New install QNAP not 100% working, no access to GUI->Settings

Expected Behaviour:

New install on QNAP TVS-471, QTS 4.3.5, Container Station 1.9.35.27
DNS available to LAN on eth1 (not eth0).

All help appreciated.

Actual Behaviour:

Pi-hole is running and blocking sites, activity is showing on the GUI Query Log.
When accessing the GUI Settings I receive a red banner:
Error
There was a problem applying your settings.
Debugging information:
PHP error (2): parse_ini_file(/etc/pihole/setupVars.conf): failed to open stream: Permission denied in /var/www/html/admin/settings.php:11

Reading through debug shows apparent errors with PHP permissions ... ? The docker bridge and container were built with the script below.
Pi-hole process daemons not active ... ?
IPv4 bound to eth0. I don't understand how this works at all looking at the bridge image below, however I when i try docker run with '-e INTERFACE=eth1' i am unable to see pi-hole from the LAN.

Build script:
#!/bin/sh

# pi-hole data persist in current working directory

DOCKER_CONFIGS="$(pwd)"
DOCKER_BRIDGE=pihole-static-bridge
DOCKER_BRIDGE_NIC=eth1
DOCKER_IP=192.168.1.202
DOCKER_PASSWORD=tempblah

# Not using DHCP, not sure if needed but this avoids an error in the run log

# cp ${DOCKER_CONFIGS}/pihole/dhcp.leases.blank ${DOCKER_CONFIGS}/pihole/dhcp.leases

# Create a Static IP 

docker network create \
	-d qnet \
	--ipam-driver=qnet \
	--ipam-opt=iface=${DOCKER_BRIDGE_NIC} \
	--subnet=192.168.1.0/24 \
	--gateway=192.168.1.1 \
	${DOCKER_BRIDGE}

# Create Container
#	-e INTERFACE=${DOCKER_BRIDGE_NIC} \

docker run --name pihole \
	-h PIHOLE \
	-v ${DOCKER_CONFIGS}/pihole/:/etc/pihole/:rw \
	-v ${DOCKER_CONFIGS}/dnsmasq.d/:/etc/dnsmasq.d/:rw \
	-p ${DOCKER_IP}:53:53/tcp \
	-p ${DOCKER_IP}:53:53/udp \
	-p ${DOCKER_IP}:80:80 \
	-p ${DOCKER_IP}:443:443 \
	-e ServerIP=${DOCKER_IP} \
	-e TZ=Australia/Melbourne \
	-e IPv6=False \
	-e WEBPASSWORD=${DOCKER_PASSWORD} \
	--net ${DOCKER_BRIDGE} \
	--ip=${DOCKER_IP} \
	--dns=127.0.0.1 \
	--dns=1.1.1.1 \
	--restart=unless-stopped \
	-d -t -i \
	pihole/pihole:latest

Container networking:

Debug Token:

hv3wryj4lp

docker info reports what? Wondering if container station is older docker and doesn't like the newer images.

Thanks for looking into this.

docker info:
    Containers: 1
     Running: 1
     Paused: 0
     Stopped: 0
    Images: 1
    Server Version: 17.09.1-ce
    Storage Driver: overlay2
     Backing Filesystem: extfs
     Supports d_type: true
     Native Overlay Diff: false
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host macvlan null overlay qnet
     Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
    runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
    init version: 949e6fa
    Security Options:
     seccomp
      Profile: default
    Kernel Version: 4.2.8
    Operating System: QTS 4.3.5 (20181013)
    OSType: linux
    Architecture: x86_64
    CPUs: 4
    Total Memory: 3.742GiB
    Name: NAS054D32
    ID: KOQM:4D6K:FB2B:HV5C:7654:YYGS:FFMU:7DUX:TPXX:47L6:53JD:ZIPQ
    Docker Root Dir: /share/CACHEDEV1_DATA/Container/container-station-data/lib/docker
    Debug Mode (client): false
    Debug Mode (server): true
     File Descriptors: 39
     Goroutines: 44
     System Time: 2018-10-27T06:23:40.420478798+11:00
     EventsListeners: 1
    Registry: https://index.docker.io/v1/
    Experimental: false
    Insecure Registries:
     127.0.0.0/8
    Live Restore Enabled: false

I'm not too concerned about the strange networking since the error is permission denied on a file, lets focus on that.

The customized installation of Container station is not something I'm familiar with and any non default docker install always gives me concerns. Not owning a container station or having seen this exact problem before I'm afraid I'm not much help and can only make guesses.

Permission denied in /var/www/html/admin/settings.php:11 - /var/www, not being a volume, stores all it's data in Docker's root dir. Your docker info reports : Docker Root Dir: /share/CACHEDEV1_DATA/Container/container-station-data/lib/docker - so that directory has some some-folder for container data, and under some container ID folder is probably the /var/www/html/admin/settings.php file.

