Docker image on Fedora 35 - Ports not binding

Good day folks!

I'm running Docker/Pihole on a Fedora 35 machine. I have several containers running usually in this configuration, but I have stopped and removed all containers besides Pihole for these tests. I am using much of the same configuration I have running on a Raspi zero W on the same network which I have turned off for these tests as well.

version: '3'

services:
  pihole:
    image: pihole/pihole
    container_name: pihole
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "8082:80/tcp"
    volumes:
      - /home/admin/pihole/etc-pihole:/etc/pihole:z
      - /home/admin/pihole/etc-dnsmasq:/etc/dnsmasq.d:z
    environment:
      - TZ
      - WEBPASSWD
      - PIHOLE_DNS_=9.9.9.9;149.112.112.112
      - DHCP_ACTIVE=true
      - DHCP_START=192.168.1.2
      - DHCP_END=192.168.1.200
      - DHCP_ROUTER=192.168.1.1
      - DHCP_rapid_commit=true
    cap_add:
      - NET_ADMIN

I attempted to run the above docker compose file using recommended settings. I have also modified the setting in Settings->DNS->Interface Settings to "Permit All Origins", and enabled DHCP for IPv6 and added in the Quad9 DNS servers for IPv6. My router is set to resolve DNS to the LAN IP address of this machine, and turned off DHCP on said router and enabled it on the Raspi. I also applied the adjustments in this page because Fedora35 also has systemd-resolved, so I wasn't able to get the container to run without that adjustment.

When I run the container with the ports settings in the YML file, I cannot connect to the internet but there is query traffic occurring on the Raspi, but only from the router and localhost. If I disable the Raspi running Pihole on my network as well (which is acting as a fallback DNS resolver), then my server can no longer connect to the WiFi at all. Running lsof on the ports assigned shows that the only things assigned to those ports are pihole-related processes. What I had expected was that I would receive DNS queries from my whole network on the Pihole, and that the server it is running on would be able to connect to the internet through WiFi.

I also tried running the container running with the network mode set to host instead of using ports. Regrettably I saw the same behavior in this case.

Debug Token:

https://tricorder.pi-hole.net/nDdVXXr6/

@bcambl If you find a moment can you look this over?

Here are a few things you can try:

  • try temporarily stopping the firewall on your fedora container host
    sudo systemctl stop firewalld
    
  • allow binding to priv port 53 via sysctl
    echo 'net.ipv4.ip_unprivileged_port_start=53' | sudo tee -a /etc/sysctl.d/pihole.conf  
    sudo sysctl -p /etc/sysctl.d/pihole.conf
    
  • add NET_RAW to your compose cap_add section

I was able to successfully get your compose config to work with the above tweaks.
View my full test notes/script here: pihole in a container with podman on fedora · GitHub

Thank you much for your response. Here's the outcome of applying these configs:

Disabling the firewall led to a most unexpected problem, turns out that whenever I would attempt to restart the container I'd get this curious error:
"Error response from daemon: Cannot restart container pihole: driver failed programming external connectivity on endpoint pihole: (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8082 -j DNAT --to-destination 172.19.0.2:80 ! -i br-dc4544b8b83f: iptables: No chain/target/match by that name."

So for the remaining experiments I left the firewall on, so moving on to the binding via sysctl. In short, I didn't notice any difference in the debug log generated after running this on the Fedora host. I attempted running this step with NET_RAW added and got what appeared to be the same result. For the sake of clarity I also disabled DHCP and am letting my router handle that until the core issue is resolved. Here's a debug token: https://tricorder.pi-hole.net/SaXY2yqM/

It is also worth noting a few bonus details for clarity:

  1. To add to the complexity a bit, quite literally today I changed routers. I don't believe this is a source of the problem but is worth noting anyways.
  2. I am using Docker instead of Podman to run commands; I didn't know about Podman when I started using containerized workflows and haven't changed that workflow yet.

Thanks for your assistance, let me know if you need more information
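Added example, not part of the thread: a small shell script with one check per tweak suggested above (unprivileged-port sysctl, who owns port 53) plus a check for the nat-table DOCKER chain whose absence produces the "No chain/target/match by that name" error. The ss and iptables output it parses is constructed sample data, not captured from the poster's host.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): host-side checks for the Pi-hole-in-
# Docker tweaks discussed above. Each check takes its input as an argument so
# it can be fed live command output or a captured copy.

# Can a capability-limited process bind port 53?  Pass the value of
# `sysctl -n net.ipv4.ip_unprivileged_port_start` (kernel default is 1024).
port53_allowed() {
  [ "$1" -le 53 ]
}

# Print the process name owning each socket on port $1, parsed from
# `ss -lntup` output passed as $2. Returns 1 if nothing listens on that port.
# On Fedora, a "systemd-resolve" hit on 127.0.0.53:53 is the resolved stub.
listeners_on_port() {
  port="$1"; ss_output="$2"
  printf '%s\n' "$ss_output" | awk -v p="$port" '
    BEGIN { re = ":" p "$" }
    $5 ~ re && match($0, /users:\(\("[^"]+"/) {
      print substr($0, RSTART + 9, RLENGTH - 10); found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Is the DOCKER chain present in `iptables -t nat -L -n` output?  Stopping
# firewalld on Fedora flushes it, which breaks port publishing until the
# docker daemon is restarted and re-creates the chain.
docker_nat_chain_present() {
  printf '%s\n' "$1" | grep -q '^Chain DOCKER '
}

# Constructed sample `ss -lntup` output for the demo below.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*    users:(("docker-proxy",pid=1234,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:53        0.0.0.0:*    users:(("docker-proxy",pid=1240,fd=4))
tcp   LISTEN 0      4096   127.0.0.53%lo:53  0.0.0.0:*    users:(("systemd-resolve",pid=800,fd=13))'

# Demo on the sample: prints docker-proxy twice and systemd-resolve once.
listeners_on_port 53 "$SAMPLE_SS"
```

To run against a live host, replace the sample with `"$(ss -lntup)"` and feed `docker_nat_chain_present "$(sudo iptables -t nat -L -n)"`.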

As far as DHCP is concerned, note that a DHCP server can only see same-link clients' broadcasts. So if you are using a Docker network mode that would isolate your Pi-hole container's network from the host running Docker (like Docker's default bridge network), then your clients' broadcasts won't make it to Pi-hole's DHCP server.
See also Docker DHCP and Network Modes - Pi-hole documentation.

If you'd stopped your router's DHCP service while your Pi-hole container would be running in a Docker bridge network, then a client would lose connectivity as soon as its DHCP lease expired, due to lack of a DHCP server's availability on the same link.

That doesn't seem to be the cause of your issue, as running your container in host mode didn't change your observation, but it may still contribute to it.

With regards to IPv6, note that Docker would be strictly IPv4 by default.
(And also, IPv6 is not required for Pi-hole to be operational.)

I feel I fail to understand the significance of the wifi connection.
Does that mean it would work when you configure it on an ethernet connection?

Good to know, I had read through this page but missed that port forwarding alone likely isn't sufficient. I'll have to give some thought on how to approach DHCP since I have a Traefik container running on this same server that I don't want to take off of port 80. If you know of a way to move port 80 elsewhere while allowing the container to run in the host network mode (whether in Docker or Pihole), please let me know!

As for the WiFi, from what I recall neither WiFi nor ethernet worked in this case. I am uncertain if it is relevant or not, but it correlated very strongly with the issue, so I figured I'd mention it in the interests of giving as many leads as possible.

At this point I'm not sure how to proceed. I have been intending to change the operating system on this machine to something more server-oriented because it is currently running Fedora 35 Workstation rather than Fedora 35 Server. Have folks had any issues with any of the Red Hat distros like Fedora CoreOS, Fedora IoT, Fedora Server, CentOS Stream, or RHEL? I'd be interested in knowing if any of these OSes would have any hard-blocking issues that would prevent PiHole from playing nice in a Podman container, especially since I quite enjoy Fedora as a daily-driver OS, so I'd like to stay in that ballpark if possible.

Of course if anybody can find out what the issue is with my current installation that's great too, but if I'm changing out installations anyways I might as well get it over with. Thanks again for the help, I'll be eagerly awaiting replies.