haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0

Transmission sets permissions wrong but fixes them on restart with TRANSMISSION_UMASK #2824

Closed Andrew-T-Smith closed 7 months ago

Andrew-T-Smith commented 7 months ago


Docker run config used

```yaml
version: '3.3'
services:
  transmission-openvpn:
    cap_add:
```

Current Behavior

Currently, newly added torrents are placed in /mnt/media/torrents/downloading, as expected, but the permissions for the folder containing the data are rwxrwxrw- (776). When the container is restarted (sudo -u dockeruser docker restart transmission-openvpn) the folder permissions are correct (rwxr-xr-x 755).

Expected Behavior

The folder permissions for added torrents should match TRANSMISSION_UMASK and should be 755 without the container needing to restart.

How have you tried to solve the problem?

Verified umask is set properly in logs

Log output

```
2024-04-04 15:40:48 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-04-04 15:40:48 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-04-04 15:40:48 VERIFY KU OK
2024-04-04 15:40:48 Validating certificate extended key usage
2024-04-04 15:40:48 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-04-04 15:40:48 VERIFY EKU OK
2024-04-04 15:40:48 VERIFY X509NAME OK: CN=us6304.nordvpn.com
2024-04-04 15:40:48 VERIFY OK: depth=0, CN=us6304.nordvpn.com
2024-04-04 15:40:48 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2024-04-04 15:40:48 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-04 15:40:48 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2024-04-04 15:40:48 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-04 15:40:48 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-04-04 16:07:01 event_wait : Interrupted system call (code=4)
2024-04-04 16:07:01 /etc/openvpn/tunnelDown.sh tun0 1500 1659 10.7.3.2 255.255.255.0 init
resolv.conf was restored
Sending kill signal to transmission-daemon
Waiting 5s for transmission-daemon to die
Sending kill signal (SIGKILL) to transmission-daemon
2024-04-04 16:07:06 net_route_v4_del: 172.93.177.179/32 via 172.18.0.1 dev [NULL] table 0 metric -1
2024-04-04 16:07:06 net_route_v4_del: 0.0.0.0/1 via 10.7.3.1 dev [NULL] table 0 metric -1
2024-04-04 16:07:06 net_route_v4_del: 128.0.0.0/1 via 10.7.3.1 dev [NULL] table 0 metric -1
2024-04-04 16:07:06 Closing TUN/TAP interface
2024-04-04 16:07:06 net_addr_v4_del: 10.7.3.2 dev tun0
2024-04-04 16:07:06 SIGTERM[hard,] received, process exiting
Starting container with revision: 07f5a2b9aea5028c9bb75438c1552708e91dde71
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: NORDVPN
Running with VPN_CONFIG_SOURCE auto
Provider NORDVPN has a bundled setup script. Defaulting to internal config
Executing setup script for NORDVPN
/etc/openvpn/nordvpn/..
INFO: OVPN: Checking curl installation
INFO: OVPN: DNS resolution ok
INFO: OVPN: ok, configurations download site reachable
INFO: OVPN: Removing existing configs in /etc/openvpn/nordvpn
Checking NORDPVN API responses
INFO: OVPN:Selecting the best server...
INFO: OVPN: Searching for country : US (228)
WARNING: OVPN: empty or invalid NORDVPN_CATEGORY (value=). ignoring this parameter. Possible values are: legacy_double_vpn,legacy_onion_over_vpn,legacy_ultra_fast_tv,legacy_anti_ddos,legacy_dedicated_ip,legacy_standard,legacy_netflix_usa,legacy_p2p,legacy_obfuscated_servers,europe,the_americas,asia_pacific,africa_the_middle_east_and_india,anycast-dns,geo_dns,grafana,kapacitor,legacy_socks5_proxy,fastnetmon,. Please check https://haugene.github.io/docker-transmission-openvpn/provider-specific/#nordvpn
INFO: OVPN:Searching for technology: openvpn_tcp
INFO: OVPN: Best server : us9840.nordvpn.com, load: null
Best server : us9840.nordvpn.com
INFO: OVPN: Downloading config: us9840.nordvpn.com.ovpn
INFO: OVPN: Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_tcp/servers/us9840.nordvpn.com.tcp.ovpn
OVPN: NORDVPN: selected: us9840.nordvpn.com, VPN_PROVIDER_HOME: /etc/openvpn/nordvpn
Starting OpenVPN using config us9840.nordvpn.com.ovpn
Modifying /etc/openvpn/nordvpn/us9840.nordvpn.com.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.1.0/24 via 172.18.0.1 dev eth0
2024-04-04 16:07:13 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2024-04-04 16:07:13 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2024-04-04 16:07:13 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-04-04 16:07:13 NOTE: --fast-io is disabled since we are not using UDP
2024-04-04 16:07:13 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-04 16:07:13 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-04 16:07:13 TCP/UDP: Preserving recently used remote address: [AF_INET]181.215.195.180:443
2024-04-04 16:07:13 Socket Buffers: R=[131072->131072] S=[16384->16384]
2024-04-04 16:07:13 Attempting to establish TCP connection with [AF_INET]181.215.195.180:443 [nonblock]
2024-04-04 16:07:13 TCP connection established with [AF_INET]181.215.195.180:443
2024-04-04 16:07:13 TCP_CLIENT link local: (not bound)
2024-04-04 16:07:13 TCP_CLIENT link remote: [AF_INET]181.215.195.180:443
2024-04-04 16:07:13 TLS: Initial packet from [AF_INET]181.215.195.180:443, sid=a1ac1c2d b3b148c4
2024-04-04 16:07:13 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-04-04 16:07:13 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-04-04 16:07:13 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-04-04 16:07:13 VERIFY KU OK
2024-04-04 16:07:13 Validating certificate extended key usage
2024-04-04 16:07:13 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-04-04 16:07:13 VERIFY EKU OK
2024-04-04 16:07:13 VERIFY X509NAME OK: CN=us9840.nordvpn.com
2024-04-04 16:07:13 VERIFY OK: depth=0, CN=us9840.nordvpn.com
2024-04-04 16:07:13 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-04-04 16:07:13 [us9840.nordvpn.com] Peer Connection Initiated with [AF_INET]181.215.195.180:443
2024-04-04 16:07:13 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.4 255.255.255.0,peer-id 0,cipher AES-256-CBC'
2024-04-04 16:07:13 OPTIONS IMPORT: timers and/or timeouts modified
2024-04-04 16:07:13 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2024-04-04 16:07:13 OPTIONS IMPORT: compression parms modified
2024-04-04 16:07:13 OPTIONS IMPORT: --ifconfig/up options modified
2024-04-04 16:07:13 OPTIONS IMPORT: route options modified
2024-04-04 16:07:13 OPTIONS IMPORT: route-related options modified
2024-04-04 16:07:13 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-04-04 16:07:13 OPTIONS IMPORT: peer-id set
2024-04-04 16:07:13 OPTIONS IMPORT: adjusting link_mtu to 1659
2024-04-04 16:07:13 OPTIONS IMPORT: data channel crypto options modified
2024-04-04 16:07:13 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2024-04-04 16:07:13 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-04 16:07:13 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2024-04-04 16:07:13 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-04 16:07:13 net_route_v4_best_gw query: dst 0.0.0.0
2024-04-04 16:07:13 net_route_v4_best_gw result: via 172.18.0.1 dev eth0
2024-04-04 16:07:13 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:02
2024-04-04 16:07:13 TUN/TAP device tun0 opened
2024-04-04 16:07:13 net_iface_mtu_set: mtu 1500 for tun0
2024-04-04 16:07:13 net_iface_up: set tun0 up
2024-04-04 16:07:13 net_addr_v4_add: 10.7.2.4/24 dev tun0
2024-04-04 16:07:13 net_route_v4_add: 181.215.195.180/32 via 172.18.0.1 dev [NULL] table 0 metric -1
2024-04-04 16:07:13 net_route_v4_add: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
2024-04-04 16:07:13 net_route_v4_add: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
Up script executed with device=tun0 ifconfig_local=10.7.2.4
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.7.2.4
Enforcing ownership on transmission directories
Applying permissions to transmission directories
Setting owner for transmission paths to 1003:1003
Setting permissions for download and incomplete directories
umask: 22
Directories: 755
Files: 644
Setting permission for watch directory (775) and its files (664)

Transmission will run as
User name: abc
User uid: 1003
User gid: 1003

Updating Transmission settings.json with values from env variables
Attempting to use existing settings.json for Transmission
Successfully used existing settings.json /config/transmission-home/settings.json
Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.7.2.4
Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/completed
Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
Overriding rpc-password because TRANSMISSION_RPC_PASSWORD is set to [REDACTED]
Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
Overriding rpc-username because TRANSMISSION_RPC_USERNAME is set to
Overriding umask because TRANSMISSION_UMASK is set to 18
Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
sed'ing True to true
STARTING TRANSMISSION
Transmission startup script complete.
2024-04-04 16:07:13 Initialization Sequence Completed
```

HW/SW Environment

- OS: Debian 10 
- Docker: Docker version 26.0.0, build 2ae903e

Anything else?

No response

pkishino commented 7 months ago

Check here, this doesn't look like a container issue: https://github.com/transmission/transmission/blob/3cd66899fe5c8434aef71e179024cf6eaa0d5691/docs/Editing-Configuration-Files.md#files-and-locations

Andrew-T-Smith commented 7 months ago

So here was the fix that I used. I deleted my settings.json (which previously had umask set to 001) while the container was down and when I brought it back up, the file was regenerated with the proper umask. My prior attempts to just change it directly did not work (they did not persist, which makes sense, but I was just trying everything).

I'm still not sure why this was an issue in the first place, as the logs seem to imply this old value was being overridden with the appropriate value using the passed-in variable, but the behavior of Transmission matched the value in settings.json. This is my first time using Docker, so it's possible I misunderstood something and did something weird during setup. Either way, I think something in the documentation needs to be updated.

pkishino commented 7 months ago

Editing the settings.json file on a running container doesn't work. Settings changed in the UI obviously are persisted, but if you want to modify the JSON it needs to be done when the container is stopped.

Andrew-T-Smith commented 6 months ago

The json was modified while the container was stopped. And I've just had this issue reemerge (in a way). I just moved a torrent's data through transmission's web ui itself by right clicking and choosing "set location". I had two similar torrents so I had it move both to a subfolder that didn't exist. Transmission created the subfolder and moved the data, but the newly created subfolder had 776 permissions. This was after everything else was working as expected. And restarting the container reset this subfolder to the appropriate permissions.

This could be my config just being bad (again, this is my first time using Docker), but more realistically I think the documentation is either misrepresenting the purpose of the TRANSMISSION_UMASK variable (which is set to have 755 permissions) or the variable is not being used everywhere it should be. Looking at my settings.json now, it shows "umask" : "001" again. I certainly didn't manually change it back at any point. This is after I previously deleted the file and it regenerated with the expected value (weeks ago, with multiple restarts on the container since).
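An added example, not code from this issue or from the haugene project, that reproduces the arithmetic behind the two results in this thread: TRANSMISSION_UMASK=18 is decimal for octal 022 and yields 755 directories, while a settings.json umask of "001" strips only the other-execute bit and yields exactly the 776 seen on the new subfolder. It assumes the setting may be stored either as a decimal integer or as an octal string, and uses a scratch directory in place of the real download paths.

```python
import os
import stat
import tempfile

def parse_umask(value):
    """Normalise a Transmission umask setting to an int.

    Assumption (see lead-in): older settings.json files hold a decimal
    integer (18 == 0o22, the value the container logs), newer ones an
    octal string such as "022" or "001".
    """
    if isinstance(value, int):
        return value
    return int(str(value), 8)

def expected_modes(umask):
    """(directory mode, file mode) that a given umask yields."""
    return 0o777 & ~umask, 0o666 & ~umask

def mkdir_under_umask(parent, name, umask):
    """Create parent/name with `umask` in force, as a daemon would, and
    return the directory's permission bits; the process umask is restored."""
    old = os.umask(umask)
    try:
        path = os.path.join(parent, name)
        os.mkdir(path)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)

def dir_mode_matches(path, umask):
    """True if `path` already has the directory mode `umask` should produce."""
    return stat.S_IMODE(os.stat(path).st_mode) == expected_modes(umask)[0]

def demo():
    """Reproduce the issue's two outcomes in a scratch directory (constructed
    sample, not the real /data paths). Returns (mode under the stale json
    umask, mode under TRANSMISSION_UMASK, whether the first passes the check)."""
    stale_json = parse_umask("001")  # what settings.json had reverted to
    env_umask = parse_umask(18)      # "TRANSMISSION_UMASK is set to 18"
    with tempfile.TemporaryDirectory() as scratch:
        stale_mode = mkdir_under_umask(scratch, "set-location", stale_json)
        env_mode = mkdir_under_umask(scratch, "downloading", env_umask)
        ok = dir_mode_matches(os.path.join(scratch, "set-location"), env_umask)
    return stale_mode, env_mode, ok

if __name__ == "__main__":
    print("%o %o %s" % demo())  # 776 755 False
```

Running dir_mode_matches over the download tree against the umask you expect is a quick way to tell whether the daemon is honouring TRANSMISSION_UMASK or the value that has crept back into settings.json.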