />
** Please look at System -> About to see the current AppData & Startup directories.
** This means Sonarr will be unable to update itself without risking data-loss.
** If you're on linux, you'll probably have to change the home directory for the user that is running Sonarr and copy the current contents of the <code>~/.config/Sonarr</code> directory to preserve your database.
<section end=sonarr_system_status_health_system_warnings />

===== Lidarr =====
<section begin=lidarr_system_status_health_system_warnings />
Text
<section end=lidarr_system_status_health_system_warnings />
===== Readarr =====
<section begin=readarr_system_status_health_system_warnings />
Text
<section end=readarr_system_status_health_system_warnings />

==== Download Clients ====
===== Radarr =====
<section begin=radarr_system_status_health_download_clients />
* <span id="no_download_client_is_available>'''[[#no_download_client_is_available|No download client is available]]'''</span>
** A properly configured and enabled download client is required for Radarr to be able to download media. Since Radarr supports different download clients, you should determine which best matches your requirements. If you already have a download client installed, you should configure Radarr to use it and create a category. See Settings -> Download Client.
* <span id="unable-to-communicate-with-download-client">'''[[#unable-to-communicate-with-download-client|Unable to communicate with download client]]'''</span>
** Radarr was unable to communicate with the configured download client. Please verify if the download client is operational and double check the url. This could also indicate an authentication error.
** This is typically due to improperlly configured download client. Things you can typically check:
*** Your download clients IP Address if its on the same bare metal machien this is typically <code>127.0.0.1</code>
*** The Port number of that your download client is using these are filled out with the default port number but if you've changed it you'll need to have the same one entered into Radarr.
*** Ensure SSL encryption is not turned on if you're using both your Radarr instance and your download client on a local network. See [[Radarr FAQ#Invalid Certificate and other HTTPS or SSL issues|here]] for more information on this one in our FAQ.
* <span id="Download_clients_are_unavailable_due_to_failure">'''[[#Download_clients_are_unavailable_due_to_failure|Download clients are unavailable due to failure]]'''</span>
** One or more of your download clients is not responding to requests made by Radarr. Therefore Radarr has decided to temporarily stop querying the download client on it’s normal 1 minute cycle, which is normally used to track active downloads and import finished ones. However, Radarr will continue to attempt to send downloads to the client, but will in all likeliness fail.
** You should inspect System->Logs to see what the reason is for the failures.
** If you no longer use this download client, disable it in Radarr to prevent the errors.
* <span id="enable_complete_download_handling">'''[[#enable_complete_download_handling|Enable Completed Download Handling]]'''</span>
** Radarr requires Completed Download Handling to be able to import files that were downloaded by the download client. It is recommended to enable Completed Download Handling.
** ''(Completed Download Handling is enabled by default for new users.)''
* <span id="docker-bad-remote-path-mapping">'''[[#docker-bad-remote-path-mapping|Docker bad remote path mapping]]'''</span>
** This error is typically associated with bad docker paths within either your download client or Radarr
*** An example of this would be:
**** Download client: <code>Download Path: /downloads:/mnt/user/downloads</code>
**** Radarr: <code>Download Path: /data:/mnt/user/downloads</code>
**** Within this example the download client places its downloads into <code>/downloads</code> and therefore tells Radarr when its complete that the finished movie is in <code>/downloads</code>. Radarr then comes along and says "Okay, cool, let me check in <code>/downloads</code>" Well, inside Radarr you did not allocate a <code>/downloads</code> path you allocated a <code>/data</code> path so it throws this error.
**** The easiest fix for this is '''CONSISTENCY''' if you use one scheme in your download client, use it across the board.
**** Team Radarr is a big fan of simply using <code>/data</code>.
***** Download client: <code>/data:/mnt/user/data</code>
***** Radarr: <code>/data:/mnt/user/data</code>
***** Now within the download client you can specify where in <code>/data</code> you'd like to place your downloads, now this varies depending on the client but you should be able to tell it "Yeah download client place my files into." <code>/data/torrents (or usenet)/movies</code> and since you used <code>/data</code> in Radarr when the download client tells Radarr it's done Radarr will come along and say "Sweet, I have a <code>/data</code> and I also can see <code>/torrents (or usenet)/movies</code> all is right in the world."
*** There are many great write ups by some very talented people one on our wiki [[Docker Guide]] and the other by TRaSH with his [https://trash-guides.info/Misc/how-to-set-up-hardlinks-and-atomic-moves/ How To Set Up Hardlinks and Atomic-Moves] Now these guides place heavy emphasis on Hardlinks and Atomic moves (if you're using torrents you SERIOUSLY need to be using this) but the general concept of containers and how path mapping works is the core of these discussions.
<section end=radarr_system_status_health_download_clients />

===== Sonarr =====
<section begin=sonarr_system_status_health_download_clients />
* <span id="No_download_client_is_available">'''[[#No_download_client_is_available|No download client is available]]'''</span>
** A properly configured and enabled download client is required for Sonarr to be able to download media. Since Sonarr supports different download clients, you should determine which best matches your requirements. If you already have a download client installed, you should configure Sonarr to use it and create a category. See Settings -> Download Client.
*<span id="unable-to-communicate-with-download-client">'''[[#unable-to-communicate-with-download-client|Unable to communicate with download client]]'''</span>
** Sonarr was unable to communicate with the configured download client. Please verify if the download client is operational and double check the url. This could also indicate an authentication error.
* <span id="Download_clients_are_unavailable_due_to_failure">'''[[#Download_clients_are_unavailable_due_to_failure|Download clients are unavailable due to failure]]'''</span>
** One or more of your download clients is not responding to requests made by Sonarr. Therefore Sonarr has decided to temporarily stop querying the download client on it's normal 1 minute cycle, which is normally used to track active downloads and import finished ones. However, Sonarr will continue to attempt to send downloads to the client, but will in all likeliness fail.
** You should inspect System->Logs to see what the reason is for the failures.
** If you no longer use this download client, disable it in Sonarr to prevent the errors.
* <span id="Enable_Completed_Download_Handling_or_configure_Drone_Factory">'''[[#Enable_Completed_Download_Handling_or_configure_Drone_Factory|Enable Completed Download Handling or configure Drone Factory]]'''</span>
** Sonarr requires Completed Download Handling or a properly configured Drone Factory to be able to import files that were downloaded by the download client. It is recommended to enable Completed Download Handling.
** ''(Completed Download Handling is enabled by default for new users.)''
<section end=sonarr_system_status_health_download_clients />

===== Lidarr =====
<section begin=lidarr_system_status_health_download_clients />
Text
<section end=lidarr_system_status_health_download_clients />
===== Readarr =====
<section begin=readarr_system_status_health_download_clients />
Text
<section end=readarr_system_status_health_download_clients />

==== Completed/Failed Download Handling ====
===== Radarr =====
<section begin=radarr_system_status_health_complete_failed_download_handling />
* <span id="Completed_Download_Handling_is_disabled">'''[[#Completed_Download_Handling_is_disabled|Completed Download Handling is disabled]]'''</span>
** ''(This warning is only generated for existing users before when the Completed Download Handling feature was implemented. This feature is disabled by default to ensure the system continued to operate as expected for current configurations.)''
** It’s recommended to switch to Completed Download Handling since it provides better compatibility for the unpacking and post-processing logic of various download clients. With it, Radarr will only import a download once the download client reports it as ready.
** If you don’t wish to enable Completed Download Handling at all and wants to remove the warning. You can enable and then disable Completed Download Handling. This obviously isn’t recommended.
** If you wish to enable Completed Download Handling you should verify the following: * '''Warning''': Completed Download Handling only works properly if the download client and Radarr are on the same machine since it gets the path to be imported directly from the download client. * If you added a post-processing script to Sabnzbd/NzbGet to notify Radarr that it should scan the Drone Factory. You ''SHOULD'' disable this script to prevent conflicts. * Completed Download Handling and the Drone Factory cannot be configured for the same directory. If Completed Download Handling detects a download resides in the Drone Factory it will be ignored. (again to prevent conflicts)<br />
** You should reconfigure Radarr to use a different Drone Factory Folder or disable it altogether.<br />
** Alternatively you can change the output folder for the Category, as long as that output folder is not a subdirectory of the Drone Factory Folder.
** Both Completed Download Handling and the Drone Factory logic generates Import Events in history while importing files. However, only Completed Download Handling associates this Import event with a Download Client history item. If Completed Download Handling was enabled recently, your download client may still contain history items that were already imported but do not have a history event with the same unique id. Radarr attempts to resolve this issue automatically, occassionally Radarr may be unable to make that association and cause a ‘Completed’ download to be listed in the History -> Queue table forever. The easiest way to resolve this is to clear your Download Client history, or only those individual items. Alternatively you can rename the category.
<section end=radarr_system_status_health_complete_failed_download_handling />