There maybe some security or permission mechanism in place causing this permission denied. You could try looking into container station forums for similar errors within docker (search generically leaving off paths to files).

If you're comfortable docker try using docker exec -it <pihole_container> bash to jump into the container and poke around looking at permissions and trying to manipulate files by hand after installing vim or something similar.

Here is how it looks from a clean install. Debug token lnab3j6exs

Nether user pihole or www-data appear to have permission to access the pihole directory. I did not have any luck manually changing permissions on /etc/pihole/ &/or setupVars.conf, the admin gui continued to throw up the error parsing /etc/pihole/setupVars.conf.
Which user is active for the GUI process and should have permission?
Is the FTL processes supposed to be running as root:dip?

[/share/appdata/pihole] # docker exec -it piholecon bash
root@PIHOLE:/# cat /etc/pihole/setupVars.conf
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=
IPV4_ADDRESS=192.168.1.202
IPV6_ADDRESS=
WEBPASSWORD=204ce7e2b57299c4bb27d7e300d8601ad4004475494f238e3bfa013a488ebf3d
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
PIHOLE_INTERFACE=eth0
root@PIHOLE:/#
root@PIHOLE:/# ls -la  /etc/pi*
total 7552
drwxr-x---+ 2 pihole pihole    4096 Nov  1 08:37 .
drwxrwxr-x  1 root   root      4096 Nov  1 08:03 ..
-rw-rw----+ 1 root   root        14 Nov  1 07:58 GitHubVersions
-rw-rw----+ 1 root   root       381 Nov  1 07:55 adlists.list
-rw-rw----+ 1 root   root   2948746 Nov  1 07:57 gravity.list
-rw-------  1 root   root   1631979 Nov  1 07:57 list.0.raw.githubusercontent.com.domains
-rw-------  1 root   root    595008 Nov  1 07:56 list.1.mirror1.malwaredomains.com.domains
-rw-------  1 root   root    638705 Nov  1 07:56 list.2.sysctl.org.domains
-rw-------  1 root   root      7199 Nov  1 07:56 list.3.zeustracker.abuse.ch.domains
-rw-------  1 root   root       613 Nov  1 07:56 list.4.s3.amazonaws.com.domains
-rw-------  1 root   root     43642 Nov  1 07:56 list.5.s3.amazonaws.com.domains
-rw-------  1 root   root   1772415 Nov  1 07:56 list.6.hosts-file.net.domains
-rw-rw----+ 1 root   root        43 Nov  1 07:57 local.list
-rw-rw----+ 1 root   root        14 Nov  1 08:30 localbranches
-rw-rw----+ 1 root   root        37 Nov  1 08:30 localversions
-rw-r--r--  1 pihole pihole       0 Nov  1 07:55 pihole-FTL.conf
-rw-r-----+ 1 root   root     36864 Nov  1 08:37 pihole-FTL.db
-rwxrwxrwx  1 pihole pihole       0 Nov  1 07:55 regex.list
-rw-rw----+ 1 root   root       270 Nov  1 07:57 setupVars.conf
-rw-rw----+ 1 root   root       270 Nov  1 07:57 setupVars.conf.update.bak
root@PIHOLE:/# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    192     4 pts/0    Ss+  07:57   0:00 s6-svscan -t0 /var/run/s6/services
root        28  0.0  0.0    192     4 pts/0    S+   07:57   0:00 s6-supervise s6-fdholderd
root       479  0.0  0.0    192     4 pts/0    S+   07:57   0:00 s6-supervise cron
root       480  0.0  0.0    192     4 pts/0    S+   07:57   0:00 s6-supervise lighttpd
root       481  0.0  0.0    192     4 pts/0    S+   07:57   0:00 s6-supervise pihole-FTL
root       483  0.0  0.0  17952  2868 ?        Ss   07:57   0:00 bash ./run
root       485  0.0  0.0  17952  2836 ?        Ss   07:57   0:00 bash ./run
root       486  0.0  0.0  17952  2836 ?        Ss   07:57   0:00 bash ./run
www-data   492  0.0  0.1  75380  6732 ?        S    07:57   0:00 lighttpd -D -f /etc/lighttpd/lighttpd.conf
root       496  0.0  0.7 285300 30648 ?        Sl   07:57   0:00 pihole-FTL no-daemon
root       497  0.0  0.0  27992  2392 ?        S    07:57   0:00 /usr/sbin/cron -f
www-data   515  0.0  0.5 207472 23484 ?        Ss   07:57   0:00 /usr/bin/php-cgi
www-data   527  0.0  0.3 207744 11832 ?        S    07:57   0:00 /usr/bin/php-cgi
www-data   528  0.0  0.2 207744  9880 ?        S    07:57   0:00 /usr/bin/php-cgi
www-data   529  0.0  0.2 207680  8304 ?        S    07:57   0:00 /usr/bin/php-cgi
www-data   530  0.0  0.2 207744  8996 ?        S    07:57   0:00 /usr/bin/php-cgi
root       716  0.0  0.0  18192  3268 pts/1    Ss   08:01   0:00 bash
root      1142  0.0  0.0  36636  2852 pts/1    R+   08:05   0:00 ps aux
root@PIHOLE:/# exit
exit
[/share/appdata/pihole] # docker exec -it -u pihole piholecon bash
pihole@PIHOLE:/$ cat /etc/pihole/setupVars.conf
cat: /etc/pihole/setupVars.conf: Permission denied
pihole@PIHOLE:/$
pihole@PIHOLE:/$ exit
exit
[/share/appdata/pihole] # docker exec -it -u www-data piholecon bash
www-data@PIHOLE:/$ cat /etc/pihole/setupVars.conf
cat: /etc/pihole/setupVars.conf: Permission denied
www-data@PIHOLE:/$
www-data@PIHOLE:/$ exit
exit

