V5.0 Docker, Whitelist domain, writing to readonly database

PromoFaux · May 13, 2020, 8:07pm

The docker container should "just work", so this is confusing me here. Just in case he did not see the assignment, I'll ping @diginc to take a closer look at this thread, he is the docker guru!

I am using this version of the container and not seeing any issues.

FWIW my compose file: (though you ignore the traefik labels and probably the dependency on unbound - note I am using macvlan - hence MAC address - also I'm not very good at docker, so there is probably superflous stuff in there!)

version: '3.5'
services:

  pihole:
    container_name: pihole
    depends_on:
      - unbound
    image: pihole/pihole:v5.0
    environment:
      - TZ=Europe/London
      - ServerIP=192.168.1.253
      - DNS1=192.168.1.254#53
      - DNS2=no
      - DOMAIN=mydomain.tld
      - HOST_IP=192.168.1.253
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./pihole/resolv.conf:/etc/resolv.conf
      - ./pihole/configs/pihole/:/etc/pihole/
      - ./pihole/configs/dnsmasq.d:/etc/dnsmasq.d/
      # - ./pihole/01-conf-dnsmasq.sh:/etc/cont-init.d/01-conf-dnsmasq.sh
    ports:
      - "53:53/tcp"
      - "67:67/udp" # Uncomment if you want to use Pi-Hole for DHCP
      - "53:53/udp"
    expose:
      - "80"
    mac_address: d0:ca:ab:cd:ef:fe
    networks:
      home:
        ipv4_address: 192.168.1.253
    dns:
      - 127.0.0.1
    cap_add:
      - NET_ADMIN
    restart: always
    labels:
      - traefik.enable=true
      - traefik.docker.network=home
  ##### http
    ### services
      # backend port
      - traefik.http.services.svc_PiholeGui.loadbalancer.server.port=80
    ### middleware
      # redirecting pi.hole
      - traefik.http.middlewares.mdw_RedirectPihole.redirectregex.permanent=true
      - traefik.http.middlewares.mdw_RedirectPihole.redirectregex.regex=^.*pi\.hole(.*)
      - traefik.http.middlewares.mdw_RedirectPihole.redirectregex.replacement=https://pihole.mydomain.tld$$1
      # make sure `/admin` is there
      - traefik.http.middlewares.mdw_AddAdminPath.replacepathregex.regex=^/((?i:(admin)/{0,1}|.{0})(.*))
      - traefik.http.middlewares.mdw_AddAdminPath.replacepathregex.replacement=/admin/$$3
      # pihole chain
      - traefik.http.middlewares.mdw_PiholeChain.chain.middlewares=mdw_RedirectPihole,mdw_AddAdminPath,mdw_SecureHeaders@file
    ### routers
      # pihole dashboard
      - traefik.http.routers.rou_PiholeGui.entrypoints=web-secure
      - traefik.http.routers.rou_PiholeGui.rule=Host(`pihole.mydomain.tld`,`pi.hole`)
      - traefik.http.routers.rou_PiholeGui.tls=true
      - traefik.http.routers.rou_PiholeGui.tls.options=default
      - traefik.http.routers.rou_PiholeGui.middlewares=mdw_PiholeChain
      - traefik.http.routers.rou_PiholeGui.service=svc_PiholeGui
  ##### tcp
    ### services
      # backend port
      - traefik.tcp.services.svc_PiholeDns.loadbalancer.server.port=53
    ### routers
      # DoT forward
      - traefik.tcp.routers.rou_PiholeDot.entrypoints=dot
      - traefik.tcp.routers.rou_PiholeDot.rule=HostSNI(`dot.mydomain.tld`)
      - traefik.tcp.routers.rou_PiholeDot.tls=true
      - traefik.tcp.routers.rou_PiholeDot.tls.certresolver=le
      - traefik.tcp.routers.rou_PiholeDot.tls.options=default
      - traefik.tcp.routers.rou_PiholeDot.service=svc_PiholeDns

  unbound:
    container_name: unbound
    image: mvance/unbound:latest
    hostname: syn-unbound
    mac_address: d0:ca:ab:cd:ef:ff
    ports:
      - 53/tcp
      - 53/udp
    networks:
      home:
        ipv4_address: 192.168.1.254
    restart: always

networks:
  home:
    external: true

diginc · May 13, 2020, 8:29pm

Nothing stood out to me so far. Since no one suggested it one thing worth attempting is running FTL as non-root (probably need to remove all volume data again for the switch) which we have a env var for:

- DNSMASQ_USER=pihole

can be added to your environment: section - details in readme

This has NOT been necessary for my fairly similar stock setup in docker-compose - no Portainer though.

Freemann · May 13, 2020, 9:18pm

ok add "DNSMASQ_USER=pihole" to my compose file, removed everything related to Pihole 5.0 and it makes no difference.
I'm running a reasonable up2date "Ubuntu 20.04" with "Docker version 19.03.6, build 369ce74a3c", could this be a problem?

