PiHole on docker using networked (CIFS) volumes fails to initialize the gravity DB #750
Comments
I had a similar problem with ACLs on OpenMediaVault. The gravity DB was in read-only mode. By default the pihole user ID inside the container is 999 and the pihole group has another ID. This might be a partial solution for your case. At startup, I think the gravity and pihole-ftl databases are created by root. Docker Pi-hole might need further modifications to have the databases created and written by a specific user.
I created an issue for something similar just yesterday, #749. I am using s3fs to mount S3 buckets. It would be great if there was documentation on the user IDs and group IDs used, as this would help with setting up the right permissions for the mounted folders. @edgd1er, can you point to where the users are created for the docker container? I tried looking but couldn't find it.
@muzzah, this is the script I created in my own version of docker-pihole, which is 99% based on pihole sources. There are minor changes like redirection of logs to container stdout and user uid/gid changes. There was previously a fix for REV_SERVER_VARS and an upgrade to the latest S6 version. You may have to adapt the script to fit your needs. As @DL6ER says, there are 3 different users running scripts in the container: root, www-data and pihole. The script fixes 2 problems, pihole-owned files and www-data-owned files, by setting a UID and GID taken from environment variables and adding www-data to the pihole group. Root-owned/executed files are not changed. As pihole-FTL needs a port lower than 1024, root privileges are needed. A single user seems difficult to fit all roles.
I ended up just getting rid of my S3 buckets. I don't understand why there have to be 3 users here and why there can't just be one; you are in a container after all, why not just set up one user and use that? Btw, you can override user IDs in docker containers by using the --user argument or the user: field in docker compose. Though this also has its quirks.
I tried setting the docker user to root/0 and it still didn't work 😞
Because Pi-hole isn't meant to run only inside Coming back to the question: We use three users because this is meaningful: Personally, I think this is how all the daemons on whatever operating system should work, but this is rarely (if ever) found anywhere. Imagine a buffer overflow with remote code execution flaw in some I know that
Thanks for the explanation @DL6ER. Though, even though I am now using local disk for bind mounts, I am still seeing
and I had to downgrade from the latest tag to even be able to add block lists. There are indeed some permission problems, I believe, with the latest release, as I could not use pihole due to some sqlite db errors. Teleporting also does not work in the latest tag.
Yeah, it is indeed possible that CIFS/SMB doesn't work, as Pi-hole expects to be installed on Linux and implicitly expects permissions to work. I haven't ever tried installing Pi-hole on a filesystem that does not support permissions myself, so I cannot comment much. However, I know some people succeeded in installing Pi-hole in this Windows-embedded Linux Subsystem (if that is how this thing is called) and they were able to use Pi-hole (almost?) with no adaptations. Maybe they have some input for you; pinging @PromoFaux, who experimented with this IIRC. What is the file system on your disk?
I cannot really say where the empty filenames are coming from, however, the warning about the
@DL6ER - thanks for your time/response, and personally I think it's great to default to the safe daemon-on-host model, especially for a project that is many people's first intro into this world, and I've spent enough of my life lecturing people not to run services as root 😅 But it can be useful to specify the UID/GID to use for the processes even if not root and when run outside a VM/container (and as can be seen by #328 I'm not the only one who could benefit from this). I mount the docker volume with an unprivileged user and have done my best to set containers to run processes as that UID/GID (which is unique to docker), running 17, and while some end up as root, pihole is the only one that I wasn't able to coax into working.

FWIW this is a pretty unique edge case with networked CIFS on a Linux host, as it's this combination of OS/protocol that mounts the volume as a single UID/GID, and so far it doesn't seem worth the hassle to set up NFS or mount the share as 777 just for this one container .. yet 🙃 I presume it worked in WSL? (1 and 2 are quite different) as I think Microsoft just hand-waves permissions away, very much their style. While I work with Azure daily I haven't owned a Windows computer for ages.

Feel free to close this as #328 would solve my problem. Honestly I just threw it on a local volume with a cron to shut it down and copy it to where I want weekly, works just fine! I don't think there is much else to it other than pihole using a fixed UID/GID. Would you accept a PR to expose those properties? (and any guidance on what would be involved?) I'm still moving services over to docker but if pihole is the only one that ends up local I might just try and add it hah

@muzzah - care to share your compose? The latest version worked just fine on a local path for me; make sure the docker user matches the owner of the mount point, or run the container as root. Also wrt the networked S3 volume, did you try to set the mount to be 0777 so all users could write to it?
I DO NOT recommend this as it is terrible security, but if it's just your pihole data maybe it's ok. A quick google found me:
Oh, we have some facility to achieve this, but I'm not so sure if they are what you need. Before trying anything new, you may first want to try to modify the values in
This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.
As of now this is still an issue for me: I have been unable to get docker pihole to work on network mounts. Can I please have this issue reopened?
I have solved this by just adding "Everyone" with write permissions and "Admin" and the admin group with full access to my SMB share. If it's of any help, I could drop my fstab, too. Edit: this is the line in my fstab:
Maybe the 'nobrl' parameter prevents database locks.
I too have been having major frustration trying to get Pi-hole to work on a Samba share on the host. The nobrl Samba mount option seems to fix it for me.
Same here regarding a Synology NAS, CIFS-mounted docker volumes, and pihole having permission issues/locked databases upon attempting to update gravity. Just as @madnuttah and @firewire10000 said, the "nobrl" option being passed when specifying the mount in my compose file seemed to fix this. Thanks folks!
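Why `nobrl` helps, and how to check a mount before pointing Pi-hole at it (added example, not code from this thread or from the Pi-hole project): SQLite's Unix VFS, which gravity.db and pihole-FTL.db depend on, takes POSIX byte-range locks with fcntl(). mount.cifs documents `nobrl` as "do not send byte range lock requests to the server"; without it those lock requests are forwarded to the SMB server and can be refused, which is what surfaces as "database is locked" or read-only errors even though the files are writable. The script below does two things: it scans /proc/mounts-format text for CIFS/SMB mounts that lack `nobrl`, and it attempts the same kind of lock SQLite needs on a scratch file in a given directory. The mounts text is a constructed sample, not taken from the issue. Caveat a practitioner should keep in mind: with `nobrl` the kernel satisfies locks locally, so two hosts writing the same database through the share would no longer be protected from each other; run only one Pi-hole instance against that directory.

```python
"""Check whether a directory behaves the way SQLite (and so Pi-hole) expects.

Added example for this issue thread; not part of Pi-hole or docker-pi-hole.
"""
import fcntl
import os
import tempfile

# Constructed sample in /proc/mounts format (not from the issue report).
# Field order: source, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
//nas.local/docker /mnt/docker cifs rw,relatime,vers=3.0,cache=strict,uid=1000,gid=1000,file_mode=0755,dir_mode=0755 0 0
//nas.local/media /mnt/media cifs rw,relatime,vers=3.0,nobrl,uid=1000,gid=1000 0 0
192.168.1.5:/export /mnt/nfs nfs4 rw,relatime 0 0
"""

CIFS_TYPES = ("cifs", "smb3")


def cifs_mounts_without_nobrl(mounts_text):
    """Return mount points of CIFS/SMB mounts whose option list lacks 'nobrl'.

    Only the fstype and option fields are inspected; the mount point is
    returned exactly as /proc/mounts shows it (spaces are octal-escaped there).
    """
    flagged = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point, fstype, options = fields[1], fields[2], fields[3].split(",")
        if fstype in CIFS_TYPES and "nobrl" not in options:
            flagged.append(mount_point)
    return flagged


def probe_byte_range_lock(directory=None):
    """Try to take and release a POSIX byte-range lock on a scratch file.

    SQLite's unix VFS locks databases with fcntl(F_SETLK); fcntl.lockf() is
    Python's wrapper around that call. On a CIFS mount without 'nobrl' this
    is the step that fails even when plain reads and writes succeed.
    Returns True if the lock was granted, False if the filesystem refused it.
    """
    if directory is None:
        directory = tempfile.gettempdir()
    fd, path = tempfile.mkstemp(dir=directory, prefix=".sqlite-lockprobe-")
    try:
        os.write(fd, b"probe")
        # Lock one byte at offset 0, non-blocking, then release it.
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB, 1, 0)
        fcntl.lockf(fd, fcntl.LOCK_UN, 1, 0)
        return True
    except OSError:
        return False
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    # Real run: read the live mount table if this host has one.
    mounts = SAMPLE_MOUNTS
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            mounts = fh.read()
    for mp in cifs_mounts_without_nobrl(mounts):
        print(f"CIFS mount without nobrl: {mp}")
        print(f"  byte-range lock works: {probe_byte_range_lock(mp)}")
```

Run it on the host that owns the CIFS mount, not inside the container: the container sees the same kernel mount, but the option list is only visible to the host's mount table. A `False` from `probe_byte_range_lock()` on the volume directory reproduces the failure independently of Pi-hole, and `True` after remounting with `nobrl` confirms the fix before the container is restarted.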
Versions
Platform
Debian 8.3/linux 3.19 (intel NUC)
Docker 20 with docker-compose 1.21
Expected behavior
Pi-hole to correctly initialize and persist the query log/data, and to be able to manage lists
Actual behavior / bug
The server boots up and filters, however I cannot manage lists, and if I restart the container queries are not persisted.
The docker volumes are on a network CIFS mount; if I move to a path on the local server everything works as expected. Other containers are using these mounts just fine.
The following can be found in the startup log:
and when navigating to the groups page
Steps to reproduce
A host CIFS mount:
And then pihole defined in a docker container such as:
and then
docker-compose
Debug Token
Screenshots
Additional context
inspection of docker mounts:
and
mount
from container