I'm trying to deploy a Pi-Hole instance on a Ubuntu Server in a Docker container. Since port 53 is already in use on the machine I'm trying to deploy the container using another IP in the home network. When I run the docker compose file the container starts but no ports are being exposed.
This is the docker-compose.yaml file that I use.
version: "3.9"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
pihole:
container_name: pihole
image: pihole/pihole:latest
pull_policy: always
networks:
pihole_net:
ipv4_address: "192.168.0.12"
# For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
ports:
- "53:53/tcp"
- "53:53/udp"
#- "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
- "80:80/tcp"
environment:
TZ: '<my timezone>'
WEBPASSWORD: '<my pass>'
# Volumes store your data between container upgrades
volumes:
- './etc-pihole:/etc/pihole'
- './etc-dnsmasq.d:/etc/dnsmasq.d'
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
# cap_add:
# - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
restart: unless-stopped
networks:
pihole_net:
driver: macvlan
driver_opts:
parent: enp0s3
ipam:
config:
- subnet: "192.168.0.0/24"
gateway: "192.168.0.1"
ip_range: "192.168.0.12/32"
This is what I see when I run docker ps:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6de7bc53cddf pihole/pihole:latest "/s6-init" 15 minutes ago Up 15 minutes (healthy) pihole
What could be preventing the ports from being exposed? I also tried pinging the new IP, but I get no results.
The port 53 is used by docker I think and for the log this comes out from it.
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service cron: starting
s6-rc: info: service cron successfully started
s6-rc: info: service _uid-gid-changer: starting
s6-rc: info: service _uid-gid-changer successfully started
s6-rc: info: service _startup: starting
[i] Starting docker specific checks & setup for docker pihole/pihole
[i] Setting capabilities on pihole-FTL where possible
[i] Applying the following caps to pihole-FTL:
* CAP_CHOWN
* CAP_NET_BIND_SERVICE
* CAP_NET_RAW
[i] Ensuring basic configuration by re-running select functions from basic-install.sh
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
[i] Installing latest logrotate script...
[i] Existing logrotate file found. No changes made.
[i] Assigning password defined by Environment Variable
[✓] New password set
[i] Added ENV to php:
"TZ" => "<my TZ>",
"PIHOLE_DOCKER_TAG" => "",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error-pihole.log",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "6de7bc53cddf",
[i] Using IPv4 and IPv6
[✓] Installing latest Cron script
[i] Preexisting ad list /etc/pihole/adlists.list detected (exiting setup_blocklists early)
[i] Existing DNS servers detected in setupVars.conf. Leaving them alone
[i] Applying pihole-FTL.conf setting LOCAL_IPV4=0.0.0.0
[i] FTL binding to default interface: eth0
[i] Enabling Query Logging
[i] Testing lighttpd config: Syntax OK
[i] All config checks passed, cleared for startup ...
[i] Docker start setup complete
[i] pihole-FTL (no-daemon) will be started as pihole
s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
[i] Neutrino emissions detected...
s6-rc: info: service legacy-services successfully started
[✓] Pulling blocklist source list into range
[✓] Preparing new gravity database
[✓] Creating new gravity databases
[i] Using libz compression
[i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
[✗] Status: Connection Refused
[✗] List download failed: no cached list available
[✓] Building tree
[✓] Swapping databases
[✓] The old database remains available
[i] Number of gravity domains: 0 (0 unique domains)
[i] Number of exact blacklisted domains: 0
[i] Number of regex blacklist filters: 0
[i] Number of exact whitelisted domains: 0
[i] Number of regex whitelist filters: 0
[✓] Cleaning up stray matter
[✓] FTL is listening on port 53
[✓] UDP (IPv4)
[✓] TCP (IPv4)
[✓] UDP (IPv6)
[✓] TCP (IPv6)
[✓] Pi-hole blocking is enabled
fatal: unable to access 'https://github.com/pi-hole/pi-hole/': Failed to connect to github.com port 443: No route to host
fatal: unable to access 'https://github.com/pi-hole/web/': Failed to connect to github.com port 443: No route to host
Pi-hole version is v5.18.3 (Latest: N/A)
fatal: unable to access 'https://github.com/pi-hole/FTL/': Failed to connect to github.com port 443: No route to host
web version is v5.21 (Latest: N/A)
FTL version is v5.25.2 (Latest: N/A)
Container tag is: 2024.07.0
Nothing.
You are using macvlan network mode. You don't need to expose ports.
Actually ports: section is ignored in this mode, because they are already exposed.
I think you have a different issue:
When you create a macvlan network, it is isolated from the host network:
In Macvlan you are not able to ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host’s eth0 it will not work. That traffic is explicitly filtered by the kernel modules themselves to offer additional provider isolation and security.
Note: Did you try to ping from the host OS? Does the ping work from a different machine?
But you can solve this easily, creating an "auxiliary" network interface on the host:
Ping doesn't work from both host OS or different machine, but the suggestion you provided seems like a solution that will suit my needs. Thank you!
I'm not very familiar with the different types of docker networks or what an "auxiliary" network interface is, so I will research that. If you are willing to provide some tips that would also be appreciated.
... this error message means your container cannot connect to the internet.
Did you create the macvlan in the same network range of your router?
If your router is not 192.168.0.1 (the macvlan gateway), the connection will fail. Another possibility is a firewall on the host OS blocking the container connections.
Thank you for your response!
192.168.0.1 is exactly my router's IP and since I'm running this on a plain Ubuntu Server install I don't think that there's a blocked port by the OS firewall since I haven't made any changes to it. I also verified that I'm using the correct network interface (enp0s3). I also used docker exec to execute some commands from the container. When running ip a I see the correct IP being assigned, but I can't ping anything from the container not even the gateway, so it's definitely a network issue.