checkpoint
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
parent
382367f968
commit
d7a25836ad
146
src/Dockerfile
146
src/Dockerfile
|
@ -1,53 +1,111 @@
|
|||
ARG PIHOLE_BASE
|
||||
# FROM "${PIHOLE_BASE:-ghcr.io/pi-hole/docker-pi-hole-base:bullseye-slim}"
|
||||
FROM debian:bullseye-slim
|
||||
RUN apt-get update \
|
||||
&& apt-get install --no-install-recommends -y \
|
||||
# Packages Specific to Docker:
|
||||
procps \
|
||||
xz-utils \
|
||||
curl \
|
||||
ca-certificates \
|
||||
git \
|
||||
sudo \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
# FROM ghcr.io/pi-hole/docker-pi-hole-base:bullseye-slim
|
||||
|
||||
FROM alpine:latest
|
||||
|
||||
# download a repo from github
|
||||
RUN apk add --no-cache git libcap bash
|
||||
|
||||
# download a repo from github
|
||||
RUN git clone --branch devel-v6 https://github.com/pi-hole/AdminLTE.git /var/www/html/admin
|
||||
RUN git clone --branch development-v6 https://github.com/pi-hole/pi-hole.git /etc/.pihole
|
||||
|
||||
# Download the latest version of pihole-FTL for alpine:
|
||||
# Probably need this to be built for different architectures
|
||||
ADD https://ftl.pi-hole.net/new/http/pihole-FTL-musl-linux-x86_64 /usr/bin/pihole-FTL
|
||||
ADD https://ftl.pi-hole.net/macvendor.db /macvendor.db
|
||||
|
||||
RUN cd /etc/.pihole && \
|
||||
install -Dm755 -d /opt/pihole && \
|
||||
install -Dm755 -t /opt/pihole gravity.sh && \
|
||||
install -Dm755 -t /opt/pihole ./advanced/Scripts/*.sh && \
|
||||
install -Dm755 -t /opt/pihole ./automated\ install/uninstall.sh && \
|
||||
install -Dm755 -t /opt/pihole ./advanced/Scripts/COL_TABLE && \
|
||||
install -Dm755 -t /usr/local/bin pihole && \
|
||||
install -Dm644 ./advanced/bash-completion/pihole /etc/bash_completion.d/pihole
|
||||
|
||||
|
||||
ARG PIHOLE_DOCKER_TAG
|
||||
RUN echo "${PIHOLE_DOCKER_TAG}" > /pihole.docker.tag
|
||||
ENV DNSMASQ_USER=pihole
|
||||
ENV FTL_CMD=no-daemon
|
||||
RUN addgroup -S pihole && adduser -S pihole -G pihole
|
||||
# RUN groupadd pihole && useradd -r --no-user-group -g pihole -s /usr/sbin/nologin pihole
|
||||
|
||||
ENTRYPOINT [ "/s6-init" ]