Other stuff at least answers the question of eth0 vs eth1, but raises the question of why there is an IP mismatch error in the debug results.
It is possible there is confusion over frame of reference, ie.one test is looking at the container eth0 (192.168.1.202) and another test is looking at the host eth0 (192.168.1.12)?
edit: Similar confusion could explain the blank debug response to pihole processes?

root@PIHOLE:/# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:42:76:3f:cd:3d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.202/24 scope global eth0
       valid_lft forever preferred_lft forever

root@PIHOLE:/# netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.11:35167        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -

Edit follow-up:

Looking further I opened all permissions and still get the parsing error on setupVars.conf, along with errors accessing the long term database.

root@PIHOLE:/# chmod -R 777 /etc/pi*
root@PIHOLE:/# ls -la /etc/pi*
total 7508
drwxrwxrwx+ 2 pihole pihole    4096 Nov  2 14:23 .
drwxrwxr-x  1 root   root      4096 Nov  2 14:11 ..
-rwxrwxrwx+ 1 root   root        14 Nov  2 14:11 GitHubVersions
-rwxrwxrwx+ 1 root   root       381 Nov  2 14:04 adlists.list
-rwxrwxrwx+ 1 root   root   2933646 Nov  2 14:11 gravity.list
-rwxrwxrwx+ 1 root   root      1297 Nov  2 14:11 install.log
-rwxrwxrwx  1 root   root   1606823 Nov  2 14:11 list.0.raw.githubusercontent.com.domains
-rwxrwxrwx  1 root   root    595071 Nov  2 14:11 list.1.mirror1.malwaredomains.com.domains
-rwxrwxrwx  1 root   root    638705 Nov  2 14:11 list.2.sysctl.org.domains
-rwxrwxrwx  1 root   root      7199 Nov  2 14:11 list.3.zeustracker.abuse.ch.domains
-rwxrwxrwx  1 root   root       613 Nov  2 14:11 list.4.s3.amazonaws.com.domains
-rwxrwxrwx  1 root   root     43642 Nov  2 14:11 list.5.s3.amazonaws.com.domains
-rwxrwxrwx  1 root   root   1772415 Nov  2 14:11 list.6.hosts-file.net.domains
-rwxrwxrwx+ 1 root   root        43 Nov  2 14:11 local.list
-rwxrwxrwx+ 1 root   root        14 Nov  2 14:20 localbranches
-rwxrwxrwx+ 1 root   root        37 Nov  2 14:20 localversions
-rwxrwxrwx+ 1 root   root       234 Nov  2 14:11 logrotate
-rwxrwxrwx  1 pihole pihole       0 Nov  2 14:04 pihole-FTL.conf
-rwxrwxrwx+ 1 root   root     24576 Nov  2 14:23 pihole-FTL.db
-rwxrwxrwx  1 pihole pihole       0 Nov  2 14:04 regex.list
-rwxrwxrwx+ 1 root   root       274 Nov  2 14:11 setupVars.conf
-rwxrwxrwx+ 1 root   root       270 Nov  2 14:11 setupVars.conf.update.bak
root@PIHOLE:/# pihole -r

A somewhat similar permission issue came up here :

The fix was a reinstall of container station. QNAP Container station has been hit or miss for several people, I don't know what causes it exactly but they do some special directory / permission setup for docker.

Stock docker is all I have to work with unfortunately so if there are any code fixes that are needed I'll need some direction from community members custom hacking the image (or maybe container station) to see what fixes things.