===== Sonarr =====
<section begin=sonarr_system_status_health_complete_failed_download_handling />
* <span id="Completed_Download_Handling_is_disabled">'''[[#Completed_Download_Handling_is_disabled|Completed Download Handling is disabled]]'''</span>
**''(This warning is only generated for existing users before when the Completed Download Handling feature was implemented. This feature is disabled by default to ensure the system continued to operate as expected for current configurations.)''
** It's recommended to switch to Completed Download Handling since it provides better compatibility for the unpacking and post-processing logic of various download clients. With it, Sonarr will only import a download once the download client reports it as ready.
** If you don't wish to enable Completed Download Handling at all and wants to remove the warning. You can enable and then disable Completed Download Handling. This obviously isn't recommended.
** If you wish to enable Completed Download Handling you should verify the following:
*** '''Warning''': Completed Download Handling only works properly if the download client and Sonarr are on the same machine since it gets the path to be imported directly from the download client.
*** If you added a post-processing script to Sabnzbd/NzbGet to notify Sonarr that it should scan the Drone Factory. You ''SHOULD'' disable this script to prevent conflicts.
*** Completed Download Handling and the Drone Factory cannot be configured for the same directory. If Completed Download Handling detects a download resides in the Drone Factory it will be ignored. (again to prevent conflicts)<br />
Alternatively you can change the output folder for the Category, as long as that output folder is not a subdirectory of the Drone Factory Folder.
** Both Completed Download Handling and the Drone Factory logic generates Import Events in history while importing files. However, only Completed Download Handling associates this Import event with a Download Client history item. If Completed Download Handling was enabled recently, your download client may still contain history items that were already imported but do not have a history event with the same unique id. Sonarr attempts to resolve this issue automatically, occassionally Sonarr may be unable to make that association and cause a 'Completed' download to be listed in the History -> Queue table forever. The easiest way to resolve this is to clear your Download Client history, or only those individual items. Alternatively you can rename the category.
<section end=sonarr_system_status_health_complete_failed_download_handling />
===== Lidarr =====
<section begin=lidarr_system_status_health_complete_failed_download_handling />
Text
<section end=lidarr_system_status_health_complete_failed_download_handling />
===== Readarr =====
<section begin=readarr_system_status_health_complete_failed_download_handling />
Text
<section end=readarr_system_status_health_complete_failed_download_handling />

==== Indexers ====
===== Radarr =====
<section begin=radarr_system_status_health_indexers />
* <span id="No_indexers_are_enabled">'''[[#No_indexers_are_enabled|No indexers are enabled]]'''</span>
** Radarr requires indexers to be able to discover new releases. Please read the wiki on instructions how to add indexers.
* <span id="Enabled_indexers_do_not_support_searching">'''[[#Enabled_indexers_do_not_support_searching|Enabled indexers do not support searching]]''' </span>
** None of the indexers you have enabled support searching. This means Radarr will only be able to find new releases via the RSS feeds. But searching for movies (either Automatic Search or Manual Search) will never return any results. Obviously, the only way to remedy it is to add another indexer.
* <span id="Indexers_are_unavailable_due_to_failures">'''[[#Indexers_are_unavailable_due_to_failures|Indexers are unavailable due to failures]]'''</span>
** Errors occurs while Radarr tried to use one of your indexers. To limit retries, Radarr will not use the indexer for an increasing amount of time (up to 24h).
** This mechanism is triggered if Radarr was unable to get a response from the indexer (could be dns, connection, authentication or indexer issue), or unable to fetch the nzb/torrent file from the indexer. Please inspect the logs to determine what kind of error causes the problem.
** You can prevent the warning by disabling the affected indexer.
** Run the Test on the indexer to force Radarr to recheck the indexer, please note that the Health Check warning will not always disappear immediately.
<section end=radarr_system_status_health_indexers />

===== Sonarr =====
<section begin=sonarr_system_status_health_indexers />
* <span id="No_indexers_are_enabled">'''[[#No_indexers_are_enabled|No indexers are enabled]]'''</span>
** Sonarr requires indexers to be able to discover new releases. Please read the wiki on instructions how to add indexers.
* <span id="Enabled_indexers_do_not_support_searching">'''[[#Enabled_indexers_do_not_support_searching|Enabled indexers do not support searching]]'''</span>
** None of the indexers you have enabled support searching. This means Sonarr will only be able to find new releases via the RSS feeds. But searching for episodes (either Automatic Search or Manual Search) will never return any results. Obviously, the only way to remedy it is to add another indexer.
* <span id="Indexers_are_unavailable_due_to_failures">'''[[#Indexers_are_unavailable_due_to_failures|Indexers are unavailable due to failures]]'''</span>
** Errors occurs while Sonarr tried to use one of your indexers. To limit retries, Sonarr will not use the indexer for an increasing amount of time (up to 24h).<br />
** This mechanism is triggered if Sonarr was unable to get a response from the indexer (could be dns, connection, authentication or indexer issue), or unable to fetch the nzb/torrent file from the indexer. Please inspect the logs to determine what kind of error causes the problem.
** You can prevent the warning by disabling the affected indexer.
**Run the Test on the indexer to force Sonarr to recheck the indexer, please note that the Health Check warning will not always disappear immediately.
<section end=sonarr_system_status_health_indexers />
===== Lidarr =====
<section begin=lidarr_system_status_health_indexers />
Text
<section end=lidarr_system_status_health_indexers />
===== Readarr =====
<section begin=readarr_system_status_health_indexers />
Text
<section end=readarr_system_status_health_indexers />

==== Folders ====
===== Radarr =====
<section begin=radarr_system_status_health_folders />
* <span id="Missing_root_folder">'''[[#Missing_root_folder|Missing root folder]]'''</span>
** This message may appear if a previous root folder is no longer used. To remove old root folders:
*** Begin adding a new Movie* by searching for a name, but do not submit
*** In the 'Path' dropdown, select 'Add a different path'
*** Click the cross at the end of a row to remove the unused path
** Note - if the folder has been removed from the operating system, you will need to recreate the folder in the operating system, and restart Radarr, or else you will not be able to select it from the dropdown box. After that you can remove the path from the operating system.
** The message will continue to appear until all movies have their root folder updated to the new root folder. To change the root folder for other movies, visit the movies editor.
*** NB: I thought Radarr was for Movies and not Series
<section end=radarr_system_status_health_folders />

===== Sonarr =====
<section begin=sonarr_system_status_health_folders />
* <span id="Missing root folder">'''[[#Missing root folder|Missing root folder]]'''</span>
** This message may appear if a previous root folder is no longer used. To remove old root folders:
**# Begin adding a new Series by searching for a name, but do not submit
**# In the 'Path' dropdown, select 'Add a different path'
**# Click the cross at the end of a row to remove the unused path
** Note - if the folder has been removed from the operating system, you will need to recreate the folder in the operating system, and restart Sonarr, or else you will not be able to select it from the dropdown box. After that you can remove the path from the operating system.
** The message will continue to appear until all series have their root folder updated to the new root folder. To change the root folder for other series, visit the series editor.
<section end=sonarr_system_status_health_folders />
===== Lidarr =====
<section begin=lidarr_system_status_health_folders />
Text
<section end=lidarr_system_status_health_folders />
===== Readarr =====
<section begin=readarr_system_status_health_folders />
Text
<section end=readarr_system_status_health_folders />

