Radarr service wouldn't start until I removed some hardening

Fresh install of Radarr through dietpi installer would not auto start through systemctl.

This is the error I kept getting in the systemctl logs through journalctl

Mar 20 23:03:21 radarr systemd[548]: radarr.service: Failed to set up mount namespacing: No such file or directory
Mar 20 23:03:21 radarr systemd[548]: radarr.service: Failed at step NAMESPACE spawning /opt/radarr/Radarr: No such file or directory

The directory /opt/radarr/ does exist and so did the file Radarr in there. I was able to start Radarr manually using

sudo -u radarr /opt/radarr/Radarr -nobrowser -data=/mnt/dietpi_userdata/radarr

After some more research I tried turning off some of the hardening settings, and it looks like this specific setting
ReadWritePaths=/opt/radarr /mnt /media /var/log/radarr /tmp
is causing the failure.

I don’t know why because as far as I can see this setting should make all the paths after it read/write to the radarr service.

Right now I’m running with all the hardening rules except for
ProtectSystem=Strict and ReadWritePaths.

Also how come y’all don’t use these same hardening rules for sonarr?

Hi,

hmm I’m not really able to replicate your issue with radarr. I did a test installation on a RPi3B+ 32bit without issues. Radarr service is working ootb without any changes made. :thinking:

Have you moved /opt or /mnt/dietpi_userdata to any special mount point? I saw once the latter being mounted to /home/user which would not only break our Sonarr/Radarr/…arr (all the same), but also the default Debian MariaDB package and others.

Which SBC/platform are you using? Debian Stretch or Buster (or Bullseye)?

Thank you for the responses y’all!

I use dietpi on my VMs on proxmox. I always do a vanilla install of the dietpi UEFI image.
Debian buster, though I do force the kernel to update to the latest version, I think it updated to 5.11.

No directories were moved, everything is where it is installed by default. Also everything is on one volume/‘drive’. I don’t move any part of the VM to other drives. I have a data storage for my media files, that’s provided by OMV through SMB. I mount that network folder to the VM, no issues there accessing the files.

I did force it to install Radarr V3, but I was having the issue even before then. I figured Radarr V3 would fix it, but nah, either way at the end of the day it was the hardening rules that prevented it from running. I did also make sure the radarr user had permission to read/write/execute everything inside /opt/radarr and /mnt/dietpi_userdata/radarr.

It should not prevent the service start, but where is the SMB drive mounted?

Indeed the underlying Mono/.NET library had or has issues to write to directories that are not owned by the executing user and do not support POSIX permissions. But Radarr v3 AFAIK worked around that. That however still should not break the whole service to start :thinking:.

I used the dietpi config to setup the network mounts.

I mounted two network folders, both are in /mnt

For the radarr v3 install I went with the .net core variant instead of mono.

Here is what the service file looks like right now

[Unit]
Description=Radarr Daemon (DietPi)
Wants=network-online.target
After=network-online.target dietpi-boot.service

[Service]
SyslogIdentifier=Radarr
User=radarr
Group=dietpi
UMask=002
ExecStart=/opt/radarr/Radarr -nobrowser -data=/mnt/dietpi_userdata/radarr
TimeoutStopSec=50
KillMode=process
Restart=on-failure

# Hardening
#ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
#ReadWritePaths=/opt/radarr /mnt /media /var/log/radarr /tmp

[Install]
WantedBy=multi-user.target

and the contents of /mnt

dietpi@radarr:~$ ls -halt /mnt
total 20K
drwxr-xr-x 18 root   root   4.0K Mar 22 02:17 ..
drwxrwxr-x  7 dietpi dietpi 4.0K Mar 20 22:19 dietpi_userdata
drwxr-xr-x  7 root   root   4.0K Mar 20 22:17 .
drwxrwx---  2 radarr dietpi    0 Mar  9 11:03 movies
drwxrwx---  2 radarr dietpi    0 Feb  2 21:41 downloads
drwxrwxr-x  2 dietpi dietpi 4.0K Sep 17  2020 nfs_client
drwxrwxr-x  2 dietpi dietpi 4.0K Sep 17  2020 ftp_client

I had to modify UID and GID on the fstab entries so that the radarr user could read/write to the two mounts.
I had to make the same change on my sonarr VM, except with the sonarr user.

Usually it should be enough to put all users into the dietpi user group and to assign r/w permission to this group.

If you’re talking about the changes I had to make to fstab, that’s because of how I have the shares setup in Open Media Vault. The dietpi group doesn’t exist in OMV and I think the ACLs on there cause issues to read/write. I can connect to the share without issues, but anything else requires setting the UID/GID on fstab to the specific user.

Which I’m okay with, I’d rather have those folders accessible by specific users rather than a group.
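
Added example, not part of the thread and not DietPi's own code: systemd fails a unit at step NAMESPACE with "No such file or directory" when a path listed in ReadWritePaths=, ReadOnlyPaths= or InaccessiblePaths= does not exist, unless the entry is prefixed with "-". The thread does not confirm that this was the cause here; the function below only lists such entries, and the ROOT argument and the sample unit and scratch directory are constructed for illustration.

```shell
#!/bin/sh
# missing_ns_paths UNIT_FILE [ROOT]
# Prints "<Directive> <path>" for every active namespace path directive entry
# that does not exist on disk. ROOT is a hypothetical helper argument: a prefix
# for the lookups, so a scratch tree can be checked instead of the real /.
missing_ns_paths() {
    unit=$1
    root=${2:-}
    # Commented-out directives do not match the ^ anchor and are skipped.
    grep -E '^(ReadWritePaths|ReadOnlyPaths|InaccessiblePaths)=' "$unit" |
    while IFS='=' read -r key value; do
        for p in $value; do
            case $p in
                -*) continue ;;   # "-" prefix: systemd ignores the entry if missing
                +*) p=${p#+} ;;   # "+" prefix: path is relative to RootDirectory=
            esac
            [ -e "$root$p" ] || printf '%s %s\n' "$key" "$p"
        done
    done
}

# Constructed sample: the ReadWritePaths= line from the thread, checked against
# a scratch root in which /media and /var/log/radarr are deliberately absent.
# This says nothing about which paths existed on the poster's VM.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/radarr" "$tmp/mnt" "$tmp/tmp"
    printf '%s\n' '[Service]' 'ProtectSystem=strict' \
        'ReadWritePaths=/opt/radarr /mnt /media /var/log/radarr /tmp' \
        '#ReadWritePaths=/commented/out' \
        'ReadOnlyPaths=-/optional/missing' > "$tmp/radarr.service"
    missing_ns_paths "$tmp/radarr.service" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real system, call missing_ns_paths with the installed unit file and no second argument. Any path it prints can be created before the service starts or given a "-" prefix in the unit, which keeps ProtectSystem= and the rest of the hardening in place.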