Maybe other people running Pihole 5.0 on these versions?

diginc · May 13, 2020, 9:36pm

ah 20.04...the latest ubuntu which is not officially 'docker supported' (as in Docker Inc) yet and untested by myself. There have been a few other negative reports coming in for 20.04.

If its not above your head could you attempt querying apparmor for any sort of denies it might be doing in pihole's container?

Apparmor has been my #1 theory for permission issues in Pi-hole docker 20.04

Another easy test to see if its to blame is disable docker's apparmor

juha · May 14, 2020, 6:52am

Same problem here:

Running pihole/pihole:latest (armhf) inside OMV4 on Armbian-Stretch (Debian based). AppArmor not running.

Freemann · May 14, 2020, 11:35am

this morning tried a lot of stuff as on uid/uid vars, privileged, aa stuff, dns_masq, etc. etc.

Tried to disable AA with these settings;

    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined

After applying these settings I ran "sudo aa-status | grep FTL" and it return nothing.
While without these settings it returned "/usr/bin/pihole-FTL docker-default".

without sec.opt;

xxx@xxxx-xxx:/opt/docker$ sudo aa-status | grep FTL
   /usr/bin/pihole-FTL (119821) docker-default
xxx@xxxx-xxx:/opt/docker$

with sec.opt;

xxx@xxxx-xxx:/opt/docker$ sudo aa-status | grep FTL
xxx@xxxx-xxx:/opt/docker$

From that I conclude that the settings do what the should do; disable AppArmor for PiHole.
With or without AppArmor disabled, I always get the write to readonly database error.
Also tried dozens of combination on gid/uid, privileged, dns_masq, nothing is working...

I'm lost here..........

diginc · May 14, 2020, 2:04pm

Thanks for trying, I'll setup a 20.04 VM tonight to try to reproduce the problem.

Is this using the docker.io package? I think most people on 20.04 are using that but there is an alternative of trying to install bionic official docker on focal, though I haven't personally tried.

To help me setup the environment can you share your package name/version? dpkg -l | grep docker

The only other long shot idea I had is disable volumes completely (comment out) to see if removing the host FS volume solves this.

Freemann · May 14, 2020, 2:08pm

YES....found something.... Don't know if i'm happy with it, but its looks like a start to solve this.
User www-data is causing the problem looking at the sql statement executed with -u www-data.
So I search a lot on "docker write permission www-data" and looks like "www-data" has "troubles" to writing to a docker volume/share directory and/or sqlite don't like to have a database on a docker volume.
So I unshared the /etc/pihole directory and everything is working as a charme.

If you search on stuff like database on docker volumes you find a load of problems.

maybe its an idea to move the database to a different directory?

For what its worth for now;

xxx@xxx-xxx:/opt/docker$ dpkg -l | grep docker
ii  docker-ce                                     5:19.03.6~3-0~ubuntu-disco                  amd64        Docker: the open-source application container engine
ii  docker-ce-cli                                 5:19.03.6~3-0~ubuntu-disco                  amd64        Docker CLI: the open-source application container engine

juha · May 14, 2020, 6:45pm

Solved my problem by adjusting the ACLs to default:group:rwx for the shared directory and all files inside. They were set so default:group::rx before.

@Freemann

Have a look at the ACLs of your shared /etc/pihole directory. Your directory listing shows by the + sign at the end of the permissions that ACLs are set. This might prevent docker to have write access.

Freemann · May 14, 2020, 7:13pm

I already tried that with a "chmod -R 777 /etc/pihole".
After a restart of the docker container it resets the acl.

Tried the chmod from the host on the volume and inside the docker container. Didn't fixed it for me.

DanSchaper · May 14, 2020, 7:16pm

Try getfacl instead.

Freemann · May 14, 2020, 7:29pm

What should i run, in which environment, on which did?

juha · May 14, 2020, 9:25pm

Look at the ACLs of your host environment. Try "getfacl your_path_to_the_docker_shared_folder"

chmod won't fix ACL settings.

Freemann · May 15, 2020, 5:26am

ok, thats "a new one for me" and here the result;

xxx@xxx-xxx:/opt/docker/pihole_v5$ getfacl /opt/docker/pihole_v5
getfacl: Removing leading '/' from absolute path names
# file: opt/docker/pihole_v5
# owner: root
# group: root
user::rwx
group::r-x
group:docker:rwx                #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:docker:rwx
default:mask::rwx
default:other::r-x

Is this good or bad and what command should I run to fix it?

Did some fiddeling and couldn't find a working solution with ACL.
So I decided to "reset" ACL on the volume dir;
sudo setfacl -Rbn /opt/docker/pihole_v5/

This fixed it for me

@juha thanks for helping!!

Freemann · May 16, 2020, 6:58am

So the error "attempt to write a readonly database" was in my case solved by resetting the ACL with this command;
sudo setfacl -Rbn /opt/docker/pihole_v5/

Hopefully it helps others with the same problem.

Thanks all for helping!

system · June 6, 2020, 6:59am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.