V6 on Docker: FTLCONF_webserver_api_password support secrets

fhughes90 · February 20, 2025, 2:30pm

Expected Behaviour:

I am running Pihole in a docker instance. I upgraded to v6 this morning and having trouble with FTLCONF_webserver_api_password. I expected this variable to support secrets so I don't have to include my password in the compose.yaml. Previously, this worked having these variables set in my compose.yaml

WEBPASSWORD:
WEBPASSWORD_FILE: /opt/pihole/secrets/admin_pw.txt

-operating system: Raspberry Pi OS Bookworm (Debian 12)
-hardware: RPi4

Actual Behaviour:

After upgrading to v6 and launching the admin interface for the first time, I get an error for password. Here is my new environment section in my compose.yaml

TZ: American/New_York
FTLCONF_weserver_api_password: /opt/pihole/secrets/admin_pw.txt
FTLCONF_dns_listeningMode: 'all'

Debug Token:

https://tricorder.pi-hole.net/JQM2o79t/

rdwebdesign · February 20, 2025, 7:35pm

There is no replacement for WEBPASSWORD_FILE and I'm not sure if the compose file allows to use an external file like you are trying.

Compose files can use .env files to store environment variables.

Try adding a file called .env on the same directory where your compose file is.
Then add something like this in the file:

PASSWORD=My_Password_1234

Now change your compose file to use the variable, like this:

FTLCONF_weserver_api_password: "${PASSWORD}"

fhughes90 · February 21, 2025, 2:15am

Thank you for the detailed guidance! This worked!

axelbd · February 23, 2025, 6:20pm

Hello, from my understanding this workaround isn't equivalent from a security point of view. Ability to use Docker Swarm secrets is a must have for me. I'd really like to see this security feature in PiHole v6 as it worked in v5 please.

Other breaking changes about using PiHole in Docker were really well documented and this went smoothly for me so a big thanks for your work
Best regards

Other references :

github.com/pi-hole/docker-pi-hole

Support docker secrets for web password

dev ← lightswitch05:feature/support-docker-secrets-for-web-password

ouvert 05:43PM - 26 Feb 20 UTC

lightswitch05

+9 -0

Support docker secrets for web password. ## Description This is the init…ial implementation for #556. I wanted to go ahead open a pull request to start discussions about the changes before I spent too much time with tests and documentation. * If `WEBPASSWORD` is set, `WEBPASSWORD_FILE` is ignored. * If `WEBPASSWORD` is empty, and `WEBPASSWORD_FILE` is set to a valid readable file path, then `WEBPASSWORD` will be set to the contents of `WEBPASSWORD_FILE`. TODO: - [ ] Discuss changes with pihole team - [ ] Update documentation - [ ] Add tests for `WEBPASSWORD_FILE` Example using with Docker Secrets: ```yaml version: "3.3" services: pihole: container_name: pihole image: pihole/pihole:latest network_mode: "host" environment: WEBPASSWORD_FILE: '/run/secrets/pihole_webpw' secrets: - pihole_webpw # Volumes store your data between container upgrades volumes: - './etc-pihole/:/etc/pihole/' - './etc-dnsmasq.d/:/etc/dnsmasq.d/' dns: - 127.0.0.1 - 1.1.1.1 secrets: pihole_webpw: file: my_file_secret.txt ``` ## Motivation and Context This implements request #556 ## How Has This Been Tested? Manually tested at the moment. Need to add actual tests once there has been some discussions on the implementation. ## Types of changes - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) ## Checklist: - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [ ] I have updated the documentation accordingly.

