Pihole + Unbound in docker

Hi all, I've been following this guide where I've been re-doing my Pi4B 8GB in docker/portainer:

My understanding is that this creates a "Stack" which contains both unbound and pihole containers.

Essentially, I made it up to the part where you start the pihole container (sudo docker-compose up -d pihole), and I received the following error:

Creating pihole ... error

ERROR: for pihole  Cannot start service pihole: driver failed programming external connectivity on endpoint pihole (da94e9808bcd046e32c4f396db0fea2428d97b1804821c9b9269ac7b12d4491f): Bind for 0.0.0.0:443 failed: port is already allocated

ERROR: for pihole  Cannot start service pihole: driver failed programming external connectivity on endpoint pihole (da94e9808bcd046e32c4f396db0fea2428d97b1804821c9b9269ac7b12d4491f): Bind for 0.0.0.0:443 failed: port is already allocated
ERROR: Encountered errors while bringing up the project.

I do have other containers running, and I believe the 443 port clashes with Deconz/Phoscon:

CONTAINER ID   IMAGE                               COMMAND         CREATED          STATUS                    PORTS                                                                                                     NAMES
957e59bb8e1f   mvance/unbound-rpi:latest           "/unbound.sh"   41 minutes ago   Up 41 minutes             53/tcp, 53/udp, 0.0.0.0:5053->5053/tcp, 0.0.0.0:5053->5053/udp                                            unbound
cf1de4906f43   deconzcommunity/deconz:stable       "/start.sh"     11 hours ago     Up 20 minutes (healthy)   0.0.0.0:80->80/tcp, 5900/tcp, 0.0.0.0:443->443/tcp, 6080/tcp                                              deconz
86ceae69ec71   oznu/homebridge:latest              "/init"         11 hours ago     Up 21 minutes                                                                                                                       homebridge_homebridge_1
3193de7d0272   lscr.io/linuxserver/deluge:latest   "/init"         12 hours ago     Up 21 minutes             0.0.0.0:6881->6881/tcp, 58846/tcp, 0.0.0.0:8112->8112/tcp, 0.0.0.0:6881->6881/udp, 58946/tcp, 58946/udp   deluge
de7cd14d3787   portainer/portainer-ce:latest       "/portainer"    14 hours ago     Up 9 hours                8000/tcp, 9443/tcp, 0.0.0.0:9000->9000/tcp                                                                portainer

I've managed to install the pihole container if I stop the deconz container as a test, but it doesn't fully work. In Portainer it has a state of "Healthy" rather than "Running", and when I go to the expected address - 192.168.1.10:8080, I get a "403 Forbidden" error.

My docker compose file is the following:

version: '3'

networks:
  dns_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.22.0.0/16

services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    networks:
      dns_net:
        ipv4_address: 172.22.0.6
    ports:
    - "53:53/tcp"
    - "53:53/udp"
    - "8080:80/tcp"
    - "443:443/tcp"
    environment:
    - 'TZ=Australia/Sydney'
    - 'WEBPASSWORD=password'
    # Upstream must be Unbound's address on dns_net (its ipv4_address below is
    # 172.22.0.7); 172.20.0.7 is outside the 172.22.0.0/16 subnet defined above.
    - 'DNS1=172.22.0.7#5053'
    - 'DNS2=no'
    volumes:
    - '/home/pi/pihole/etc-pihole/:/etc/pihole/'
    - '/home/pi/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    restart: unless-stopped
  unbound:
    container_name: unbound
    image: mvance/unbound-rpi:latest
    networks:
      dns_net:
        ipv4_address: 172.22.0.7
    volumes:
    - /home/pi/unbound:/opt/unbound/etc/unbound
    ports:
    - "5053:5053/tcp"
    - "5053:5053/udp"
    healthcheck:
      disable: true
    restart: unless-stopped

I did find a similar topic on this previously, but I couldn't quite follow:

Thanks for your help!

There are two containers using the docker host's port 443/tcp. Hence your error. Port 443/tcp is used by the https protocol, to securely access Pi-hole's admin interface.

Solution A

Me? I would remove the pihole service's "443:443/tcp" port. It's conflicting with your other deconzcommunity/deconz container's use of your raspi host's 443/tcp port.

Just use http (insecure web) to administer your Pi-hole service. For example, perhaps you would access your Pi-Hole service at http://raspi.example.com:8080/.

Solution B

If you are intending to securely administer your Pi-hole service... You do have an SSL certificate, probably from Let's Encrypt, for your Pi-hole container, right?

Likely not, as within home networks, that level of Pi-hole security is likely unnecessary. Are you worried about cyber attacks from within your own home network?

In any event, if you insist on using https to more securely administer your Pi-hole service, you could just publish its 443/tcp port to some other docker host (i.e. your raspberry pi) port. Maybe to 8443/tcp? i.e. Change the pihole service's "443:443/tcp" to "8443:443/tcp".

Voila, no more double booking your raspi host's 443/tcp port?

Then you could administer your Pi-hole service at https://raspi.example.com:8443/.

But you also need an SSL certificate for raspi.example.com. You would also have to customize the Pi-hole service to both a) offer https service, and b) use that acquired SSL cert, including managing its renewal. ugh

Final note: There are other ways to solve this problem. E.G. a macvlan docker network. But they are MUCH more complicated. Maybe in a few months, as an advanced exercise, if you want to dive that far into docker?
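The "port is already allocated" error above is Docker refusing to bind a host port that another container has already published. As an added example (not code from the thread, Pi-hole or Docker), the script below does that check before `docker-compose up`: it reads the PORTS column of `docker ps --format '{{.Names}}|{{.Ports}}'` (a real docker flag), keeps only the bindings that actually occupy a host port, and reports which container owns each port a new service asks for. The `docker ps` sample embedded in the script is constructed from the table posted above, the `check_ports.sh` filename and the `PS_OUTPUT` variable are assumptions, and the two port lists mirror the original compose file and Solution B's 8443 remap.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): find host ports that a running
# container has already published before starting a new compose service.
# Usage on a live host (assumed script name):
#   PS_OUTPUT="$(docker ps --format '{{.Names}}|{{.Ports}}')" sh check_ports.sh
# Without PS_OUTPUT set, the constructed sample below (taken from the docker ps
# table posted in the thread) is used, so the script also runs offline.

SAMPLE_PS='unbound|53/tcp, 53/udp, 0.0.0.0:5053->5053/tcp, 0.0.0.0:5053->5053/udp
deconz|0.0.0.0:80->80/tcp, 5900/tcp, 0.0.0.0:443->443/tcp, 6080/tcp
deluge|0.0.0.0:6881->6881/tcp, 58846/tcp, 0.0.0.0:8112->8112/tcp, 0.0.0.0:6881->6881/udp
portainer|8000/tcp, 9443/tcp, 0.0.0.0:9000->9000/tcp'
PS_OUTPUT="${PS_OUTPUT:-$SAMPLE_PS}"

# Host ports the pihole service asks for, as "hostport/proto", mirroring the
# ports: entries of the posted compose file ("8080:80/tcp" binds host 8080).
PIHOLE_PORTS='53/tcp 53/udp 8080/tcp 443/tcp'

# Solution B from the reply above: move the https binding to host port 8443.
REMAPPED_PORTS='53/tcp 53/udp 8080/tcp 8443/tcp'

# in_use_ports: print one "hostport/proto container" line per published binding.
# Only entries of the form "addr:hostport->containerport/proto" occupy a host
# port; a bare "5900/tcp" is merely exposed inside the container.
in_use_ports() {
    printf '%s\n' "$PS_OUTPUT" | awk -F'|' '{
        n = split($2, parts, /, */)
        for (i = 1; i <= n; i++) {
            if (index(parts[i], "->") == 0) continue
            split(parts[i], lr, "->")     # lr[1]="0.0.0.0:443"  lr[2]="443/tcp"
            sub(/.*:/, "", lr[1])         # keep the host port (also for [::]:443)
            sub(/.*\//, "", lr[2])        # keep the protocol
            print lr[1] "/" lr[2] " " $1
        }
    }'
}

# port_conflicts "53/tcp 443/tcp ...": print each requested host port that is
# already published together with the container holding it; exit 1 if any.
port_conflicts() {
    found=0
    for want in $1; do
        owner=$(in_use_ports | awk -v w="$want" '$1 == w { print $2; exit }')
        if [ -n "$owner" ]; then
            echo "$want already published by $owner"
            found=1
        fi
    done
    return $found
}

if port_conflicts "$PIHOLE_PORTS"; then
    echo "no conflicts with the original ports"
fi
if port_conflicts "$REMAPPED_PORTS"; then
    echo "no conflicts after remapping 443 -> 8443"
fi
```

Run against the sample, the first check prints "443/tcp already published by deconz" (the exact clash in the error message) and the second prints no conflicts, which is why both removing the 443 line and remapping it to 8443 work. The check only sees other containers; a port held by a process on the Pi itself would instead show up in `ss -ltnp`.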

This is expected.

The correct URL should use /admin:
http://192.168.1.10:8080/admin

Agreed. There is no need to assign your Pi-hole service host any domain name. With http you can just directly access Pi-hole's admin page by IP address. That is surely keeping it simple.

The link you posted has 3 answers saying almost the same thing:

Note that Pi-hole's UI does not use port 443, only port 80.

As said before, Pi-hole does not require port 443 for its operation at all.

There's no need to bind the host tcp/443 to the container...

Remove the line containing "443:443/tcp" from Pi-hole container.

Thank you - this is a very considerate and kind response. Appreciate your time & effort with responding, and providing multiple solutions.

I will be trying an SSL certificate in the future, but this is for another time.
Edit: looks like I forgot that I set this up years ago on my Asus router which uses Let's Encrypt & has an SSL server certificate active

Yep, that's right - I've had it push me onto the '/admin' page in the past though.

Yes, I knew this was related and relevant, but I couldn't follow it.

Thank you - this is what the thread didn't say! I'm not competent enough to understand a statement and then understand what the required action is. I can however follow an instruction.

I'll give it a whirl and see how I go, thanks everyone

From that topic:

Not sure I follow - are you implying the answer was in the topic?

Either way, it doesn't matter - by removing the 443 port, I was able to get it up and running.

Thanks again everyone.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.