Just removed everything v5-related from docker and the host, removed the "privileged: true" from docker_compose and did a clean docker pull.
After the pull I tried to add a domain to the whitelist, still getting the error; https://tricorder.pi-hole.net/cufdubt8kd
I see a readonly error in the log.
On this clean install I ran the 2 sql commands;
root@pihole:/# sudo -u pihole sqlite3 /etc/pihole/gravity.db "INSERT INTO domainlist (domain) VALUES ('test.domain1');"
root@pihole:/# sudo -u www-data sqlite3 /etc/pihole/gravity.db "INSERT INTO domainlist (domain) VALUES ('test.domain2');"
Error: attempt to write a readonly database
root@pihole:/#
I see only 1 whitelist test domain in the debug log, despite the 2 commands.
So the readonly error is really preventing it from writing to the database.
Looks like gravity.db is now created with owner pihole;
root@pihole:/etc/pihole# ls -all
total 7088
drwxrwxr-x+ 3 pihole pihole 4096 May 13 07:27 .
drwxrwxr-x 1 root root 4096 May 13 07:18 ..
-rw-r--r--+ 1 root root 14 May 13 07:19 GitHubVersions
-rw-r--r--+ 1 root root 596 May 13 07:18 dns-servers.conf
-rw-rw-r--+ 1 pihole pihole 5189632 May 13 07:23 gravity.db
-rw-r--r--+ 1 root root 1136412 May 13 07:18 list.0.raw.githubusercontent.com.domains
-rw-r--r--+ 1 root root 594672 May 13 07:18 list.1.mirror1.malwaredomains.com.domains
-rw-r--r--+ 1 root root 521 May 13 07:18 list.2.s3.amazonaws.com.domains
-rw-r--r--+ 1 root root 43529 May 13 07:18 list.3.s3.amazonaws.com.domains
-rw-r--r--+ 1 root root 31 May 13 07:18 local.list
-rw-r--r--+ 1 root root 20 May 13 07:20 localbranches
-rw-r--r--+ 1 root root 37 May 13 07:20 localversions
drwxrwxr-x+ 2 root root 4096 May 13 07:18 migration_backup
-rw-r--r-- 1 pihole pihole 0 May 13 07:18 pihole-FTL.conf
-rw-r--r--+ 1 root root 237568 May 13 07:27 pihole-FTL.db
-rw-rw-r--+ 1 root root 445 May 13 07:18 setupVars.conf
-rw-rw-r--+ 1 root root 0 May 13 07:18 setupVars.conf.update.bak
So the privileged line is probably the cause of the root ownerships.
But even though the default ownership is fixed, I still get the readonly errors.
Last thing I did was run "pihole -g -r" and restart the container. Then I tried to add something to the whitelist, still getting the error and here's a log again; https://tricorder.pi-hole.net/l6e5z9yz2p
-rw-r--r-- 1 www-data www-data 277 May 13 18:46 /var/log/lighttpd/error.log
2020-05-13 20:45:14: (log.c.217) server started
2020-05-13 20:46:13: (mod_fastcgi.c.2543) FastCGI-stderr: PHP Warning: SQLite3Stmt::execute(): Unable to execute statement: attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/groups.php on line 507
The docker container should "just work", so this is confusing me here. Just in case he did not see the assignment, I'll ping @diginc to take a closer look at this thread, he is the docker guru!
I am using this version of the container and not seeing any issues.
FWIW my compose file: (though you ignore the traefik labels and probably the dependency on unbound - note I am using macvlan - hence MAC address - also I'm not very good at docker, so there is probably superfluous stuff in there!)
Nothing stood out to me so far. Since no one suggested it, one thing worth attempting is running FTL as non-root (probably need to remove all volume data again for the switch) which we have an env var for:
OK, added "DNSMASQ_USER=pihole" to my compose file, removed everything related to Pihole 5.0 and it makes no difference.
I'm running a reasonable up2date "Ubuntu 20.04" with "Docker version 19.03.6, build 369ce74a3c", could this be a problem?
Maybe other people running Pihole 5.0 on these versions?
Ah, 20.04... the latest ubuntu which is not officially 'docker supported' (as in Docker Inc) yet and untested by myself. There have been a few other negative reports coming in for 20.04.
If it's not above your head, could you attempt querying apparmor for any sort of denies it might be doing in pihole's container?
Apparmor has been my #1 theory for permission issues in Pi-hole docker 20.04
Another easy test to see if it's to blame is to disable docker's apparmor
After applying these settings I ran "sudo aa-status | grep FTL" and it returned nothing.
While without these settings it returned "/usr/bin/pihole-FTL docker-default".
From that I conclude that the settings do what they should do; disable AppArmor for PiHole.
With or without AppArmor disabled, I always get the write to readonly database error.
Also tried dozens of combinations of gid/uid, privileged, dns_masq, nothing is working...
YES....found something.... Don't know if I'm happy with it, but it looks like a start to solve this.
User www-data is causing the problem, looking at the sql statement executed with -u www-data.
So I searched a lot on "docker write permission www-data" and it looks like "www-data" has "troubles" writing to a docker volume/share directory and/or sqlite doesn't like to have a database on a docker volume.
So I unshared the /etc/pihole directory and everything is working like a charm.
If you search on stuff like database on docker volumes you find a load of problems.
Maybe it's an idea to move the database to a different directory?
For what it's worth for now;
xxx@xxx-xxx:/opt/docker$ dpkg -l | grep docker
ii docker-ce 5:19.03.6~3-0~ubuntu-disco amd64 Docker: the open-source application container engine
ii docker-ce-cli 5:19.03.6~3-0~ubuntu-disco amd64 Docker CLI: the open-source application container engine
Have a look at the ACLs of your shared /etc/pihole directory. Your directory listing shows by the + sign at the end of the permissions that ACLs are set. This might prevent docker from having write access.
Is this good or bad and what command should I run to fix it?
Did some fiddling and couldn't find a working solution with ACL.
So I decided to "reset" ACL on the volume dir; sudo setfacl -Rbn /opt/docker/pihole_v5/
So the error "attempt to write a readonly database" was in my case solved by resetting the ACL with this command; sudo setfacl -Rbn /opt/docker/pihole_v5/
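An added example, not part of the thread: when a listing shows the `+` flag, the group column of `ls -l` displays the ACL mask rather than the owning group's entry, so a directory can look group-writable while a group member still cannot write to it. The function below evaluates `getfacl` output for one user in the POSIX ACL check order. The two ACL samples are constructed, not the poster's actual ACLs, and www-data being a member of group pihole is an assumption.

```shell
# Added example. Reads `getfacl` output on stdin and reports whether USER, with
# the given group memberships, gets effective write access (POSIX ACL order:
# owner, named user, owning/named groups limited by mask, then other).
acl_can_write() {  # usage: getfacl PATH | acl_can_write USER "grp1 grp2"
  awk -v user="$1" -v grps="$2" '
    function w(p) { return index(p, "w") > 0 }
    BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) ingrp[g[i]] = 1
            mask = "rwx" }                       # no mask entry: nothing is masked
    /^# owner: / { owner = $3 }
    /^# group: / { ogroup = $3 }
    /^#/ || /^default:/ || /^$/ { next }
    { sub(/[ \t]*#.*/, "")                       # strip "#effective:" annotations
      split($0, f, ":")
      if      (f[1] == "user"  && f[2] == "") uperm = f[3]
      else if (f[1] == "user")                nuser[f[2]] = f[3]
      else if (f[1] == "group" && f[2] == "") gperm = f[3]
      else if (f[1] == "group")               ngroup[f[2]] = f[3]
      else if (f[1] == "mask")                mask = f[3]
      else if (f[1] == "other")               operm = f[3] }
    END {
      if (user == owner) { print (w(uperm) ? "yes" : "no"); exit }
      if (user in nuser) { print (w(nuser[user]) && w(mask) ? "yes" : "no"); exit }
      if (ogroup in ingrp) { hit = 1; if (w(gperm)) ok = 1 }
      for (name in ngroup) if (name in ingrp) { hit = 1; if (w(ngroup[name])) ok = 1 }
      if (hit) { print (ok && w(mask) ? "yes" : "no"); exit }
      print (w(operm) ? "yes" : "no")
    }'
}
# Constructed getfacl output: ls -l would show drwxrwxr-x+ because the group
# column displays the mask, while the owning-group entry itself lacks "w".
ACL_EXTENDED='# file: etc/pihole
# owner: pihole
# group: pihole
user::rwx
user:root:rwx
group::r-x
mask::rwx
other::r-x'
# Constructed output for the same directory with only the base entries.
ACL_BASE='# file: etc/pihole
# owner: pihole
# group: pihole
user::rwx
group::rwx
other::r-x'
# Assumption: www-data is a member of group pihole.
printf '%s\n' "$ACL_EXTENDED" | acl_can_write www-data "www-data pihole"
printf '%s\n' "$ACL_BASE"     | acl_can_write www-data "www-data pihole"
```

SQLite also has to create its journal file next to the database, so run the check against both the directory and `gravity.db`, for example `getfacl /etc/pihole | acl_can_write www-data "www-data pihole"`.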