pi-hole / docker-pi-hole

Pi-hole in a docker container
https://pi-hole.net

Unable to log into web interface #409

Closed rschuetzler closed 5 years ago

rschuetzler commented 5 years ago

This is a...

Description

This might be two separate issues, but it's hard to tell. FTL doesn't seem to be starting correctly in my Docker-enclosed pihole. Also, I can't seem to get it to keep a password, despite the fact that I have mapped the config directory to a volume (related to #364).

I've tried on latest and v4.2_rc1, and both have this issue. Going back to 4.0.0-1 does not.

Expected Behavior

  1. Run docker-compose up -d
  2. Pi hole runs and I can log in with my previously set password (set with docker-compose run hole pihole -a -p)

Actual Behavior

  1. Run docker-compose up -d
  2. Attempt to log in with previously set password. Denied.
  3. Run docker-compose logs hole | grep password to get the current randomly set password
  4. Log in with password

Possible Fix

On the latest versions of pihole, I get the following messages repeated over and over in the logs. It never stops as long as the pihole is running:

hole_1  | Starting pihole-FTL (no-daemon)
hole_1  | Stopping pihole-FTL
hole_1  | kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

On 4.0.0-1, I don't get those error messages, but I still can't set a password that will persist.

Steps to Reproduce and debugging done

e.g. your docker run command, pages to visit, CLI commands you ran 1.

Debug steps I have tried

Context and extra information

docker-compose.yml:

version: '3'
services:
  hole:
    image: pihole/pihole:4.0.0-1
    dns:
      - 127.0.0.1
      - 1.1.1.1
    environment:
      ServerIP: [ip]
    ports:
      - "53:53"
      - "80:80"
    volumes:
      - /opt/config/pihole:/etc/pihole
      - /opt/config/dnsmasq.d:/etc/dnsmasq.d
    restart: always

Your Environment

mr-bolle commented 5 years ago

> I can't seem to get it to keep a password, despite the fact that I have mapped the config directory to a volume (related to #364).

You can use the environment variable WEBPASSWORD: YourPiholePassword

Why did you pin pihole to the tag 4.0.0-1? This image is 4 months old. Please try the example below, and check that your environment ip is not empty.

docker-compose.yml

version: '3'
services:
  hole:
    image: pihole/pihole   #:4.0.0-1
    cap_add:
      - NET_ADMIN     
    environment:
      ServerIP: "${ip:-0.0.0.0}"
      WEBPASSWORD: YourPiholePassword
      DNS1: 127.0.0.1
      DNS2: 1.1.1.1
    ports:
      - "53:53"
      - "80:80"
    volumes:
      - /opt/config/pihole:/etc/pihole
      - /opt/config/dnsmasq.d:/etc/dnsmasq.d
    restart: always

RulerOf commented 5 years ago

I'm having the exact same problem.

Running pihole/pihole:latest via docker-compose with host networking:

---
version: '3.6'
services:
  pihole:
    image: pihole/pihole
    container_name: pihole
    restart: unless-stopped
    hostname: pihole
    volumes:
      - ./pihole/pihole/:/etc/pihole/
      - ./pihole/dnsmasq.d/:/etc/dnsmasq.d/
      - ./pihole/log/:/var/log/
    environment:
      - ServerIP=10.0.25.2
      - TZ=America/New_York
      - DNS1=10.0.25.1
      - DNS2=no
      - INTERFACE=brteam0.10
      - VIRTUAL_HOST=pihole.rulerof.net
      - WEBPASSWORD=${WEB_PASSWORD}
    network_mode: "host"

Running interactively shows the same kill loop:

[root@drew-metal adblocker]# docker-compose up
Creating pihole ... done
Attaching to pihole
pihole    | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
pihole    | [s6-init] ensuring user provided files have correct perms...exited 0.
pihole    | [fix-attrs.d] applying ownership & permissions fixes...
pihole    | [fix-attrs.d] 01-resolver-resolv: applying... 
pihole    | [fix-attrs.d] 01-resolver-resolv: exited 0.
pihole    | [fix-attrs.d] done.
pihole    | [cont-init.d] executing container initialization scripts...
pihole    | [cont-init.d] 20-start.sh: executing... 
pihole    | stty: 'standard input': Inappropriate ioctl for device
pihole    |  ::: Starting docker specific setup for docker pihole/pihole
pihole    | WARNING Misconfigured DNS in /etc/resolv.conf: Two DNS servers are recommended, 127.0.0.1 and any backup server
pihole    | WARNING Misconfigured DNS in /etc/resolv.conf: Primary DNS should be 127.0.0.1 (found 10.0.25.1)
pihole    | 
pihole    | # Generated by NetworkManager
pihole    | search rulerof.net
pihole    | nameserver 10.0.25.1
pihole    | stty: 'standard input': Inappropriate ioctl for device
pihole    |   [i] Existing PHP installation detected : PHP version 7.0.33-0+deb9u1
pihole    | 
pihole    |   [i] Installing configs from /etc/.pihole...
pihole    |   [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Copying 01-pihole.conf to /etc/dnsmasq.d/01-pihole.conf
pihole    | chown: cannot access '/etc/pihole/dhcp.leases': No such file or directory
pihole    | Setting password: REDACTED_PASSWORD
pihole    | + pihole -a -p REDACTED_PASSWORD REDACTED_PASSWORD
pihole    |   [✓] New password set
pihole    | Using custom DNS servers: 10.0.25.1 & no
pihole    | DNSMasq binding to custom interface: brteam0.10
pihole    | Added ENV to php:
pihole    |             "PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
pihole    |             "ServerIP" => "10.0.25.2",
pihole    |             "VIRTUAL_HOST" => "pihole.rulerof.net",
pihole    | Using IPv4 and IPv6
pihole    | ::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
pihole    | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
pihole    | https://mirror1.malwaredomains.com/files/justdomains
pihole    | http://sysctl.org/cameleon/hosts
pihole    | https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
pihole    | https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
pihole    | https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
pihole    | https://hosts-file.net/ad_servers.txt
pihole    | ::: Testing pihole-FTL DNS: FTL started!
pihole    | ::: Testing lighttpd config: Syntax OK
pihole    | ::: All config checks passed, cleared for startup ...
pihole    |  ::: Docker start setup complete
pihole    |   [i] Pi-hole blocking is enabled
pihole    |   [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range
pihole    | 
pihole    |   [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: No changes detected
pihole    | 
pihole    |   [i] Target: mirror1.malwaredomains.com (justdomains)
  [✓] Status: No changes detected
pihole    | 
pihole    |   [i] Target: sysctl.org (hosts)
  [✓] Status: No changes detected
pihole    | 
pihole    |   [i] Target: zeustracker.abuse.ch (blocklist.php?download=domainblocklist)
  [✓] Status: No changes detected
pihole    | 
pihole    |   [i] Target: s3.amazonaws.com (simple_tracking.txt)
  [✓] Status: No changes detected
pihole    | 
pihole    |   [i] Target: s3.amazonaws.com (simple_ad.txt)
  [✓] Status: No changes detected
pihole    | 
pihole    |   [i] Target: hosts-file.net (ad_servers.txt)
  [✓] Status: No changes detected
pihole    | 
  [✓] Consolidating blocklists
  [✓] Extracting domains from blocklists
pihole    |   [i] Number of domains being pulled in by gravity: 135414
  [✓] Removing duplicate domains
pihole    |   [i] Number of unique domains trapped in the Event Horizon: 112784
  [i] Number of whitelisted domains: 119
pihole    |   [i] Number of blacklisted domains: 0
pihole    |   [i] Number of regex filters: 0
  [✓] Parsing domains into hosts format
  [✓] Cleaning up stray matter
pihole    | 
pihole    |   [✗] DNS service is NOT running
pihole    | kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
pihole    | [cont-init.d] 20-start.sh: exited 0.
pihole    | [cont-init.d] done.
pihole    | [services.d] starting services
pihole    | Starting lighttpd
pihole    | Starting crond
pihole    | Starting pihole-FTL (no-daemon)
pihole    | [services.d] done.
pihole    | Stopping pihole-FTL
pihole    | kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
pihole    | Starting pihole-FTL (no-daemon)
pihole    | Stopping pihole-FTL
pihole    | kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
pihole    | Starting pihole-FTL (no-daemon)
pihole    | Stopping pihole-FTL
pihole    | kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
pihole    | Starting pihole-FTL (no-daemon)
pihole    | Stopping pihole-FTL
pihole    | kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]

This repeats in the logs on the same interval as the kill loop:

==> pihole.log <==
Feb  3 03:47:19 dnsmasq[645]: setting capabilities failed: Operation not permitted
Feb  3 03:47:19 dnsmasq[645]: FAILED to start up

==> pihole-FTL.log <==
[2019-02-03 03:47:20.561] Using log file /var/log/pihole-FTL.log
[2019-02-03 03:47:20.561] ########## FTL started! ##########
[2019-02-03 03:47:20.561] FTL branch: master
[2019-02-03 03:47:20.561] FTL version: v4.1.2
[2019-02-03 03:47:20.561] FTL commit: b06eedf
[2019-02-03 03:47:20.561] FTL date: 2018-12-21 14:43:34 -0600
[2019-02-03 03:47:20.561] FTL user: root
[2019-02-03 03:47:20.561] WARNING: Starting pihole-FTL as user root is not recommended
[2019-02-03 03:47:20.561] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2019-02-03 03:47:20.561]    SOCKET_LISTENING: only local
[2019-02-03 03:47:20.561]    AAAA_QUERY_ANALYSIS: Show AAAA queries
[2019-02-03 03:47:20.561]    MAXDBDAYS: max age for stored queries is 365 days
[2019-02-03 03:47:20.561]    RESOLVE_IPV6: Resolve IPv6 addresses
[2019-02-03 03:47:20.561]    RESOLVE_IPV4: Resolve IPv4 addresses
[2019-02-03 03:47:20.561]    DBINTERVAL: saving to DB file every minute
[2019-02-03 03:47:20.561]    DBFILE: Using /etc/pihole/pihole-FTL.db
[2019-02-03 03:47:20.561]    MAXLOGAGE: Importing up to 24.0 hours of log data
[2019-02-03 03:47:20.561]    PRIVACYLEVEL: Set to 0
[2019-02-03 03:47:20.561]    IGNORE_LOCALHOST: Show queries from localhost
[2019-02-03 03:47:20.561]    BLOCKINGMODE: Null IPs for blocked domains
[2019-02-03 03:47:20.561]    REGEX_DEBUGMODE: Inactive
[2019-02-03 03:47:20.561]    ANALYZE_ONLY_A_AND_AAAA: Disabled. Analyzing all queries
[2019-02-03 03:47:20.561]    DBIMPORT: Importing history from database
[2019-02-03 03:47:20.561]    PIDFILE: Using /var/run/pihole-FTL.pid
[2019-02-03 03:47:20.561]    PORTFILE: Using /var/run/pihole-FTL.port
[2019-02-03 03:47:20.561]    SOCKETFILE: Using /var/run/pihole/FTL.sock
[2019-02-03 03:47:20.561]    WHITELISTFILE: Using /etc/pihole/whitelist.txt
[2019-02-03 03:47:20.561]    BLACKLISTFILE: Using /etc/pihole/black.list
[2019-02-03 03:47:20.561]    GRAVITYFILE: Using /etc/pihole/gravity.list
[2019-02-03 03:47:20.561]    REGEXLISTFILE: Using /etc/pihole/regex.list
[2019-02-03 03:47:20.561]    SETUPVARSFILE: Using /etc/pihole/setupVars.conf
[2019-02-03 03:47:20.561]    AUDITLISTFILE: Using /etc/pihole/auditlog.list
[2019-02-03 03:47:20.561] Finished config file parsing
[2019-02-03 03:47:20.561] Compiled 0 Regex filters and 119 whitelisted domains in 0.1 msec (0 errors)
[2019-02-03 03:47:20.562] Database successfully initialized
[2019-02-03 03:47:20.562] Imported 0 queries from the long-term database
[2019-02-03 03:47:20.562]  -> Total DNS queries: 0
[2019-02-03 03:47:20.562]  -> Cached DNS queries: 0
[2019-02-03 03:47:20.562]  -> Forwarded DNS queries: 0
[2019-02-03 03:47:20.562]  -> Exactly blocked DNS queries: 0
[2019-02-03 03:47:20.562]  -> Unknown DNS queries: 0
[2019-02-03 03:47:20.562]  -> Unique domains: 0
[2019-02-03 03:47:20.562]  -> Unique clients: 0
[2019-02-03 03:47:20.562]  -> Known forward destinations: 0
[2019-02-03 03:47:20.562] Successfully accessed setupVars.conf
[2019-02-03 03:47:20.574] PID of FTL process: 659
[2019-02-03 03:47:20.574] Listening on port 4711 for incoming IPv4 telnet connections
[2019-02-03 03:47:20.574] Listening on port 4711 for incoming IPv6 telnet connections
[2019-02-03 03:47:20.575] Listening on Unix socket

I might try to troubleshoot this later, but I wanted to add my two cents since I just discovered that my pihole DNS wasn't working. I pull images once a day, so this has likely been happening since at least this morning.

mr-bolle commented 5 years ago

@RulerOf

> pihole | ::: Starting docker specific setup for docker pihole/pihole
> pihole | WARNING Misconfigured DNS in /etc/resolv.conf: Two DNS servers are recommended, 127.0.0.1 and any backup server
> pihole | WARNING Misconfigured DNS in /etc/resolv.conf: Primary DNS should be 127.0.0.1 (found 10.0.25.1)

Fix this issue with the following adjustment: docker-pi-hole-v411-important-upgrade-notes

maintainer note: updated for accuracy. DNS environment variables were confused with --dns args

RulerOf commented 5 years ago

@mr-bolle I can confirm that your changes resolved my issue.

While I don't currently use version pinning, the changes introducing these requirements should have entailed a major or at least minor version bump, to 5.0 or 4.2.

For what it's worth, I'm not using the DHCP features of pihole (and honestly find them excessive), and am only using host networking because I don't want to obscure my DNS client IPs behind the docker bridge masquerade—this additional privilege is technically unnecessary. The commits and PRs that I was able to find that reference the issue aren't terribly helpful in explaining what circumstances require it, but I'm assuming it has something to do with listening to DHCP traffic.

Is there any discussion somewhere about this requirement? Maybe I should open a separate issue?

Thanks for your help!

diginc commented 5 years ago

I agree major versions are the proper release procedure for breaking changes, but the benefit of keeping the version mirrored between upstream Pi-hole projects and docker-pi-hole's is that it prevents confusion by users thinking Pi-hole is on v5 and having to keep a mapping of 5.0 containers to Core v4.1, FTL v4.1.2, and Web 4.1.1. I'd do just about anything to avoid having to do that, but it poses the tricky question of whether, if we had caught this before 4.1's release, Pi-hole itself should have been 5.0 even though this was mostly a docker exclusive bug.

I'm hoping this is one of the few times a new docker run argument is introduced as a breaking change. It was caught a week or so after the initial v4.1 release was done, so it was a bit late to even entertain the thought of a version bump of the upstream versioning in this case, unfortunately.

For all future releases we're aiming to test docker thoroughly before the official releases and have done that with the v4.2 release today so that should help prevent a re-occurrence of this weird 4.1 docker run breaking change.

rschuetzler commented 5 years ago

@mr-bolle's suggestion fixed the repeating error message, but not the password issue. Passwords are still not being stored between restarts of the container, so I have to read from the logs each time the container is rebooted.

diginc commented 5 years ago

That might have something to do with your volume saving the password (the image tries not to over aggressively overwrite already set passwords).

Try changing your password with the CLI docker exec pihole pihole -a -p to save it into your volume.

rschuetzler commented 5 years ago

If I change the password with docker-compose run hole pihole -a -p, I can't log in at all. But when I restart the container, the password is reset to a new one, so something's not sticking.

rschuetzler commented 5 years ago

Here's my docker-compose.yml that's currently working besides the password issue.

version: '3.6'
services:
  hole:
    image: pihole/pihole:latest
    hostname: pihole
    cap_add:
      - NET_ADMIN
    dns:
      - 127.0.0.1
      - 1.1.1.1
    environment:
      - ServerIP=<IP>
      - TZ=America/Chicago
      - DNS1=1.1.1.1
      - DNS2=1.0.0.1
    volumes:
      - "/home/pi/pihole/:/etc/pihole/"
      - "/home/pi/dnsmasq.d/:/etc/dnsmasq.d/"
      - "/home/pi/pihole.log:/var/log/pihole.log"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    restart: always

RulerOf commented 5 years ago

@rschuetzler add - WEBPASSWORD=YourPasswordHere to the environment in your docker-compose yaml and it will set permanently to that value.

mr-bolle commented 5 years ago

Please first check your variable ip: echo "ip: " $ip "IP: $IP" (in your first docker-compose you had the ip in lower case, and now in capital letters)

And check your pihole log, it should look like this. Below you will find your example with the environment variable WEBPASSWORD. Additionally, I removed the host volume for the pihole.log. Could you try it and see if you now have success?

docker-compose logs | grep -A 1 'pihole -a -p'

hole_1 | + pihole -a -p YourPasswordHere YourPasswordHere
hole_1 | [✓] New password set

version: '3.6'
services:
  hole:
    image: pihole/pihole:latest
    hostname: pihole
    cap_add:
      - NET_ADMIN
    dns:
      - 127.0.0.1
      - 1.1.1.1
    environment:
      - ServerIP=${ip:-0.0.0.0}  # unquoted: in list form, quotes would become part of the value
      - TZ=America/Chicago
      - WEBPASSWORD=YourPasswordHere
      - DNS1=208.67.222.123
      - DNS2=208.67.220.123
    volumes:
      - "/home/pi/pihole/:/etc/pihole/"
      - "/home/pi/dnsmasq.d/:/etc/dnsmasq.d/"
#      - "/home/pi/pihole.log:/var/log/pihole.log"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    restart: always

rschuetzler commented 5 years ago

I was trying to avoid setting the password in the docker-compose.yml file for security. I thought once the password was set once (and stored in /etc/pihole/setupVars.conf) that it wouldn't get overwritten on startup. Is that not correct anymore?

RulerOf commented 5 years ago

@rschuetzler

> I was trying to avoid setting the password in the docker-compose.yml file for security.

You can set the variable in a .env file, add the .env file to your .gitignore, assuming you're tracking changes to the docker-compose yaml in that fashion.

In the snippet from my docker-compose.yml above, you can see how I set my WEBPASSWORD in this fashion.

> I thought once the password was set once (and stored in /etc/pihole/setupVars.conf) that it wouldn't get overwritten on startup. Is that not correct anymore?

When I tested it, it had to be set every time, and would never stick. Every time the container comes up, it either generates a new password or pulls one set from the environment.
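The .env approach described in the comment above can be checked mechanically. The following is an added example, not part of the original thread or the project's code: the function name `audit_webpassword` is hypothetical, `WEB_PASSWORD` is the variable name from the compose snippet earlier in the thread, and the owner-only file mode check is an assumption about what a reasonable setup looks like.

```shell
#!/bin/sh
# Added example (not from the thread): audit a compose project directory for
# how WEBPASSWORD is supplied. Prints one line per finding and returns the
# number of findings (0 = clean).
# Usage: audit_webpassword /path/to/compose/project   (path is a placeholder)
audit_webpassword() {
    dir=$1
    compose="$dir/docker-compose.yml"
    envfile="$dir/.env"
    findings=0

    # 1. A literal value in the compose file travels wherever the file goes.
    #    Accept only references such as WEBPASSWORD=${WEB_PASSWORD}.
    literal=$(grep -E '^[[:space:]]*(-[[:space:]]*)?WEBPASSWORD[[:space:]]*[=:][[:space:]]*[^[:space:]]' \
                  "$compose" 2>/dev/null | grep -Ev '[=:][[:space:]]*"?[$]' || true)
    if [ -n "$literal" ]; then
        echo "FAIL: literal WEBPASSWORD in $compose"
        findings=$((findings + 1))
    fi

    # 2. The .env file holds the secret: it must exist and be owner-only.
    if [ ! -f "$envfile" ]; then
        echo "FAIL: $envfile not found"
        findings=$((findings + 1))
    else
        # Characters 5-10 of the ls mode string are the group/other bits.
        others=$(ls -ld "$envfile" | cut -c5-10)
        if [ "$others" != "------" ]; then
            echo "FAIL: $envfile is accessible to group/other (run: chmod 600)"
            findings=$((findings + 1))
        fi
    fi

    # 3. If the directory is a git work tree, .env must be ignored.
    if [ -d "$dir/.git" ] && ! grep -Eqx '/?\.env' "$dir/.gitignore" 2>/dev/null; then
        echo "FAIL: .env is not listed in $dir/.gitignore"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Keeping the value out of docker-compose.yml does not keep it out of the container log: the startup output quoted in this thread prints it on the `Setting password:` and `+ pihole -a -p` lines, so access to `docker-compose logs` needs the same care as the .env file.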

rschuetzler commented 5 years ago

Looks like #418 is fixing the only remaining issue I've had of webpassword getting set.