Pi-hole runs on podman

Hi

I managed to get pi-hole running in podman today. I don't think it will work with podman less than version 2.0.0 and podman-compose less than 0.1.7dev. This is what I'm using today:

$ podman-compose version
using podman version: podman version 2.0.0
podman-composer version  0.1.7dev
podman --version
podman version 2.0.0

$ uname -rsvm
Linux 5.7.2-2-ARCH #1 SMP Tue Jun 16 12:48:51 UTC 2020 aarch64

lighttpd fails to start with the example docker-compose.yml file on the Docker Hub page for pihole:

sudo: getrlimit: Operation not permitted
[...skip ahead...]
2020-06-21 19:30:49: (server.c.970) couldn't get 'max filedescriptors' Operation not permitted 
Stopping lighttpd

Adding privileged: true to the docker-compose.yml appears to be one way to get lighttpd to start. This issue was reported by docker users so it does not appear to be specific to podman.

I think that there should be a way to make it work with fewer added capabilities than the set which is added when --privileged is used, but I have not figured out which ones are needed. I tried adding just --cap-add SYS_RESOURCE but that wasn't enough.

Does anyone have the minimum set of capabilities required to get the container to start?

DISCLAIMER: On my system (which is acting as the LAN gateway), this opens port 53 and port 80 to the public despite my firewalld configuration blocking all external connections. Please don't use this configuration in production!

I was able to get pihole running with podman and systemd with the following service unit in /etc/systemd/system/pihole.service:

[Unit]
Description=Podman pihole.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target

[Service]
Type=simple
User=root
Environment=PODMAN_SYSTEMD_UNIT=%n
EnvironmentFile=/etc/sysconfig/pihole
ExecStartPre=/bin/rm -f %t/container-pihole.pid %t/container-pihole.ctr-id
ExecStart=/usr/bin/podman run --env-file=/etc/sysconfig/pihole --pull=always --cidfile %t/container-pihole.ctr-id --cgroups=no-conmon --replace --name pihole -p ${PIFACE}:53:53/tcp -p ${PIFACE}:53:53/udp -p ${PIFACE}:80:80 -p ${PIFACE}:443:443 -v /etc/pihole/:/etc/pihole/:z -v /etc/pihole/dnsmasq.d/:/etc/dnsmasq.d/:z --dns=127.0.0.1 --dns=9.9.9.9 --hostname ${HOSTNAME} docker.io/pihole/pihole:latest
TimeoutStartSec=30s
TimeoutStopSec=30s
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-pihole.ctr-id
#CapabilityBoundingSet=SYS_RESOURCE NET_ADMIN # this didn't work for me

[Install]
WantedBy=multi-user.target default.target

And my environment file in /etc/sysconfig/pihole (replace pi.hole with your hostname and change the password ofc):

TZ=America/New_York
WEBPASSWORD=password123
DNS1=8.8.8.8
DNS2=9.9.9.9
DNSSEC=true
HOSTNAME=pi.hole
VIRTUAL_HOST=pi.hole
PROXY_LOCATION=pi.hole
ServerIP=192.168.1.1
PIFACE=192.168.1.1

Are any capabilities needed for DHCP server options?

Edit: Oh, this is running as root, not as podman without root?

Yeah, it's running as root. I haven't ventured into rootless territory yet. If you do that then for one, you will have to bind to ports higher than 1024. There's likely to be other problems too.

Also, big disclaimer, I have no idea how it's happening, but when I run this service, it appears to open ports 80 and 53 on the host despite my external firewall zone explicitly blocking everything. I verified with a public port scanning tool that those ports were open. When I stop the pihole service, the port scanner shows nothing, so it's definitely pihole. Thus, I can't recommend the above configuration until I figure out why that's happening.


Got some help from reddit on this one. The issue is that doing -p 53:53 binds to all interfaces. If I specify just the local interface (127.0.0.1), then it won't expose the port externally. Will update the code above accordingly (adding PIFACE environment variable to sysconfig file).
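A quick way to catch the wildcard bind described above before a public port scan does, as an added example (not from the thread or the Pi-hole project): it parses listener lines in the shape `ss -Hltnu` prints and flags any socket whose local address is 0.0.0.0, [::] or *. The listener table below is constructed sample input, so the script runs offline; on a real host pipe `ss -Hltnu` into `wildcard_listeners` instead.

```shell
#!/bin/sh
# Constructed sample mimicking `ss -Hltnu` output (proto, state, recv-q, send-q,
# local addr:port, peer addr:port). TCP 53 and 443 are wildcard-bound (the
# `-p 53:53` mistake), TCP 80 is pinned to the gateway address, UDP 53 to loopback.
SAMPLE='tcp   LISTEN 0 4096 0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0 4096 192.168.1.1:80     0.0.0.0:*
udp   UNCONN 0 0    127.0.0.1:53       0.0.0.0:*
tcp   LISTEN 0 4096 [::]:443           [::]:*
tcp   LISTEN 0 4096 *:8080             *:*'

# Read listener lines on stdin; print "proto port" for every socket whose local
# address is a wildcard, i.e. reachable on every interface regardless of zone.
wildcard_listeners() {
  awk '{
    la = $5
    # split "addr:port" at the LAST colon so IPv6 forms like [::]:443 work too
    n = match(la, /:[0-9]+$/)
    if (n == 0) next
    addr = substr(la, 1, n - 1)
    port = substr(la, n + 1)
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
      print $1, port
  }'
}

# check_ports TABLE PORT...: return 1 if any listed port is wildcard-bound.
check_ports() {
  table=$1; shift
  bad=0
  for p in "$@"; do
    if printf '%s\n' "$table" | wildcard_listeners \
        | awk -v p="$p" '$2 == p { found = 1 } END { exit !found }'; then
      echo "port $p is bound to all interfaces"
      bad=1
    fi
  done
  return $bad
}

# Demonstration on the constructed sample: pihole's service ports.
if check_ports "$SAMPLE" 53 80 443; then
  echo "no wildcard binds on the checked ports"
else
  echo "fix: prefix each -p with the interface address, e.g. -p 192.168.1.1:53:53"
fi
```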

For

This issue was solved. The root cause is major bugs in seccomp (libseccomp) on 64-bit ARM (aarch64) prior to seccomp version 2.4.3.

Did you ever get this fixed?

Yeah, it's running as root. I haven't ventured into rootless territory yet. If you do that then for one, you will have to bind to ports higher than 1024.

False.

To allow non-root to open ports 53, 67, 80 and 443:

$ sudo sh -c "echo 52 > /proc/sys/net/ipv4/ip_unprivileged_port_start"

If you want to see how it works look at the github page

I'd rather run this as rootful. I want it to have its OWN IP address.