==== Media ====
===== Radarr =====
<section begin=radarr_system_status_health_media />
* <span id="Movie was removed from TMDb">'''[[#Movie was removed from TMDb|Movie was removed from TMDb]]'''</span>
** The movie is linked to a TMDbId that was deleted from TMDb, usually because it was a duplicate, wasn't a movie or changed ID for some other reason. Deleted movies will not receive any updates and should be corrected by the user to ensure continued functionality. Remove the movie from Radarr w/o deleting the files, then try to re-add it. If it doesn't show up in a search, check Sonarr because it might be a TV miniseries like Stephen King's It.<br />
** You can find and edit deleted movies by creating a custom filter using the following steps: 1. Click Movies from the left menu 2. Click the dropdown on Filter and select “Custom Filter” 3. Enter a label, for example “Deleted Movies” 4. Make the filter as follows: Status is Deleted 5. Click save and select the newly created filter from the filter dropdown menu
<section end=radarr_system_status_health_media />
===== Sonarr =====
<section begin=sonarr_system_status_health_media />
* <span id="Series_Removed_from_TheTVDB">'''[[#Series_Removed_from_TheTVDB|Series Removed from TheTVDB]]'''</span>
** The affected series were removed from TheTVDB, this usually happens because it is a duplicate or considered part of a different series. To correct you will need to remove the affected series and add the correct series.
<section end=sonarr_system_status_health_media />
===== Lidarr =====
<section begin=lidarr_system_status_health_media />
Text
<section end=lidarr_system_status_health_media />
===== Readarr =====
<section begin=readarr_system_status_health_media />
Text
<section end=readarr_system_status_health_media />

=== Disk Space ===
==== Radarr ====
<section begin=radarr_system_status_disk_space />
* This section will show you available disk space
** In docker this can be tricky as it will typically show you the available space w/in your Docker image
<section end=radarr_system_status_disk_space />

==== Sonarr ====
<section begin=sonarr_system_status_disk_space />
Text
<section end=sonarr_system_status_disk_space />
==== Lidarr ====
<section begin=lidarr_system_status_disk_space />
Text
<section end=lidarr_system_status_disk_space />
==== Readarr ====
<section begin=readarr_system_status_disk_space />
Text
<section end=readarr_system_status_disk_space />

=== About ===
==== Radarr ====
<section begin=radarr_system_status_about />
This will tell you about your current install of Radarr
<section end=radarr_system_status_about />

==== Sonarr ====
<section begin=sonarr_system_status_about />
Text
<section end=sonarr_system_status_about />
==== Lidarr ====
<section begin=lidarr_system_status_about />
Text
<section end=lidarr_system_status_about />
==== Readarr ====
<section begin=readarr_system_status_about />
Text
<section end=readarr_system_status_about />

=== More Info ===
==== Radarr ====
<section begin=radarr_system_status_more_info />
* Home page: [https://radarr.video Radarr's home page]
* Discord: [https://discord.gg/r5wJPt9 Join our discord]
* Wiki: [https://wiki.servarr.com You're here already]
* Donations: If you're feeling generous and would like to donate click [https://opencollective.com/radarr here]
* Source: [https://github.com/Radarr/Radarr Github]
* Feature Requests: Got as great idea drop it [https://github.com/Radarr/Radarr/issues here]
<section end=radarr_system_status_more_info />

==== Sonarr ====
<section begin=sonarr_system_status_more_info />
Text
<section end=sonarr_system_status_more_info />
==== Lidarr ====
<section begin=lidarr_system_status_more_info />
Text
<section end=lidarr_system_status_more_info />
==== Readarr ====
<section begin=readarr_system_status_more_info />
Text
<section end=readarr_system_status_more_info />

=== Templates ===

Template:Troubleshooting

2020-11-24T18:47:27Z

Fryfrog: /* Troubleshooting Downloads and Importing */

<noinclude>
<templatedata>
{
"params": {
"ARRNAME": {
"description": "Name of the Application",
"example": "Radarr",
"type": "string",
"required": true
},
"ARR_DISCORD": {
"description": "Link to the ARR #support Discord",
"type": "url",
"required": true
},
"ARR_WEBSITE": {
"description": "Link to the ARR Website",
"type": "url",
"required": true
},
"ARR_LATEST_RELEASE": {
"description": "Link to the ARR Download",
"type": "url",
"required": true
}
}
}
</templatedata>
</noinclude>
== Troubleshooting ==
----
Please note that this information is only for <span style="color:#ff0000">{{{ARRNAME}}} {{{VERSION}}}</span>.
=== Asking for Help ===
----
Do you need help? That's okay, everyone needs help sometimes. You can get real time help via chat on [{{{ARR_DISCORD}}} Discord] or [https://www.reddit.com/r/{{{ARRNAME}}} Reddit].

But before you go there and post, be sure your request for help is the best it can be. Clearly describe the problem and briefly describe your setup, including things like your OS/distribution, version of Mono (if not Windows and not .Netcore), version of {{{ARRNAME}}}, download client and its version. '''If you are using [https://www.docker.com/ Docker] please run through [[Docker Guide|the Docker Guide]] first as that will solve common and frequent path/permissions issues. Otherwise please have a [[Docker Guide#Docker-compose|docker compose]] handy''' Tell us about what you've tried already, what you've looked at. Use the Logging and Log Files to turn your logging up to trace, recreate the issue, pastebin the relevant context and include a link to it in your post. Maybe even include some screen shots to highlight the issue.

The more we know, the easier it is to help you.

== Logging and Log Files ==

==== Location ====
The log files are located in {{{ARRNAME}}}'s [[{{{ARRNAME}}} Appdata Directory|Appdata Directory]], inside the logs/ folder. You can also access the log files from the {{{ARRNAME}}} UI at System -> Logs -> Files.

Note: The Logs Table in the UI is not the same as the log files and isn't as useful. If you're asked for logs, please copy/paste from the log files and not the table.

==== Sharing Logs ====
The logs can be long and hard to read as part of a forum or [https://www.reddit.com/r/{{{ARRNAME}}} Reddit] post and they're spammy in [{{{ARR_DISCORD}}} Discord], so please use a [https://pastebin.com Pastebin]. The whole file typically isn't needed, just a good amount of context from before and after the issue/error. Don't forget to wait for spammy tasks like the RSS sync or library refresh to finish.

==== Trace/Debug Logs ====

You can change the log level at Settings -> General -> Logging. {{{ARRNAME}}} does not need to restarted for the change to take effect. This change only effects the log files, not the logging database. The latest debug/trace log files are named <code>{{{ARRNAME}}}.debug.txt</code> and <code>{{{ARRNAME}}}r.trace.txt</code> respectively.

If you're unable to access the {{{ARRNAME}}} UI to set the logging level you can do so by editing config.xml in the AppData directory by setting the LogLevel value to Debug or Trace instead of Info.
<div style="margin-left: 2em;"><pre>
<Config>
...
<LogLevel>debug</LogLevel>
...
</Config>
</pre></div>

==== Clearing Logs ====

You can clear log files and the logs database directly from the UI, under System -> Logs -> Files and System -> Logs -> Delete (Trash Can Icon)

==== Multiple Log Files ====

{{{ARRNAME}}} uses rolling log files limited to 1MB each. The current log file is always ,<code>{{{ARRNAME}}}.txt</code>, for the the other files <code>{{{ARRNAME}}}.0.txt</code> is the next newest (the higher the number the older it is) up to 6 log files total. This log file contains fatal,error,warn and info entries.

