I managed to get pi-hole running in podman today. I don't think it will work with podman less than version 2.0.0 and podman-compose less than 0.1.7dev. This is what I'm using today:
$ podman-compose version
using podman version: podman version 2.0.0
podman-composer version 0.1.7dev
podman --version
podman version 2.0.0
$ uname -rsvm
Linux 5.7.2-2-ARCH #1 SMP Tue Jun 16 12:48:51 UTC 2020 aarch64
sudo: getrlimit: Operation not permitted
[...skip ahead...]
2020-06-21 19:30:49: (server.c.970) couldn't get 'max filedescriptors' Operation not permitted
Stopping lighttpd
Adding privileged: true to the docker-compose.yml appears to be one way to get lighttpd to start. This issue was reported by docker users so it does not appear to be specific to podman.
I think that there should be a way to make it work with fewer added capabilities than the set which is added when --privileged is used, but I have not figured out which ones are needed. I tried adding just --cap-add SYS_RESOURCE but that wasn't enough.
Does anyone have the minimum set of capabilities required to get the container to start?
DISCLAIMER: On my system (which is acting as the lan gateway), this opens port 53 and port 80 to the public despite my firewalld configuration blocking all external connections. Please don't use this configuration in production!
I was able to get pihole running with podman and systemd with the following service unit in /etc/systemd/system/pihole.service:
Yeah, it's running as root. I haven't ventured into rootless territory yet. If you do that then for one, you will have to bind to ports higher than 1024. There's likely to be other problems too.
Also, big disclaimer, I have no idea how it's happening, but when I run this service, it appears to open ports 80 and 53 on the host despite my external firewall zone explicitly blocking everything. I verified with a public port scanning tool that those ports were open. When I stop the pihole service, the port scanner shows nothing, so it's definitely pihole. Thus, I can't recommend the above configuration until I figure out why that's happening.
Got some help from reddit on this one. The issue is that doing -p 53:53 binds to all interfaces. If I specify just the local interface (127.0.0.1), then it won't expose the port externally. Will update the code above accordingly (adding PIFACE environment variable to sysconfig file).
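As an added illustration of the point above (this is not code from the thread or from pi-hole/podman), the following POSIX sh helpers audit podman/docker `-p` style port mappings: a spec with no host address such as `53:53` binds every host interface, while `127.0.0.1:53:53` keeps the port on loopback. The function names and the sample specs are constructed for the example.

```shell
#!/bin/sh
# Constructed example: audit "-p"/"ports:" mappings for unintended host exposure.
# Forms handled: "port", "hostport:cport", "ip:hostport:cport", "[ipv6]:hostport:cport",
# each optionally followed by "/tcp" or "/udp".

# host_ip_of SPEC -> prints the host address of the mapping, or 0.0.0.0 when it is
# omitted (which is what the runtime binds to in that case).
host_ip_of() {
    spec=${1%/*}                                   # drop optional /tcp or /udp
    case "$spec" in
        \[*\]:*) printf '%s\n' "${spec%%]*}]" ;;   # [ipv6]:hostport:cport
        *:*:*)   printf '%s\n' "${spec%%:*}" ;;    # ipv4:hostport:cport
        *)       printf '%s\n' "0.0.0.0" ;;        # hostport:cport or bare port
    esac
}

# is_exposed SPEC -> exit 0 if the host side is reachable from other machines,
# i.e. bound to anything other than a loopback address.
is_exposed() {
    case "$(host_ip_of "$1")" in
        127.*|::1|"[::1]") return 1 ;;
        *)                 return 0 ;;
    esac
}

# audit_ports SPEC... -> prints every externally reachable mapping; exit 1 if any.
# Example: audit_ports "53:53/udp" "127.0.0.1:80:80"  -> reports the first only.
audit_ports() {
    rc=0
    for spec in "$@"; do
        if is_exposed "$spec"; then
            printf 'EXPOSED: %s binds host address %s\n' "$spec" "$(host_ip_of "$spec")"
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_ports` over the `ports:` entries of a compose file (or the `-p` arguments in a service unit) before starting the container; a non-zero exit means at least one mapping listens on all interfaces.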
Yeah, it's running as root. I haven't ventured into rootless territory yet. If you do that then for one, you will have to bind to ports higher than 1024.
False.
To allow non-root to open ports 53, 67, 80 and 443:
$ sudo sh -c "echo 52 > /proc/sys/net/ipv4/ip_unprivileged_port_start"