
Set PUID and PGID as Variables

Open Veldkornet opened this issue 7 years ago • 85 comments

This is a...

  • [x] Request for a new or modified feature
  • [x] Issue trying to run the docker image
  • [ ] Issue trying to build / test / develop the docker image

Description

So I'm addressing a few things in this one issue, which I understand is not ideal. Could you please add the PUID (Process User ID) and PGID (Process Group ID) variables? I'll tell you why. I use Docker on my Synology NAS and for the life of me, I cannot get it to work. I keep getting the following error: "[ERROR]: Unable to parse results from queryads.php: Unhandled error message (Invalid domain!)". I've therefore set the logs to be external with "/volume1/docker/pihole/logs/:/var/log/", however I then run into the problem that it cannot start because pihole doesn't have access to the logs (even though I set the permission to 777 for the directory and everything in it.)

    2018-08-31 17:30:36: (log.c.171) opening errorlog '/var/log/lighttpd/error.log' failed: Permission denied stderr

Expected Behavior

Docker processes should run under the user id and group ID values specified in the environmental variables

Actual Behavior

It doesn't

Possible Fix

Add the variables. Many docker images have these variables, especially those from https://www.linuxserver.io/our-images if you need examples

Steps to Reproduce and debugging done

There's not much to do as I can't even access the webpage directly after creating the image. FYI, I do not have DNS or DHCP running on my NAS. This is the create command that I used:

    sudo docker run -d \
      --name pihole \
      -p 53:53/tcp -p 53:53/udp \
      -p 67:67/udp \
      -p 32777:80 \
      -p 32778:443 \
      -v "/volume1/docker/pihole/pihole/:/etc/pihole/" \
      -v "/volume1/docker/pihole/dnsmasq.d/:/etc/dnsmasq.d/" \
      -e ServerIP="${IP}" \
      -e TZ=Europe/Amsterdam \
      -e DNS1=208.67.222.222 \
      -e DNS2=208.67.220.220 \
      -e PUID=1033 \
      -e PGID=65540 \
      --restart=unless-stopped \
      --cap-add=NET_ADMIN \
      pihole/pihole:latest

Debug steps I have tried

  • [x] I have tried destroying my container instance, pulling the newest image version, and re-creating a new container
  • [x] I have tried running the nearly stock docker run example in the readme (removing any customizations I added)
  • [x] I have tried running without my volume data mounts to eliminate volumes as the cause
  • [x] I have searched this repository for existing issues and pull requests that look similar

Context and extra information

#271 #267 #85

Your Environment

  • Docker Host Operating System and OS Version: Synology DS1517+ | DSM 6.2-23739 Update 2
  • Docker Version: 17.05.0-ce
  • Docker API version: 1.29
  • Hardware architecture: linux/amd64

Veldkornet avatar Aug 31 '18 15:08 Veldkornet

What are the default PUID and PGID that Pi-Hole runs under right now? I'm creating an unraid template for myself and I need to know this, thanks.

Exist2Resist avatar Sep 24 '18 16:09 Exist2Resist

The services run as mix of root and www-data, with some files owned by the pihole service account:

root@a70f4332e07f:/# id root
uid=0(root) gid=0(root) groups=0(root)
root@a70f4332e07f:/# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
root@a70f4332e07f:/# id pihole
uid=999(pihole) gid=999(pihole) groups=999(pihole),33(www-data)

diginc avatar Sep 24 '18 17:09 diginc

@diginc Thanks

Exist2Resist avatar Sep 25 '18 03:09 Exist2Resist

That would explain why I can't do anything in the webgui (adding white list) etc. for example as the user is not correctly set

jbpaux avatar Oct 19 '18 15:10 jbpaux

Similar stuff - I deploy on Qnap NAS + VPS.

I think it would be nice to have ability to specify UID & GID.

I hope this issue is still valid

EsEnZeT avatar Nov 09 '18 22:11 EsEnZeT

Still on my board. FTL's service script (docker specific s6) needs to be updated to run as pi-hole user to accommodate not having a mix of 3 different users processes.

diginc avatar Nov 10 '18 16:11 diginc

@diginc thank you for clarification and overall great work on that :)

EsEnZeT avatar Nov 11 '18 00:11 EsEnZeT

Same thing happens on QNAP NAS, the GUID and PUID aren't set so the files pihole needs in /etc/pihole are pretty much read only to the docker image if you want to mount them to store the data outside of the image. You can clearly see pihole wanting to create files with GID 999, while that one doesn't exist on the NAS.

lennyg1 avatar Nov 18 '18 13:11 lennyg1

Same thing happening on docker in ubuntu, every time I restart the service it can't read previously saved config files I assume, so everything is reset and a new password regenerated.

Great job with pi-hole, can't wait to be able to fully use it

tzapu avatar Jan 19 '19 23:01 tzapu

As this is not a synology specific issue would it be possible to rename that issue? Something like "Use provided host PID / GID to allow host compatible file access" seems to me more meaningful for this feature request.

The mentioned "magic" from linuxserver.io is mainly the usage of a user account "abc" with the tweak to the given PID / GID, see https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/10-adduser

  • Create user abc with 911 as default PID / GID
  • On startup check environment and override if value provided
  • Run all processes under the account abc - guess this is the main issue here
  • chown folders accordingly

Sidenote: Best practice is to create a "technical docker user" on the NAS / host and use the values of that account for the containers.

arnemoor avatar Feb 25 '19 16:02 arnemoor

And is there currently a workaround to overcome the issue with permission 999 on shared folder "pihole"? I'm facing same error as here https://discourse.pi-hole.net/t/php-permissions-error-web-admin-page/14250

celeroll avatar Feb 27 '19 01:02 celeroll

My last post in that thread leads to this post and its reply about tweaking NAS permissions to resolve folder share permissions conflicting with docker permissions.

diginc avatar Feb 27 '19 02:02 diginc

I solved this problem in the way that I executed this command before docker-compose on the shared folder: chmod 777 /volume1/apps/configs/pihole/

This allowed the system to create all files with necessary permissions to execute.

And my volume share for this looks like this: - /volume1/apps/configs/pihole/:/etc/pihole/

celeroll avatar Feb 27 '19 11:02 celeroll

Any movement on this?

jcass8695 avatar Nov 17 '19 14:11 jcass8695

Diginc, do we need to add an entrypoint to chmod directories to a PID/GID? Or is this something more on the core package that needs to be able to install/run with user supplied UIDs?

dschaper avatar Nov 17 '19 16:11 dschaper

Using the linuxserver io style adduser script works really well as long as your programs actually run as that same defined user.

Since this was last discussed we added customizing dnsmasq / FTL's user feature which helps. Spitballing the logic: IF PUID / PGID is passed in, it could modify the pre-existing pihole user to use those IDs and then force the dnsmasq user to pihole.

Next up is probably customizing the www-data lighttpd user before this'll work. That is a fairly simple sed command.

diginc avatar Nov 17 '19 18:11 diginc

@diginc It sounds like everything I need has been implemented, just sanity checking with you. Adding

-e PUID=1000 \
-e GUID=1000 \
-e DNSMASQ_USER=1000

to my docker run will allow me to volume mount dnsmasq.d locally and be able to write to the conf files? Provided my local user is 1000.

jcass8695 avatar Nov 18 '19 16:11 jcass8695

@JCass45 Only the DNSMASQ_USER variable has been added so far. The PUID and GUID scripts haven't been added yet.

diginc avatar Nov 19 '19 03:11 diginc

Do we know when PUID and PGID is going to be implemented as I currently keep getting:

cp: cannot create regular file '/etc/dnsmasq.d/01-pihole.conf': Permission denied

Even with DNSMASQ_USER set to 1000

HNGamingUK avatar Dec 02 '19 22:12 HNGamingUK

I am another +1 for this.

I am trying to use pihole in a rootless container w/ Podman. I currently can't do this because there are three relevant user/group IDs inside the pi-hole container.

The only way to get pihole working is - sadly - to use xx7 level permissions on whichever directories the host mounts into the container. This way, the three IDs inside the container that need access to the volume can access them.

kquinsland avatar Feb 07 '20 20:02 kquinsland

This permissions hell is a mess. And chmod'ing 777 is not a proper solution, it's a serious security issue.

Haarolean avatar May 24 '20 10:05 Haarolean

It would be awesome to see this fixed up. Having control over this makes it really easy for this to slot straight into existing conventions.

matthewdennett avatar Jun 07 '20 07:06 matthewdennett

Adding my vote here... it would be very good to be able to specify what UIDs/GIDs are chosen for pihole and www-data (www-data is less important, since it's somewhat standardized across distros, but 999 for pihole is in-use in both of my main distros for other services, and it complicates the permissions setup on the persistent files)

With the security changes in v5, I had to add the www-data user (UID 33 on ubuntu, and in this container) to the group systemd-coredump (GID 999 on ubuntu.. which is what the 'pihole' GID is in this container) on my ubuntu NFS host so that the pihole www-data user (UID 33) could update files with 664 perms and uid:gid of 999:999. Being able to choose the UIDs/GIDs would allow me to set the permissions so that they don't overlap with other services on the same host. Then you don't have to worry so much about what the user names are inside the container - IDs just need to match what your external users/groups are set to.

araemo avatar Jun 17 '20 16:06 araemo
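An added preflight check, written for this thread and not part of the pihole project or any script posted above, that puts two of the points made so far into runnable form: arnemoor's advice to take the IDs from a dedicated "technical docker user" on the host, and araemo's observation that one numeric ID names different accounts on the host (systemd-coredump) and inside the container (pihole). It validates a requested PUID/PGID, looks the number up in constructed passwd snippets for both sides, and verifies that a bind-mounted directory is already owned by those IDs, which is the check to run instead of reaching for chmod 777. The passwd lines, the `dockeruser` account (given the 1033:65540 IDs from the opening docker run command) and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example: preflight for the PUID/PGID pattern. Not pihole's own code.

# Constructed passwd snippets: the container side (pihole = 999, as reported
# by diginc above) and a typical host side where 999 is systemd-coredump.
CONTAINER_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
pihole:x:999:999::/home/pihole:/usr/sbin/nologin'

HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
dockeruser:x:1033:65540:technical docker user:/home/dockeruser:/usr/sbin/nologin'

# valid_id ID -> 0 if ID is a positive integer; empty, non-numeric and 0 (root) are rejected
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
        0) return 1 ;;             # never remap a service account onto root
        *) return 0 ;;
    esac
}

# name_for_uid UID PASSWD_TEXT -> prints the account name that owns UID, or "unmapped"
name_for_uid() {
    uid=$1
    name=$(printf '%s\n' "$2" | awk -F: -v u="$uid" '$3 == u { print $1; exit }')
    printf '%s\n' "${name:-unmapped}"
}

# volume_owner DIR -> prints "uid:gid" of DIR (GNU stat first, BSD stat as fallback)
volume_owner() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# volume_matches DIR UID GID -> 0 when DIR is owned by exactly UID:GID
volume_matches() {
    [ "$(volume_owner "$1")" = "$2:$3" ]
}

# preflight PUID PGID DIR -> 0 when the IDs are usable and DIR is owned by them
preflight() {
    puid=$1; pgid=$2; dir=$3
    valid_id "$puid" || { echo "PUID '$puid' is not a usable id"; return 1; }
    valid_id "$pgid" || { echo "PGID '$pgid' is not a usable id"; return 1; }
    echo "uid $puid is '$(name_for_uid "$puid" "$HOST_PASSWD")' on the host and '$(name_for_uid "$puid" "$CONTAINER_PASSWD")' in the container"
    if volume_matches "$dir" "$puid" "$pgid"; then
        echo "$dir is owned by $puid:$pgid, no chmod 777 needed"
        return 0
    fi
    echo "$dir is owned by $(volume_owner "$dir"), expected $puid:$pgid; fix with: chown $puid:$pgid $dir"
    return 1
}

# Run as: sh preflight.sh PUID PGID DIR. With no arguments only the functions are defined.
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

The lookup against both passwd snippets is the part worth keeping in mind when reading the rest of the thread: the same 999 that is "pihole" inside the image is "systemd-coredump" on the host, so a volume that looks correctly owned from one side is granting access to an unrelated account on the other.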

The only reason this ticket is open is because the cardinal sin of putting more than one $thing in a container was broken. One user/group per $thing and one $thing per container.

The proper fix would be to break out the web server and web app from the rest of the piHole components into a series of containers that are composed into the service.

I think that keeping this ticket open is a good idea as it's currently the best place to discuss the issue as well as the fix but ultimately there will have to be some substantial work to de-couple the various components of the piHole service.

Is there any documentation on what binaries are used by piHole and how they're configured? I am only vaguely aware of the massive installer script and:

  • the web server
  • the php process
  • the pihole fork of dnsmasq which also? reads the DB file that the php process manages?

kquinsland avatar Jun 17 '20 17:06 kquinsland

I'm having the same issue with this and find it quite annoying that you can't properly control permissions. I came up with a workaround though. I've only applied it for the pihole and www-data user but can be extended for any user in the container. Forgive the bad code, I didn't make it look pretty.

30-fix-permissions.sh

#!/bin/bash

# Change a user's numeric UID, then re-own every file that still carries the
# old UID so it resolves to the same account again.
modifyUser()
{
  declare username=${1:-} newId=${2:-}
  [[ -z ${username} || -z ${newId} ]] && return

  local currentId
  currentId=$(id -u "${username}") || return   # unknown account: nothing to do

  echo "user ${username} ${currentId} => ${newId}"
  usermod -o -u "${newId}" "${username}"       # -o allows a UID that is already in use

  find / -user "${currentId}" -print0 2> /dev/null | \
    xargs -0 chown -h "${username}" 2> /dev/null
}

# Same for a group's numeric GID.
modifyGroup()
{
  declare groupname=${1:-} newId=${2:-}
  [[ -z ${groupname} || -z ${newId} ]] && return

  local currentId
  currentId=$(getent group "${groupname}" | cut -d: -f3)   # look up the group, not a user's primary group
  [[ -z ${currentId} ]] && return

  echo "group ${groupname} ${currentId} => ${newId}"
  groupmod -o -g "${newId}" "${groupname}"

  find / -group "${currentId}" -print0 2> /dev/null | \
    xargs -0 chgrp -h "${groupname}" 2> /dev/null
}

modifyUser www-data "${WEB_UID}"
modifyGroup www-data "${WEB_GID}"
modifyUser pihole "${PIHOLE_UID}"
modifyGroup pihole "${PIHOLE_GID}"

Then in the docker-compose.yml file, add a volume that binds to the above file:

volumes:
  - 30-fix-permissions.sh:/etc/cont-init.d/30-permissions.sh:ro

The web user must be in the pihole group on the host and you have to specify the following environment variables

  • WEB_UID=< id of your web user >
  • WEB_GID=< id of your web group >
  • PIHOLE_UID=< id of your pihole user >
  • PIHOLE_GID=< id of your pihole group >
  • DNSMASQ_USER=pihole

DNSMASQ_USER must be set to pihole and when this runs there will still be root owned files in your pihole volume but the actual processes will be running as whatever user you specify. I'm not sure if this will cause long term issues but so far it's working for me

akusei avatar Jun 19 '20 22:06 akusei

Any progress? I'm getting this issue also. Would love to be able to specify UID/GID

neybar avatar Oct 15 '20 18:10 neybar

Would also be a fan of this... on my machine, 999 maps to systemd-coredump which honestly i don't care for ... would much rather be able to specify the pihole user! thanks 👍

imajes avatar Oct 21 '20 19:10 imajes

Any progress on this? I have the issue with permission when using nfs share as a volume for pihole configs

k-matti avatar Nov 21 '20 17:11 k-matti

For me this would be useful so I don't have to run docker volumes (which makes backing up and restoring a PITA (I backup my folders daily for easier restore)) and can instead save pihole data in relevant folders with everything else whilst being in the docker group, rather than root.

modem7 avatar Dec 02 '20 22:12 modem7

Adding another me to +1, it's preventing me from running within docker using a shared networked CIFS volume (#750) and I'm not willing to use 777 permissions.

Also would probably fix #749

katbyte avatar Jan 04 '21 21:01 katbyte

+1 looking forward to seeing this being fixed.

evanre avatar Jan 07 '21 16:01 evanre

+1 it would be a great pleasure for me too

uysct avatar Jan 23 '21 20:01 uysct

I solved this problem (finally) after running the container with --cap-add=setuid --cap-add=setgid

In kubernetes, add this to the appropriate spot in your YAML:

    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - SETGID
        - SETUID

c0m3d1an avatar Jan 29 '21 02:01 c0m3d1an

+1 It’s a good security practice to run rootless and use namespace remapping in Docker. The current workarounds (777, setgid/setuid capabilities) to use pihole, completely defy that principle and weaken security in case of a container breakout.

Klarstein avatar Jan 31 '21 10:01 Klarstein

@diginc @PromoFaux

Do you know if we have any official update on this particular feature from the dev team?

Would be good to see if there has been any updates behind the scenes, and where this particular feature may lie within the roadmap.

Is there anything the devs need from us for further info or to assist in implementation/testing?

modem7 avatar Feb 27 '21 00:02 modem7

Is there anything the devs need from us for further info or to assist in implementation/testing?

The only fix is to break up the various binaries inside the image. The current pihole docker image is an anti pattern but because most people running pihole on docker actually want the simplicity that comes from that anti pattern, I suspect very little will change any time soon.

In the short term, it probably wouldn't be too hard to create a set of 'decomposed' containers using multi-stage builds, but in reverse:

# Load the 'composed' pihole image
FROM pihole as donor

FROM alpine:latest as dns
COPY --from=donor /usr/bin/pihole-ftl  ...
...

FROM nginx-php-fpm:latest as web
COPY --from=donor /etc/lighttpd/...
...

Not quite as elegant as building proper containers from the beginning, but probably how it'll get done if anybody can find the time to donate / get it done.

kquinsland avatar Feb 27 '21 01:02 kquinsland

Might be something to address in https://github.com/pi-hole/docker-pi-hole/issues/735

dschaper avatar Feb 27 '21 01:02 dschaper

@dschaper I believe it was addressed:

I had started to work on updating the workflow but I find it very difficult to understand and apprehend this repository. We depend on shell and python scripts whereas a simple docker build should be enough.

So I started again and made a new image from scratch but the study of the basic-install.sh script is complicated to take into account. A lot of static items and system dependencies prevent us from a generic and agnostic approach to create a simple image.

de-composing PiHole is non trivial.

kquinsland avatar Feb 27 '21 02:02 kquinsland

The only fix is to break up the various binaries inside the image.

Just to note that:

  • the web server
  • the php process
  • the pihole fork of dnsmasq which also? reads the DB file that the php process manages?

Work is happening in the background currently for Pi-hole 6.0, in which the web server will be embedded in to FTL (our dnsmasq "fork") and PHP will also hopefully be going away entirely....

PromoFaux avatar Feb 27 '21 12:02 PromoFaux

Awesome! Thank you for your hard work! In the meantime I just use pihole by manually editing the config files.

On 27 Feb 2021, at 13:36, Adam Warner [email protected] wrote:

The only fix is to break up the various binaries inside the image.

Just to note that:

  • the web server
  • the php process
  • the pihole fork of dnsmasq which also? reads the DB file that the php process manages?

Work is happening in the background currently for Pi-hole 6.0, in which the web server will be embedded in to FTL (our dnsmasq "fork") and PHP will also hopefully be going away entirely....


Klarstein avatar Feb 27 '21 12:02 Klarstein

The only fix is to break up the various binaries inside the image.

Just to note that:

  • the web server
  • the php process
  • the pihole fork of dnsmasq which also? reads the DB file that the php process manages?

Work is happening in the background currently for Pi-hole 6.0, in which the web server will be embedded in to FTL (our dnsmasq "fork") and PHP will also hopefully be going away entirely....

Good to know! Just curious, why not have a standalone web server if the FTL binary has an API?

kquinsland avatar Feb 27 '21 18:02 kquinsland

If FTL can act as its own webserver, why have a separate one? Obviously nothing stopping users, then, from reverse proxying via nginx or whatever.

work is happening here https://github.com/pi-hole/ftl/tree/new/http and here https://github.com/pi-hole/AdminLTE/tree/new/FTL_is_my_new_home for those following along at home

PromoFaux avatar Feb 27 '21 20:02 PromoFaux

This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.

github-actions[bot] avatar Jan 11 '22 18:01 github-actions[bot]

This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.

Yep. Still an issue.

Somebody should make a bot that watches for the "about to be stale" bot and keeps things open.

kquinsland avatar Jan 11 '22 18:01 kquinsland

keeps things open.

Added an exemption label.

No status update to share on this - lots of other things to untangle first (including tidying up old and stale issues)

PromoFaux avatar Jan 11 '22 18:01 PromoFaux

A couple of messages back it mentions setting DNSMASQ_USER to 1000. I can see in the start script that this will be used also for starting pihole-FTL which seems odd, but anyhow it doesn't work because there is no 1000 user in the passwd file. The container just prints an error about no user 1000 and restarts. I don't know how that feature is working for anyone. Is there a pihole docker that supports UID/GID correctly? I hate having this mess on my NAS. It's too hard to think through the security risk. I'm tempted to overlay my own passwd file just to change the numbers but then I'll have to manually update the container all the time.

dsm1212 avatar Jan 11 '22 23:01 dsm1212

I can see in the start script that this will be used also for starting pihole-FTL which seems odd,

Maybe that variable can be renamed. pihole-FTL is a drop-in replacement for dnsmasq, indeed dnsmasq is embedded directly into pihole-FTL

By default, this user is set to pihole (was root up until recently)

PromoFaux avatar Jan 12 '22 09:01 PromoFaux

Ah, that makes sense. A pihole user is good, we just need two variables for setting the UID/GID. I think www-data for lighttpd is not so bad. Heck, if the pihole user just had a big number UID that is not already present in these Linux distros it would be manageable. Tying it to systemd-coredumper, or whatever, means we have to try to figure out how to secure what that account can do.

dsm1212 avatar Jan 12 '22 15:01 dsm1212

just

Some things are easier said than done. But we hear you - things "just" take time to get sorted. We've been working on various improvements lately

PromoFaux avatar Jan 12 '22 15:01 PromoFaux

it's a fair point... but it's worth noting that given the widespread use of pihole, and its leading-edge presence, it does feel like getting this right from a security POV is fairly high priority....

imajes avatar Jan 12 '22 16:01 imajes

It's also a volunteer-led project, all of whom not only work full time outside of it, but also have active family lives and responsibilities... it can be a tough one to juggle at times.

Pull Requests and help on the code are always welcome - the beauty of being an open source project is that anyone can contribute to it. Comments along the lines of "You're doing this wrong and you should fix it" don't help anyone, and can lead to developer fatigue and burnout, to the point where working on the project becomes a chore - rather than the fun it is supposed to be.

That's not to say I'm shrugging anything off, or pointing any fingers in the direction of unhelpful contributions. We don't bite, not that hard anyway.

I'll add the Help Wanted label - maybe that will encourage helpful contribution

PromoFaux avatar Jan 12 '22 17:01 PromoFaux

100%. :) no questions there. I'm trying to carve out some time to spend on my docker stack and will try and tinker with a better fix if i can... :)

imajes avatar Jan 12 '22 17:01 imajes

Hello,

I've had the problem on a system where I needed a specific uid and gid to write files to the filesystem. Here is the code I've put in cont-init.d as 05-changer-uid-gid.sh. As you will guess, the vars will be WEB_UID, WEB_GID, PIHOLE_UID, PIHOLE_GID. I wish I could send a PR but my pihole project is a mess now, trying to debug a building issue. Is there someone to test and push a request?

#!/usr/bin/with-contenv bash
set -e

# Change a user's numeric UID, then re-own every file that still carries the
# old UID so it resolves to the same account again. No-op if already correct.
modifyUser()
{
  declare username=${1:-} newId=${2:-}
  [[ -z ${username} || -z ${newId} ]] && return

  local currentId
  currentId=$(id -u "${username}") || return   # unknown account: nothing to do
  [[ ${currentId} -eq ${newId} ]] && return

  echo "user ${username} ${currentId} => ${newId}"
  usermod -o -u "${newId}" "${username}"       # -o allows a UID that is already in use

  # xargs exits non-zero if any chown fails (e.g. under /proc); don't let set -e abort init
  find / -user "${currentId}" -print0 2> /dev/null | \
    xargs -0 chown -h "${username}" 2> /dev/null || true
}

# Same for a group's numeric GID.
modifyGroup()
{
  declare groupname=${1:-} newId=${2:-}
  [[ -z ${groupname} || -z ${newId} ]] && return

  local currentId
  currentId=$(getent group "${groupname}" | cut -d: -f3)   # look up the group, not a user's primary group
  [[ -z ${currentId} ]] && return
  [[ ${currentId} -eq ${newId} ]] && return

  echo "group ${groupname} ${currentId} => ${newId}"
  groupmod -o -g "${newId}" "${groupname}"

  find / -group "${currentId}" -print0 2> /dev/null | \
    xargs -0 chgrp -h "${groupname}" 2> /dev/null || true
}

modifyUser www-data "${WEB_UID}"
modifyGroup www-data "${WEB_GID}"
modifyUser pihole "${PIHOLE_UID}"
modifyGroup pihole "${PIHOLE_GID}"

edgd1er avatar Jan 12 '22 20:01 edgd1er

Changes in #982 have been merged to dev, which allow for the setting of UID for both www-data and pihole users with env vars. These are experimental changes that will likely require feedback (Changes can be played with on the :dev tag)

PromoFaux avatar Jan 20 '22 17:01 PromoFaux

_pihole_pihole.1.853ecdtwqr5d08e8z9yzuf4zi_logs.txt @edgd1er it is not working... it has issues with the error logs... I tried also to mount the error log directly as a volume to set the right permissions but it fails too. But the rest looks ok, though it is not possible to test operations from the web interface.

env that I have set: WEB_UID: 1111, WEB_GID: 1111, PIHOLE_UID: 1112, PIHOLE_GID: 1112

nixmomo avatar Jan 25 '22 06:01 nixmomo

@nixmomo are you trying this on the dev image? There were some further tweaks to adjust permissions/ownerships there

PromoFaux avatar Jan 25 '22 10:01 PromoFaux

@PromoFaux yes i used it in dev image from dockerhub

nixmomo avatar Jan 26 '22 12:01 nixmomo

@nixmomo, I run pihole on an openmediavault system which has ACLs set; I had to set uids/gids according to the host. What I can say is that the databases were read only, and are accessible now (ext4, not tested with nfs).

Without more details about your mount point (compose file), an ls from within the container, and an ls from the host, we won't be able to help you.

edgd1er avatar Jan 26 '22 13:01 edgd1er

hi @edgd1er here is the part of the compose file (if you need the complete compose file, I will attach it)

    environment:
      TZ: ${TZ}
      WEBPASSWORD: ${WEBPASSWORD}
      DNS1: ${DNSSERVER1}
      DNS2: ${DNSSERVER2}
      ADMIN_EMAIL: [email protected]
      WEB_UID: 1111
      WEB_GID: 1111
      PIHOLE_UID: 1112
      PIHOLE_GID: 1112
   #   CONDITIONAL_FORWARDING: ${CONDITIONAL_FORWARDING}
   #   CONDITIONAL_FORWARDING_IP: ${CONDITIONAL_FORWARDING_IP}
   #   CONDITIONAL_FORWARDING_DOMAIN: ${CONDITIONAL_FORWARDING_DOMAIN}
   #   CONDITIONAL_FORWARDING_REVERSE: ${CONDITIONAL_FORWARDING_REVERSE}
    # Volumes store your data between container upgrades
    volumes:
      - /home/nfs/docker/pihole/conf/:/etc/pihole/
      - /home/nfs/docker/pihole/dnsmasq.d/conf/:/etc/dnsmasq.d/

The mounts are nfs mounts. Here is the ls -la output from the host where pihole is running at the moment:

root@rpi-4gb /home/nfs/docker/pihole/conf # ls -la
total 126816
drwxrwxrwx 3       1112 1112     4096 Jan 27 07:55 .
drwxrwxrwx 6 root       root     4096 Jan 25 07:46 ..
-rw-rw-rw- 1 root       root       65 Dec 28 09:15 adlists.list
-rw-rw-rw- 1 root       root      492 Jan 25 20:16 custom.list
-rw-r--r-- 1       1112 1112        0 Jan 27 07:43 dhcp.leases
-rw-r--r-- 1 root       root      651 Jan 27 07:43 dns-servers.conf
-rw-r--r-- 1 root       root       20 Jan 27 07:43 GitHubVersions
-rw-rw-r-- 1       1112 1112 14069760 Jan 27 07:43 gravity.db
-rw-rw-r-- 1       1112 1112 14020608 Jan 27 07:43 gravity_old.db
-rw-r--r-- 1 root       root   250965 Dec 28 09:38 list.10.v.firebog.net.domains
-rw-r--r-- 1 root       root       84 Dec 28 09:38 list.10.v.firebog.net.domains.sha1
-rw-r--r-- 1 root       root    67622 Dec 28 09:38 list.11.zerodot1.gitlab.io.domains
-rw-r--r-- 1 root       root       89 Dec 28 09:38 list.11.zerodot1.gitlab.io.domains.sha1
-rw-r--r-- 1 root       root  2168819 Jan 27 07:43 list.1.raw.githubusercontent.com.domains
-rw-r--r-- 1 root       root       95 Jan 25 06:51 list.1.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root       root   978572 Jan 27 07:43 list.2.raw.githubusercontent.com.domains
-rw-r--r-- 1 root       root       95 Jan 27 07:43 list.2.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root       root     1172 Jan 27 07:43 list.3.raw.githubusercontent.com.domains
-rw-r--r-- 1 root       root       95 Dec 29 09:12 list.3.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root       root   150216 Jan 27 07:43 list.4.adaway.org.domains
-rw-r--r-- 1 root       root       80 Jan 27 07:43 list.4.adaway.org.domains.sha1
-rw-r--r-- 1 root       root   691748 Jan 27 07:43 list.5.v.firebog.net.domains
-rw-r--r-- 1 root       root       83 Jan 27 07:43 list.5.v.firebog.net.domains.sha1
-rw-r--r-- 1 root       root   271455 Jan 27 07:43 list.6.v.firebog.net.domains
-rw-r--r-- 1 root       root       83 Jan 27 07:43 list.6.v.firebog.net.domains.sha1
-rw-r--r-- 1 root       root    59286 Dec 28 09:38 list.7.v.firebog.net.domains
-rw-r--r-- 1 root       root       83 Dec 28 09:38 list.7.v.firebog.net.domains.sha1
-rw-r--r-- 1 root       root   132829 Jan 27 07:43 list.8.raw.githubusercontent.com.domains
-rw-r--r-- 1 root       root       95 Jan 23 03:29 list.8.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root       root    21016 Jan 27 07:43 list.9.osint.digitalside.it.domains
-rw-r--r-- 1 root       root       90 Jan 27 07:43 list.9.osint.digitalside.it.domains.sha1
-rw-r--r-- 1 root       root       20 Jan 27 07:50 localbranches
-rw-r--r-- 1 root       root       65 Jan 27 07:43 local.list
-rw-r--r-- 1 root       root       42 Jan 27 07:50 localversions
drwxr-xr-x 2 root       root     4096 Dec 28 09:12 migration_backup
-rw-r--r-- 1 rpimonitor spi        20 Jan 27 07:43 pihole-FTL.conf
-rw-rw-r-- 1       1112 1112 96849920 Jan 27 07:55 pihole-FTL.db
-rw-r--r-- 1 root       root      247 Jan 27 07:43 setupVars.conf
-rw-r--r-- 1 root       root      247 Jan 27 07:43 setupVars.conf.update.bak

Here is the output from ls -la within the container:

root@7424fd578cb5:/etc/pihole# ls -la
total 126828
drwxrwxrwx 3 pihole pihole     4096 Jan 27 07:57 .
drwxr-xr-x 1 root   root       4096 Jan 27 07:43 ..
-rw-r--r-- 1 root   root         20 Jan 27 07:43 GitHubVersions
-rw-rw-rw- 1 root   root         65 Dec 28 09:15 adlists.list
-rw-rw-rw- 1 root   root        492 Jan 25 20:16 custom.list
-rw-r--r-- 1 pihole pihole        0 Jan 27 07:43 dhcp.leases
-rw-r--r-- 1 root   root        651 Jan 27 07:43 dns-servers.conf
-rw-rw-r-- 1 pihole pihole 14069760 Jan 27 07:43 gravity.db
-rw-rw-r-- 1 pihole pihole 14020608 Jan 27 07:43 gravity_old.db
-rw-r--r-- 1 root   root    2168819 Jan 27 07:43 list.1.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root         95 Jan 25 06:51 list.1.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root     250965 Dec 28 09:38 list.10.v.firebog.net.domains
-rw-r--r-- 1 root   root         84 Dec 28 09:38 list.10.v.firebog.net.domains.sha1
-rw-r--r-- 1 root   root      67622 Dec 28 09:38 list.11.zerodot1.gitlab.io.domains
-rw-r--r-- 1 root   root         89 Dec 28 09:38 list.11.zerodot1.gitlab.io.domains.sha1
-rw-r--r-- 1 root   root     978572 Jan 27 07:43 list.2.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root         95 Jan 27 07:43 list.2.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root       1172 Jan 27 07:43 list.3.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root         95 Dec 29 09:12 list.3.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root     150216 Jan 27 07:43 list.4.adaway.org.domains
-rw-r--r-- 1 root   root         80 Jan 27 07:43 list.4.adaway.org.domains.sha1
-rw-r--r-- 1 root   root     691748 Jan 27 07:43 list.5.v.firebog.net.domains
-rw-r--r-- 1 root   root         83 Jan 27 07:43 list.5.v.firebog.net.domains.sha1
-rw-r--r-- 1 root   root     271455 Jan 27 07:43 list.6.v.firebog.net.domains
-rw-r--r-- 1 root   root         83 Jan 27 07:43 list.6.v.firebog.net.domains.sha1
-rw-r--r-- 1 root   root      59286 Dec 28 09:38 list.7.v.firebog.net.domains
-rw-r--r-- 1 root   root         83 Dec 28 09:38 list.7.v.firebog.net.domains.sha1
-rw-r--r-- 1 root   root     132829 Jan 27 07:43 list.8.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root         95 Jan 23 03:29 list.8.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root      21016 Jan 27 07:43 list.9.osint.digitalside.it.domains
-rw-r--r-- 1 root   root         90 Jan 27 07:43 list.9.osint.digitalside.it.domains.sha1
-rw-r--r-- 1 root   root         65 Jan 27 07:43 local.list
-rw-r--r-- 1 root   root         20 Jan 27 07:50 localbranches
-rw-r--r-- 1 root   root         42 Jan 27 07:50 localversions
drwxr-xr-x 2 root   root       4096 Dec 28 09:12 migration_backup
-rw-r--r-- 1    999    999       20 Jan 27 07:43 pihole-FTL.conf
-rw-rw-r-- 1 pihole pihole 96858112 Jan 27 07:57 pihole-FTL.db
-rw-r--r-- 1 root   root        247 Jan 27 07:43 setupVars.conf
-rw-r--r-- 1 root   root        247 Jan 27 07:43 setupVars.conf.update.bak

I have no idea why the log error is gone, but here is the log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
Changing ID for user: www-data (33 => 1111)
Changing ID for group: www-data (33 => 1111)
Changing ID for user: pihole (999 => 1112)
Changing ID for group: pihole (999 => 1112)
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [i] Installing /etc/dnsmasq.d/01-pihole.conf...
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [i] Installing /etc/.pihole/advanced/06-rfc6761.conf...
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Converting DNS1 to PIHOLE_DNS_
Converting DNS2 to PIHOLE_DNS_
Setting DNS servers based on PIHOLE_DNS_ variable
::: Pre existing WEBPASSWORD found
  [✓] Setting admin contact to [email protected]
DNSMasq binding to default interface: eth0
Added ENV to php:
			"PIHOLE_DOCKER_TAG" => "dev",
			"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
			"ServerIP" => "0.0.0.0",
			"CORS_HOSTS" => "",
			"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
  [i] Enabling logging...

  [✓] Logging has been enabled!
 ::: Docker start setup complete
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
  Pi-hole version is v5.8.1 (Latest: v5.8.1)
  AdminLTE version is v5.10.1 (Latest: v5.10.1)
  FTL version is v5.13 (Latest: v5.13)
  Container tag is: dev
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting lighttpd
Starting crond
Starting pihole-FTL (no-daemon) as pihole
[services.d] done.

I can use the web interface now with the dev image, but whitelisting is not working with this image... the rights look OK to me.

nixmomo avatar Jan 27 '22 07:01 nixmomo

-rw-r--r-- 1 999 999 20 Jan 27 07:43 pihole-FTL.conf

This should have been chowned when FTL started. We may have missed it, I'll check later!

What is the exact error you get when whitelisting?

PromoFaux avatar Jan 27 '22 08:01 PromoFaux

Hi @PromoFaux, I get this error: http://prntscr.com/26k7h1y

nixmomo avatar Jan 27 '22 15:01 nixmomo

@nixmomo ,

Could you test with local storage, as I suspect your problem may be due to NFS filesystem rights? I'm new to NFS and I remember having problems with root_squash/no_root_squash/all_squash.

edgd1er avatar Feb 11 '22 14:02 edgd1er

@edgd1er It's an NFS v3 mount, so it is mounted as a local folder, but I tried with a real local folder and it's the same issue.

nixmomo avatar Feb 12 '22 09:02 nixmomo

This experimental support is now in 2022.02.1/latest - Testing and feedback would be greatly appreciated

PromoFaux avatar Feb 13 '22 01:02 PromoFaux

FWIW this worked first try for me. Thanks!!!

dsm1212 avatar Feb 17 '22 03:02 dsm1212

The "While executing: attempt to write a readonly database Added 0 out of 1 domains" is not fixed in the 2022.2.1 version.

here is the debug log if it helps https://tricorder.pi-hole.net/vfequxfr/

nixmomo avatar Feb 17 '22 06:02 nixmomo

OK, it works if I move the files to a local folder, but there it struggles with the rpimonitor user (both using 999 as UID); that's why I want to change it... but I can't believe that it's an NFS error... it's an NFS3 share with these options (rw,async,no_subtree_check,no_root_squash,insecure), so where is the misconfiguration? The share is mounted as rw and it works in all other containers.

nixmomo avatar Feb 17 '22 06:02 nixmomo

This link: https://serverfault.com/questions/240897/how-to-properly-set-permissions-for-nfs-folder-permission-denied-on-mounting-en may give you some hints on how to get the right permissions on NFS.

UID/GID must match between the containers and the NFS server. If not, ,anonuid=1000,anongid=1000 may be a solution. UID/GID 1000 must have read/write permissions on the NFS dirs/files.

edgd1er avatar Feb 17 '22 07:02 edgd1er
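The two comments above (the rights "look OK" from inside the container, and the reply that the numeric UID/GID must match between the container and the NFS server) both come down to one check that is easier to run on the host than to eyeball. The script below is an added example, not part of docker-pi-hole and not any commenter's code: given a bind-mounted directory and the numbers you pass as PIHOLE_UID/PIHOLE_GID, it lists every entry owned by a different numeric id. It assumes GNU or BSD find (for -uid/-gid) and a POSIX ls -n; the paths in the usage line are the ones posted later in this thread and are only examples.

```shell
#!/bin/sh
# Added example, not part of docker-pi-hole: pre-flight ownership check for
# the host directories that get bind-mounted into the container
# (/etc/pihole, /etc/dnsmasq.d). Run it with the numeric UID/GID you pass as
# PIHOLE_UID/PIHOLE_GID. Any entry owned by another user or group is printed,
# so a "Permission denied" or "attempt to write a readonly database" can be
# traced to ownership before the container is (re)started. Numeric ids are
# compared on purpose: names differ between host and container, ids do not
# (unless an NFS export squashes them to the anonymous uid/gid).

# list_mismatches DIR UID GID
# Prints "path owner=uid:gid" for every entry under DIR whose owner is not
# UID or whose group is not GID.
list_mismatches() {
    dir=$1 want_uid=$2 want_gid=$3
    # -uid/-gid are supported by GNU and BSD find; -print is implied.
    find "$dir" \( ! -uid "$want_uid" -o ! -gid "$want_gid" \) | while IFS= read -r p; do
        # ls -n is POSIX and prints numeric ids in fields 3 (uid) and 4 (gid).
        ids=$(ls -ldn "$p" | awk '{ print $3 ":" $4 }')
        printf '%s owner=%s\n' "$p" "$ids"
    done
}

# count_mismatches DIR UID GID -> prints the number of mismatching entries.
count_mismatches() {
    list_mismatches "$@" | wc -l | tr -d ' '
}

# check_volume_ownership DIR UID GID
# Returns 0 when every entry under DIR is owned by UID:GID, 1 when at least
# one is not (the offenders are printed), 2 when DIR does not exist.
# The fix for a mismatch is a plain chown on the host, e.g.
#   chown -R 1000:1000 DIR
check_volume_ownership() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    n=$(count_mismatches "$@")
    if [ "$n" -eq 0 ]; then
        echo "ok: everything under $1 is owned by $2:$3"
        return 0
    fi
    list_mismatches "$@"
    echo "mismatching entries under $1 (expected $2:$3): $n" >&2
    return 1
}

# Usage (example paths from this thread):
#   sh check-pihole-volumes.sh /data/docker/pihole/etc-pihole 1000 1000
#   sh check-pihole-volumes.sh /data/docker/pihole/etc-dnsmasq.d 1000 1000
if [ $# -ge 3 ]; then
    check_volume_ownership "$@"
fi
```

Run it once per bind-mounted directory with the same numbers you put in the compose file; a non-zero exit means the container will be writing into files it does not own, whatever the user and group names inside the container happen to be.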

Hmm, that can't be the point... I have no_root_squash, the ownership on the NFS mounts is the same as I set in the Pi-hole configs, on the NFS server they are set to the same UID/GID I configured for Pi-hole, and the folder on top has 777 write permission... I can create files from within the Docker container in the mounted volumes too, so it can't be an NFS problem... that makes absolutely no sense.

nixmomo avatar Feb 18 '22 00:02 nixmomo

The host volume has to bind mount into the container and it introduces some odd behavior with nfs. But docker supports nfs mounting the volume from within the container. You can do it from the docker command line or from docker compose if you are using that. Just google how to mount nfs into a docker container. Switch to that and this should go away, plus you can drop allowing the root access which is dangerous. I feel compelled to add that there are many reasons for an nfs mount to have issues. Those issues will take out your entire network when pihole stops working. Not to mention that you will have to carefully get that nfs location mounted without dns since you have to do it before pihole is started. I'm not sure what you are gaining here but I wouldn't do this.

dsm1212 avatar Feb 18 '22 02:02 dsm1212

Working for me, thanks a lot. I have a simple config with Pi-hole running on an RPi with data on an external drive connected via USB.

Only problem: I tried to get the same UID/GID for WEB and PIHOLE, which is not working. After I figured out that it creates the same UID and GID in passwd and groups, I removed WEB_UID and WEB_GID (which is almost useless) and all is working.

Swiiney avatar Apr 03 '22 08:04 Swiiney

Only problem: I tried to get the same UID/GID for WEB and PIHOLE, which is not working. After I figured out that it creates the same UID and GID in passwd and groups, I removed WEB_UID and WEB_GID (which is almost useless) and all is working.

I'll take a look at that soon.

dschaper avatar Apr 03 '22 19:04 dschaper
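The collision reported above (PIHOLE_UID/PIHOLE_GID equal to WEB_UID/WEB_GID, so two accounts end up with one id in passwd and group) is easy to catch before the container starts. The script below is an added example, not part of docker-pi-hole and not the commenter's code: it reads the "- KEY=VALUE" list form of a compose file's environment section (the form used later in this thread), prints the id-related variables it finds, and fails when a PIHOLE_* id equals the matching WEB_* id. The sample compose file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of docker-pi-hole: check the id-related environment
# of a compose service for the PIHOLE_*/WEB_* collision described in this
# thread. Only the "- KEY=VALUE" list form of "environment:" is parsed.

# compose_env FILE -> prints KEY=VALUE for every "- KEY=VALUE" list item.
# Volume entries ("- /host:/container") do not match because they start
# with a slash rather than an identifier followed by "=".
compose_env() {
    sed -n 's/^[[:space:]]*-[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*=.*\)$/\1/p' "$1"
}

# env_value FILE KEY -> prints the value of KEY (last one wins), empty if unset.
env_value() {
    compose_env "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# check_id_env FILE
# Prints the id-related variables and returns 0 when PIHOLE_UID/PIHOLE_GID
# do not collide with WEB_UID/WEB_GID, 1 when they do.
check_id_env() {
    f=$1 rc=0
    for kind in UID GID; do
        p=$(env_value "$f" "PIHOLE_$kind")
        w=$(env_value "$f" "WEB_$kind")
        if [ -n "$p" ] && [ -n "$w" ] && [ "$p" = "$w" ]; then
            echo "PIHOLE_$kind and WEB_$kind are both $p: the pihole and www-data accounts would share one id; drop WEB_$kind or pick a distinct number" >&2
            rc=1
        fi
    done
    for k in PIHOLE_UID PIHOLE_GID WEB_UID WEB_GID DNSMASQ_USER; do
        v=$(env_value "$f" "$k")
        printf '%-13s %s\n' "$k" "${v:-(unset)}"
    done
    return $rc
}

# write_sample FILE: constructed compose file reproducing the collision.
write_sample() {
    cat > "$1" <<'EOF'
version: '3.9'
services:
  pihole:
    image: pihole/pihole:latest
    environment:
      - TZ=Europe/Amsterdam
      - PIHOLE_UID=1000
      - PIHOLE_GID=1000
      - WEB_UID=1000
      - WEB_GID=1000
    volumes:
      - /data/docker/pihole/etc-pihole:/etc/pihole
EOF
}

# Usage: sh check-pihole-env.sh docker-compose.yml
if [ $# -ge 1 ]; then
    check_id_env "$1"
fi
```

Dropping the WEB_* lines, as the commenter did, or giving them distinct numbers, makes the check pass; the printed table also shows at a glance whether DNSMASQ_USER is set, which comes up further down in this thread.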

Just for reference: all of a sudden I couldn't edit any settings. I suppose it has something to do with me changing the docker-volumes location (I didn't change permissions, though).

For whatever reason stopping, removing and pruning the pihole-image and redownloading it, helped... I checked on the permissions of /usr/bin/sudo (I have had the error message saying, that /usr/bin/sudo must be owned by uid 0 and have the setuid bit set) and they seemed just fine. I did not change any other settings.

divStar avatar Jun 19 '22 15:06 divStar

When I set PIHOLE_GID=1001 it reverts to GID of 999 and messes up my host volume group permissions. If I set PIHOLE_GID=1000 it correctly sets the GID to 1000 but that is not what I want on the host directory group permission.

ilium007 avatar Jul 12 '22 05:07 ilium007

This feature has never worked very well... that's the reason why I use unbound DNS... I love Pi-hole but it is more a fun project... in German we call it "Frickelei"... unbound DNS is very stable and can handle all the Pi-hole lists too, and it has an HA feature and so on... and all I need is a stable working DNS blocking function and the possibility to add local domains... if unbound is not working in your case, just look into AdGuard... it's more stable and handles the GID and UID perfectly. Very hard words from me, I know, and my heart is crying because I used Pi-hole for over 8 years or so and I really love it, but yes, from time to time it is necessary to look around and evaluate the new software that comes out.

nixmomo avatar Jul 12 '22 21:07 nixmomo

Sorry you had a bad experience with free open source software. There are a number of other options like AdGuard or NextDNS however you are sending your data to other parties with those.

Whatever you decide to do, please make sure that you use some kind of software to help protect your privacy online.

dschaper avatar Jul 12 '22 21:07 dschaper

When I set PIHOLE_GID=1001 it reverts to GID of 999 and messes up my host volume group permissions. If I set PIHOLE_GID=1000 it correctly sets the GID to 1000 but that is not what I want on the host directory group permission.

Can you please post your docker compose or docker run so we can try to assist you? Thanks!

dschaper avatar Jul 12 '22 21:07 dschaper

Well, for me Pi-hole is working fine within the Docker container. I just had to make sure to forward those few hosts Portainer needs in case no DNS is available (Pi-hole container down when updating or altering settings). I also solved that issue by, I think, setting permissions on the file system (configs are written to a mounted volume in my case), because I just checked and I haven't specified any GID/PID in the environment arguments section of my docker-compose file.

divStar avatar Jul 13 '22 00:07 divStar

Sorry you had a bad experience with free open source software. There are a number of other options like AdGuard or NextDNS however you are sending your data to other parties with those.

Whatever you decide to do, please make sure that you use some kind of software to help protect your privacy online.

Thanks for the hint, but none of the mentioned software calls home if you don't want it to... in the end it does the same as Pi-hole.

But I always have a Pi-hole instance running to keep an eye on it. I'm sure that I will use Pi-hole in future again as primary resolver / adblocker, but before that it is necessary to fix all the broken things (pid / guid bugs, NFS support for storing configs) and an HA option (master-slave sync maybe).

nixmomo avatar Jul 13 '22 07:07 nixmomo

When I set PIHOLE_GID=1001 it reverts to GID of 999 and messes up my host volume group permissions. If I set PIHOLE_GID=1000 it correctly sets the GID to 1000 but that is not what I want on the host directory group permission.

Can you please post your docker compose or docker run so we can try to assist you? Thanks!


version: '3.9'

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      - sapling
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 80
    environment:
      - TZ=Australia/Sydney
      - WEBPASSWORD=xxx
      - [email protected]
      - PIHOLE_UID=1000
      - PIHOLE_GID=1000
      - VIRTUAL_HOST=pihole.xxx
    volumes:
      - /data/docker/pihole/etc-pihole:/etc/pihole
      - /data/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped

This results in correct permissions on etc-pihole, but etc-dnsmasq.d is still root/root:

❯ ll pihole
drwxr-sr-x -  root        root        14 Jul  9:39 etc-dnsmasq.d
drwxrwsr-x - xxx         xxx          14 Jul  9:41 etc-pihole

ilium007 avatar Jul 13 '22 23:07 ilium007

Isn't it the wrong image? I'm not sure, but is it merged into latest? The last changes were in :dev or :2022.2.1

nixmomo avatar Jul 14 '22 08:07 nixmomo

The last changes were in :dev or :2022.2.1

?? 7 releases since then!

Do you specifically mean this PR? That was released with 2022.02, but hasn't been removed

PromoFaux avatar Jul 14 '22 08:07 PromoFaux

I’m using :latest

I commented on this thread rather than opening a new issue.

ilium007 avatar Jul 14 '22 11:07 ilium007

There is a separate env setting DNSMASQ_USER for changing the dnsmasq user, because on some systems dnsmasq won't work right if it is not root. I have it unset and I get root/root like you stated too. Although elsewhere here I see a statement that it defaults to pihole, I think that must not be true. Try setting this to pihole.

By the way this reverting to 999 issue doesn't seem to make sense to me and I don't see that in the info you shared. Could you show that one? Is the disk you are mapping a remote mounted volume by any chance?

dsm1212 avatar Jul 15 '22 14:07 dsm1212

Although elsewhere here I see a statement it defaults to pihole, I think that must not be true.

https://github.com/pi-hole/docker-pi-hole/blob/master/Dockerfile#L41

on some systems dnsmasq won't work right if it is not root.

Yeah, I have the Pi-hole container running on my Synology (DSM7) and I have to set DNSMASQ: root, otherwise things don't work as expected.

PromoFaux avatar Jul 15 '22 14:07 PromoFaux