When Debug log level is enabled, additional <code>{{{ARRNAME}}}.debug.txt</code> rolling log files will be present, up to 51 files. This log files contains fatal, error, warn, info, and debug entries. It usually covers a 40h period.

When Trace log level is enabled, additional <code>{{{ARRNAME}}}.trace.txt</code> rolling log files will be present, up to 51 files. This log files contains fatal, error, warn, info, debug, and trace entries. Due to trace verbosity it only covers a couple of hours.

== Recovering from a Failed Update ==
----
==== Purpose ====
We do everything we can to prevent issues when upgrading, but they occur, this will walk you through the steps of recovering your installation.

==== Determine the issue ====
The best place to look when {{{ARRNAME}}} won't start after an update is your log files, before trying to start {{{ARRNAME}}} again, use [[{{{ARRNAME}}} Settings#Logging|Logging]] and [[{{{ARRNAME}}} System#Log_Files|Log Files]] to find them and increase the log level.

'''Migration Issue'''

Migration errors won't be identical, but here is an example:

<code>
14-2-4 18:56:49.5|Info|MigrationLogger|*** 36: update_with_quality_converters migrating ***

14-2-4 18:56:49.6|Error|MigrationLogger|SQL logic error or missing database duplicate column name: Items

While Processing: "ALTER TABLE "QualityProfiles" ADD COLUMN "Items" TEXT"

</code>

==== Resolving the issue ====
In the event of a migration issue there is not much you can do immediately, if the issue is specific to you (or there are not yet any posts), please create a post on [https://reddit.com/r/{{{ARRNAME}}} our subreddit], if there are others with the same issue, then rest assured we are working on it.

==== Manually upgrading ====
Grab the latest release from [{{{ARR_WEBSITE}}} our website] - if you're running the develop version you can get the latest release [{{{ARR_LATEST_RELEASE}}} HERE]

Install the update (.exe) or extract (.zip) the contents over your existing installation and re-run {{{ARRNAME}}} as you normally would.

== Downloads and Importing ==

Downloading and importing is where ''most'' people experience issues. From a high level perspective, {{{ARRNAME}}} needs to be able to communicate with your download client and have access to the files it downloads. There is a large variety of supported download clients and an even ''bigger'' variety of setups. This means that while there are some ''common'' setups, there isn’t one ''right'' setup and everyone’s setup can be a little different.

Start by using the [[#Logging and Log Files|logging and log files]] article to turn logging up to trace, it is likely you’re going to need to look at them to figure out what is wrong. And if you can’t, anyone you ask for help will need to see them for sure. Remember to get them from the actual log file, put them in a pastebin and show us context around what we need to see. Nobody wants to dig through the whole trace log (it is huge!), but just a line or two is unlikely to help.

When you reach out for help, be sure to read [[#Asking for Help|asking for help]] so that you can provide us with the details we’ll need.

=== Testing the Download Client ===

Start by testing the download client, if it doesn’t work you’ll be able to see details in the trace level logs. You should find a URL you can put into your browser and see if it works. It could be a connection problem, which could indicate a wrong ip, hostname, port or even a firewall blocking access. It might be obvious, like an authentication problem where you’ve gotten the username, password or apikey wrong.

=== Testing a Download ===

Now we’ll try a download, pick a {{{MEDIA}}} and do a manual search. Pick one of those files and attempt to download it. Does it get sent to the download client? Does it end up with the correct category? Does it show up in Activity? Does it end up in the trace level logs during the '''Check For Finished Download''' task which runs roughly every minute? Does it get correctly parsed during that task? Does the queued up download have a reasonable name? Since {{{ARRNAME}}} searches by '''{{{SEARCHSOURCE}}}''', on most indexers/trackers, it can queue one up with a name that it can’t recognize.

=== Testing an Import ===

Import issues should almost always manifest as an item in Activity with an orange icon you can hover to see the error. If they’re not showing up in Activity, this is the issue you need to focus on first so go back and figure that out. Most import errors are ''permissions'' issues, remember that {{{ARRNAME}}} needs to be able to read and write in the download folder. Sometimes, permissions in the library folder can be at fault too, so be sure to check both.

Incorrect path issues are possible too, though less common in normal setups. The key to understanding path issues is knowing that {{{ARRNAME}}} gets the path to the download ''from'' the download client, via its API. This becomes a problem in more unique use cases, like the download client running on a different system (maybe even OS!). It can also occur in a Docker setup, when volumes are not done well. A remote path map is a good solution where you don’t have control, like a seedbox setup. On a Docker setup, fixing the paths is a better option.

=== Common Problems ===

==== Can’t see share on Windows ====

The default user for a Windows service is '''SYSTEM''' which typically doesn’t have access to your shares. Edit the service and set it up to run as your own user, see the FAQ entry [[]{{{ARRNAME}}} FAQ#Why can’t {{{ARRNAME}}} see my files on a remote server?|why can’t {{{ARRNAME}}} see my files on a remote server]] for details.

==== Mapped network drives are not reliable ====

While mapped network drives like <code>X:\</code> are convenient, they aren’t as reliable as UNC paths like <code>\\server\share</code> and they’re also not available before login. Setup {{{ARRNAME}}} and your download client(s) so that they use UNC paths as needed. If your library is on a share, you’d make sure your root folders are using UNC paths. If your download client sends to a share, that is where you’ll need to configure UNC paths since {{{ARRNAME}}} gets the download path from the download client. It is fine to keep your mapped network drives to use yourself, just don’t use them for automation.

==== Docker and user, group, ownership, permissions and paths ====

Docker adds another layer of complexity that is easy to get wrong, but still end up with a setup that functions, but has various problems. Instead of going over them here, read this wiki article [https://old.reddit.com/r/usenet/wiki/docker for these automation software and Docker] which is all about user, group, ownership, permissions and paths. It isn’t specific to any Docker system, instead it goes over things at a high level so that you can implement them in your own environment.

==== Download client clearing items ====

The download client should ''not'' be responsible for removing downloads. Usenet clients should be configured so they ''don’t'' remove downloads from history. Torrent clients should be setup so they ''don’t'' remove torrents when they’re finished seeding (pause or stop instead). This is because {{{ARRNAME}}} communicates with the download client to know what to import, so if they’re ''removed'' there is nothing to be imported… even if there is a folder full of files.

==== Download folder and library folder not different folders ====

The download client should download into a temporary-ish folder and {{{ARRNAME}}} should import from that into your Library folder. If you download right into your library folder, you’ll end up with multiple copies of episodes and when there are import issues, you may not notice because your media server will see the download client copy. The download folder will also be a hot mess of poorly named folders and files while your library folder will be nice and neat.

==== Incorrect category ====

{{{ARRNAME}}} should be setup to use a category so that it only tries to process its own downloads. It is rare that a torrent submitted by {{{ARRNAME}}} gets added w/o the correct category, but it can happen. If you’re adding torrents manually and want {{{ARRNAME}}} to process them, they’ll need to have the correct category. It can be set at any time, since {{{ARRNAME}}} tries to process downloads every minute.

==== Packed torrents ====

If your torrent is packed in <code>.rar</code> files, you’ll need to setup extraction. You can typically search your torrent client’s name and “unpack” to find a solution. There are some other interesting solutions in this space, like [https://github.com/davidnewhall/unpackerr unpackerr] and [https://sourceforge.net/projects/rarfs/ rarfs], but they’re more complicated. One issue to look out for with packed torrents is that the video file will be copied or hard linked like normal, but it isn’t needed since the <code>.rar</code> files are seeding. That means if you’re using a ''copy'' setup, the torrent will be consuming double the space. And if you’re using a hard link setup, your torrent folder will be a little messier because of the unneeded file. This can be mitigated w/ a [https://gist.github.com/fryfrog/94716e7e27ba38dff57c7631d9f58bed cleanup script].

