From 0784964f6008c0d1083fe9b4e0d02e46f8f9670c Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Fri, 20 Oct 2023 11:35:43 +0100 Subject: [PATCH 1/8] This is all now handled natively in FTL, no need for the bash Signed-off-by: Adam Warner --- README.md | 3 ++- src/bash_functions.sh | 60 ------------------------------------------- src/start.sh | 2 -- 3 files changed, 2 insertions(+), 63 deletions(-) diff --git a/README.md b/README.md index 9df5800d5..14460626a 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,8 @@ There are other environment variables if you want to customize various things in | -------- | ------- | ----- | ---------- | | `SKIPGRAVITYONBOOT` | unset | `` | Use this option to skip updating the Gravity Database when booting up the container. By default this environment variable is not set so the Gravity Database will be updated when the container starts up. Setting this environment variable to 1 (or anything) will cause the Gravity Database to not be updated when container starts up. | `FTL_CMD` | `no-daemon` | `no-daemon -- ` | Customize the options with which dnsmasq gets started. e.g. `no-daemon -- --dns-forward-max 300` to increase max. number of concurrent dns queries on high load setups. | -| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole-FTL.conf with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'` +| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole-FTL.conf with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`| +|`FTLCONF_ENV_ONLY`|unset|``|If set to true, FTL will use default values for all config values unless explicitly set as an environment variable| | `PIHOLE_UID` | `999` | Number | Overrides image's default pihole user id to match a host user id
**IMPORTANT**: id must not already be in use inside the container! | | `PIHOLE_GID` | `999` | Number | Overrides image's default pihole group id to match a host group id
**IMPORTANT**: id must not already be in use inside the container!| | `DNSMASQ_USER` | unset | `` | Allows changing the user that FTLDNS runs as. Default: `pihole`, some systems such as Synology NAS may require you to change this to `root` (See [#963](https://github.com/pi-hole/docker-pi-hole/issues/963)) | diff --git a/src/bash_functions.sh b/src/bash_functions.sh index 4c0e48063..5e919e172 100644 --- a/src/bash_functions.sh +++ b/src/bash_functions.sh 
@@ -113,64 +113,6 @@ fix_capabilities() { fi } - - -apply_FTL_Configs_From_Env(){ - # Get all exported environment variables starting with FTLCONF_ as a prefix and call the setFTLConfigValue - # function with the environment variable's suffix as the key. This allows applying any pihole-FTL.conf - # setting defined here: https://docs.pi-hole.net/ftldns/configfile/ - echo "" - echo "==========Applying settings from environment variables==========" - source /opt/pihole/COL_TABLE - declare -px | grep FTLCONF_ | sed -E 's/declare -x FTLCONF_([^=]+)=\"(|.+)\"/\1 \2/' | while read -r name value - do - # Replace underscores with dots in the name to match pihole-FTL expectiations - name="${name//_/.}" - - - # Special handling for some FTL Config values - case "$name" in - # Convert the semicolon separated list to a JSON array - "dns.upstreams") - value='["'${value//;/\",\"}'"]' - ;; - # The following config names have an underscore in them, - # so we need to re-convert the dot back to an underscore - "webserver.tls.rev.proxy") - name="webserver.tls.rev_proxy" - ;; - "webserver.api.totp.secret") - name="webserver.api.totp_secret" - ;; - "webserver.api.allow.destructive") - name="webserver.api.allow_destructive" - ;; - "misc.delay.startup") - name="misc.delay_startup" - ;; - "misc.dnsmasq.lines") - name="misc.dnsmasq_lines" - ;; - esac - - # Mask the value if it is a password, else display the value as is - if [ "$name" == "webserver.api.password" ]; then - masked_value=$(printf "%${#value}s" | tr " " "*") - else - masked_value=$value - fi - - if pihole-FTL --config "${name}" "${value}" > /ftlconfoutput; then - echo " ${TICK} Applied pihole-FTL setting $name=$masked_value" - else - echo " ${CROSS} Error Applying pihole-FTL setting $name=$masked_value" - echo " ${INFO} $(cat /ftlconfoutput)" - fi - done - echo "================================================================" - echo "" -} - setup_FTL_query_logging(){ if [ "${QUERY_LOGGING_OVERRIDE}" == "false" ]; then echo " 
[i] Disabling Query Logging" @@ -180,10 +122,8 @@ setup_FTL_query_logging(){ echo " [i] Enabling Query Logging" setFTLConfigValue dns.queryLogging true fi - } - load_web_password_secret() { # If WEBPASSWORD is not set at all, attempt to read password from WEBPASSWORD_FILE, # allowing secrets to be passed via docker secrets diff --git a/src/start.sh b/src/start.sh index 49ad3048e..303a012df 100644 --- a/src/start.sh +++ b/src/start.sh @@ -53,8 +53,6 @@ start() { # validate_env || exit 1 ensure_basic_configuration - apply_FTL_Configs_From_Env - # Web interface setup # =========================== # load_web_password_secret From 74657d01a917fe930dfd204db46c6591272fa5ab Mon Sep 17 00:00:00 2001 From: Adam Warner Date: Fri, 20 Oct 2023 13:14:08 +0100 Subject: [PATCH 2/8] - Bring back the logic from v5 containers for web password - Update readme to take into accounts changes to FTLs environment variable handling - shell/md linting, tidy away some code that is no longer needed Signed-off-by: Adam Warner --- README.md | 105 ++++++++++++++++---------------- src/bash_functions.sh | 135 +++++++++++++----------------------------- src/start.sh | 38 +++--------- 3 files changed, 106 insertions(+), 172 deletions(-) diff --git a/README.md b/README.md index 14460626a..63358da19 100644 --- a/README.md +++ b/README.md @@ -5,11 +5,11 @@

- ## Upgrade Notes -## !!! THIS VERSION CONTAINS BREAKING CHANGES !!! -### v[ChangeMeBeforeTagging] has been entirely redesigned from the ground up and contains many breaking changes. Environment variable names have changed, script locations may have changed. Please read the the Readme carefully before proceeding. +## !!! THIS VERSION CONTAINS BREAKING CHANGES + +### v[ChangeMeBeforeTagging] has been entirely redesigned from the ground up and contains many breaking changes. Environment variable names have changed, script locations may have changed. Please read the the Readme carefully before proceeding --- @@ -36,9 +36,10 @@ services: - "53:53/udp" - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server - "80:80/tcp" + - "443:443/tcp" # By default, FTL will generate a self-signed certificate environment: TZ: 'America/Chicago' - # WEBPASSWORD: 'set a secure password here or it will be random' + # FTLCONF_webserver_api_password: 'set a secure password here or it will be random' # Volumes store your data between container upgrades volumes: - './etc-pihole:/etc/pihole' @@ -48,6 +49,7 @@ services: - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed restart: unless-stopped ``` + 2. Run `docker compose up -d` to build and start pi-hole (Syntax may be `docker-compose` on older systems) 3. If using Docker's default `bridge` network setting, set the environment variable `FTLCONF_dns_listeningMode` to `all` 
@@ -81,43 +83,43 @@ Volumes are recommended for persisting data across container re-creations for up There are multiple different ways to run DHCP from within your Docker Pi-hole container but it is slightly more advanced and one size does not fit all. DHCP and Docker's multiple network modes are covered in detail on our docs site: [Docker DHCP and Network Modes](https://docs.pi-hole.net/docker/DHCP/) -## Environment Variables +## Configuration + +It is recommended that you use environment variables to configure the Pi-hole docker container (more details below), however if you are persisting your `/etc/pihole` directory, you may also set them via the web interface or by directly editing `pihole.toml` + +### Web interface password + +To set a specific password for the web interface, use the environment variable `FTLCONF_webserver_api_password`. If this variable is not detected, and you have not already set one via `pihole setpassword` in the container, then a random password will be assigned on startup, this will be printed to the log. Run `docker logs pihole | grep random` to find it. -There are other environment variables if you want to customize various things inside the docker container: +To explicitly set no password, set `FTLCONF_webserver_api_password: ''` -### Recommended Variables +### Recommended Environment Variables | Variable | Default | Value | Description | | -------- | ------- | ----- | ---------- | | `TZ` | UTC | `` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight. -| `FTLCONF_webserver_api_password` | random | `` | http://pi.hole/admin password. Run `docker logs pihole \| grep random` to find your random pass. -| `FTLCONF_dns_upstreams` | `8.8.8.8;8.8.4.4` | IPs delimited by `;` | Upstream DNS server(s) for Pi-hole to forward queries to, separated by a semicolon
(supports non-standard ports with `#[port number]`) e.g `127.0.0.1#5053;8.8.8.8;8.8.4.4`
(supports [Docker service names and links](https://docs.docker.com/compose/networking/) instead of IPs) e.g `upstream0;upstream1` where `upstream0` and `upstream1` are the service names of or links to docker services
Note: The existence of this environment variable assumes this as the _sole_ management of upstream DNS. Upstream DNS added via the web interface will be overwritten on container restart/recreation | +| `FTLCONF_webserver_api_password` | random | `` | password. Run `docker logs pihole \| grep random` to find your random pass. +| `FTLCONF_dns_upstreams` | `8.8.8.8,8.8.4.4` | IPs delimited by `,` | Upstream DNS server(s) for Pi-hole to forward queries to, separated by a semicolon
(supports non-standard ports with `#[port number]`) e.g `127.0.0.1#5053,8.8.8.8,8.8.4.4`
(supports [Docker service names and links](https://docs.docker.com/compose/networking/) instead of IPs) e.g `upstream0,upstream1` where `upstream0` and `upstream1` are the service names of or links to docker services
Note: The existence of this environment variable assumes this as the _sole_ management of upstream DNS. Upstream DNS added via the web interface will be overwritten on container restart/recreation | ### Optional Variables | Variable | Default | Value | Description | | -------- | ------- | ----- | ---------- | | `TAIL_FTL_LOG` | unset | `` | Whether or not to output the FTL log when running the. Useful for debugging/watching what FTL is doing. +| `SKIPGRAVITYONBOOT` | unset | `` | Use this option to skip updating the Gravity Database when booting up the container. By default this environment variable is not set so the Gravity Database will be updated when the container starts up. Setting this environment variable to 1 (or anything) will cause the Gravity Database to not be updated when container starts up. +| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole-FTL.conf with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`| +| `PIHOLE_UID` | `100` | Number | Overrides image's default pihole user id to match a host user id
**IMPORTANT**: id must not already be in use inside the container! | +| `PIHOLE_GID` | `101` | Number | Overrides image's default pihole group id to match a host group id
**IMPORTANT**: id must not already be in use inside the container!| ### Advanced Variables + | Variable | Default | Value | Description | | -------- | ------- | ----- | ---------- | -| `SKIPGRAVITYONBOOT` | unset | `` | Use this option to skip updating the Gravity Database when booting up the container. By default this environment variable is not set so the Gravity Database will be updated when the container starts up. Setting this environment variable to 1 (or anything) will cause the Gravity Database to not be updated when container starts up. | `FTL_CMD` | `no-daemon` | `no-daemon -- ` | Customize the options with which dnsmasq gets started. e.g. `no-daemon -- --dns-forward-max 300` to increase max. number of concurrent dns queries on high load setups. | -| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole-FTL.conf with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`| |`FTLCONF_ENV_ONLY`|unset|``|If set to true, FTL will use default values for all config values unless explicitly set as an environment variable| -| `PIHOLE_UID` | `999` | Number | Overrides image's default pihole user id to match a host user id
**IMPORTANT**: id must not already be in use inside the container! | -| `PIHOLE_GID` | `999` | Number | Overrides image's default pihole group id to match a host group id
**IMPORTANT**: id must not already be in use inside the container!| | `DNSMASQ_USER` | unset | `` | Allows changing the user that FTLDNS runs as. Default: `pihole`, some systems such as Synology NAS may require you to change this to `root` (See [#963](https://github.com/pi-hole/docker-pi-hole/issues/963)) | - -### Experimental Variables -| Variable | Default | Value | Description | -| -------- | ------- | ----- | ---------- | | `ADDITIONAL_PACKAGES`| unset | Space separated list of APKs | HERE BE DRAGONS. Mostly for development purposes, this just makes it easier for those of us that always like to have whatever additional tools we need inside the container for debugging | - -To use these env vars in docker run format style them like: `-e DNS1=1.1.1.1` - Here is a rundown of other arguments for your docker-compose / docker run. | Docker Arguments | Description | @@ -125,25 +127,24 @@ Here is a rundown of other arguments for your docker-compose / docker run. | `-p :` **Recommended** | Ports to expose (53, 80, 67), the bare minimum ports required for Pi-holes HTTP and DNS services | `--restart=unless-stopped`
**Recommended** | Automatically (re)start your Pi-hole on boot or in the event of a crash | `-v $(pwd)/etc-pihole:/etc/pihole`
**Recommended** | Volumes for your Pi-hole configs help persist changes across docker image updates -| `--net=host`
*Optional* | Alternative to `-p :` arguments (Cannot be used at same time as -p) if you don't run any other web application. DHCP runs best with --net=host, otherwise your router must support dhcp-relay settings. -| `--cap-add=NET_ADMIN`
*Recommended* | Commonly added capability for DHCP, see [Note on Capabilities](#note-on-capabilities) below for other capabilities. -| `--dns=127.0.0.1`
*Optional* | Sets your container's resolve settings to localhost so it can resolve DHCP hostnames from Pi-hole's DNSMasq, may fix resolution errors on container restart. -| `--dns=1.1.1.1`
*Optional* | Sets a backup server of your choosing in case DNSMasq has problems starting -| `--env-file .env`
*Optional* | File to store environment variables for docker replacing `-e key=value` settings. Here for convenience +| `--net=host`
_Optional_ | Alternative to `-p :` arguments (Cannot be used at same time as -p) if you don't run any other web application. DHCP runs best with --net=host, otherwise your router must support dhcp-relay settings. +| `--cap-add=NET_ADMIN`
_Recommended_ | Commonly added capability for DHCP, see [Note on Capabilities](#note-on-capabilities) below for other capabilities. +| `--dns=127.0.0.1`
_Optional_ | Sets your container's resolve settings to localhost so it can resolve DHCP hostnames from Pi-hole's DNSMasq, may fix resolution errors on container restart. +| `--dns=1.1.1.1`
_Optional_ | Sets a backup server of your choosing in case DNSMasq has problems starting +| `--env-file .env`
_Optional_ | File to store environment variables for docker replacing `-e key=value` settings. Here for convenience ## Tips and Tricks -* A good way to test things are working right is by loading this page: [http://pi.hole/admin/](http://pi.hole/admin/) -* [How do I set or reset the Web interface Password?](https://discourse.pi-hole.net/t/how-do-i-set-or-reset-the-web-interface-password/1328) - * `docker exec -it pihole_container_name pihole -a -p` - then enter your password into the prompt -* Port conflicts? Stop your server's existing DNS / Web services. - * Don't forget to stop your services from auto-starting again after you reboot - * Ubuntu users see below for more detailed information -* You can map other ports to Pi-hole port 80 using docker's port forwarding like this `-p 8080:80` if you are using the default blocking mode. If you are using the legacy IP blocking mode, you should not remap this port. - * [Here is an example of running with nginxproxy/nginx-proxy](https://github.com/pi-hole/docker-pi-hole/blob/master/examples/docker-compose-nginx-proxy.yml) (an nginx auto-configuring docker reverse proxy for docker) on my port 80 with Pi-hole on another port. Pi-hole needs to be `DEFAULT_HOST` env in nginxproxy/nginx-proxy and you need to set the matching `VIRTUAL_HOST` for the Pi-hole's container. Please read nginxproxy/nginx-proxy readme for more info if you have trouble. -* Docker's default network mode `bridge` isolates the container from the host's network. This is a more secure setting, but requires setting the Pi-hole DNS option for *Interface listening behavior* to "Listen on all interfaces, permit all origins". +- A good way to test things are working right is by loading this page: [http://pi.hole/admin/](http://pi.hole/admin/) +- Port conflicts? Stop your server's existing DNS / Web services. 
+ - Don't forget to stop your services from auto-starting again after you reboot + - Ubuntu users see below for more detailed information +- You can map other ports to Pi-hole port 80 using docker's port forwarding like this `-p 8080:80` if you are using the default blocking mode. If you are using the legacy IP blocking mode, you should not remap this port. + - [Here is an example of running with nginxproxy/nginx-proxy](https://github.com/pi-hole/docker-pi-hole/blob/master/examples/docker-compose-nginx-proxy.yml) (an nginx auto-configuring docker reverse proxy for docker) on my port 80 with Pi-hole on another port. Pi-hole needs to be `DEFAULT_HOST` env in nginxproxy/nginx-proxy and you need to set the matching `VIRTUAL_HOST` for the Pi-hole's container. Please read nginxproxy/nginx-proxy readme for more info if you have trouble. +- Docker's default network mode `bridge` isolates the container from the host's network. This is a more secure setting, but requires setting the Pi-hole DNS option for _Interface listening behavior_ to "Listen on all interfaces, permit all origins". ### Installing on Ubuntu or Fedora + Modern releases of Ubuntu (17.10+) and Fedora (33+) include [`systemd-resolved`](http://manpages.ubuntu.com/manpages/bionic/man8/systemd-resolved.service.8.html) which is configured by default to implement a caching DNS stub resolver. This will prevent pi-hole from listening on port 53. The stub resolver should be disabled with: `sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf` 
@@ -153,6 +154,7 @@ After making these changes, you should restart systemd-resolved using `systemctl Once pi-hole is installed, you'll want to configure your clients to use it ([see here](https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245)). If you used the symlink above, your docker host will either use whatever is served by DHCP, or whatever static setting you've configured. If you want to explicitly set your docker host's nameservers you can edit the netplan(s) found at `/etc/netplan`, then run `sudo netplan apply`. Example netplan: + ```yaml network: ethernets: @@ -170,6 +172,7 @@ Note that it is also possible to disable `systemd-resolved` entirely. However, t Users of older Ubuntu releases (circa 17.04) will need to disable dnsmasq. ## Installing on Dokku + @Rikj000 has produced a guide to assist users [installing Pi-hole on Dokku](https://github.com/Rikj000/Pihole-Dokku-Installation) ## Docker tags and versioning 
@@ -196,12 +199,12 @@ The standard Pi-hole customization abilities apply to this docker, but with dock Do not attempt to upgrade (`pihole -up`) or reconfigure (`pihole -r`). New images will be released for upgrades, upgrading by replacing your old container with a fresh upgraded image is the 'docker way'. Long-living docker containers are not the docker way since they aim to be portable and reproducible, why not re-create them often! Just to prove you can. 0. Read the release notes for both this Docker release and the Pi-hole release - * This will help you avoid common problems due to any known issues with upgrading or newly required arguments or variables - * We will try to put common break/fixes at the top of this readme too + - This will help you avoid common problems due to any known issues with upgrading or newly required arguments or variables + - We will try to put common break/fixes at the top of this readme too 1. Download the latest version of the image: `docker pull pihole/pihole` 2. Throw away your container: `docker rm -f pihole` - * **Warning** When removing your pihole container you may be stuck without DNS until step 3; **docker pull** before **docker rm -f** to avoid DNS interruption **OR** always have a fallback DNS server configured in DHCP to avoid this problem altogether. - * If you care about your data (logs/customizations), make sure you have it volume-mapped or it will be deleted in this step. + - **Warning** When removing your pihole container you may be stuck without DNS until step 3; **docker pull** before **docker rm -f** to avoid DNS interruption **OR** always have a fallback DNS server configured in DHCP to avoid this problem altogether. + - If you care about your data (logs/customizations), make sure you have it volume-mapped or it will be deleted in this step. 3. Start your container with the newer base image: `docker run pihole/pihole` (`` being your preferred run volumes and env vars) Why is this style of upgrading good? 
A couple reasons: Everyone is starting from the same base image which has been tested to known it works. No worrying about upgrading from A to B, B to C, or A to C is required when rolling out updates, it reduces complexity, and simply allows a 'fresh start' every time while preserving customizations with volumes. Basically I'm encouraging [phoenix server](https://www.google.com/?q=phoenix+servers) principles for your containers. @@ -215,9 +218,10 @@ Occasionally you may need to try an alternative branch of one of the components The preferred method is to clone this repository and rebuild the image with the custom branch name passed in as an arg, e.g `docker buildx build src/. --tag pihole_custom --build-arg CORE_BRANCH=custombranchname --no-cache`, and then redeploy your stack with this new image (In this case you should have a local image named `pihole_custom`, but you can call it whatever you want) Valid args are: - - `CORE_BRANCH` - - `WEB_BRANCH` - - `FTL_BRANCH` + +- `CORE_BRANCH` +- `WEB_BRANCH` +- `FTL_BRANCH` ### Pi-hole features @@ -225,9 +229,9 @@ Here are some relevant wiki pages from [Pi-hole's documentation](https://github. We install all pihole utilities so the the built in [pihole commands](https://discourse.pi-hole.net/t/the-pihole-command-with-examples/738) will work via `docker exec ` like so: -* `docker exec pihole_container_name pihole updateGravity` -* `docker exec pihole_container_name pihole -w spclient.wg.spotify.com` -* `docker exec pihole_container_name pihole -wild example.com` +- `docker exec pihole_container_name pihole updateGravity` +- `docker exec pihole_container_name pihole -w spclient.wg.spotify.com` +- `docker exec pihole_container_name pihole -wild example.com` ### Customizations 
@@ -236,6 +240,7 @@ The webserver and DNS service inside the container can be customized if necessar ## Note on Capabilities DNSMasq / [FTLDNS](https://docs.pi-hole.net/ftldns/in-depth/#linux-capabilities) expects to have the following capabilities available: + - `CAP_NET_BIND_SERVICE`: Allows FTLDNS binding to TCP/UDP sockets below 1024 (specifically DNS service on port 53) - `CAP_NET_RAW`: use raw and packet sockets (needed for handling DHCPv6 requests, and verifying that an IP is not in use before leasing it) - `CAP_NET_ADMIN`: modify routing tables and other network-related operations (in particular inserting an entry in the neighbor table to answer DHCP requests using unicast packets) 
@@ -246,18 +251,18 @@ This image automatically grants those capabilities, if available, to the FTLDNS By default, docker does not include the `NET_ADMIN` capability for non-privileged containers, and it is recommended to explicitly add it to the container using `--cap-add=NET_ADMIN`.\ However, if DHCP and IPv6 Router Advertisements are not in use, it should be safe to skip it. For the most paranoid, it should even be possible to explicitly drop the `NET_RAW` capability to prevent FTLDNS from automatically gaining it. - ## Note on Watchtower We have noticed that a lot of people use Watchtower to keep their Pi-hole containers up to date. For the same reason we don't provide an auto-update feature on a bare metal install, you _should not_ have a system automatically update your Pi-hole container. Especially unattended. As much as we try to ensure nothing will go wrong, sometimes things do go wrong - and you need to set aside time to _manually_ pull and update to the version of the container you wish to run. The upgrade process should be along the lines of: - - **Important**: Read the release notes. Sometimes you will need to make changes other than just updating the image - - Pull the new image - - Stop and _remove_ the running Pi-hole container - - If you care about your data (logs/customizations), make sure you have it volume-mapped or it will be deleted in this step. - - Recreate the container using the new image +- **Important**: Read the release notes. Sometimes you will need to make changes other than just updating the image +- Pull the new image +- Stop and _remove_ the running Pi-hole container + - If you care about your data (logs/customizations), make sure you have it volume-mapped or it will be deleted in this step. +- Recreate the container using the new image Pi-hole is an integral part of your network, don't let it fall over because of an unattended update in the middle of the night. 
+ # User Feedback Please report issues on the [GitHub project](https://github.com/pi-hole/docker-pi-hole) when you suspect something docker related. Pi-hole or general docker questions are best answered on our [user forums](https://discourse.pi-hole.net/c/bugs-problems-issues/docker/30). diff --git a/src/bash_functions.sh b/src/bash_functions.sh index 5e919e172..d30df938a 100644 --- a/src/bash_functions.sh +++ b/src/bash_functions.sh @@ -15,8 +15,8 @@ # Takes one argument: key # Example getFTLConfigValue dns.piholePTR ####################### -getFTLConfigValue(){ - pihole-FTL --config -q "${1}" +getFTLConfigValue() { + pihole-FTL --config -q "${1}" } ####################### @@ -28,29 +28,21 @@ getFTLConfigValue(){ # Note, for complex values such as dns.upstreams, you should wrap the value in single quotes: # setFTLConfigValue dns.upstreams '[ "8.8.8.8" , "8.8.4.4" ]' ####################### -setFTLConfigValue(){ - pihole-FTL --config "${1}" "${2}" >/dev/null +setFTLConfigValue() { + pihole-FTL --config "${1}" "${2}" >/dev/null } -# export adlistFile="/etc/pihole/adlists.list" - # shellcheck disable=SC2034 ensure_basic_configuration() { echo " [i] Ensuring basic configuration by re-running select functions from basic-install.sh" - - # installScripts > /dev/null + # TODO: # installLogrotate || true #installLogRotate can return 2 or 3, but we are still OK to continue in that case - # set +e mkdir -p /var/run/pihole /var/log/pihole touch /var/log/pihole/FTL.log /var/log/pihole/pihole.log chown -R pihole:pihole /var/run/pihole /var/log/pihole - # In case of `pihole` UID being changed, re-chown the pihole scripts and pihole command - # chown -R pihole:root "${PI_HOLE_INSTALL_DIR}" - # chown pihole:root "${PI_HOLE_BIN_DIR}/pihole" - mkdir -p /etc/pihole if [[ -z "${PYTEST}" ]]; then if [[ ! -f /etc/pihole/adlists.list ]]; then 
@@ -60,9 +52,6 @@ ensure_basic_configuration() { chown -R pihole:pihole /etc/pihole - - # set -e - # If FTLCONF_files_macvendor is not set if [[ -z "${FTLCONF_files_macvendor:-}" ]]; then # User is not passing in a custom location - so force FTL to use the file we moved to / during the build @@ -71,6 +60,41 @@ ensure_basic_configuration() { fi } +setup_web_password() { + echo " [i] Checking web password" + # If the web password variable is not set... + if [ -z "${FTLCONF_webserver_api_password+x}" ]; then + # is the variable FTLCONF_ENV_ONLY set to true? + if [ "${FTLCONF_ENV_ONLY}" == "true" ]; then + echo " [i] No password supplied via FTLCONF_webserver_api_password, but FTLCONF_ENV_ONLY is set to true, using default (none)" + # If so, return - the password will be set to FTL's default (no password) + return + fi + + # Exit if password is already set in config file + if [[ -n $(pihole-FTL --config webserver.api.pwhash) ]]; then + echo " [i] Password already set in config file" + return + fi + + # If we have got here, we will now generate a random passwor + RANDOMPASSWORD=$(tr -dc _A-Z-a-z-0-9 /dev/null + + pihole setpassword "$RANDOMPASSWORD" + + # To avoid printing this if conditional in bash debug, turn off debug above.. + # then re-enable debug if necessary (more code but cleaner printed output) + if [ "${PH_VERBOSE:-0}" -gt 0 ]; then + set -x + fi + else + echo " [i] Assigning password defined by Environment Variable" + fi +} fix_capabilities() { # Testing on Docker 20.10.14 with no caps set shows the following caps available to the container: @@ -86,7 +110,7 @@ fix_capabilities() { if [[ ${CAP_STR} ]]; then # We have the (some of) the above caps available to us - apply them to pihole-FTL echo " [i] Applying the following caps to pihole-FTL:" - IFS=',' read -ra CAPS <<< "${CAP_STR:1}" + IFS=',' read -ra CAPS <<<"${CAP_STR:1}" for i in "${CAPS[@]}"; do echo " * ${i}" done 
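Review bot: The "already set" guard in the new setup_web_password, `if [[ -n $(pihole-FTL --config webserver.api.pwhash) ]]`, looks inverted relative to the check it replaces: the removed setup_web_password (later hunk of this file) compared that output against the literal `'""'`, which suggests FTL prints `""` for an unset hash, and `-n` is true for that two-character string, so the random-password branch would never run and the API would be left at FTL's default of no password. If that output format still holds, the test should be `if [[ $(pihole-FTL --config webserver.api.pwhash) != '""' ]]; then` (or compare the `-q` form against an empty string, whichever the current FTL emits — please verify). Two smaller points: the random password uses `tr -dc _A-Z-a-z-0-9`, a 64-symbol alphabet, and if the length is still 8 as in the removed version that is only about 48 bits for the sole fallback credential, so consider lengthening it; and the `WEBPASSWORD_FILE` path that the removed load_web_password_secret offered for docker secrets has no equivalent here, so the admin password must now be passed as a plain environment variable. The comment `# If we have got here, we will now generate a random passwor` also has a typo.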
@@ -111,80 +135,5 @@ fix_capabilities() {
 echo " Please ensure that the container has the required capabilities."
 exit 1
 fi
+ echo ""
 }
-
-setup_FTL_query_logging(){
- if [ "${QUERY_LOGGING_OVERRIDE}" == "false" ]; then
- echo " [i] Disabling Query Logging"
- setFTLConfigValue dns.queryLogging "${QUERY_LOGGING_OVERRIDE}"
- else
- # If it is anything other than false, set it to true
- echo " [i] Enabling Query Logging"
- setFTLConfigValue dns.queryLogging true
- fi
-}
-
-load_web_password_secret() {
- # If WEBPASSWORD is not set at all, attempt to read password from WEBPASSWORD_FILE,
- # allowing secrets to be passed via docker secrets
- if [ -z "${WEBPASSWORD+x}" ] && [ -n "${WEBPASSWORD_FILE}" ] && [ -r "${WEBPASSWORD_FILE}" ]; then
- WEBPASSWORD=$(<"${WEBPASSWORD_FILE}")
- fi;
-}
-
-setup_web_password() {
- if [ -z "${WEBPASSWORD+x}" ] ; then
- # ENV WEBPASSWORD_OVERRIDE is not set
-
- # Exit if password is already set (TODO: Revisit this. Maybe make setting password in environment variable mandatory?)
- if [[ $(pihole-FTL --config webserver.api.pwhash) != '""' ]]; then
- return
- fi
- # Generate new random password
- WEBPASSWORD=$(tr -dc _A-Z-a-z-0-9 < /dev/urandom | head -c 8)
- echo " [i] Assigning random password: $WEBPASSWORD"
- else
- # ENV WEBPASSWORD_OVERRIDE is set and will be used
- echo " [i] Assigning password defined by Environment Variable"
- # WEBPASSWORD="$WEBPASSWORD"
- fi
-
- # Explicitly turn off bash printing when working with secrets
- { set +x; } 2>/dev/null
-
- if [[ "$WEBPASSWORD" == "" ]] ; then
- echo "" | pihole -a -p
- else
- pihole -a -p "$WEBPASSWORD" "$WEBPASSWORD"
- fi
-
- # To avoid printing this if conditional in bash debug, turn off debug above..
- # then re-enable debug if necessary (more code but cleaner printed output)
- if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
- set -x
- fi
-}
-
-# setup_blocklists() {
-# # Exit/return early without setting up adlists with defaults for any of the following conditions:
-# # 1.
skip_setup_blocklists env is set
-# exit_string="(exiting ${FUNCNAME[0]} early)"
-
-# if [ -n "${skip_setup_blocklists}" ]; then
-# echo " [i] skip_setup_blocklists requested $exit_string"
-# return
-# fi
-
-# # 2. The adlist file exists already (restarted container or volume mounted list)
-# if [ -f "${adlistFile}" ]; then
-# echo " [i] Preexisting ad list ${adlistFile} detected $exit_string"
-# return
-# fi
-
-# echo " [i] ${FUNCNAME[0]} now setting default blocklists up: "
-# echo " [i] TIP: Use a docker volume for ${adlistFile} if you want to customize for first boot"
-# # installDefaultBlocklists
-
-# echo " [i] Blocklists (${adlistFile}) now set to:"
-# cat "${adlistFile}"
-# }
diff --git a/src/start.sh b/src/start.sh
index 303a012df..66a0792b5 100644
--- a/src/start.sh
+++ b/src/start.sh
@@ -12,9 +12,6 @@ start() {
 # shellcheck source=/dev/null
 . /usr/bin/bash_functions.sh
- # shellcheck source=/dev/null
- # SKIP_INSTALL=true . /etc/.pihole/automated\ install/basic-install.sh
-
 echo " [i] Starting docker specific checks & setup for docker pihole/pihole"
 # TODO:
@@ -49,32 +46,10 @@ start() {
 fi
 fi
- fix_capabilities
- # validate_env || exit 1
 ensure_basic_configuration
+ setup_web_password
- # Web interface setup
- # ===========================
- # load_web_password_secret
- # setup_web_password
-
- # Misc Setup
- # ===========================
- # setup_blocklists
-
- # FTL setup
- # ===========================
-
- # setup_FTL_User
- # setup_FTL_query_logging
-
- [ -f /.piholeFirstBoot ] && rm /.piholeFirstBoot
-
- echo " [i] Docker start setup complete"
- echo ""
-
- echo " [i] pihole-FTL ($FTL_CMD) will be started as ${DNSMASQ_USER}"
- echo ""
+ # [ -f /.piholeFirstBoot ] && rm /.piholeFirstBoot
 # Install additional packages inside the container if requested
 if [ -n "${ADDITIONAL_PACKAGES}" ]; then
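Review bot: `- fix_capabilities` is dropped from this position in start() and re-added (hunk `@@ -129,8 +102,15 @@` of the same file) immediately before FTL is launched, so `ensure_basic_configuration` and the new `setup_web_password` now run before the capability check, which — per the context lines of fix_capabilities in the bash_functions.sh hunk above — ends in `exit 1` when the required caps are missing. On a container that fails that check, a random password may already have been generated, stored via `pihole setpassword` and printed to the log before the abort; if the operator then recreates the container with the same `/etc/pihole` volume, the stored hash presumably survives while the logged password does not, and the `pwhash` guard in setup_web_password will not produce a new one. If the move is intentional, a short comment at the new call site saying why it must run last would stop someone moving it back; otherwise restoring `fix_capabilities` ahead of `ensure_basic_configuration` keeps the fail-fast behaviour. start() begins and ends outside this hunk.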
@@ -96,8 +71,6 @@ start() {
 rm -f /run/pihole/FTL.sock
 # Start crond for scheduled scripts (logrotate, pihole flush, gravity update etc)
- # crond
-
 # Randomize gravity update time
 sed -i "s/59 1 /$((1 + RANDOM % 58)) $((3 + RANDOM % 2))/" /crontab.txt
 # Randomize update checker time
@@ -129,8 +102,15 @@ start() {
 pihole updatechecker
+ echo " [i] Docker start setup complete"
+ echo ""
+
+ echo " [i] pihole-FTL ($FTL_CMD) will be started as ${DNSMASQ_USER}"
+ echo ""
+
 # Start pihole-FTL
+ fix_capabilities
 sh /opt/pihole/pihole-FTL-prestart.sh
 capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null" &
From b8a717f9254db550bb225d3352213de89eb0f920 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Fri, 20 Oct 2023 16:04:14 +0100
Subject: [PATCH 3/8] Re-do tests to account for FTLCONF_ changes. Add new tests for web password
Signed-off-by: Adam Warner
---
 test/tests/conftest.py | 2 +-
 test/tests/test_bash_functions.py | 38 +++++++++++++++++++++++--------
 2 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/test/tests/conftest.py b/test/tests/conftest.py
index bbb2df83e..eb1887f20 100644
--- a/test/tests/conftest.py
+++ b/test/tests/conftest.py
@@ -37,7 +37,7 @@ def run_and_stream_command_output_inner(command, verbose=False):
 @pytest.fixture()
 def args_env():
- return '-e TZ="Europe/London"'
+ return '-e TZ="Europe/London" -e FTLCONF_ENV_ONLY=true'
 @pytest.fixture()
diff --git a/test/tests/test_bash_functions.py b/test/tests/test_bash_functions.py
index c9917f5c7..9b5d2dae9 100644
--- a/test/tests/test_bash_functions.py
+++ b/test/tests/test_bash_functions.py
@@ -1,22 +1,42 @@
-import os
 import pytest
-import re
-
-CMD_APPLY_FTL_CONFIG_FROM_ENV = ". bash_functions.sh ; apply_FTL_Configs_From_Env"
 @pytest.mark.parametrize("test_args", ['-e "FTLCONF_webserver_port=999"'])
 def test_ftlconf_webserver_port(docker):
- func = docker.run(CMD_APPLY_FTL_CONFIG_FROM_ENV)
- assert "Applied pihole-FTL setting webserver.port=999" in func.stdout
+ func = docker.run("pihole-FTL --config webserver.port")
+ assert "999" in func.stdout
 @pytest.mark.parametrize(
- "test_args", ['-e "FTLCONF_dns_upstreams=1.1.1.1;8.8.8.8#1234"']
+ "test_args", ['-e "FTLCONF_dns_upstreams=1.2.3.4,5.6.7.8#1234"']
 )
 def test_ftlconf_dns_upstreams(docker):
- func = docker.run(CMD_APPLY_FTL_CONFIG_FROM_ENV)
+ func = docker.run("pihole-FTL --config dns.upstreams")
+ assert "[ 1.2.3.4, 5.6.7.8#1234 ]" in func.stdout
+
+
+CMD_SETUP_WEB_PASSWORD = ". bash_functions.sh ; setup_web_password"
+
+
+@pytest.mark.parametrize("test_args", ['-e "FTLCONF_ENV_ONLY=false"'])
+def test_random_password_assigned_fresh_start(docker):
+ func = docker.run(CMD_SETUP_WEB_PASSWORD)
+ assert "assigning random password:" in func.stdout
+ assert "New password set" in func.stdout
+
+
+@pytest.mark.parametrize(
+ "test_args", ['-e "FTLCONF_webserver_api_password=1234567890"']
+)
+def test_password_set_by_envvar(docker):
+ func = docker.run(CMD_SETUP_WEB_PASSWORD)
+ assert "Assigning password defined by Environment Variable" in func.stdout
+
+
+@pytest.mark.parametrize("test_args", ['-e "FTLCONF_ENV_ONLY=true"'])
+def test_password_envonly_true(docker):
+ func = docker.run(CMD_SETUP_WEB_PASSWORD)
 assert (
- 'Applied pihole-FTL setting dns.upstreams=["1.1.1.1","8.8.8.8#1234"]'
+ "No password supplied via FTLCONF_webserver_api_password, but FTLCONF_ENV_ONLY is set to true, using default (none)"
 in func.stdout
 )
From bb2a7b11535eece13f92323aa2de5a58c9ca5b64 Mon Sep 17 00:00:00 2001
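Review bot: `assert "999" in func.stdout` in test_ftlconf_webserver_port is a substring match against the whole container output, so any other line containing 999 (a timestamp, a PID) satisfies it; `assert func.stdout.strip() == "999"`, or at least a line-based check, pins the value actually printed by `pihole-FTL --config webserver.port`. test_ftlconf_dns_upstreams passes `1.2.3.4,5.6.7.8#1234` with a comma, while the README hunk in the last patch of this series (`@@ -82,7 +82,7 @@` in README.md) documents `;` as the delimiter for array-type FTLCONF_ values; one of the two is out of step, and the test should use whatever FTL actually splits on so that it also protects the documented syntax. test_random_password_assigned_fresh_start passes `-e "FTLCONF_ENV_ONLY=false"` while the args_env fixture in conftest.py now always adds `-e FTLCONF_ENV_ONLY=true`; which value wins depends on how the `docker` fixture orders the two argument sets, which is not visible here, so a one-line comment in the test explaining the override (or an assertion that the ENV_ONLY message is absent from stdout) would make the intent explicit.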
From: Adam Warner
Date: Fri, 20 Oct 2023 16:22:58 +0100
Subject: [PATCH 4/8] Update README.md
Co-authored-by: yubiuser
Signed-off-by: Adam Warner
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 63358da19..f732a3e90 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ To explicitly set no password, set `FTLCONF_webserver_api_password: ''`
 | -------- | ------- | ----- | ---------- |
 | `TAIL_FTL_LOG` | unset | `` | Whether or not to output the FTL log when running the. Useful for debugging/watching what FTL is doing.
 | `SKIPGRAVITYONBOOT` | unset | `` | Use this option to skip updating the Gravity Database when booting up the container. By default this environment variable is not set so the Gravity Database will be updated when the container starts up. Setting this environment variable to 1 (or anything) will cause the Gravity Database to not be updated when container starts up.
-| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole-FTL.conf with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`|
+| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole.toml with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`|
 | `PIHOLE_UID` | `100` | Number | Overrides image's default pihole user id to match a host user id
**IMPORTANT**: id must not already be in use inside the container! | | `PIHOLE_GID` | `101` | Number | Overrides image's default pihole group id to match a host group id
**IMPORTANT**: id must not already be in use inside the container!|
From ae90e9c854797d6f6e532f9a09531b03ee9dd2a8 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Fri, 20 Oct 2023 16:45:04 +0100
Subject: [PATCH 5/8] Trim some fat
Signed-off-by: Adam Warner
---
 README.md | 40 +++++------------
 examples/docker-compose-caddy-proxy.yml | 8 ++--
 examples/docker-compose-nginx-proxy.yml | 59 -------------------------
 examples/docker-compose.yml.example | 25 -----------
 examples/docker-pi-hole.cron | 31 -------------
 examples/docker_run.sh | 39 ----------------
 examples/pihole.service | 13 ------
 7 files changed, 14 insertions(+), 201 deletions(-)
 delete mode 100644 examples/docker-compose-nginx-proxy.yml
 delete mode 100644 examples/docker-compose.yml.example
 delete mode 100644 examples/docker-pi-hole.cron
 delete mode 100755 examples/docker_run.sh
 delete mode 100644 examples/pihole.service
diff --git a/README.md b/README.md
index f732a3e90..de51cf09e 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # Docker Pi-hole
+[![Build Status](https://github.com/pi-hole/docker-pi-hole/workflows/Test%20&%20Build/badge.svg)](https://github.com/pi-hole/docker-pi-hole/actions?query=workflow%3A%22Test+%26+Build%22) [![Docker Stars](https://img.shields.io/docker/stars/pihole/pihole.svg?maxAge=604800)](https://store.docker.com/community/images/pihole/pihole) [![Docker Pulls](https://img.shields.io/docker/pulls/pihole/pihole.svg?maxAge=604800)](https://store.docker.com/community/images/pihole/pihole)
+

Pi-hole

@@ -19,10 +21,11 @@ ## Quick Start -1. Copy docker-compose.yml.example to docker-compose.yml and update as needed. See example below: -[Docker-compose](https://docs.docker.com/compose/install/) example: +Using [Docker-compose](https://docs.docker.com/compose/install/): -```yaml +1. Copy the below docker compose example and update as needed + +```yml version: "3" # More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/ 
@@ -53,31 +56,11 @@ services: 2. Run `docker compose up -d` to build and start pi-hole (Syntax may be `docker-compose` on older systems) 3. If using Docker's default `bridge` network setting, set the environment variable `FTLCONF_dns_listeningMode` to `all` -[Here is an equivalent docker run script](https://github.com/pi-hole/docker-pi-hole/blob/master/examples/docker_run.sh). - -## Overview - -A [Docker](https://www.docker.com/what-docker) project to make a lightweight x86 and ARM container with [Pi-hole](https://pi-hole.net) functionality. - -1) Install Docker. [Docker-compose](https://docs.docker.com/compose/install/) is also recommended. -2) Use the above quick start example, customize if desired. -3) Enjoy! - -[![Build Status](https://github.com/pi-hole/docker-pi-hole/workflows/Test%20&%20Build/badge.svg)](https://github.com/pi-hole/docker-pi-hole/actions?query=workflow%3A%22Test+%26+Build%22) [![Docker Stars](https://img.shields.io/docker/stars/pihole/pihole.svg?maxAge=604800)](https://store.docker.com/community/images/pihole/pihole) [![Docker Pulls](https://img.shields.io/docker/pulls/pihole/pihole.svg?maxAge=604800)](https://store.docker.com/community/images/pihole/pihole) - -## Running Pi-hole Docker - -This container uses 2 popular ports, port 53 and port 80, so **may conflict with existing applications ports**. If you have no other services or docker containers using port 53/80 (if you do, keep reading below for a reverse proxy example), the minimum arguments required to run this container are in the script [docker_run.sh](https://github.com/pi-hole/docker-pi-hole/blob/master/examples/docker_run.sh) - -If you're using a Red Hat based distribution with an SELinux Enforcing policy add `:z` to line with volumes like so: - -``` - -v "$(pwd)/etc-pihole:/etc/pihole:z" \ -``` +nb. Volumes are recommended for persisting data across container re-creations for updating images. 
-Volumes are recommended for persisting data across container re-creations for updating images. +### Automatic Ad List Updates -**Automatic Ad List Updates** - `cron` is baked into the container and will grab the newest versions of your lists and flush your logs. This happens once per week in the small hours of Sunday morning. +`cron` is baked into the container and will grab the newest versions of your lists and flush your logs. This happens once per week in the small hours of Sunday morning. ## Running DHCP from Docker Pi-Hole @@ -139,9 +122,8 @@ Here is a rundown of other arguments for your docker-compose / docker run. - Port conflicts? Stop your server's existing DNS / Web services. - Don't forget to stop your services from auto-starting again after you reboot - Ubuntu users see below for more detailed information -- You can map other ports to Pi-hole port 80 using docker's port forwarding like this `-p 8080:80` if you are using the default blocking mode. If you are using the legacy IP blocking mode, you should not remap this port. - - [Here is an example of running with nginxproxy/nginx-proxy](https://github.com/pi-hole/docker-pi-hole/blob/master/examples/docker-compose-nginx-proxy.yml) (an nginx auto-configuring docker reverse proxy for docker) on my port 80 with Pi-hole on another port. Pi-hole needs to be `DEFAULT_HOST` env in nginxproxy/nginx-proxy and you need to set the matching `VIRTUAL_HOST` for the Pi-hole's container. Please read nginxproxy/nginx-proxy readme for more info if you have trouble. - Docker's default network mode `bridge` isolates the container from the host's network. This is a more secure setting, but requires setting the Pi-hole DNS option for _Interface listening behavior_ to "Listen on all interfaces, permit all origins". +- If you're using a Red Hat based distribution with an SELinux Enforcing policy add `:z` to line with volumes ### Installing on Ubuntu or Fedora 
@@ -235,7 +217,7 @@ We install all pihole utilities so the the built in [pihole commands](https://di ### Customizations -The webserver and DNS service inside the container can be customized if necessary. Any configuration files you volume mount into `/etc/dnsmasq.d/` will be loaded by dnsmasq when the container starts or restarts or if you need to modify the Pi-hole config it is located at `/etc/dnsmasq.d/01-pihole.conf`. The docker start scripts runs a config test prior to starting so it will tell you about any errors in the docker log. +The webserver and DNS service inside the container can be customized if necessary. Any configuration files you volume mount into `/etc/dnsmasq.d/` will be loaded by dnsmasq when the container starts or restarts. ## Note on Capabilities diff --git a/examples/docker-compose-caddy-proxy.yml b/examples/docker-compose-caddy-proxy.yml index 99d54d755..0ee3cc104 100644 --- a/examples/docker-compose-caddy-proxy.yml +++ b/examples/docker-compose-caddy-proxy.yml @@ -22,7 +22,7 @@ services: # More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/ pihole: - depends_on: + depends_on: - caddy container_name: pihole #dns: # Optional. Specify desired upstream DNS servers here. 
@@ -37,17 +37,15 @@ services: # Following are NOT proxied through Caddy, bound to host net instead: - "53:53/udp" - "53:53/tcp" - - "853:853/tcp" # DNS-over-TLS + - "853:853/tcp" # DNS-over-TLS #- "67:67/udp" # DHCP, if desired. If not bound to host net you need an mDNS proxy service configured somewhere on host net. # ref: https://docs.pi-hole.net/docker/DHCP/ environment: TZ: 'America/New_York' # Supported TZ database names: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#Time_Zone_abbreviations - WEBPASSWORD: 'password' # Only used on first boot, change with pihole cli then comment out here. + FTLCONF_webserver_api_password: 'password' volumes: - './etc-pihole:/etc/pihole' - './etc-dnsmasq.d:/etc/dnsmasq.d' - - './etc-lighttpd/external.conf:/etc/lighttpd/external.conf' # Recommend leave as bind mount for easier editing. - # ref for why you may need to change this file: https://docs.pi-hole.net/guides/webserver/caddy/#modifying-lighttpd-configuration #cap_add: # Uncomment if using Pi-hole as DHCP server # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities #- NET_ADMIN # ONLY required if you are using Pi-hole as your DHCP server, else remove for better security diff --git a/examples/docker-compose-nginx-proxy.yml b/examples/docker-compose-nginx-proxy.yml deleted file mode 100644 index 48b34f92d..000000000 --- a/examples/docker-compose-nginx-proxy.yml +++ /dev/null 
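Review bot: `FTLCONF_webserver_api_password: 'password'` leaves a literal, trivially guessable value in a file people copy verbatim, and the guidance that travelled with the old `WEBPASSWORD` line ("Only used on first boot, change with pihole cli then comment out here") is dropped without a replacement. If FTLCONF_ values are re-applied from the environment on every start, as the ENV_ONLY semantics introduced by this series suggest, a password later changed with `pihole setpassword` inside the container would presumably be overridden again at the next restart while this line is present — the opposite of what the removed comment told users. A trailing comment would prevent that surprise, e.g. `FTLCONF_webserver_api_password: 'password' # Set a real password; while this line is present it is re-applied on every container start`.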
@@ -1,59 +0,0 @@ -version: "3" - -# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md - -services: - nginx-proxy: - image: nginxproxy/nginx-proxy - ports: - - '80:80' - environment: - DEFAULT_HOST: pihole.yourDomain.lan - volumes: - - '/var/run/docker.sock:/tmp/docker.sock' - restart: always - - pihole: - image: pihole/pihole:latest - ports: - - '53:53/tcp' - - '53:53/udp' - - "67:67/udp" - - '8053:80/tcp' - volumes: - - './etc-pihole:/etc/pihole' - - './etc-dnsmasq.d:/etc/dnsmasq.d' - # run `touch ./var-log/pihole.log` first unless you like errors - # - './var-log/pihole.log:/var/log/pihole/pihole.log' - # Recommended but not required (DHCP needs NET_ADMIN) - # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities - cap_add: - - NET_ADMIN - environment: - ServerIP: 192.168.41.55 - PROXY_LOCATION: pihole - VIRTUAL_HOST: pihole.yourDomain.lan - VIRTUAL_PORT: 80 - extra_hosts: - # Resolve to nothing domains (terminate connection) - - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0' - # LAN hostnames for other docker containers using nginx-proxy - - 'yourDomain.lan:192.168.41.55' - - 'pihole pihole.yourDomain.lan:192.168.41.55' - - 'ghost ghost.yourDomain.lan:192.168.41.55' - - 'wordpress wordpress.yourDomain.lan:192.168.41.55' - restart: always - -# Another container you might want to have running through the proxy -# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts -# ghost: -# image: fractalf/ghost -# ports: -# - '2368:2368/tcp' -# volumes: -# - '/etc/ghost:/ghost-override' -# environment: -# PROXY_LOCATION: ghost -# VIRTUAL_HOST: ghost.yourDomain.lan -# VIRTUAL_PORT: 2368 -# restart: always diff --git a/examples/docker-compose.yml.example b/examples/docker-compose.yml.example deleted file mode 100644 index f52e18419..000000000 --- a/examples/docker-compose.yml.example +++ /dev/null 
@@ -1,25 +0,0 @@ -version: "3" - -# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md - -services: - pihole: - container_name: pihole - image: pihole/pihole:latest - # For DHCP it is recommended to remove these ports and instead add: network_mode: "host" - ports: - - "53:53/tcp" - - "53:53/udp" - - "67:67/udp" - - "80:80/tcp" - environment: - TZ: 'America/Chicago' - # WEBPASSWORD: 'set a secure password here or it will be random' - # Volumes store your data between container upgrades - volumes: - - './etc-pihole:/etc/pihole' - - './etc-dnsmasq.d:/etc/dnsmasq.d' - # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities - cap_add: - - NET_ADMIN - restart: unless-stopped # Recommended but not required (DHCP needs NET_ADMIN) diff --git a/examples/docker-pi-hole.cron b/examples/docker-pi-hole.cron deleted file mode 100644 index 669c96fbb..000000000 --- a/examples/docker-pi-hole.cron +++ /dev/null 
@@ -1,31 +0,0 @@ -# Pi-hole: A black hole for Internet advertisements -# (c) 2015, 2016 by Jacob Salmela -# Network-wide ad blocking via your Raspberry Pi -# http://pi-hole.net -# Updates ad sources every week -# -# Pi-hole is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 2 of the License, or -# (at your option) any later version. -# -# This file is under source-control of the Pi-hole installation and update -# scripts, any changes made to this file will be overwritten when the softare -# is updated or re-installed. Please make any changes to the appropriate crontab -# or other cron file snippets. - -# Your container name goes here: -DOCKER_NAME=pihole -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -# Pi-hole: Update the ad sources once a week on Sunday at 01:59 -# Download any updates from the adlists -59 1 * * 7 root PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole updateGravity > /dev/null - -# Update docker-pi-hole by pulling the latest docker image and re-creating your container. -# pihole software update commands are unsupported in docker! -#30 2 * * 7 root PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole updatePihole > /dev/null - -# Pi-hole: Flush the log daily at 00:00 so it doesn't get out of control -# Stats will be viewable in the Web interface thanks to the cron job above -00 00 * * * root PATH="$PATH:/usr/local/bin/" docker exec $DOCKER_NAME pihole flush > /dev/null diff --git a/examples/docker_run.sh b/examples/docker_run.sh deleted file mode 100755 index 68df5db1d..000000000 --- a/examples/docker_run.sh +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/bash - -# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md - -# You can customize where to store persistent data by setting the `PIHOLE_BASE` environment -# variable when invoking `docker_run.sh` (e.g. `PIHOLE_BASE=/opt/pihole-storage ./docker_run.sh`). -# If `PIHOLE_BASE` is not set, files are stored in your current directory when you invoke the script. -PIHOLE_BASE="${PIHOLE_BASE:-$(pwd)}" -[[ -d "$PIHOLE_BASE" ]] || mkdir -p "$PIHOLE_BASE" || { echo "Couldn't create storage directory: $PIHOLE_BASE"; exit 1; } - -# Note: FTLCONF_LOCAL_IPV4 should be replaced with your external ip. -docker run -d \ - --name pihole \ - -p 53:53/tcp -p 53:53/udp \ - -p 80:80 \ - -e TZ="America/Chicago" \ - -v "${PIHOLE_BASE}/etc-pihole:/etc/pihole" \ - -v "${PIHOLE_BASE}/etc-dnsmasq.d:/etc/dnsmasq.d" \ - --dns=127.0.0.1 --dns=1.1.1.1 \ - --restart=unless-stopped \ - --hostname pi.hole \ - pihole/pihole:latest - -printf 'Starting up pihole container ' -for i in $(seq 1 20); do - if [ "$(docker inspect -f "{{.State.Health.Status}}" pihole)" == "healthy" ] ; then - printf ' OK' - echo -e "\n$(docker logs pihole 2> /dev/null | grep 'password:') for your pi-hole: http://${IP}/admin/" - exit 0 - else - sleep 3 - printf '.' - fi - - if [ $i -eq 20 ] ; then - echo -e "\nTimed out waiting for Pi-hole start, consult your container logs for more info (\`docker logs pihole\`)" - exit 1 - fi -done; diff --git a/examples/pihole.service b/examples/pihole.service deleted file mode 100644 index b4cbad770..000000000 --- a/examples/pihole.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=pihole -Requires=docker.service multi-user.target -After=docker.service network-online.target dhcpd.service - -[Service] -Restart=always -ExecStart=/usr/bin/docker start -a pihole -ExecStop=/usr/bin/docker stop -t 2 pihole - -[Install] -WantedBy=multi-user.target - From 5c7ff5c539c75c1aab7fcd3d392f78d26e246d75 Mon Sep 17 00:00:00 2001 
From: Adam Warner
Date: Sun, 22 Oct 2023 12:15:04 +0100
Subject: [PATCH 6/8] TARGETPLATFORM needs to be set
Co-authored-by: yubiuser
Signed-off-by: Adam Warner
---
 build-and-test.sh | 1 +
 src/Dockerfile | 2 +-
 test/cmd.sh | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/build-and-test.sh b/build-and-test.sh
index 0f90186b0..1efec104a 100755
--- a/build-and-test.sh
+++ b/build-and-test.sh
@@ -19,4 +19,5 @@ docker run --rm \
 --env PIPENV_CACHE_DIR="$(pwd)/.pipenv" \
 --env GIT_TAG="${GIT_TAG}" \
 --env PY_COLORS=1 \
+ --env TARGETPLATFORM="${PLATFORM}" \
 ${enter} image_pipenv
diff --git a/src/Dockerfile b/src/Dockerfile
index 12fe8de26..028cd2fed 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -47,7 +47,7 @@ RUN git clone --depth 1 --single-branch --branch ${WEB_BRANCH} https://github.co
 elif [ "$TARGETPLATFORM" = "linux/386" ]; then FTLARCH=386; \
 elif [ "$TARGETPLATFORM" = "linux/arm/v6" ]; then FTLARCH=armv6; \
 elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then FTLARCH=armv7; \
- elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then FTLARCH=arm64; \
+ elif [ "$TARGETPLATFORM" = "linux/arm64/v8" ]; then FTLARCH=arm64; \
 elif [ "$TARGETPLATFORM" = "linux/riscv64" ]; then FTLARCH=riscv64; \
 else FTLARCH=amd64; fi \
 && echo "Arch: ${TARGETPLATFORM}, FTLARCH: ${FTLARCH}" \
diff --git a/test/cmd.sh b/test/cmd.sh
index 2c753d745..193585cd5 100755
--- a/test/cmd.sh
+++ b/test/cmd.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env sh
 set -eux
-docker buildx build ./src --tag pihole:${GIT_TAG} --no-cache
+docker buildx build ./src --build-arg TARGETPLATFORM="${TARGETPLATFORM}" --tag pihole:${GIT_TAG} --no-cache
 docker images pihole:${GIT_TAG}
 # auto-format the pytest code
From 335ec7e40de54871727a316903b83a0c120b8937 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sat, 28 Oct 2023 19:47:59 +0100
Subject: [PATCH 7/8] explicitly test for pwhash containing a value beginning $BALOON-SHA256
---
 src/bash_functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
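Review bot: The `elif` chain in src/Dockerfile now matches only `linux/arm64/v8`, and the fall-through is `else FTLARCH=amd64`, so a build whose TARGETPLATFORM arrives in the plain `linux/arm64` form (in my experience what BuildKit supplies when no explicit `--build-arg TARGETPLATFORM` is passed — worth confirming on your runners) silently fetches an amd64 FTL binary into an arm64 image. Accepting both spellings keeps the CI path from test/cmd.sh working without that trap: `elif [ "$TARGETPLATFORM" = "linux/arm64" ] || [ "$TARGETPLATFORM" = "linux/arm64/v8" ]; then FTLARCH=arm64; \`. Independently, the silent amd64 default hides exactly this class of mistake; failing the build on an unrecognised platform, `else echo "Unsupported TARGETPLATFORM: ${TARGETPLATFORM}" >&2; exit 1; fi \`, makes it visible at build time instead of at first container start. The RUN instruction begins before this hunk.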
diff --git a/src/bash_functions.sh b/src/bash_functions.sh
index d30df938a..0c69f51cd 100644
--- a/src/bash_functions.sh
+++ b/src/bash_functions.sh
@@ -72,7 +72,7 @@ setup_web_password() {
 fi
 # Exit if password is already set in config file
- if [[ -n $(pihole-FTL --config webserver.api.pwhash) ]]; then
+ if [[ $(pihole-FTL --config webserver.api.pwhash) = \$BALLOON-SHA256* ]]; then
 echo " [i] Password already set in config file"
 return
 fi
From 9928cfa630b5e99f76831aab311907a97afe17a0 Mon Sep 17 00:00:00 2001
From: Adam Warner
Date: Sun, 29 Oct 2023 17:48:24 +0000
Subject: [PATCH 8/8] Clarify delimter for array type FTLCONF_ values
Signed-off-by: Adam Warner
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index de51cf09e..9ed727080 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ To explicitly set no password, set `FTLCONF_webserver_api_password: ''`
 | -------- | ------- | ----- | ---------- |
 | `TZ` | UTC | `` | Set your [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to make sure logs rotate at local midnight instead of at UTC midnight.
 | `FTLCONF_webserver_api_password` | random | `` | password. Run `docker logs pihole \| grep random` to find your random pass.
-| `FTLCONF_dns_upstreams` | `8.8.8.8,8.8.4.4` | IPs delimited by `,` | Upstream DNS server(s) for Pi-hole to forward queries to, separated by a semicolon
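Review bot: The new guard ties "a password is already set" to one concrete hash prefix (`\$BALLOON-SHA256*`), so any other non-empty value FTL might store or print for `webserver.api.pwhash` (a different hash scheme in a future FTL, or a quoted/formatted output) fails the match and the code below generates a fresh random password, overwriting the existing one on every container start. The removed `-n` test presumably failed because FTL prints an unset hash as `""` — the older setup_web_password deleted earlier in this series compared against the literal `'""'` — so the intent is better expressed as "treat empty or `""` as unset" than as "treat this one prefix as set": `case "$(pihole-FTL --config webserver.api.pwhash)" in ''|'""') ;; *) echo " [i] Password already set in config file"; return ;; esac`. Whichever form stays, a comment above it naming the FTL output it relies on, `# FTL prints "" for an unset hash and a $BALLOON-SHA256... string once a password is stored`, would save the next reader the same investigation. setup_web_password begins and ends outside this hunk.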
(supports non-standard ports with `#[port number]`) e.g `127.0.0.1#5053,8.8.8.8,8.8.4.4`
(supports [Docker service names and links](https://docs.docker.com/compose/networking/) instead of IPs) e.g `upstream0,upstream1` where `upstream0` and `upstream1` are the service names of or links to docker services
Note: The existence of this environment variable assumes this as the _sole_ management of upstream DNS. Upstream DNS added via the web interface will be overwritten on container restart/recreation | +| `FTLCONF_dns_upstreams` | `8.8.8.8;8.8.4.4` | IPs delimited by `;` | Upstream DNS server(s) for Pi-hole to forward queries to, separated by a semicolon
(supports non-standard ports with `#[port number]`) e.g `127.0.0.1#5053;8.8.8.8;8.8.4.4`
(supports [Docker service names and links](https://docs.docker.com/compose/networking/) instead of IPs) e.g `upstream0,upstream1` where `upstream0` and `upstream1` are the service names of or links to docker services
Note: The existence of this environment variable assumes this as the _sole_ management of upstream DNS. Upstream DNS added via the web interface will be overwritten on container restart/recreation | ### Optional Variables @@ -90,7 +90,7 @@ To explicitly set no password, set `FTLCONF_webserver_api_password: ''` | -------- | ------- | ----- | ---------- | | `TAIL_FTL_LOG` | unset | `` | Whether or not to output the FTL log when running the. Useful for debugging/watching what FTL is doing. | `SKIPGRAVITYONBOOT` | unset | `` | Use this option to skip updating the Gravity Database when booting up the container. By default this environment variable is not set so the Gravity Database will be updated when the container starts up. Setting this environment variable to 1 (or anything) will cause the Gravity Database to not be updated when container starts up. -| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole.toml with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`| +| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole.toml with settings described in the . Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`
Array type configs should be delimited with `;`| | `PIHOLE_UID` | `100` | Number | Overrides image's default pihole user id to match a host user id
**IMPORTANT**: id must not already be in use inside the container! | | `PIHOLE_GID` | `101` | Number | Overrides image's default pihole group id to match a host group id
**IMPORTANT**: id must not already be in use inside the container!|