Use pihole in `network_mode: host`

Hi guys, I would like to see the client stats on the pihole dashboard and thus tried to use the pihole-unbound-container with the host network. However, after adding `network_mode: host` to the stack, it keeps repeating the following error:

```
lighttpd: no process found
2022-10-22 15:52:07: network.c.369) can't bind to socket: 192.168.178.10:80: Cannot assign requested address
Stopping lighttpd
```

EDIT: This error does not seem to be related to the issue. It disappears if I set `FTLCONF_LOCAL_IPV4` to `127.0.0.1` instead of `192.168.178.10`, although it is supposed to be "Set to your server's LAN IP, used by web block modes and lighttpd bind address". After setting it to `127.0.0.1` the pihole still works with the default network and the container logs no longer show an error with the host network. However, the pihole still won't actually work with the host network and `sudo ss -ltmp` shows that pihole doesn't even bind port 53 or 80.

How do I use pihole-unbound with the host network?


This is the stack I am trying to use (and which works with the default network and open ports):

```yaml
version: '3.0'

volumes:
  etc_pihole-unbound:
  etc_pihole_dnsmasq-unbound:

services:
  pihole:
    container_name: pihole
    image: cbcrowe/pihole-unbound:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAIN_NAME}
    environment:
      - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
      - TZ=${TZ:-UTC}
      - WEBPASSWORD=${WEBPASSWORD}
      - WEBTHEME=${WEBTHEME:-default-light}
      - REV_SERVER=${REV_SERVER:-false}
      - REV_SERVER_TARGET=${REV_SERVER_TARGET}
      - REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN}
      - REV_SERVER_CIDR=${REV_SERVER_CIDR}
      - PIHOLE_DNS_=127.0.0.1#5335
      - DNSSEC="true"
      - DNSMASQ_LISTENING=single
    volumes:
      - etc_pihole-unbound:/etc/pihole:rw
      - etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
    restart: unless-stopped
    network_mode: host
```

Using `network_mode: host` means you are actually using the host ports.

This means the port "80" is already in use (usually means apache or nginx, but could be other web servers or another container).
You need to disable the service to free up this port before starting your container.

First of all: thank you for your help @rdwebdesign!

That's what I thought at first, but no other container uses port 80 and `sudo ss -ltmp` gives me:

```
State                 Recv-Q                Send-Q                               Local Address:Port                                        Peer Address:Port               Process
LISTEN                0                     4096                                       0.0.0.0:42589                                            0.0.0.0:*                   users:(("vpnkit-bridge",pid=2086,fd=9),("com.docker.back",pid=2059,fd=27))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     128                                        0.0.0.0:ssh                                              0.0.0.0:*                   users:(("sshd",pid=839,fd=3))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     128                                      127.0.0.1:ipp                                              0.0.0.0:*                   users:(("cupsd",pid=814,fd=7))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     10                                               *:ms-wbt-server                                          *:*                   users:(("gnome-remote-de",pid=984,fd=14))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     4096                                             *:8000                                                   *:*                   users:(("com.docker.back",pid=2059,fd=123))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     4096                                             *:9443                                                   *:*                   users:(("com.docker.back",pid=2059,fd=122))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     128                                           [::]:ssh                                                 [::]:*                   users:(("sshd",pid=839,fd=4))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
LISTEN                0                     128                                          [::1]:ipp                                                 [::]:*                   users:(("cupsd",pid=814,fd=6))
	 skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
```

EDIT: as explained in the edit of my initial post, the error does not seem to originate from the actual issue. It stops if one sets `FTLCONF_LOCAL_IPV4` to `127.0.0.1`, but this doesn't fix the pihole. :frowning:

The Pi-hole team originally offers purely Pi-hole images only.

As you are running some kind of image combining Pi-hole and unbound, did you consider consulting that image's maintainer yet?

Yes: Use network_mode: host · Issue #175 · chriscrowe/docker-pihole-unbound · GitHub

I only posted here after not getting a response for three days. While another user replied a few hours ago, we have not made any significant progress.

What's the result for the following command, run from your host machine (not from within a container):

```
sudo ss -tulpn sport = 80
```

```
Netid            State            Recv-Q            Send-Q                       Local Address:Port                        Peer Address:Port            Process
```

And if I have the pihole running with the default network:

```
Netid            State             Recv-Q            Send-Q                       Local Address:Port                       Peer Address:Port            Process
tcp              LISTEN            0                 4096                                     *:80                                    *:*                users:(("com.docker.back",pid=2059,fd=134))
```

If I try to use it with the host network, the pihole won't even bind any port.

I do not know what that unofficial image would recommend for constructing or populating its docker-compose file.

When using `network_mode: host`, could you try whether removing `FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}` would allow you to access Pi-hole's UI?

It also doesn't work without the `FTLCONF_LOCAL_IPV4`.

I've just tested the official image `pihole/pihole:latest` (without unbound) and the issue stays exactly the same:

  • no individual clients are shown on the dashboard using the pihole_default-network
  • pihole stops working as soon as `network_mode: host` is added to the stack
  • no ports are bound on the host by the pihole after adding `network_mode: host` to the stack

Hi recursive, did you ever resolve this? I'm facing the same issue with the pi-hole image and after much searching and tweaking I have run out of ideas. Your last comment sums up my situation. I'm on a Raspberry Pi.

Yeah: install only Docker (Engine) (+ Portainer), not Docker Desktop

I had solved this issue after a lot of trial and error. I had installed both Docker (Engine) and Docker Desktop on the computer, expecting the latter to simply be a GUI for Docker. This is not the case. Docker Desktop generates its own containers in a special virtual machine that does not seem to be integrated in the host network. Therefore, I reset the host computer and this time installed only Docker (Engine) and Portainer. And lo and behold, it finally worked as it should.

Did you make the same mistake?

You never said that before.

As you noticed, Docker Desktop runs inside a VM.
Running host network on this environment means the VM is the "host".
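
The distinction described above can be checked from the shell before touching the compose file. This is an added example, not part of the original posts: the function names and the sample `ss` lines are constructed for illustration, and the `--live` branch assumes `docker` and `ss` are installed and that it runs as root so `ss -p` can see process names.

```shell
#!/bin/sh
# Added example (not from the thread): why does a network_mode: host
# container bind nothing on this machine?

# Classify the daemon from `docker info --format '{{.OperatingSystem}}'`.
engine_kind() {
  case "$1" in
    "Docker Desktop"*) echo vm ;;       # daemon lives in Docker Desktop's VM
    "")                echo unknown ;;
    *)                 echo native ;;   # Docker Engine on this kernel
  esac
}

# Read `ss -H -ltnp` lines on stdin and print the process names that
# listen on TCP port $1 (one per line). No output: nothing is bound.
port_owners() {
  awk -v port="$1" '{
    n = split($4, a, ":")               # field 4 = local address:port
    if (a[n] != port) next
    s = $0
    while (match(s, /\("[^"]+"/)) {     # each ("name",pid=..,fd=..) entry
      print substr(s, RSTART + 2, RLENGTH - 3)
      s = substr(s, RSTART + RLENGTH)
    }
  }' | sort -u
}

# Turn engine kind + owners of the port into a one-word verdict.
verdict() {
  case "$1:$2" in
    vm:*)                           echo host-is-desktop-vm ;;
    *:*com.docker.back*|*:*vpnkit*) echo desktop-proxy ;;
    *:)                             echo not-bound ;;
    *)                              echo "bound-by-$2" ;;
  esac
}

# Constructed sample in `ss -H -ltnp` layout, modelled on the thread's output.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=839,fd=3))
LISTEN 0 4096 *:80 *:* users:(("com.docker.back",pid=2059,fd=134))'

if [ "${1:-}" = "--live" ]; then        # run against the real machine
  kind=$(engine_kind "$(docker info --format '{{.OperatingSystem}}')")
  for p in 53 80; do
    echo "port $p: $(verdict "$kind" "$(ss -H -ltnp | port_owners "$p")")"
  done
fi
```

A `host-is-desktop-vm` or `desktop-proxy` verdict means the listener seen on the machine belongs to Docker Desktop's backend, not to the container's own lighttpd or FTL process.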

Yeah. I had not understood that Docker Desktop is not just a GUI for Docker (Engine).

Ok thanks, I was on a Pi so was not using Desktop.

In case someone else stumbles here in my position: I found that I was having the same problem with an attempt of a Home Assistant install, so with a bit more reading and googling I came to the conclusion that something had gone wrong with the docker setup in terms of the sudo access - something was up in that it couldn't make the bindings.

As I was setting up a new Pi I was able to wipe and start again and followed the usual docker install instructions like those written here: Installing Docker on the Raspberry Pi - Pi My Life Up and this time it worked with no issues (64-bit Raspberry Pi OS). For the record, my working compose file for the pihole + unbound was as below. I kept it at a bare minimum and changed the Pi-hole DNS manually once it was running, but of course you may want to add those env settings back in (i.e. `- PIHOLE_DNS_=127.0.0.1#5335`).

```yaml
volumes:
  etc_pihole-unbound:
  etc_pihole_dnsmasq-unbound:

services:
  pihole:
    container_name: pihole
    image: cbcrowe/pihole-unbound:latest
    network_mode: host
    environment:
      TZ: 'Europe/London'
    volumes:
      - etc_pihole-unbound:/etc/pihole:rw
      - etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
```