==== Permissions on the destination ====

Don’t forget to check permissions and ownership of the ''destination''. It is easy to get fixated on the download’s ownership and permissions and that is ''usually'' the cause of permissions related issues, but it ''could'' be the destination as well. Check that the destination folder(s) exist. Check that a destination ''file'' doesn’t already exist or can’t be deleted or moved to recycle bin. Check that ownership and permissions allow the downloaded file to be copied, hard linked or moved.

==== Repeated downloads ====

There are a few causes of repeated downloads, but a recent one is related to the Indexer restriction in Release Profiles. Because the indexer ''isn’t'' stored w/ the episode data, any preferred word scores are ''zero'' for episodes in your library, ''but'' during “RSS” and search, they’ll be applied. This gets you into a loop where you download the items again and again because it looks like an upgrade, then isn’t, then shows up again and looks like an upgrade, then isn’t. Don’t restrict your release profile to an indexer. See issue [https://github.com/{{{ARRNAME}}}/{{{ARRNAME}}}/issues/3853 #3853].

==== Usenet download misses import ====

{{{ARRNAME}}} only looks at the 30 most recent downloads in sabnzbd and nzbget, so if you ''keep'' your history this means that during large queues with import issues, downloads can be silently missed and not imported. The best way to avoid that is to keep your history clear, so that any items that still appear need investigating. You can achieve this by enabling Remove under Completed and Failed Download Handler. In nzbget, this will move items to the ''hidden'' history which is great. Unfortunately, sabnzbd does not have a similar feature. The best you can achieve there is to use the nzb backup folder.

==== qBittorrent 4.3.x ====

This version of qB changed how torrent folder and torrent name relate, previous to this the folder was named after the torrent. Starting in this version, the torrent folder name can be different. There is a [https://github.com/{{{ARRNAME}}}/{{{ARRNAME}}}/pull/3346 pull request] working on solving this, but in the mean time the simplest solution is to stick with 4.2.5 for now. Existing torrents can be fixed by renaming the folder to the name of the torrent.

== Searches Indexers and Trackers ==

=== Turn logging up to trace ===

The first step is to turn logging up to Trace, see [[#Logging and Log Files|Logging and Log Files]] for details. You’ll then reproduce the issue and use the trace level logs from that time frame to examine the issue. If someone is helping you, put context from before/after in a [https://paste.ubuntu.com pastebin] to show them. It doesn’t need to be the whole file and it shouldn’t ''just'' be the error. You should also reproduce the issue while tasks that spam the log file aren’t running.

=== Testing an Indexer or Tracker ===

When you test an indexer or tracker, in debug or trace logs you can find the URL used. An example of a successful test is below, you can see it query the indexer via a specific URL with specific parameters and then the response. You test this url in your browser like <code>{{{QUERYSTRING}}}</code> replacing the <code>apikey=(removed)</code> with the correct apikey like <code>apikey=123</code>. You can experiment with the parameters if you’re getting an error from the indexer or see if you have connectivity issues if it doesn’t even work. After you’ve tested in your own browser, you should test from the system {{{ARRNAME}}} is running on ''if'' you haven’t already.

{{#lst::Troubleshooting Misc|{{{ARRNAME2}}}_indexers_and_trackers_code_block}}

=== Testing a Search ===
{{#lst::Troubleshooting Misc|{{{ARRNAME2}}}_indexers_and_trackers_testing_a_search}}

[[images/Series.Season.Episode.v3.png]]

[[images/Series.Season.Episode.Search.Manual.png]]

{{#lst::Troubleshooting Misc|{{{ARRNAME2}}}_indexers_and_trackers_code_block2}}

You can find this ''full'' trace log at [[Manual Episode Search Trace Log]] along with a pastebin link that is easier to read.

=== Common Problems ===

==== Wrong categories ====

Incorrect categories is probably the most common cause of results showing in manual searches of an indexer/tracker, but ''not'' in {{{ARRNAME}}}. The indexer/tracker ''should'' show the category in the search results, which should help you figure out what is missing. If you’re using Jackett, each tracker has a list of specifically supported categories. Make sure you’re using the correct ones for Categories. I find it helpful to have the list visible in one browser window while I edit the entry in {{{ARRNAME}}}.
{{#lst::Troubleshooting Misc|{{{ARRNAME2}}}_indexers_and_trackers_type}}
==== Wrong results ====

Sometimes indexers will return completely unrelated results, {{{ARRNAME}}} will feed in parameters to limit the search to a {{{SEARCHSOURCE}}}, but the results returned are completely unrelated. Or sometimes, mostly related with a few incorrect results. The first is usually an indexer problem and you’ll be able to tell from the trace logs which is causing it. You can disable that indexer and report the problem. The other is usually categorized releases which should be reportable on the indexer/tracker.

==== Certificate validation ====

You’ll be connecting to most indexers/trackers via https, so you’ll need that to work properly on your system. That means your time zone and time both need to be set ''correctly''. It also means your system certificates need to be up to date. And if you’re using Mono, <code>MONO_TLS_PROVIDER=legacy</code> was a fix from ''years'' ago that should ''not'' be used anymore, so make sure you’re not setting that accidentally.

==== Hitting rate limits ====

If you run your {{{ARRNAME}}} through a VPN or proxy, you may be competing with 10s or 100s or 1000s of other people all trying to use services like {{{SEARCHSOURCE}}}, Xem and/or your indexers and trackers. Rate limiting and ddos protection are often done by IP address and your VPN/proxy exit point is ''one'' IP address. Unless you’re in a repressive country like China, Australia or South Africa you don’t need to VPN/proxy your {{{ARRNAME}}}/Radarr.

==== Using the Jackett /all endpoint ====

The Jackett <code>/all</code> endpoint is convenient, but that is essentially its only benefit. Everything else is potential problems, so adding each tracker individually is preferred. It allows for fine tuning of categories on a per tracker basis, which can be a problem w/ the <code>/all</code> end point if using the wrong category causes errors on some. In {{{ARRNAME}}}, each indexer/tracker is limited to 1000 results if pagination is supported or 100 if not, which means as you add more and more trackers to Jackett, you’re more and more likely to clip results. Finally, if ''one'' of the trackers in <code>/all</code> returns an error, {{{ARRNAME}}} will disable it and now you don’t get any results.

=== Errors ===

These are some of the common errors you may see when adding an indexer

==== The underlying connection was closed: An unexpected error occurred on a send. ====

This is caused by the indexer using a SSL protocol not supported by .net 4.5, to resolve this you will need to install .net 4.5, which is available on Vista/Server 2008 and above (if you’re on XP/Server 2003 its time to upgrade).

==== Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ====

This is caused by the indexer using a new certificate authority that is not trusted by mono 2.10. The solution is to upgrade to mono 3.x, on Ubuntu this can be done via this method: http://stackoverflow.com/a/13384233/882971 We recommend upgrading to mono 3.x to fix a number of bugs and add support for .net 4.5 features.

==== The request timed out ====

{{{ARRNAME}}} seems to have issues with certain TLS versions or configurations. If you get the following error messages in your log: > System.Net.WebException: The request timed out: ’https://example.org/api?t=caps&apikey=(removed) —> System.Net.WebException: The request timed out

And you can see the following in the trace logfile: > <DATE&TIME>|Trace|FallbackHttpDispatcher|Curl not available, using default WebClient.

You might fix it by installing libcurl3. On Ubuntu/Debian use > apt install libcurl3

Docker Guide

2020-10-07T19:57:09Z

Fryfrog: /* Get docker-compose */

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code>, <code>nobody</code> or <code>hotio</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using. The last argument(s) are your container names and you can pass in as many as needed at the same time. The first container name is required, more are optional. You can see container names in the '''NAMES''' column of `docker ps`, they're usually set by you or might be generated based on the image like <code>binhex-qbittorrent</code>. It is ''not'' the image name, like <code>binhex/arch-qbittorrentvpn</code>.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [ANOTHER_CONTAINER_NAME] ... [ONE_MORE_CONTAINER_NAME]</pre>

===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>

===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].

