Merge pull request #1142 from pi-hole/s6-3-markII

Upgrade to S6 overlay v3
Adam Warner 2022-07-12 16:31:06 +01:00 committed by GitHub
commit c82c33b5a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
38 changed files with 117 additions and 112 deletions


@ -4,12 +4,12 @@ FROM "${PIHOLE_BASE:-ghcr.io/pi-hole/docker-pi-hole-base:bullseye-slim}"
ARG PIHOLE_DOCKER_TAG
ENV PIHOLE_DOCKER_TAG "${PIHOLE_DOCKER_TAG}"
ENV S6_OVERLAY_VERSION v2.1.0.2
ENV S6_OVERLAY_VERSION v3.1.1.2
COPY install.sh /usr/local/bin/install.sh
COPY ./scripts/install.sh /usr/local/bin/install.sh
ENV PIHOLE_INSTALL /etc/.pihole/automated\ install/basic-install.sh
ENTRYPOINT [ "/s6-init" ]
ENTRYPOINT [ "/init" ]
COPY s6/debian-root /
COPY s6/service /usr/local/bin/service
@ -22,8 +22,9 @@ ARG PHP_ENV_CONFIG
ENV PHP_ENV_CONFIG /etc/lighttpd/conf-enabled/15-fastcgi-php.conf
ARG PHP_ERROR_LOG
ENV PHP_ERROR_LOG /var/log/lighttpd/error-pihole.log
COPY ./start.sh /
COPY ./bash_functions.sh /
COPY ./scripts/start.sh /
COPY ./scripts/bash_functions.sh /
COPY ./scripts/gravityonboot.sh /
# IPv6 disable flag for networks/devices that do not support it
ENV IPv6 True

s6/debian-root/etc/cont-init.d/05-changer-uid-gid.sh Normal file → Executable file

@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
set -e
if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
@ -14,7 +14,7 @@ modifyUser()
[[ ${currentId} -eq ${newId} ]] && return
echo "Changing ID for user: ${username} (${currentId} => ${newId})"
usermod -o -u ${newId} ${username}
usermod -o -u ${newId} ${username}
}
modifyGroup()


@ -1,10 +0,0 @@
#!/usr/bin/with-contenv bash
set -e
bashCmd='bash -e'
if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
set -x ;
bashCmd='bash -e -x'
fi
$bashCmd /start.sh

s6/debian-root/etc/fix-attrs.d/01-resolver-resolv Normal file → Executable file


@ -0,0 +1 @@
pihole-FTL


@ -0,0 +1 @@
oneshot


@ -0,0 +1 @@
bash /gravityonboot.sh
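Review bot: `bash /gravityonboot.sh` is started by s6-rc without `with-contenv`, and in s6-overlay v3 a service does not see the container's environment unless it is explicitly imported, so the `SKIPGRAVITYONBOOT` variable that /gravityonboot.sh reads is presumably always empty here and its skip branch never taken. Every other run script in this change uses `#!/command/with-contenv bash`; make this `up` file consistent with `with-contenv bash /gravityonboot.sh`, or give the script that shebang and invoke it directly. The same applies to any other container-level variable the script may grow to depend on.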


@ -0,0 +1 @@
oneshot


@ -0,0 +1,2 @@
#!/usr/bin/execlineb
foreground { bash -e /start.sh }
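Review bot: `foreground { bash -e /start.sh }` runs start.sh and then, in execline, continues with the remainder of the script whatever the child's exit status was; with nothing after the block the oneshot most likely reports success even when start.sh fails (for example on `validate_env || exit 1`), so dependent services such as pihole-FTL are brought up on an unvalidated configuration. The cont-init.d/20-start.sh this replaces would have stopped initialisation. Use `if { bash -e /start.sh }` so the oneshot fails when start.sh does, or leave a comment stating that start.sh failures are deliberately ignored; confirm the s6-rc oneshot failure semantics for the pinned overlay version before relying on either.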


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Stopping cron"
killall -9 cron


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Starting crond"
exec -c


@ -0,0 +1 @@
longrun


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Stopping lighttpd-access-log"
pid=$(ps -C cat -o pid=,args= |grep -oP "([0-9]+).+access\.log" |cut -f1 -d" ")


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Starting lighttpd-access-log"


@ -0,0 +1 @@
longrun


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Stopping lighttpd-error-log"
pid=$(ps -C cat -o pid=,args= |grep -oP "([0-9]+).+error\.log" |cut -f1 -d" ")


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Starting lighttpd-error-log"


@ -0,0 +1 @@
longrun


@ -0,0 +1 @@
pihole-FTL


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Stopping lighttpd"
service lighttpd-access-log stop


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Starting lighttpd"


@ -0,0 +1 @@
longrun


@ -0,0 +1 @@
1-startup


@ -1,4 +1,4 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
s6-echo "Stopping pihole-FTL"
killall -15 pihole-FTL


@ -1,4 +1,37 @@
#!/usr/bin/with-contenv bash
#!/command/with-contenv bash
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
if [[ ${CAP_STR} ]]; then
# We have the (some of) the above caps available to us - apply them to pihole-FTL
setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$?
if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then
# DHCP is requested but NET_ADMIN is not available.
echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started."
echo " Please add cap_net_admin to the container's capabilities or disable DHCP."
DHCP_ACTIVE='false'
change_setting "DHCP_ACTIVE" "false"
fi
if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then
echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root."
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
exit 1
fi
else
echo "WARNING: Unable to set capabilities for pihole-FTL."
echo " Please ensure that the container has the required capabilities."
exit 1
fi
s6-echo "Starting pihole-FTL ($FTL_CMD) as ${DNSMASQ_USER}"
# Remove possible leftovers from previous pihole-FTL processes
@ -37,7 +70,7 @@ if [ ! -f /var/log/pihole-FTL.log ]; then
fi
# Call capsh with the detected capabilities
capsh --inh=${CAP_STR:1} --addamb=${CAP_STR:1} --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
capsh --inh=${CAP_STR:1} --addamb=${CAP_STR:1} --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null 2>&1"
# Notes on above:
# - DNSMASQ_USER default of pihole is in Dockerfile & can be overwritten by runtime container env
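Review bot: `change_setting "DHCP_ACTIVE" "false"` in the DHCP fallback branch is a function from Pi-hole's shell library, and nothing in the first 37 lines of this run script rendered here sources bash_functions.sh or the Pi-hole utils, so that branch would presumably fail with "command not found" unless a line not shown brings the function into scope. Moving this block out of start.sh also changes what the two `exit 1` branches mean: inside a supervised longrun s6 restarts a failing run script rather than aborting container start, so a missing capability now most likely shows up as a restart loop instead of the hard stop fix_capabilities used to produce; either validate capabilities in the startup oneshot or add a finish script that halts the container on a non-zero exit. Minor: `ret` is never initialised before `|| ret=$?`, and `"$(which pihole-FTL)"` can be `"$(command -v pihole-FTL)"`. The run script continues past the second hunk.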


@ -0,0 +1 @@
longrun


@ -7,14 +7,16 @@ start() {
}
stop() {
s6-svc -wD -d -T2500 /var/run/s6/services/$service
#s6-svc -wD -d -T2500 /var/run/s6/services/$service
# /command/s6-svc -wD -d -T2500 /run/service/$service
/command/s6-rc -d change $service
}
restart() {
local pid
# Get the PID(s) of the service we are asking to restart
mapfile -t pids < <(pgrep $service)
mapfile -t pids < <(pgrep $service)
# Only attempt to stop the service if it is already running
if [ "${#pids[@]}" -gt 0 ]; then
@ -30,22 +32,25 @@ restart() {
# Check it hasn't been started by something else in the meantime
pid=$(pgrep $service)
# Only attempt to start the service if it is not already running
if [ -z "$pid" ]; then
s6-svc -wu -u -T2500 /var/run/s6/services/$service
# s6-svc -wu -u -T2500 /var/run/s6/services/$service
# /command/s6-svc -wu -u -T2500 /run/service/$service
/command/s6-rc -u change $service
fi
}
status() {
s6-svstat /var/run/s6/services/$service
/command/s6-svstat /run/service/$service
#/var/run/s6/services/$service
}
service="$1"
command="$2"
if [[ ! -d "/var/run/s6/services/$service" ]] ; then
if [[ ! -d "/run/service/$service" ]] ; then
echo "s6 service not found for $service, exiting..."
exit
fi;
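Review bot: The commented-out `s6-svc` invocations kept next to the new `s6-rc` calls in stop(), restart() and status() are dead code from the migration; remove them rather than carry two generations of each command in the file. `$service` comes straight from `$1` and is unquoted where it reaches `s6-rc`, `pgrep` and `s6-svstat`; write `"$service"` in those lines. The not-found guard at the bottom still ends in a bare `exit` (status 0), so a caller such as the lighttpd finish script's `service lighttpd-access-log stop` cannot distinguish a misspelled service, or a oneshot that has no /run/service entry, from success; `exit 1` there would surface it. restart() and start() extend beyond the hunks shown.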


@ -17,41 +17,6 @@ changeFTLsetting() {
addOrEditKeyValPair "${FTLconf}" "${1}" "${2}"
}
fix_capabilities() {
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
if [[ ${CAP_STR} ]]; then
# We have the (some of) the above caps available to us - apply them to pihole-FTL
setcap ${CAP_STR:1}+ep "$(which pihole-FTL)" || ret=$?
if [[ $DHCP_READY == false ]] && [[ $DHCP_ACTIVE == true ]]; then
# DHCP is requested but NET_ADMIN is not available.
echo "ERROR: DHCP requested but NET_ADMIN is not available. DHCP will not be started."
echo " Please add cap_net_admin to the container's capabilities or disable DHCP."
DHCP_ACTIVE='false'
change_setting "DHCP_ACTIVE" "false"
fi
if [[ $ret -ne 0 && "${DNSMASQ_USER:-pihole}" != "root" ]]; then
echo "ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root."
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
exit 1
fi
else
echo "WARNING: Unable to set capabilities for pihole-FTL."
echo " Please ensure that the container has the required capabilities."
exit 1
fi
}
# shellcheck disable=SC2034
ensure_basic_configuration() {
@ -99,6 +64,8 @@ ensure_basic_configuration() {
if [ ! -f /etc/dnsmasq.d/01-pihole.conf ] ; then
cp /etc/.pihole/advanced/01-pihole.conf /etc/dnsmasq.d/
fi;
# setup_or_skip_gravity
}
validate_env() {
@ -301,6 +268,14 @@ setup_FTL_upstream_DNS(){
fi
}
setup_FTL_ProcessDNSSettings(){
# Commit settings to 01-pihole.conf
# shellcheck source=/dev/null
. /opt/pihole/webpage.sh
ProcessDNSSettings
}
setup_lighttpd_bind() {
local serverip="${FTLCONF_REPLY_ADDR4}"
# if using '--net=host' only bind lighttpd on $FTLCONF_REPLY_ADDR6 and localhost
@ -496,32 +471,3 @@ setup_admin_email() {
pihole -a -e "$EMAIL"
fi
}
setup_or_skip_gravity(){
# Gotta go fast, no time for gravity
if [ -n "$PYTEST" ]; then
sed -i 's/^gravity_spinup$/#gravity_spinup # DISABLED FOR PYTEST/g' "$(which gravity.sh)"
fi
gravityDBfile="/etc/pihole/gravity.db"
config_file="/etc/pihole/pihole-FTL.conf"
# make a point to mention which config file we're checking, as breadcrumb to revisit if/when pihole-FTL.conf is succeeded by TOML
echo " Checking if custom gravity.db is set in ${config_file}"
if [[ -f "${config_file}" ]]; then
gravityDBfile="$(grep --color=never -Po "^GRAVITYDB=\K.*" "${config_file}" 2> /dev/null || echo "/etc/pihole/gravity.db")"
fi
if [ -z "$SKIPGRAVITYONBOOT" ] || [ ! -e "${gravityDBfile}" ]; then
if [ -n "$SKIPGRAVITYONBOOT" ];then
echo " SKIPGRAVITYONBOOT is set, however ${gravityDBfile} does not exist (Likely due to a fresh volume). This is a required file for Pi-hole to operate."
echo " Ignoring SKIPGRAVITYONBOOT on this occaision."
fi
# shellcheck disable=SC2016
echo '@reboot root PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updateGravity >/var/log/pihole/pihole_updateGravity.log || cat /var/log/pihole/pihole_updateGravity.log' > /etc/cron.d/gravity-on-boot
else
echo " Skipping Gravity Database Update."
[ ! -e /etc/cron.d/gravity-on-boot ] || rm /etc/cron.d/gravity-on-boot &>/dev/null
fi
}
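Review bot: The commented-out `# setup_or_skip_gravity` left in ensure_basic_configuration names a function this same commit deletes, so it is a dangling breadcrumb for the next reader; drop the line, or replace it with a comment such as `# Gravity update on boot now runs from the gravityonboot s6-rc oneshot (/gravityonboot.sh)`. The new setup_FTL_ProcessDNSSettings sources /opt/pihole/webpage.sh inside the function on every call; a header line like `# Sourced here, not at file top, so webpage.sh is only loaded when DNS settings are committed` would record why, assuming that is the intent.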

scripts/gravityonboot.sh Executable file

@ -0,0 +1,18 @@
#!/bin/bash
gravityDBfile="/etc/pihole/gravity.db"
config_file="/etc/pihole/pihole-FTL.conf"
# make a point to mention which config file we're checking, as breadcrumb to revisit if/when pihole-FTL.conf is succeeded by TOML
echo " Checking if custom gravity.db is set in ${config_file}"
if [[ -f "${config_file}" ]]; then
gravityDBfile="$(grep --color=never -Po "^GRAVITYDB=\K.*" "${config_file}" 2> /dev/null || echo "/etc/pihole/gravity.db")"
fi
if [ -z "$SKIPGRAVITYONBOOT" ] || [ ! -f "${gravityDBfile}" ]; then
if [ -n "$SKIPGRAVITYONBOOT" ];then
echo " SKIPGRAVITYONBOOT is set, however ${gravityDBfile} does not exist (Likely due to a fresh volume). This is a required file for Pi-hole to operate."
echo " Ignoring SKIPGRAVITYONBOOT on this occaision."
fi
pihole -g
else
echo " Skipping Gravity Database Update."
fi
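Review bot: The new script has no `set -e` and never checks the exit status of `pihole -g`, so a failed gravity update on a fresh volume (which is exactly the case the `! -f "${gravityDBfile}"` branch exists for) leaves the oneshot reporting success and pihole-FTL is started without a gravity database; the cron job it replaces at least wrote the failure to a log. Propose `set -e` after the shebang and `pihole -g || { echo "  Gravity update failed" >&2; exit 1; }` in place of the bare call. Also, this script reads `SKIPGRAVITYONBOOT` from the environment, which the s6-rc `up` file must import for it to be visible.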


@ -9,24 +9,24 @@ WEB_LOCAL_REPO=/var/www/html/admin
setupVars=/etc/pihole/setupVars.conf
s6_download_url() {
detect_arch() {
DETECTED_ARCH=$(dpkg --print-architecture)
S6_ARCH=$DETECTED_ARCH
case $DETECTED_ARCH in
amd64)
S6_ARCH="x86_64";;
armel)
S6_ARCH="arm";;
armhf)
S6_ARCH="arm";;
S6_ARCH="armhf";;
arm64)
S6_ARCH="aarch64";;
i386)
S6_ARCH="x86";;
ppc64el)
S6_ARCH="ppc64le";;
esac
echo "https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.gz"
}
# Helps to have some additional tools in the dev image when debugging
if [[ "${PIHOLE_DOCKER_TAG}" = 'nightly' || "${PIHOLE_DOCKER_TAG}" = 'dev' ]]; then
apt-get update
@ -34,8 +34,10 @@ if [[ "${PIHOLE_DOCKER_TAG}" = 'nightly' || "${PIHOLE_DOCKER_TAG}" = 'dev' ]];
rm -rf /var/lib/apt/lists/*
fi
curl -L -s "$(s6_download_url)" | tar xvzf - -C /
mv /init /s6-init
detect_arch
curl -L -s "https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz" | tar Jxpf - -C /
curl -L -s "https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}/s6-overlay-${S6_ARCH}.tar.xz" | tar Jxpf - -C /
# Preseed variables to assist with using --unattended install
{
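Review bot: The two new `curl -L -s … | tar Jxpf - -C /` lines unpack the s6-overlay release over the image root, as root, without verifying what was fetched, and `-s` without `-f` means an HTTP error body is handed to tar instead of failing the build loudly. Download to a temporary file with `curl -fsSL`, check its digest before extracting, then untar; the just-containers releases publish `.sha256` files beside each tarball (confirm for the pinned version), which catches corruption and truncation, while pinning the digests in the Dockerfile next to S6_OVERLAY_VERSION additionally protects against a swapped asset. It is also worth confirming that the `x86` and `ppc64le` names in detect_arch still match v3 asset names, since only `armhf` was updated. The rest of install.sh lies outside these hunks.
```shell
detect_arch
s6_base_url="https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION}"
for tarball in "s6-overlay-noarch.tar.xz" "s6-overlay-${S6_ARCH}.tar.xz"; do
  curl -fsSL -o "/tmp/${tarball}" "${s6_base_url}/${tarball}"
  curl -fsSL -o "/tmp/${tarball}.sha256" "${s6_base_url}/${tarball}.sha256"
  # Refuse to extract anything whose digest does not match the published one
  (cd /tmp && sha256sum -c "${tarball}.sha256") || exit 1
  tar Jxpf "/tmp/${tarball}" -C /
  rm -f "/tmp/${tarball}" "/tmp/${tarball}.sha256"
done
# … unchanged: preseed variables block …
```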


@ -27,7 +27,6 @@ echo " ::: Starting docker specific checks & setup for docker pihole/pihole"
# Initial checks
# ===========================
fix_capabilities
validate_env || exit 1
ensure_basic_configuration
@ -44,9 +43,7 @@ setup_FTL_server || true
[ -n "${DNS_FQDN_REQUIRED}" ] && change_setting "DNS_FQDN_REQUIRED" "$DNS_FQDN_REQUIRED"
[ -n "${DNSSEC}" ] && change_setting "DNSSEC" "$DNSSEC"
[ -n "${DNS_BOGUS_PRIV}" ] && change_setting "DNS_BOGUS_PRIV" "$DNS_BOGUS_PRIV"
# We call the following function directly as it also allows us to run ProcessDNSSettings
# (to commit settings to 01-pihole.conf) without sourcing webpage.sh
pihole -a -i "$DNSMASQ_LISTENING"
setup_FTL_ProcessDNSSettings
# Web interface setup
# ===========================
@ -72,8 +69,8 @@ test_configs
[ -f /.piholeFirstBoot ] && rm /.piholeFirstBoot
echo " ::: Docker start setup complete"
echo "::: Docker start setup complete"
pihole -v
echo " Container tag is: ${PIHOLE_DOCKER_TAG}"
echo " Container tag is: ${PIHOLE_DOCKER_TAG}"