github.com/pi-hole/docker-pi-hole

Support for Docker Secrets

ouvert 06:39AM - 15 Jan 20 UTC

fermé 06:02PM - 16 Jan 22 UTC

nicedevil007

Submitter Attention Required

Hey guys, I'm using your docker pihole deployment with a docker swarm environ…ment. I setup a docker secret with a webpassword "test1234". Then I added everything as described in docker guides to use this docker secret and the service starts without any error. Unfortunately the webpassword isn't the same as I entered in this secret. The WebGUI always tells me that the password is wrong. I guess there is no support for it right now. So this should be understood as an improvement/enhancement <3 Thank you all in advance. EDIT: forgot to post my docker-compose.yml ``` version: '3.1' services: pihole: hostname: pihole image: pihole/pihole:latest ports: - 53:53/tcp - 53:53/udp - 67:67/udp - 443:443/tcp - 80:80/tcp network_mode: 'host' environment: TZ: 'Europe/Berlin' IPv6: 'False' DNSMASQ_USER: 'pihole' WEBPASSWORD: /run/secrets/pihole_webpw secrets: - pihole_webpw volumes: - pihole:/etc/pihole - dnsmasq:/etc/dnsmasq.d - theme:/var/www/html/admin/style/vendor dns: - 127.0.0.1 - 192.168.1.1 restart: unless-stopped cap_add: - NET_ADMIN volumes: pihole: dnsmasq: theme: secrets: pihole_webpw: external: true ``` ![grafik](https://user-images.githubusercontent.com/17103076/72412296-4530a400-376d-11ea-959a-0d0852727a02.png)

rdwebdesign · February 23, 2025, 6:24pm

You can use the env_file attribute:

PromoFaux · February 23, 2025, 6:27pm

I don't think it was dropped on purpose.

The image for V6 was entirely built from scratch - so it might just be that I missed it while developing. Nobody had mentioned it throughout the beta (or I'm really bad at paying attention!!)

But, I'll look into it - it shouldn't be too difficult to add back in

axelbd · February 24, 2025, 7:20pm

Just tested pihole/pihole:development image, seems ok to me, I've been able to set the password with a secret.

[i] Setting FTLCONF_webserver_api_password from file
[i] Assigning password defined by Environment Variable

Thank you very much.
Are you planning to harmonize the name of the parameter with your new naming convention? Something like FILE_xxx or xxx_FILE (xxx being FTLCONF_webserver_api_password) maybe?

PromoFaux · February 24, 2025, 9:58pm

I thought about this - but what I was trying not to do was to confuse it with an actual setting for FTL - as it is handled separately.

I'll mull it over some more

HenkskeforGH · March 10, 2025, 5:16pm

Any update for the _FILE implementation?

PromoFaux · March 10, 2025, 5:40pm

https://docs.pi-hole.net/docker/configuration/#webpassword_file-example

HenkskeforGH · March 13, 2025, 2:35pm

Thanks for this.
I will play around with it, because at the moment all all my input is being ignored. Even when completely removing the container and volumes. But i expect this is my issue:)
- WEBPASSWORD=
- WEBPASSWORD_file=/run/secrets/pihole
- WEBPASSWORD_FILE=/run/secrets/pihole
- WEBPASSWORD=$WEBPASSWORD

[i] No password set in environment or config file

PromoFaux · March 13, 2025, 5:17pm

I'd suggest reading the docs, it's described in there exactly how to set the password . Here is the complete section about setting the web password, which covers just the password via environment variable, and also the docker secrets method I linked directly to before.

Effective3792 · March 14, 2025, 12:12am

Heads up, I was also setting this up just now and stumbled on a slight issue in that documentation.

It seems like the WEBPASSWORD_FILE environment variable is case sensitive. It is correctly written in all caps everywhere on that page except the example compose file at the bottom of the page, where it is written as WEBPASSWORD_file. My password was not being read with the lowercase _file variable name, but started working once I switched it to all caps.

It's relatively easy to spot and correct while troubleshooting, but still a bit of a snag if someone was following the documentation line for line.

rdwebdesign · March 14, 2025, 1:04am

In docker-pi-hole repository, the README file shows the correct name:

~~I can confirm the Docs page is wrong. I will fix it.~~

Docs page is already fixed.