Docker Guide

2020-10-07T19:55:31Z

Fryfrog: /* Get docker-compose */

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code>, <code>nobody</code> or <code>hotio</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using. The last argument(s) are your container names and you can pass in as many as needed at the same time. The first container name is required, more are optional. You can see container names in the '''NAMES''' column of `docker ps`, they're usually set by you or might be generated based on the image like <code>binhex-qbittorrent</code>. It is ''not'' the image name, like <code>binhex/arch-qbittorrentvpn</code>.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [CONTAINER_NAME] ... [CONTAINER_NAME]</pre>

===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>

===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].

Docker Guide

2020-10-07T19:46:10Z

Fryfrog: Fix formatting...

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code>, <code>nobody</code> or <code>hotio</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using. The last argument(s) are your container names and you can pass in as many as needed at the same time. The first container name is required, more are optional. You can see container names in the '''NAMES''' column of `docker ps`, they're usually set by you or might be generated based on the image like <code>binhex-qbittorrent</code>. It is *not* the image name, like <code>binhex/arch-qbittorrentvpn</code>.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [CONTAINER_NAME] ... [CONTAINER_NAME]</pre>

===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>

===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].

Docker Guide

2020-10-07T19:44:58Z

Fryfrog: Improving the get docker-compose section to be clearer about what CONTAINER_NAME and [CONTAINER_NAME]

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code>, <code>nobody</code> or <code>hotio</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using. The last argument(s) are your container names and you can pass in as many as needed at the same time. The first container name is required, more are optional. You can see container names in the NAMES column of `docker ps`, they're usually set by you or might be generated based on the image like `binhex-qbittorrent`. It is *not* the image name, like `binhex/arch-qbittorrentvpn`.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [CONTAINER_NAME] ... [CONTAINER_NAME]</pre>

===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>

===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].

Docker Guide

2020-09-15T23:40:50Z

Fryfrog: /* PUID and PGID */

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code>, <code>nobody</code> or <code>hotio</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [CONTAINER_NAME] ... [CONTAINER_NAME]</pre>
===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>

===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].

Docker Guide

2020-09-11T17:03:14Z

Fryfrog: /* Find UID/GID for user */

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code> or <code>nobody</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [CONTAINER_NAME] ... [CONTAINER_NAME]</pre>
===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>

===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].

Docker Guide

2020-09-11T17:00:51Z

Fryfrog: Add section for examining files for hard links.

=== The Best Docker Setup ===

'''TL; DR''': An [https://www.lexico.com/en/definition/eponymous eponymous] user per daemon and a shared group with a umask of <code>002</code>. Consistent path definitions between ''all'' containers that maintains the folder structure. Using one volume for Sonarr, Radarr and Lidarr so the download folder and library folder are on the same file system which makes hard links and instant moves possible. And most of all, ignore ''most'' of the Docker image’s path documentation!

==== Introduction ====

This article will not show you specifics about the best Docker setup, but it describes an overview that you can use to make your own setup the best that it can be. The idea is that you run each docker container as its own user, with a shared group and consistent volumes so every container sees the same path layout. This is easy to say, but difficult to understand and explain.

==== Multiple users and a shared group ====

===== Permissions =====

Ideally, each software runs as its own user user and they’re all part of a shared group with folder permissions set to <code>775</code> (<code>drwxrwxr-x</code>) and files set to <code>664</code> (<code>-rw-rw-r--</code>), which is a umask of <code>002</code>. A sane alternative to this is a single shared user, which would use <code>755</code> and <code>644</code> which is a umask of <code>022</code>. You can restrict permissions even more by denying read from “other”, which would be a umask of <code>007</code> for a user per daemon or <code>077</code> for a single shared user. For a deeper explanation, try the Arch Linux wiki articles about [https://wiki.archlinux.org/index.php/File_permissions_and_attributes File permissions and attributes] and [https://wiki.archlinux.org/index.php/Umask Umask].

===== UMASK =====

Many docker images accept a <code>-e UMASK=002</code> environment variable and some software inside can be configured with a user, group and umask (NZBGet) or folder/file permission (Sonarr/Radarr). This will ensure that files and folders created by ''one'' can be read and written by the others. If you’re using existing folders and files, you’ll need to fix their current ownership and permissions too, but going forward they’ll be correct because you set each software up right.

===== PUID and PGID =====

Many docker images also take a <code>-e PUID=123</code> and <code>-e PGID=321</code> that lets you change the UID/GID used inside to that of an account on the outside. If you ever peak in, you’ll find that username is something like <code>abc</code> or <code>nobody</code>, but because it uses the UID/GID you pass in, on the outside it looks like the expected user. If you’re using storage from another system via NFS or CIFS, it will make your life easier if ''that'' system also has matching users and group. Perhaps let one system pick the UID/GIDs, then re-use those on the other system, assuming they don’t conflict.

===== Example =====

You run [https://github.com/Sonarr/Sonarr/releases Sonarr] using [https://github.com/hotio/docker-sonarr hotio/sonarr], you’ve created a <code>sonarr</code> user with uid <code>123</code> and a shared group <code>media</code> with gid <code>321</code> which the <code>sonarr</code> user is a member of. You configure the Docker image to run with <code>-e PUID=123 -e PGID=321 -e UMASK=002</code>. Sonarr also lets you configured user, group as well as folder and file permissions. The previous settings should negate these, but you could configure them if you wanted. Folders would be <code>775</code>, files <code>664</code> and the user/group are a little tricky because ''inside'' the container, they have a different name. Maybe <code>abc</code> or <code>nobody</code>. I’d leave all these blank unless you find you need them for some reason.

==== Single user and optional shared group ====

Another popular and arguably easier option is a single, shared user. Perhaps even ''your'' user. It isn’t as secure and doesn’t follow best practices, but in the end it is easier to understand and implement. The UMASK for this is <code>022</code> which results in <code>755</code> (<code>drwxr-xr-x</code>) for folders and <code>644</code> (<code>-rw-r--r--</code>) for files. The group no longer really matters, so you’ll probably just use the group named after the user. This does make it harder to share with ''other'' users, so you may still end up wanting a UMASK of <code>002</code> even w/ this setup.

==== Ownership and permissions of /config ====

Don’t forget that your <code>/config</code> volume will ''also'' need to have correct ownership and permissions, usually the daemon’s user and that user’s group like <code>sonarr:sonarr</code> and a umask of <code>022</code> or <code>077</code> so ''only'' that user has access. In a single user setup, this would of course be the one user you’ve chosen.

==== Consistent and well planned paths ====

The easiest and most important detail is to create unified path definitions across all the containers.

If you’re wondering why hard links aren’t working or why a simple move is taking far longer than it should, this section explains it. The paths you use on the ''inside'' matter. Because of how Docker’s volumes work, passing in two volumes such as the commonly suggested <code>/tv</code> and <code>/downloads</code> makes them look like two file systems, even if they aren’t. This means hard links won’t work ''and'' instead of an instant move, a slower and more io intensive copy + delete is used. If you have multiple download clients because you’re using torrents and usenet, having a single <code>/downloads</code> path means they’ll be mixed up. Because the Radarr in one container will ask the NZBGet in its own container where files are, using the same path in both means it will all just work. If you don’t, you’d need to fix it with a remote path map.

So pick ''one'' path layout and use it for all of them. I’m a fan of <code>/data</code>, but there are other great names like <code>/shared</code>, <code>/media</code> or <code>/dvr</code>. If this can be the same on the outside ''and'' inside, your setup will be simpler: one path to remember or if integrating docker and native software. But if not, that’s fine too. For example, Synology might use <code>/Volume1/data</code> and unRAID might use <code>/mnt/user/data</code> on the outside, but <code>/data</code> on the inside is fine.

