Could not activate remote peer.

I wonder, then, are there files for its configuration in /etc/dnsmasq.d? Or even within the file /etc/dnsmasq.conf? Could you please try for another debug token? Thanks.

Same error uploading the debug log. If there is a way to upload it manually, I could try that.

libvirt uses a different config file:

/var/lib/libvirt/dnsmasq/default.conf

You can DM it to me here, or you can email it to me at adam.warner@pi-hole.net

Failing that, use something like pastebin and share the link 🙂

The dnsmasq is a complete red herring. It turns out the traffic appears to stop when I went in to test service, because while testing I tend to connect my laptop to vpn. And it turns out 99% of my dns traffic comes from my laptop repeating queries over and over when I'm not connected to vpn.

I still don't know what the impact of "Could not activate remote peer." is. I think it means that pihole is using google dns instead of opendns.

@DL6ER, you've got the best working knowledge of the dnsmasq/FTL internals, any thoughts on this one please?

Be aware that *libvirt* starts a *new* instance of `dnsmasq` for each virtual network.

This will very likely cause conflicts with Pi-hole’s dnsmasq instance if both instances try to bind the same network interface.

By default, dnsmasq will try to bind all addresses, even if configured to listen only on specific interfaces - it just discards requests from unconfigured interfaces.

To avoid such conflicts, you have to force dnsmasq to bind only the very interfaces it is listening to. You can do that via the bind-interfaces option within dnsmasq.

Whether you should apply this to libvirt’s dnsmasq or Pi-hole’s or both and what interfaces would go where will likely depend on your specific configuration needs.


I have come across a similar issue a while ago, slightly differing by involving NetworkManager and a KVM virtual machine in addition to libvirt, but the solution may be relevant here as well - have a look at deHakkelaar's solution in "Can't get pihole to work on br0 interface" (post #18).
EDIT: (short summary: OP did reconfigure bridge interface to static, deinstalled dnsmasq and removed left-over references to bind-interfaces.)
In addition, with regards to your error, make sure that systemd-resolved is up and running.
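
The binding behaviour described in the post above, as an added example that is not part of the original thread or of Pi-hole's or libvirt's code: the script reads dnsmasq config files and reports whether two instances would collide on an address. The function names and sample files are constructed for illustration; `bind-interfaces`, `bind-dynamic`, `interface=` and `listen-address=` are real dnsmasq options.

```shell
#!/bin/sh
# Classify how a dnsmasq instance binds, judging only by its config files.
# Prints "wildcard" (the default) or "per-interface <names...>".
dnsmasq_bind_mode() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }   # strip comments and whitespace
        $0 == "bind-interfaces" || $0 == "bind-dynamic" { bound = 1 }
        /^interface=/      { ifs = ifs " " substr($0, 11) }
        /^listen-address=/ { ifs = ifs " " substr($0, 16) }
        END { if (bound) print "per-interface" ifs; else print "wildcard" }
    ' "$@"
}

# Compare two instances: $1 and $2 are space-separated lists of config files.
# Limitation: an instance with bind-interfaces but no interface= line is not
# compared by name, although it binds every interface individually.
check_pair() {
    a=$(dnsmasq_bind_mode $1)
    b=$(dnsmasq_bind_mode $2)
    case "$a" in wildcard) echo "conflict: first instance binds all addresses"; return 0 ;; esac
    case "$b" in wildcard) echo "conflict: second instance binds all addresses"; return 0 ;; esac
    for i in ${a#per-interface}; do
        for j in ${b#per-interface}; do
            if [ "$i" = "$j" ]; then echo "conflict: both bind $i"; return 0; fi
        done
    done
    echo "ok"
}

# Constructed sample configs (hypothetical, not taken from any real host).
make_samples() {
    printf 'interface=virbr0\nbind-interfaces\n' > "$1/libvirt.conf"
    printf 'interface=enp0s25  # LAN\ncache-size=10000\n' > "$1/pihole-default.conf"
    printf 'interface=enp0s25\nbind-interfaces\n' > "$1/pihole-bound.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_pair "$demo_dir/libvirt.conf" "$demo_dir/pihole-default.conf"
check_pair "$demo_dir/libvirt.conf" "$demo_dir/pihole-bound.conf"
rm -rf "$demo_dir"
```

On a real host the arguments would be the files each instance actually loads, for example `/var/lib/libvirt/dnsmasq/default.conf` on one side and the files under `/etc/dnsmasq.d` on the other.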

I just ran a cursory Google search to see what that could be. I found references to VPN/Wireguard and permissions problems on the configuration files. What are the permissions for the /etc/dnsmasq.d directory and the /etc/dnsmasq.conf file?

```
[briemers@briemers ~]$ ls -laZR /etc/dnsmasq.*
-rw-r--r--. 1 root dnsmasq system_u:object_r:dnsmasq_etc_t:s0 27503 Aug 28 13:41 /etc/dnsmasq.conf

/etc/dnsmasq.d:
total 16
drwxr-xr-x.   2 root dnsmasq system_u:object_r:dnsmasq_etc_t:s0  4096 Aug 28 13:41 .
drwxr-xr-x. 161 root root    system_u:object_r:etc_t:s0         12288 Feb 24 08:20 ..
```

My rabbit hole took me to:

systemd-resolved.service 

In that I found a vpn package that does not work unless this service is running. But installing and running this did not have any effect.

Are you SELinux enforcing?

Edit: None of the 01-pihole.conf files or anything like that in /etc/dnsmasq.d either?

Always. Anything else would be like running Windows with the virus scanner and Windows Defender turned off. It is never a good idea. There have been a few times when I've risked turning it off just to find out if SELinux was the problem.

Nope. That part surprised me too. But maybe the 4.3.3 version doesn't use that file?

I ran the uninstall and install again. Not only is the 01-pihole.conf file back again, but the custom file I created has also been restored.

But pihole-FTL still reports the same error...

```
[root@media1 automated install]# ls -latZ /etc/dnsmasq.*
-rw-r--r--  1 root root    ?                                    24 Feb 24 14:47 /etc/dnsmasq.conf
-rw-r--r--  1 root root    ?                                    24 Feb 24 14:47 /etc/dnsmasq.conf.old

/etc/dnsmasq.d:
total 24
-rw-r--r--    1 root root    ?                                   1404 Feb 24 14:47 01-pihole.conf
drwxr-xr-x.   2 root dnsmasq system_u:object_r:dnsmasq_etc_t:s0  4096 Feb 24 14:47 .
drwxr-xr-x. 164 root root    system_u:object_r:etc_t:s0         12288 Feb 24 14:47 ..
-rw-r--r--    1 root root    ?                                     56 Feb 23 12:57 01-pihole-custom.conf
```

If you run SEL enforcing then you will have to write your own policy files and configure that aspect. We intentionally do not change anything with SEL and have a large notice during installation that says SEL enforce is not supported. I think you actually have to positively confirm that the notice was read?

The configuration files are unlabeled and will not be readable/writable by the daemons. That's most likely why the error occurs, as pihole-FTL cannot use the configurations. The remote peer error comes when you cannot write to the files.

Edit: If you want to check, try labeling the *.conf's to system_u:object_r:dnsmasq_etc_t:s0, may need to make them user objects but the idea is what I'm proposing.

I noticed my first ls -latZ was on the host briemers, the second on media1. So it looks like I ran the command in the wrong terminal window the first time.

I can confirm I did not see such a notice... But it would be a great idea to add one. Generally if I see such a notice, I will simply abort the install, unless it is clear what policy is needed to be added. Just as, if I go to install software on Windows and it tells me to turn off my virus scanner, I abort the install.

But in this case I doubt SELinux is the culprit:

```
[root@media1 automated install]# ausearch -m AVC,USER_AVC -ts recent
<no matches>
```

No actions are being denied. I see why. It looks like I did actually disable it a few yours ago and forgot to re-enable it... So I correct myself. SELinux is not in enforcement mode.

[root@media1 automated install]# ./basic-install.sh 

  [✓] Root user check

        .;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
                 .. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
          ....''',,,,,,,'.......
        .........  ....  .........
        ..........      ..........
        ..........      ..........
        .........  ....  .........
          ........,,,,,,,'......
            ....',,,,,,,,,,,,.
               .',,,,,,,,,'.
                .',,,,,,'.
                  ..'''.

  [✓] Disk space check
  [✓] Update local cache of available packages

  [✓] Checking dnf for upgraded packages... 19 updates available
  [i] It is recommended to update your OS after installing the Pi-hole!

  [i] Installer Dependency checks...
  [✓] Checking for chkconfig

  [i] SELinux mode detected: Disabled
  [i] Using interface: enp0s25
  [i] Using OpenDNS (ECS)
  [i] Static IP already configured
  [i] Found IPv6 GUA address, using it for blocking IPv6 ads
  [i] IPv4 address: 172.31.253.119/22
  [i] IPv6 address: 2001:1970:50ec:b000:3e13:3379:d0ba:7cf7
  [i] Web Interface On
  [i] Web Server On
  [i] Logging On.
  [✗] Check for existing repository in /etc/.pihole
  [✓] Clone https://github.com/pi-hole/pi-hole.git into /etc/.pihole

  [✗] Check for existing repository in /var/www/html/admin
  [✓] Clone https://github.com/pi-hole/AdminLTE.git into /var/www/html/admin

  [i] Main Dependency checks...
  [✓] Checking for php-json
  [✓] Enabling lighttpd service to start on reboot...
  [✓] Creating user 'pihole'

  [i] FTL Checks...

  [✓] Detected x86_64 architecture
  [i] Checking for existing FTL binary...
  [✓] Downloading and Installing FTL
  [✓] Checking for user 'pihole'
  [i] Warning: 'lighty-enable-mod' utility not found
      Please ensure fastcgi is enabled if you experience issues
  [✓] Installing scripts from /etc/.pihole

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf

  [i] Installing blocking page...
  [✓] Creating directory for blocking page, and copying files
  [✗] Backing up index.lighttpd.html
      No default index.lighttpd.html file found... not backing up

  [✓] Installing sudoer file

  [✓] Installing latest Cron script

  [✓] Installing latest logrotate script
  [i] Backing up /etc/dnsmasq.conf to /etc/dnsmasq.conf.old

  [✓] Configuring FirewallD for httpd and pihole-FTL
Warning: ALREADY_ENABLED: http
Warning: ALREADY_ENABLED: dns
success
success
  [✓] man pages installed and database updated
  [i] Testing if systemd-resolved is enabled
  [✓] Disabling systemd-resolved DNSStubListener and restarting systemd-resolved
  [✓] Restarting lighttpd service...
  [✓] Enabling lighttpd service to start on reboot...
  [i] Restarting services...
  [✓] Enabling pihole-FTL service to start on reboot...
  [✓] Restarting pihole-FTL service...
  [✓] Deleting existing list cache
  [i] Pi-hole blocking is enabled
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: mirror1.malwaredomains.com (justdomains)
  [✓] Status: Retrieval successful

  [i] Target: sysctl.org (hosts)
  [✓] Status: Retrieval successful

  [i] Target: s3.amazonaws.com (simple_tracking.txt)
  [✓] Status: Retrieval successful

  [i] Target: s3.amazonaws.com (simple_ad.txt)
  [✓] Status: Retrieval successful

  [i] Target: hosts-file.net (ad_servers.txt)
  [✓] Status: Retrieval successful

  [✓] Consolidating blocklists
  [✓] Extracting domains from blocklists
  [i] Number of domains being pulled in by gravity: 147579
  [✓] Removing duplicate domains
  [i] Number of unique domains trapped in the Event Horizon: 125247
  [i] Nothing to whitelist!
  [i] Number of regex filters: 0
  [✓] Parsing domains into hosts format
  [✓] Cleaning up stray matter

  [✓] Force-reloading DNS service
  [✓] DNS service is running
  [i] Pi-hole blocking will be enabled
  [i] Enabling blocking
  [✓] Reloading DNS service
  [✓] Pi-hole Enabled
  [i] Web Interface password: ........
  [i] This can be changed using 'pihole -a -p'

  [i] View the web interface at http://pi.hole/admin or http://172.31.253.119/admin

  [i] You may now configure your devices to use the Pi-hole as their DNS server
  [i] Pi-hole DNS (IPv4): 172.31.253.119
  [i] Pi-hole DNS (IPv6): 2001:1970:50ec:b000:3e13:3379:d0ba:7cf7
  [i] If you set a new IP address, please restart the server running the Pi-hole

  [i] The install log is located at: /etc/pihole/install.log
Installation Complete!

Are you sure? The debug log you sent me earlier suggests otherwise:

```
*** [ DIAGNOSING ]: Operating system
✓Fedora 31 (Workstation Edition)

*** [ DIAGNOSING ]: SELinux
✓ Default SELinux: disabled
✓ Current SELinux: Disabled
```

SELinux should be permissive or disabled for the project to function properly.
SELinux file contexts displayed with the Z argument to the ls command should not matter when SELinux is not enforcing.

Are you still having this problem? What is the output of the following command from the Pi terminal:

```
sudo netstat -nltup | grep 'Proto\|:53 \|:5053 \|:5353 \|:8953 \|:67 \|:80 \|:471'
```

dnsmasq is handling the requests in this case. Not Pi-hole.

FTL uses the very same dnsmasq config lines as long as

/etc/dnsmasq.conf

points into

/etc/dnsmasq.d

How does

get involved here?

This is not a warning we generate (it is not contained in the source code anywhere), so it seems to come from the system itself masquerading as coming from our process. There is a ton of stuff on the web on this message, however, it always seems to be related to VPN. Just pasting the first result from Google here (not necessarily the right answer to your problem!):

But I see the discussion already moved on and towards a different direction, I thought leaving this here would be beneficial, nonetheless.
