Unable to download blocklist from github from initial setup

Hello everyone,
So I was trying to install Pi-hole using the docker compose file given in the docker-pi-hole repository. The installation works perfectly until it tries to pull different configurations from GitHub, and I don't understand why.
Here are the logs I get in the terminal from running the docker compose:

pihole  | 
pihole  | fatal: unable to access 'https://github.com/pi-hole/pi-hole/': Failed to connect to github.com port 443: Network is unreachable
pihole  | fatal: unable to access 'https://github.com/pi-hole/web/': Failed to connect to github.com port 443: Network is unreachable
pihole  | fatal: unable to access 'https://github.com/pi-hole/FTL/': Failed to connect to github.com port 443: Network is unreachable
pihole  |   Pi-hole version is v5.18.3 (Latest: N/A)
pihole  |   web version is v5.21 (Latest: N/A)
pihole  |   FTL version is v5.25.2 (Latest: N/A)
pihole  |   Container tag is: 2024.07.0

When I ping google.com I can't reach it from the container, so I don't really know what my next step should be. Maybe I've missed something in the configuration, but I don't see what? Also, here is the exact docker compose file that I'm using, if that helps:

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp # Only required if you are using Pi-hole as your DHCP server
      - 80:80/tcp
    environment:
      TZ: Europe/Paris
      WEBPASSWORD: ${WEBPASSWORD}
    # Volumes store your data between container upgrades
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped

I've also tried to get rid of the parts for dhcp since I don't think I'll need it, but it doesn't change anything

The error message shows the issue:

Network is unreachable

Your container can't connect to the Internet.

You need to check if there is a firewall or something else blocking the container access to the internet.

Hey, so I've checked a bit more and yes, my container indeed doesn't have access to the internet, but I can't seem to be able to fix this. For some reason, Docker is generating the /etc/resolv.conf like this:

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
search lan
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [8.8.8.8]
# Overrides: [nameservers]
# Option ndots from: internal

If I understood what I've read so far I shouldn't have this "nameserver 127.0.0.11" if my container is supposed to access the internet ? But then again this file is generated by docker so I don't understand why it isn't doing so correctly, since my host has access to the internet.

So far I tried :

  • Creating the file /etc/docker/daemon.json like so :
{
"dns":["8.8.8.8"]
}

then restarting Docker and installing Pi-hole again, without success.

  • I tried running a docker run command with the "--network=host" and pinging the google ip
docker run --rm --network=host busybox ping -c 2 142.250.186.142

I can't ping it, and I tried different IPs too. So it seems that no container on my server can access the internet.

  • I've also looked this up: https://superuser.com/a/1274161, but on my host machine (Debian 12) the NetworkManager.conf file doesn't have the "dns=dnsmasq" line at all, so I can't do this trick.

I've tried a few things from different posts on forums but nothing worked for me. It's the first time that I've had problems like this with Docker, so I'm totally lost.

This is the default /etc/resolv.conf file for every container, but usually the container works as expected.

If this is not working, probably there is something on the host blocking the container or an issue with your docker installation.

You could try to use the --dns option in your docker run command (with the default bridge network):

docker run --rm --dns=8.8.8.8 ...

I tried running a container using the --dns=8.8.8.8 like you said, it doesn't work either.
I inspected my pihole container and on the network section, this is what I have :

"Networks": {
  "bridge": {
      "IPAMConfig": null,
      "Links": null,
      "Aliases": null,
      "MacAddress": "02:42:ac:11:00:02",
      "DriverOpts": null,
      "NetworkID": "IDISPRESENT",
      "EndpointID": "IDISPRESENT",
      "Gateway": "172.17.0.1",
      "IPAddress": "172.17.0.2",
      "IPPrefixLen": 16,
      "IPv6Gateway": "",
      "GlobalIPv6Address": "",
      "GlobalIPv6PrefixLen": 0,
      "DNSNames": null
  }
}

With this I know that the container ip address is 172.17.0.2. Then I checked the iptables to see if the firewall was blocking this ip, but I don't think it is. Here is the command I used:

 - sudo iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  0    --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (5 references)
target     prot opt source               destination
ACCEPT     6    --  0.0.0.0/0            172.18.0.2           tcp dpt:5001
ACCEPT     6    --  0.0.0.0/0            172.20.0.2           tcp dpt:80
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:53
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:53
ACCEPT     17   --  0.0.0.0/0            172.17.0.2           udp dpt:67
ACCEPT     6    --  0.0.0.0/0            172.17.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  0    --  0.0.0.0/0            0.0.0.0/0
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (5 references)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0
DROP       0    --  0.0.0.0/0            0.0.0.0/0
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

So if I read this correctly, under the section "Chain DOCKER (5 references)" I find the ip of my container, so can I assume that my firewall isn't blocking my container's internet connections ?

Also, now when I reinstall the pihole docker compose, I get this message (which is different from before) and I can't run the update gravity at all anymore:

pihole  | s6-rc: info: service _postFTL successfully started
pihole  |   Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
pihole  | s6-rc: info: service legacy-services: starting
pihole  | s6-rc: info: service legacy-services successfully started
pihole  |   [i] Creating new gravity database
pihole  |   [i] Migrating content of /etc/pihole/adlists.list into new database
pihole  |   [✗] DNS resolution is currently unavailable

I don't know what could block my container on my host machine. I also went over the install process of Docker for Debian once again and I didn't miss any steps.
I'll take any hints you may have, as I'm at a total loss :sob:
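
An added example, not part of the original thread: `iptables -n -L` lists only the filter table, while outbound traffic from a container on the default bridge also depends on the host having a default route, IPv4 forwarding being enabled, and a NAT masquerade rule for the bridge subnet. The script below checks those three prerequisites from command output passed in as text; the function names and the sample data are constructed for illustration, and the subnet 172.17.0.0/16 is taken from the inspect output above.

```shell
#!/bin/sh
# Host-side prerequisites for container egress on a Docker bridge network.
# Every check takes command output as text, so saved output can be analysed offline.

# has_default_route "<output of: ip -4 route show default>"
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# forwarding_enabled "<output of: sysctl -n net.ipv4.ip_forward>"
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# has_masquerade "<bridge subnet>" "<output of: iptables -t nat -S POSTROUTING>"
has_masquerade() {
    printf '%s\n' "$2" | grep -F -- "-s $1 " | grep -q -- '-j MASQUERADE'
}

# egress_verdict <subnet> <route_out> <sysctl_out> <nat_out>
# Prints the first missing prerequisite, or host-prereqs-ok.
egress_verdict() {
    has_default_route "$2"   || { echo "no-default-route"; return 0; }
    forwarding_enabled "$3"  || { echo "ip-forward-off"; return 0; }
    has_masquerade "$1" "$4" || { echo "no-masquerade"; return 0; }
    echo "host-prereqs-ok"
}

# Constructed sample output from a healthy host (not taken from the thread).
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.50 metric 100'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

# Live mode, run as root on the Docker host: sh script.sh --live [subnet]
if [ "${1:-}" = "--live" ]; then
    egress_verdict "${2:-172.17.0.0/16}" \
        "$(ip -4 route show default)" \
        "$(sysctl -n net.ipv4.ip_forward)" \
        "$(iptables -t nat -S POSTROUTING)"
fi
```

A `no-default-route` verdict points at the host's own network setup rather than at Docker, which is also what a failing ping with `--network=host` suggests.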

Hey !
After all of this, I was getting frustrated, so I completely reinstalled the OS on my server, and it works fine. So my assumption is that I totally broke something / something went wrong when I installed my OS the first time.
Sorry for the useless post, and thanks for your help anyway !