Home Assistant Docker with Pihole -> DNS error?

I have the following setup, which was running smoothly, but I recently added pihole to the mix:

Debian VM (192.168.178.110) running Docker with:

  • Portainer
  • Home Assistant
  • Pihole

Fritzbox with added local DNS server -> pihole.

Now I tried to update my containers running in portainer with the following command:

ssh root@192.168.178.110 docker run --rm \
    --name WatchTower \
    -v /var/run/docker.sock:/var/run/docker.sock \
    containrrr/watchtower \
    --run-once \
    --cleanup \
    --include-restarting \
    --rolling-restart \
    --include-stopped

... usually it runs fine but now there were some errors ("Could not do a head request", ..):

time="2023-02-17T08:27:57Z" level=info msg="Watchtower 1.5.3"
time="2023-02-17T08:27:57Z" level=info msg="Using no notifications"
time="2023-02-17T08:27:57Z" level=info msg="Checking all containers (except explicitly disabled with label)"
time="2023-02-17T08:27:57Z" level=info msg="Running a one time update."
time="2023-02-17T08:28:17Z" level=warning msg="Could not do a head request for \"containrrr/watchtower:latest\", falling back to regular pull." container=/WatchTower image="containrrr/watchtower:latest"
time="2023-02-17T08:28:17Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:55012->192.168.178.110:53: i/o timeout" container=/WatchTower image="containrrr/watchtower:latest"
time="2023-02-17T08:28:38Z" level=warning msg="Could not do a head request for \"homeassistant/home-assistant:latest\", falling back to regular pull." container=/homeassistant image="homeassistant/home-assistant:latest"
time="2023-02-17T08:28:38Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:52709->192.168.178.110:53: i/o timeout" container=/homeassistant image="homeassistant/home-assistant:latest"
time="2023-02-17T08:28:59Z" level=warning msg="Could not do a head request for \"pihole/pihole:latest\", falling back to regular pull." container=/pihole image="pihole/pihole:latest"
time="2023-02-17T08:28:59Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:58471->192.168.178.110:53: i/o timeout" container=/pihole image="pihole/pihole:latest"
time="2023-02-17T08:29:20Z" level=warning msg="Could not do a head request for \"jlesage/jdownloader-2:latest\", falling back to regular pull." container=/jdownloader2 image="jlesage/jdownloader-2:latest"
time="2023-02-17T08:29:20Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:36953->192.168.178.110:53: i/o timeout" container=/jdownloader2 image="jlesage/jdownloader-2:latest"
time="2023-02-17T08:29:41Z" level=warning msg="Could not do a head request for \"linuxserver/heimdall:latest\", falling back to regular pull." container=/heimdall image="linuxserver/heimdall:latest"
time="2023-02-17T08:29:41Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:52642->192.168.178.110:53: i/o timeout" container=/heimdall image="linuxserver/heimdall:latest"
time="2023-02-17T08:30:02Z" level=warning msg="Could not do a head request for \"deconzcommunity/deconz:latest\", falling back to regular pull." container=/deconz image="deconzcommunity/deconz:latest"
time="2023-02-17T08:30:02Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:59635->192.168.178.110:53: i/o timeout" container=/deconz image="deconzcommunity/deconz:latest"
time="2023-02-17T08:30:24Z" level=warning msg="Could not do a head request for \"linuxserver/resilio-sync:latest\", falling back to regular pull." container=/resilio-sync image="linuxserver/resilio-sync:latest"
time="2023-02-17T08:30:24Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:58646->192.168.178.110:53: i/o timeout" container=/resilio-sync image="linuxserver/resilio-sync:latest"
time="2023-02-17T08:30:45Z" level=warning msg="Could not do a head request for \"eclipse-mosquitto:latest\", falling back to regular pull." container=/mosquitto image="eclipse-mosquitto:latest"
time="2023-02-17T08:30:45Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:58302->192.168.178.110:53: i/o timeout" container=/mosquitto image="eclipse-mosquitto:latest"
time="2023-02-17T08:31:06Z" level=warning msg="Could not do a head request for \"portainer/portainer-ce:latest\", falling back to regular pull." container=/portainer image="portainer/portainer-ce:latest"
time="2023-02-17T08:31:06Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:48851->192.168.178.110:53: i/o timeout" container=/portainer image="portainer/portainer-ce:latest"
time="2023-02-17T08:31:27Z" level=warning msg="Could not do a head request for \"octoprint/octoprint:latest\", falling back to regular pull." container=/octoprint image="octoprint/octoprint:latest"
time="2023-02-17T08:31:27Z" level=warning msg="Reason: Get \"https://index.docker.io/v2/\": dial tcp: lookup index.docker.io on 192.168.178.110:53: read udp 172.17.0.9:46556->192.168.178.110:53: i/o timeout" container=/octoprint image="octoprint/octoprint:latest"
time="2023-02-17T08:31:28Z" level=info msg="Session done" Failed=0 Scanned=10 Updated=0 notify=no
time="2023-02-17T08:31:28Z" level=info msg="Waiting for the notification goroutine to finish" notify=no

But the containers were updated. However, Home Assistant now also throws a bunch of errors in its logs:

2023-02-17 09:37:45.654 WARNING (MainThread) [homeassistant.bootstrap] Waiting on integrations to complete setup: fritz, brother, hacs, mqtt, mobile_app
2023-02-17 09:38:13.134 ERROR (SyncWorker_8) [homeassistant.util.package] Unable to install package addict: WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99cc3a0>: Failed to establish a new connection: [Errno -3] Try again')': /musllinux/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99cc550>: Failed to establish a new connection: [Errno -3] Try again')': /musllinux/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99ccaf0>: Failed to establish a new connection: [Errno -3] Try again')': /musllinux/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99ccca0>: Failed to establish a new connection: [Errno -3] Try again')': /musllinux/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99cce50>: Failed to establish a new connection: [Errno -3] Try again')': /musllinux/
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99cd1b0>: Failed to establish a new connection: [Errno -3] Try again')': /simple/addict/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99cd5d0>: Failed to establish a new connection: [Errno -3] Try again')': /simple/addict/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b9b32fb0>: Failed to establish a new connection: [Errno -3] Try again')': /simple/addict/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99ccbe0>: Failed to establish a new connection: [Errno -3] Try again')': /simple/addict/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7f23b99cc9d0>: Failed to establish a new connection: [Errno -3] Try again')': /simple/addict/
ERROR: Could not find a version that satisfies the requirement addict (from versions: none)
ERROR: No matching distribution found for addict
WARNING: There was an error checking the latest version of pip.

... any ideas?

"/etc/resolv.conf" in the docker vm reads:

domain fritz.box
search fritz.box
nameserver 192.168.178.110 # nameserver = pihole

"nslookup pi.hole" returns:

Server:		192.168.178.110
Address:	192.168.178.110#53

Name:	pi.hole
Address: 192.168.178.110

Now if I:

  • remove pihole under local DNS of the fritzbox
  • reboot docker vm
  • start the watchtower script again, no errors:

time="2023-02-17T10:23:34Z" level=info msg="Watchtower 1.5.3"
time="2023-02-17T10:23:34Z" level=info msg="Using no notifications"
time="2023-02-17T10:23:34Z" level=info msg="Checking all containers (except explicitly disabled with label)"
time="2023-02-17T10:23:34Z" level=info msg="Running a one time update."
time="2023-02-17T10:23:42Z" level=info msg="Session done" Failed=0 Scanned=10 Updated=0 notify=no
time="2023-02-17T10:23:42Z" level=info msg="Waiting for the notification goroutine to finish" notify=no

Environment variable for the pihole container is set:

pihole-FTL.conf setting LOCAL_IPV4=192.168.178.110

Inside pihole ... if I try to Update Gravity (list of blocked domains) it also throws an error:

  [✗] DNS resolution is currently unavailable
  [i] Time until retry: 104

When I open the command line in the pihole container and try "nslookup fritz.box" it also throws that error:

root@pihole:/# nslookup fritz.box
;; reply from unexpected source: 172.17.0.1#53, expected 192.168.178.110#53

;; reply from unexpected source: 172.17.0.1#53, expected 192.168.178.110#53

;; reply from unexpected source: 172.17.0.1#53, expected 192.168.178.110#53

;; connection timed out; no servers could be reached

Ok, digging deeper into the topic ... I changed the port allocations now in portainer from:

...to this:

If I now do an nslookup inside the pihole container it gives correct feedback:

root@pihole:/# nslookup fritz.box
Server:         192.168.178.110
Address:        192.168.178.110#53

Name:   fritz.box
Address: 192.168.178.1

...and gravity updates also work now:

...trying to run watchtower also does not throw an error anymore:

time="2023-02-17T11:48:32Z" level=info msg="Watchtower 1.5.3"
time="2023-02-17T11:48:32Z" level=info msg="Using no notifications"
time="2023-02-17T11:48:32Z" level=info msg="Checking all containers (except explicitly disabled with label)"
time="2023-02-17T11:48:32Z" level=info msg="Running a one time update."
time="2023-02-17T11:48:41Z" level=info msg="Session done" Failed=0 Scanned=10 Updated=0 notify=no
time="2023-02-17T11:48:41Z" level=info msg="Waiting for the notification goroutine to finish" notify=no
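
The two symptoms in the post above, watchtower's "i/o timeout" and nslookup's "reply from unexpected source", both come from the client rejecting a DNS reply whose source differs from the address it queried. The following is an added example, not part of the original thread, that reproduces both on loopback; the function names are hypothetical, and two UDP ports on 127.0.0.1 stand in for 192.168.178.110:53 and 172.17.0.1:53.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: distinct ports here play the role of distinct IPs

def _udp(timeout=0.5):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.bind((LOOPBACK, 0))
    return s

def lookup(reply_from_queried_socket, connected):
    """Send one query and report how the client sees the reply."""
    server = _udp()  # address the client queries (192.168.178.110:53 in the thread)
    other = _udp()   # address a rewritten reply leaves from (172.17.0.1:53 in the thread)
    client = _udp()
    expected = server.getsockname()
    try:
        if connected:
            # Connected UDP socket: the kernel only delivers datagrams from `expected`.
            client.connect(expected)
            client.send(b"query")
        else:
            client.sendto(b"query", expected)
        _, peer = server.recvfrom(512)
        sender = server if reply_from_queried_socket else other
        sender.sendto(b"answer", peer)
        try:
            if connected:
                client.recv(512)
                return "answer"
            _, source = client.recvfrom(512)
        except socket.timeout:
            return "i/o timeout"
        # Unconnected client: the resolver itself compares source with expected.
        return "answer" if source == expected else "reply from unexpected source"
    finally:
        for s in (server, other, client):
            s.close()

if __name__ == "__main__":
    for same in (False, True):
        for connected in (True, False):
            print(f"reply from queried address={same} connected={connected}: "
                  f"{lookup(same, connected)}")
```

Once the reply leaves from the same address the client queried, which is what binding the published port to the host IP achieves in the thread, both client types accept it.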

We recommend NOT running watchtower to auto-update your Pi-hole install.

Read the release notes, decide if the update is something you want to install, then manually update.

Some releases are breaking, and you don't want to wake up to a failed Pi-hole.


https://github.com/pi-hole/docker-pi-hole#note-on-watchtower

Note on Watchtower

We have noticed that a lot of people use Watchtower to keep their Pi-hole containers up to date. For the same reason we don't provide an auto-update feature on a bare metal install, you should not have a system automatically update your Pi-hole container. Especially unattended. As much as we try to ensure nothing will go wrong, sometimes things do go wrong - and you need to set aside time to manually pull and update to the version of the container you wish to run. The upgrade process should be along the lines of:

  • Important: Read the release notes. Sometimes you will need to make changes other than just updating the image
  • Pull the new image
  • Stop and remove the running Pi-hole container
    • If you care about your data (logs/customizations), make sure you have it volume-mapped or it will be deleted in this step.
  • Recreate the container using the new image

Pi-hole is an integral part of your network, don't let it fall over because of an unattended update in the middle of the night.

Yes thanks for the info!

I have daily backups of the NFS volumes mapped to all my docker containers. So I can roll back if necessary and watchtower is only "run once" manually so I make sure I run it when I have time to do damage control ... :wink:

The vital info for me was to map the full pihole IP directly to port 53 (UDP).
