Docker Pi-Hole keeps restarting - error message about sudoers permission

Expected Behaviour:

Docker-compose should run pi-hole in a container

Actual Behaviour:

Pi-hole starts, but something in the startup process blocks it from running and being stable, so it restarts after every few seconds. It looks like a permissions issue but I don't know how to fix it.

No debug token available since pi-hole doesn't run long enough to connect to. Here's the log of the startup process (which repeats over and over if I let it):

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
WARNING Misconfigured DNS in /etc/resolv.conf: Two DNS servers are recommended, 127.0.0.1 and any backup server
WARNING Misconfigured DNS in /etc/resolv.conf: Primary DNS should be 127.0.0.1 (found 127.0.0.11)

nameserver 127.0.0.11
options ndots:0
  [i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u7

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [i] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf...
  [✓] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf
chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
::: Pre existing WEBPASSWORD found
Using default DNS servers: 8.8.8.8 & 8.8.4.4
DNSMasq binding to default interface: eth0
Added ENV to php:
			"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
			"ServerIP" => "0.0.0.0",
			"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
**sudo: unable to open /etc/sudoers: Permission denied**
**sudo: no valid sudoers sources found, quitting**
**sudo: unable to initialize policy plugin**
::: Testing pihole-FTL DNS: [cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I bolded the lines that I think are the problem. Any help would be appreciated. I've tried checking the ownership and permissions settings for docker and sudo and as far as I can tell they're configured correctly (I've followed the steps to add the docker group and give it sudo permissions).

FWIW I do have two other containers running without issue so far, so I'm not sure if this is a pi-hole misconfiguration or something with docker, but my instinct is with the former. I'm happy to share my docker-compose config if that helps, which is very lightly edited from here: GitHub - pi-hole/docker-pi-hole: Pi-hole in a docker container
I plan to configure pi-hole more extensively once I get it up and running properly.

What are your volume mounts?

I hope this is what you're looking for - I'm fairly new to both docker and linux.

I used the defaults from the docker-compose file:

 volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'

The docker-compose.yml file is not on my main drive - I've been trying to get everything docker-related running from a slightly larger drive. It's on a drive I've labeled /media/drive1 (so the full directory is /media/drive1/docker-compose.yml)

Okay, can we get the output from the following, inside the directory you are running docker-compose up from?

ls -lac ./etc-pihole/
ls -lac ./etc-dnsmasq.d/

docker info

And then the contents of the docker compose yaml file, along with the exact docker-compose command you are using to start the composure.

jphilippine@philippine-server:/media/drive1$ ls -lac ./etc-pihole/
total 32
drwxr-xr-x+ 2 systemd-coredump systemd-coredump 4096 May  3 16:03 .
drwxrwxr-x+ 7 root             root             4096 May  3 15:40 ..
-rw-rw-r--+ 1 root             root              313 May  3 15:40 adlists.list
-rw-rw-r--+ 1 root             root              596 May  3 16:03 dns-servers.conf
-rw-rw-r--+ 1 root             root               20 May  3 16:03 localbranches
-rw-rw-r--+ 1 root             root               40 May  3 16:03 localversions
-rw-r--r--  1 systemd-coredump systemd-coredump    0 May  3 16:03 pihole-FTL.conf
-rwxrwxrwx  1 systemd-coredump systemd-coredump    0 May  3 16:03 regex.list
-rw-rw-r--+ 1 root             root              421 May  3 16:03 setupVars.conf
-rw-rw-r--+ 1 root             root              421 May  3 16:03 setupVars.conf.update.bak
jphilippine@philippine-server:/media/drive1$ ls -lac ./etc-dnsmasq.d/
total 12
drwxr-xr-x+ 2 root root 4096 May  3 16:03 .
drwxrwxr-x+ 7 root root 4096 May  3 15:40 ..
-rwxrwxr-x+ 1 root root 1420 May  3 16:03 01-pihole.conf
jphilippine@philippine-server:/media/drive1$
jphilippine@philippine-server:/media/drive1$ docker info
Client:
 Debug Mode: false

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 3
 Server Version: 19.03.8
 Storage Driver: overlay2
  Backing Filesystem: <unknown>
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version:
 runc version:
 init version:
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-28-generic
 Operating System: Ubuntu 20.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.672GiB
 Name: [redacted]
 ID: [redacted] (let me know if you need this)
 Docker Root Dir: /media/drive1/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Here's the command I'm running to launch docker-compose:

docker-compose -f /media/drive1/docker-compose.yml up -d ; docker-compose logs -tf --tail="50" pihole

EDIT: and the yml file

version: "3.6"
services:

  portainer:
    image: portainer/portainer
    container_name: portainer
    restart: always
    command: -H unix:///var/run/docker.sock
    ports:
      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /media/drive1/docker/portainer/data:/data
      - /media/drive1/docker/shared:/shared
    environment:
      - TZ=${TZ}

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=[redacted]
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
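An added helper, not code from the thread or from the Pi-hole project, that applies the checks the maintainers above are doing by eye to `ls -la` output of a bind-mounted config directory: it flags mixed ownership (here between root and the uid the host resolves as systemd-coredump), world-writable files, and entries carrying extra ACLs (the `+` marker). The listing embedded below is constructed from the one posted above, not copied from it.

```python
import re
from collections import Counter

# Constructed sample modelled on the ./etc-pihole/ listing posted in this thread.
SAMPLE_LISTING = """\
total 32
drwxr-xr-x+ 2 systemd-coredump systemd-coredump 4096 May  3 16:03 .
drwxrwxr-x+ 7 root             root             4096 May  3 15:40 ..
-rw-rw-r--+ 1 root             root              313 May  3 15:40 adlists.list
-rw-r--r--  1 systemd-coredump systemd-coredump    0 May  3 16:03 pihole-FTL.conf
-rwxrwxrwx  1 systemd-coredump systemd-coredump    0 May  3 16:03 regex.list
-rw-rw-r--+ 1 root             root              421 May  3 16:03 setupVars.conf
"""

# One `ls -l` line: mode, optional ACL/security flag, links, user, group,
# size, a three-field date, then the name (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})(?P<flag>[+.@ ]?)\s+\d+\s+"
    r"(?P<user>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Parse `ls -la` style output into dicts; skips the total line and . / .. entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        mode = m.group("mode")
        entries.append({
            "name": m.group("name"),
            "user": m.group("user"),
            "group": m.group("group"),
            "acl": m.group("flag") == "+",       # extended ACL present
            "world_writable": mode[8] == "w",    # 'other' write bit
        })
    return entries


def audit_mount(text):
    """Return the findings a maintainer would raise about a bind-mounted config dir."""
    entries = parse_listing(text)
    owners = Counter(e["user"] for e in entries)
    findings = []
    if len(owners) > 1:
        detail = ", ".join(f"{u} ({n})" for u, n in sorted(owners.items()))
        findings.append("mixed ownership: " + detail)
    for e in entries:
        if e["world_writable"]:
            findings.append(f"world-writable: {e['name']}")
        if e["acl"]:
            findings.append(f"extra ACL entries: {e['name']}")
    return findings
```

Run it against the real output with `audit_mount(open("listing.txt").read())` after saving `ls -lac ./etc-pihole/` to a file; a world-writable or mixed-owner file in a DNS server's config directory is worth fixing regardless of whether it is the cause of the restart loop.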

And the contents of the yaml file as well please?

Sorry - submitted the post a bit too quickly. I edited the yml contents into the post above.


Does the error still happen when you use the full path in the volume mounts, and without starting Portainer at the same time?

Hello - thanks for your quick replies yesterday.

I've tried commenting out the portainer entries in the yaml file and adding the full path for the volume mounts. Same results, unfortunately.

This looks very similar to a recent issue with a Docker Pi-hole hosted on OpenMediaVault (OMV 5).

That specific issue could be solved by adjusting the host system's file permissions.


Hi Bucking_Horn,

Thanks, I saw that, but I'm not sure how to actually implement that solution (I'm not even sure exactly what the solution is). That user seemed to have a deeper understanding of permissions than I do. I'd be grateful for any additional information on what files/permissions to modify.

Thanks!

It would help to know what system is hosting your Docker Pi-hole.

Depending on that information, we or some other users may or may not be able to provide specific instructions (To be honest, I wouldn't have a clue if it would be OMV or Synology NAS or the likes).

If you are indeed running OMV as well, feel free to reply to that post I linked, and maybe @Vejv-cz can help you. I think other users would benefit as well if you were able to work out the details.

Sure! I'm running everything on Ubuntu 20.04 LTS (upgraded from 18.04, if that makes a difference).

I haven't tried Ubuntu 20 yet, it's on my list to upgrade. No other previous Ubuntu has had permission security issues out of the box, but it isn't out of the question that this is related to 20 somehow, maybe a new AppArmor+docker issue or something.

Maybe strip down the docker run to just the bare basics and see if it also has the same error:

docker run -it --rm pihole/pihole


And, to be sure, it's not Ubuntu 20 on a virtualized environment or NAS, but bare metal?

@diginc just tried it, same result. Is there an AppArmor log I could look at/share?
@DanSchaper Correct - Ubuntu 20 on bare metal

How was docker installed? Did you use apt or did it install via the Snap store?

Good point, the snap was terrible the one time I tried it and I mentally blocked out that experience.

Make sure you use the official install only... which, now that I glance at it, doesn't say it supports 20.04 yet (it might work anyway with 19.10's instructions and a modified codename though; might need to find a stackoverflow/exchange on that topic).

I originally had docker installed with snap on 18.04. Ran into some issues, removed it, reinstalled using apt and the official install. That helped get a much smoother experience with my other containers (but I hadn't yet tried running pi-hole). Then, wanting to work on the latest LTS release, I updated the OS to 20.04.

Now that I think of it, there was a message about docker not having an image for the 20.04 release yet. I'll keep an eye out for that, and hopefully it'll clear up the issue, and if it does, I'll be sure to come back and post an update. Thank you all for your help!