It is also important to remember that you’ll need to setup or re-configure paths in the software running ''inside'' these Docker containers. If you change the paths for your download client, you’ll need to edit its settings to match. If you change your library path, you’ll need to change those settings in Sonarr, Radarr, Lidarr and/or Plex.

===== Examples =====

What matters here is the general structure, not the names. You are free to pick folder names that make sense to you. And there are other ways of arranging things too. For example, you’re not likely to download and run into conflicts of identical releases between usenet and torrents, so you ''could'' put both in <code>/data/downloads/{movies|music|tv}</code> folders. Downloads don’t even have to be sorted into sub-folders either, since movies, music and tv will rarely conflict.

This example <code>data</code> folder has sub-folders for torrents and usenet and each of these have sub-folders for tv, movie and music downloads to keep things neat. The <code>media</code> folder has nicely named <code>TV</code>, <code>Movies</code> and <code>Music</code> sub-folders, this is your library and what you’d pass to Plex or Emby.

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
The path for each Docker container can be as specific as needed while still maintaining the correct structure:

====== Torrents ======

<pre>data
└── torrents
├── movies
├── music
└── tv</pre>
Torrents only needs access to torrent files, so pass it <code>-v /host/data/torrents:/data/torrents</code>. In the torrent software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/torrents/{tv|movies|music}</code>.

====== Usenet ======

<pre>data
└── usenet
├── movies
├── music
└── tv</pre>
Usenet only needs access to usenet files, so pass it <code>-v /host/data/usenet:/data/usenet</code>. In the usenet software settings, you’ll need to reconfigure paths and you can sort into sub-folders like<code>/data/usenet/{tv|movies|music}</code>.

====== Media Server ======

<pre>data
└── media
├── Movies
├── Music
└── TV</pre>
Plex/Emby only needs access to your media library, so pass <code>-v /host/data/media:/data/media</code>, which can have any number of sub folders like <code>Movies</code>, <code>Kids Movies</code>, <code>TV</code>, <code>Documentary TV</code> and/or <code>Music</code> as sub folders.

====== Sonarr, Radarr and Lidarr ======

<pre>data
├── torrents
│ ├── movies
│ ├── music
│ └── tv
├── usenet
│ ├── movies
│ ├── music
│ └── tv
└── media
├── Movies
├── Music
└── TV</pre>
Sonarr, Radarr and Lidarr get everything using <code>-v /host/data:/data</code> because the ''download'' folder(s) and ''media'' folder will look like and ''be'' one file system. Hard links will work and moves will be atomic, instead of copy + delete.

===== Issues =====

There are a couple minor issues w/ not following the Docker image’s suggested paths.

The biggest is that volumes defined in the <code>Dockerfile</code> will get created if they’re not specified, this means they’ll pile up as you delete and re-create the containers. If they end up w/ data in them, they can consume space unexpectedly and likely in an unsuitable place. You can find a [https://old.reddit.com/r/usenet/wiki/docker#wiki_prune_docker cleanup command] in the helpful commands section below. This could also be mitigated by passing in an empty folder for all the volumes you don’t want to use, like <code>/data/empty:/movies</code> and <code>/data/empty:/downloads</code>. Maybe even put a file named <code>DO NOT USE THIS FOLDER</code> inside, to remind yourself.

Another problem is that some images are pre-configured to use the documented volumes, so you’ll need to change settings in the software inside the Docker container. Thankfully, since configuration persists outside the container this is a one time issue. You might also pick a path like <code>/data</code> or <code>/media</code> which some images already define for a specific use. It shouldn’t be a problem, but will be a little more confusing when combined w/ the previous issues. In the end, it is worth it for working hard links and fast moves. The consistency and simplicity are welcome side effects as well.

If you use the latest version of the abandoned [https://github.com/Sperryfreak01/RadarrSync RadarrSync] to synchronize two Radarr instances, it ''depends'' on mapping the ''same'' path inside to a different path on the outside, for example <code>/movies</code> for one instance would point at <code>/data/media/Movies</code> and the other at <code>/data/media/Movies 4k</code>. This breaks ''everything'' you’ve read above. There is no good solution, you either use the old version which isn’t as good, do your mapping in a way that is ugly and breaks hard links or just don’t use it at all.

==== Running containers using ====

===== Docker-compose =====

This is the best option for most users, it lets you control and configure many containers and their interdependence in one file. A good starting place is docker’s own [https://docs.docker.com/compose/gettingstarted/ Get started with Docker Compose]. You can use [https://composerize.com composerize] or [https://old.reddit.com/r/usenet/wiki/docker#wiki_get_docker-compose red5d/docker-autocompose]to convert <code>docker run</code> commands into a single <code>docker-compose.yml</code> file.

The below is ''not'' a complete working example! The containers only have PID, UID, UMASK and example paths defined to keep it simple.

<pre># sonarr
Sonarr:
image: "hotio/sonarr"
volumes:
- /path/to/config/sonarr:/config
- /host/data:/data
environment:
- PUID=111
- PGID=321
- UMASK=002

# deluge
Deluge:
image: binhex/arch-delugevpn
volumes:
- /path/to/config/deluge:/config
- /host/data/torrents:/data/torrents
environment:
- PUID=222
- PGID=321
- UMASK=002

# sabnzbd
SABnzbd:
image: binhex/arch-sabnzbd
volumes:
- /path/to/config/sabnzbd:/config
- /host/data/usenet:/data/usenet
environment:
- PUID=333
- PGID=321
- UMASK=002

# plex
Plex:
image: binhex/arch-plex
volumes:
- /path/to/config/plex:/config
- /host/data/media:/data/media

environment:
- PUID=444
- PGID=321
- UMASK=002</pre>
====== Update all images and containers ======

<pre>docker-compose pull
docker-compose up -d</pre>
====== Update individual image and container ======

<pre>docker-compose pull NAME
docker-compose up -d NAME</pre>
===== Docker Run =====

Like the Docker Compose example above, the following <code>docker run</code> commands are stripped down to ''only'' the PUID, PGID, UMASK and volumes in order to act as an obvious example.

<pre># sonarr
docker run -v /path/to/config/sonarr:/config \
-v /host/data:/data \
-e PUID=111 -e PGID=321 -e UMASK=002 \
hotio/sonarr

# deluge
docker run -v /path/to/config/deluge:/config \
-v /host/data/torrents:/data/torrents \
-e PUID=222 -e PGID=321 -e UMASK=002 \
binhex/arch-delugevpn

# sabnzbd
docker run -v /path/to/config/sabnzbd:/config \
-v /host/data/usenet:/data/usenet \
-e PUID=333 -e PGID=321 -e UMASK=002 \
binhex/arch-sabnzbd

# plex
docker run -v /path/to/config/plex:/config \
-v /host/data/media:/data/media \
-e PUID=444 -e PGID=321 -e UMASK=002 \
binhex/arch-plex</pre>
===== Systemd =====

I don’t run a full Docker setup, so I manage my few Docker containers with individual systemd service files. It standardizes control and makes dependencies simpler for both native and docker services. The generic example below can be adapted to any container by adjusting or adding the various values and options.

<pre># /etc/systemd/system/thing.service
[Unit]
Description=Thing
Requires=docker.service
After=network.target docker.service

[Service]
ExecStart=/usr/bin/docker run --rm \
--name=thing \
-v /path/to/config/thing:/config \
-v /host/data:/data
-e PUID=111 -e PGID=321 -e UMASK=002 \
nobody/thing

ExecStop=/usr/bin/docker stop -t 30 thing

[Install]
WantedBy=default.target</pre>
==== Helpful commands ====

===== List running containers =====

<pre>docker ps</pre>
===== Shell ''inside'' a container =====

<pre>docker exec -it CONTAINER_NAME /bin/bash</pre>
For more information, see the [https://docs.docker.com/engine/reference/commandline/exec/ docker exec] documentation.