This may turn out to be one of those Doh!! moments, I realized I have not entered the webpassword anywhere, and cannot find anywhere in the gui to login.
Three different browsers, all take me straight to the gui without login.
Entering a blank password makes no differences to the gui error.

Are you trying to reset the web interface password? Run pihole -a -p

No, simply opening the admin web page there is no prompt to enter a password and I cannot see where to enter the password.

It made me think it was part working due to processes running as root, and part not working due to lack of a password.
This made me try 'pihole -a -p' to blank/remove the password, but this made no difference, I still get the error on the Settings menu from a couple of posts above.

Ok, you don't have a web interface password set, so you don't need to log in. That is not related to the error you are seeing. Have you visited the link @diginc shared?

I think you misunderstood, I do have a password set in the 'docker run' command in the first post, but was not able to enter it anywhere.

Then I tried removing the password with the 'pihole' command, no change to the error.

Yes I looked at the link, I have removed/reinstalled container station and directories several times along the way to clean up after I have manually changed permissions.

The web password rendering is definitely weird but I'm thinking it's confused since it can't even read your settings still most likely.

Do you use volumes on a QNAP folder share for pi-hole's data? Also is it NFS or CIFS? After you ran chmod 777 did you re-try your docker exec test of docker exec -it -u www-data piholecon bash ? That should work for sure and is the crux of our problem having the web interface parse your setupVars.

Sorry for so many questions, I started digging around QNAP forums a bit. This post caught my eye and makes a bit of sense to me.

Pointing a docker volume to a QNAP-NAS shared folder may have permission issues depending on the guest access. I think guest access is roughly equivalent to the last permission bit / other permission which at a minimum has to be read for setupVars.conf.

NAS ACL permission systems may have higher priority than linux file permissions, hence 777 linux perms still resulting in permission denied.

So I'd say make sure guest have at least read priv on your shared folder containing volumes to see if that fixes it.

Another useful command you might have on your QNAP os (but no inside pi-hole container) is getfacl to inspect permissions of your volume folder, or the docker root storage for containers ing eneral (part of your docker info output: Docker Root Dir: /share/CACHEDEV1_DATA/Container/container-station-data/lib/docker)

2 Likes

Your last post sent me in the right direction.
After many false attempts I found this thread write in shared volumes docker - Stack Overflow which was part way there.
The remaining step was to remove ACLs on the QNAP host directory, as they appear to also be propagated into the docker with the bind mount.
Success!! I now get the login screen and subsequent functions, inc donation button :wink:
Thanks very much for your help.

#!/bin/sh

# For installation on QNAP, assuming you do not use these ports for other services
#       free up port 443 by Control Panel -> System -> System Administration -> HTTPS port number=<not_443>
#       free up port 80 by Control Panel -> Applications -> Web Server -> Enable Web Server -> Port number=<not_80>
#       stop redirect of <qnap_ip>:80 to <qnap_ip>:8080 by placing an empty or valid php file at /share/Web/index.php

# pi-hole data persist in current working directory

DOCKER_CONFIGS="$(pwd)"
DOCKER_BRIDGE=pihole-static-bridge
DOCKER_BRIDGE_NIC=eth1
DOCKER_BRIDGE_IP=192.168.1.202
DOCKER_HOST_IP=192.168.1.202
DOCKER_PASSWORD=tempblah

# Open permissions and remove ACL before the bind mount

chmod 777 ${DOCKER_CONFIGS}
setfacl -b ${DOCKER_CONFIGS}

# Create a Static IP

docker network create \
        -d qnet \
        --ipam-driver=qnet \
        --ipam-opt=iface=${DOCKER_BRIDGE_NIC} \
        --subnet=192.168.1.0/24 \
        --gateway=192.168.1.1 \
        ${DOCKER_BRIDGE}

# Create Container
#       -e PH_VERBOSE=1 \

docker run -d \
        -h PIHOLE \
        -p 53:53/tcp \
        -p 53:53/udp \
        -p 80:80 \
        -p 443:443 \
        -e ServerIP=${DOCKER_HOST_IP} \
        -e TZ=Australia/Melbourne \
        -e IPv6=False \
        -e DNS1=1.1.1.1 \
        -e DNS2=1.0.0.1 \
        -e WEBPASSWORD=${DOCKER_PASSWORD} \
        --name piholecon \
        --net ${DOCKER_BRIDGE} \
        --ip=${DOCKER_BRIDGE_IP} \
        --restart=unless-stopped \
        --cap-add=NET_ADMIN \
        --dns=127.0.0.1 \
        --dns=1.1.1.1 \
        -v ${DOCKER_CONFIGS}/pihole/:/etc/pihole/:rw \
        -v ${DOCKER_CONFIGS}/dnsmasq.d/:/etc/dnsmasq.d/:rw \
        pihole/pihole:latest
2 Likes

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.