===== Prune docker =====

<pre>docker system prune --all --volumes</pre>
Remove unused containers, networks, volumes, images and build cache. As the WARNING this command gives says, this will remove all of the previously mentioned items for anything not in use by a running container. In a correctly configured environment, this is fine. But be aware and proceed cautiously the first time. See the [https://docs.docker.com/engine/reference/commandline/system_prune/ docker system prune] documentation for more details.

===== Get docker run command =====

Getting the <code>docker run</code> command from GUI managers can be hard, this docker image makes it easy for a running container ([https://stackoverflow.com/questions/32758793/how-to-show-the-run-command-of-a-docker-container source]).

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike CONTAINER_NAME</pre>
===== Get docker-compose =====

Getting a <code>docker-compose.yml</code> from running instances is possible w/ [https://hub.docker.com/r/red5d/docker-autocompose red5d/docker-autocompose], in case you’ve already started your containers w/ <code>docker run</code> or <code>docker create</code> and want to change to <code>docker-compose</code> style. It is also great for sharing your settings with others, since it doesn’t matter what management software you’re using.

<pre>docker run --rm -v /var/run/docker.sock:/var/run/docker.sock red5d/docker-autocompose CONTAINER_NAME [CONTAINER_NAME] ... [CONTAINER_NAME]</pre>
===== Troubleshoot networking =====

Most Docker images don’t have many useful tools in them for troubleshooting, but you can [https://success.docker.com/article/troubleshooting-container-networking attach a network troubleshooting type image] to an existing container to help with that.

<pre>docker run -it --rm --network container:CONTAINER_NAME nicolaka/netshoot</pre>
===== Recursively chown user and group =====

<pre>chown -R user:group /some/path/here</pre>
===== Recursively chmod to 775/664 =====

<pre>chmod -R a=,a+rX,u+w,g+w /some/path/here
^ ^ ^ ^ adds write to group
| | | adds write to user
| | adds read to all and execute to all folders (which controls access)
| sets all to `000`</pre>
===== Find UID/GID for user =====

<pre>id <username></pre>
===== Examine files for hard links =====
<pre>ls -alhi
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 hardlink
42207936 -rw-r--r-- 1 user group 0 Sep 11 11:55 nohardlinks
42207934 -rw-r--r-- 2 user group 0 Sep 11 11:55 original
</pre>

<pre>stat original
File: original
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 803h/2051d Inode: 42207934 Links: 2
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1001/ group)
Access: 2020-09-11 11:55:43.803327144 -0500
Modify: 2020-09-11 11:55:43.803327144 -0500
Change: 2020-09-11 11:55:49.706660476 -0500
Birth: 2020-09-11 11:55:43.803327144 -0500
</pre>

==== Interesting docker images ====

* [https://hub.docker.com/r/rasmunk/sshfs rasmunk/sshfs] let you create an sshfs volume, ''perfect'' for a seedbox setup using a remote mount instead of sync. Better documentation, including examples can be found at the github [https://github.com/rasmunk/docker-volume-sshfs rasmunk/docker-volume-sshfs] repository. This is a more recently maintained fork of [https://hub.docker.com/p/vieux/sshfs vieux/sshfs].
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/sonarr sonarr], [https://hub.docker.com/r/hotio/radarr radarr] and [https://hub.docker.com/r/hotio/lidarr lidarr] images let you run the built in version ''or'' specify an alternative via environment variable. The documentation and Dockerfile also don’t make any poor path suggestions.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/ombi ombi], [https://hub.docker.com/r/hotio/jackett jackett], [https://hub.docker.com/r/hotio/nzbhydra2 nzbhydra2] and [https://hub.docker.com/r/hotio/bazarr bazarr] are useful too, but don’t really require any special permissions or paths.
* [https://hub.docker.com/u/hotio hotio’s] [https://hub.docker.com/r/hotio/unpackerr unpackerr] is useful for packed torrent extraction across a variety of torrent clients where unpacking is lacking or missing entirely.
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-qbittorrentvpn/ qbittorrent], [https://hub.docker.com/r/binhex/arch-delugevpn/ deluge] and [https://hub.docker.com/r/binhex/arch-rtorrentvpn/ rtorrent] are popular torrent clients with built in VPN support. For usenet, there is [https://hub.docker.com/r/binhex/arch-sabnzbd/ sabnzbd] and [https://hub.docker.com/r/binhex/arch-nzbget/ nzbget].
* [https://hub.docker.com/u/binhex binhex’s] [https://hub.docker.com/r/binhex/arch-sonarr/ sonarr], [https://hub.docker.com/r/binhex/arch-radarr/ radarr] and [https://hub.docker.com/r/binhex/arch-lidarr/ lidarr] images suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume.
* [https://hub.docker.com/u/linuxserver linuxserver.io’s] images also suggest default paths that don’t allow for hard linking, instead follow the process described above and pass in a single volume. But they do have images for a ''lot'' of software and they’re well maintained.
* [https://hub.docker.com/r/pyouroboros/ouroboros pyouroboros/ouroboros] or [https://hub.docker.com/r/containrrr/watchtower containrrr/watchtower] automatically update your running Docker containers to the latest available image. These are not recommended if you use Docker Compose.

==== Custom Docker Network and DNS ====

One interesting feature of a [https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks custom Docker network] is that it gets its own DNS server. If you create a bridge network for your containers, you can use their hostnames in your configuration. For example, if you <code>docker run --network=isolated --hostname=deluge binhex/arch-deluge</code> and <code>docker run --network=isolated --hostname=radarr binhex/arch-radarr</code>, you can then configure the Download Client in Radarr to point at just <code>deluge</code> and it’ll work ''and'' communicate on its own private network. Which means if you wanted to be even more secure, you could ''stop'' forwarding that port too. If you put your reverse proxy container on the same network, you can even stop forwarding the web interface ports and make them even more secure.

==== Common Problems ====

===== Correct ''outside'' paths, incorrect ''inside'' paths =====

Many people read this and think they understand, but they end up seeing the outside path correctly to something like <code>/data/usenet</code>, but then they miss the point and set the ''inside'' path to <code>/downloads</code> still.

===== Running Docker containers as root or changing users around =====

If you find yourself running your containers as <code>root:root</code>, you’re doing something wrong. If you’re not passing in a UID and GID, you’ll be using what ever the default is for the image and ''that'' will be unlikely to line up w/ a reasonable user on your system. And if you’re changing the user and group your Docker containers are running as, you’ll probably end up w/ permissions issues on folders like the <code>/config</code> folder which will likely have files and folders in them that got created the first time w/ the UID/GID you used the first time.

===== Running Docker containers w/ umask 000 =====

If you find yourself setting a UMASK of <code>000</code> (which is 777 for folders and 666 for files), you’re ''also'' doing something wrong. It leaves your files and folders read/write to ''everyone'', which is poor Linux hygiene.

==== LinuxServer.io ====

The ''entire'' reason this article even exists is [https://hub.docker.com/u/linuxserver linuxserver.io]’s documentation and default path suggestions. They’re singlehandedly responsible for the <code>/tv</code>, <code>/movies</code> and <code>/downloads</code> paths which ''break'' hard links and atomic moves. It is for this reason that ''none'' of them are ''specifically'' recommended by this article. That said, once you understand the problem with those paths and that you ''don’t'' have to use them, their images are fine. So feel free to use them and ''most'' of their documentation. Just ''ignore'' their path suggestions.

==== Getting Help ====

Need some help? For real time, chat style support try the [https://discord.gg/xyRwnyB Sonarr] or [https://discord.gg/SRBnFmX Radarr] Discord servers. If you prefer forum style support, make a post in [http://reddit.com/r/sonarr /r/sonarr] or [http://reddit.com/r/radarr /r/radarr].