|
||||
RUN apk add curl \
|
||||
bind-tools \
|
||||
nmap-ncat \
|
||||
psmisc \
|
||||
sudo \
|
||||
unzip \
|
||||
wget \
|
||||
libidn \
|
||||
nettle \
|
||||
libcap \
|
||||
openresolv \
|
||||
iproute2-ss \
|
||||
jq \
|
||||
coreutils \
|
||||
ncurses \
|
||||
dialog git newt procps dhcpcd openrc ncurses newt git
|
||||
|
||||
COPY s6/debian-root /
|
||||
COPY s6/service /usr/local/bin/service
|
||||
ADD bash_functions.sh /usr/bin/bash_functions.sh
|
||||
ADD start.sh /usr/bin/start.sh
|
||||
|
||||
RUN bash -ex install.sh 2>&1 && \
|
||||
rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
|
||||
RUN chmod +x /usr/bin/start.sh
|
||||
RUN chmod +x /usr/bin/pihole-FTL
|
||||
|
||||
ARG PHP_ERROR_LOG
|
||||
ENV PHP_ERROR_LOG /var/log/lighttpd/error-pihole.log
|
||||
|
||||
# Add PADD to the container, too.
|
||||
ADD https://raw.githubusercontent.com/pi-hole/PADD/PADD_FTLv6/padd.sh /usr/local/bin/padd
|
||||
RUN chmod +x /usr/local/bin/padd
|
||||
|
||||
# IPv6 disable flag for networks/devices that do not support it
|
||||
ENV IPv6 True
|
||||
|
||||
EXPOSE 53 53/udp
|
||||
EXPOSE 67/udp
|
||||
EXPOSE 80
|
||||
|
||||
ENV S6_KEEP_ENV 1
|
||||
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS 2
|
||||
ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME 0
|
||||
|
||||
# ENV FTLCONF_LOCAL_IPV4 0.0.0.0
|
||||
ENV FTL_CMD no-daemon
|
||||
ENV DNSMASQ_USER pihole
|
||||
|
||||
ENV PATH /opt/pihole:${PATH}
|
||||
|
||||
HEALTHCHECK CMD dig +short +norecurse +retry=0 @127.0.0.1 pi.hole || exit 1
|
||||
|
||||
SHELL ["/bin/bash", "-c"]
|
||||
ENTRYPOINT [ "start.sh" ]
|
||||
|
||||
|
||||
|
||||
# RUN apt-get update \
|
||||
# && apt-get install --no-install-recommends -y \
|
||||
# # Packages Specific to Docker:
|
||||
# procps \
|
||||
# xz-utils \
|
||||
# curl \
|
||||
# ca-certificates \
|
||||
# git \
|
||||
# sudo \
|
||||
# && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
|
||||
# ARG PIHOLE_DOCKER_TAG
|
||||
# RUN echo "${PIHOLE_DOCKER_TAG}" > /pihole.docker.tag
|
||||
|
||||
# ENTRYPOINT [ "/s6-init" ]
|
||||
|
||||
# COPY s6/debian-root /
|
||||
# COPY s6/service /usr/local/bin/service
|
||||
|
||||
# RUN bash -ex install.sh 2>&1 && \
|
||||
# rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
|
||||
|
||||
# ARG PHP_ERROR_LOG
|
||||
# ENV PHP_ERROR_LOG /var/log/lighttpd/error-pihole.log
|
||||
|
||||
# # Add PADD to the container, too.
|
||||
# ADD https://raw.githubusercontent.com/pi-hole/PADD/PADD_FTLv6/padd.sh /usr/local/bin/padd
|
||||
# RUN chmod +x /usr/local/bin/padd
|
||||
|
||||
# # IPv6 disable flag for networks/devices that do not support it
|
||||
# ENV IPv6 True
|
||||
|
||||
# EXPOSE 53 53/udp
|
||||
# EXPOSE 67/udp
|
||||
# EXPOSE 80
|
||||
|
||||
# ENV S6_KEEP_ENV 1
|
||||
# ENV S6_BEHAVIOUR_IF_STAGE2_FAILS 2
|
||||
# ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME 0
|
||||
|
||||
# # ENV FTLCONF_LOCAL_IPV4 0.0.0.0
|
||||
# ENV FTL_CMD no-daemon
|
||||
# ENV DNSMASQ_USER pihole
|
||||
|
||||
# ENV PATH /opt/pihole:${PATH}
|
||||
|
||||
# HEALTHCHECK CMD dig +short +norecurse +retry=0 @127.0.0.1 pi.hole || exit 1
|
||||
|
||||
# SHELL ["/bin/bash", "-c"]
|
|
@ -7,20 +7,75 @@
|
|||
# Some of the bash_functions use utilities from Pi-hole's utils.sh
|
||||
# shellcheck disable=SC2154
|
||||
# shellcheck source=/dev/null
|
||||
. /opt/pihole/utils.sh
|
||||
# . /opt/pihole/utils.sh
|
||||
|
||||
#######################
|
||||
# returns value from FTLs config file using pihole-FTL --config
|
||||
#
|
||||
# Takes one argument: key
|
||||
# Example getFTLConfigValue dns.piholePTR
|
||||
#######################
|
||||
getFTLConfigValue(){
|
||||
pihole-FTL --config -q "${1}"
|
||||
}
|
||||
|
||||
#######################
|
||||
# sets value in FTLs config file using pihole-FTL --config
|
||||
#
|
||||
# Takes two arguments: key and value
|
||||
# Example setFTLConfigValue dns.piholePTR PI.HOLE
|
||||
#
|
||||
# Note, for complex values such as dns.upstreams, you should wrap the value in single quotes:
|
||||
# setFTLConfigValue dns.upstreams '[ "8.8.8.8" , "8.8.4.4" ]'
|
||||
#######################
|
||||
setFTLConfigValue(){
|
||||
pihole-FTL --config "${1}" "${2}" >/dev/null
|
||||
}
|
||||
|
||||
# export adlistFile="/etc/pihole/adlists.list"
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
ensure_basic_configuration() {
|
||||
echo " [i] Ensuring basic configuration by re-running select functions from basic-install.sh"
|
||||
|
||||
|
||||
# installScripts > /dev/null
|
||||
# installLogrotate || true #installLogRotate can return 2 or 3, but we are still OK to continue in that case
|
||||
|
||||
# set +e
|
||||
mkdir -p /var/run/pihole /var/log/pihole
|
||||
touch /var/log/pihole/FTL.log /var/log/pihole/pihole.log
|
||||
chown -R pihole:pihole /var/run/pihole /var/log/pihole
|
||||
|
||||
# In case of `pihole` UID being changed, re-chown the pihole scripts and pihole command
|
||||
# chown -R pihole:root "${PI_HOLE_INSTALL_DIR}"
|
||||
# chown pihole:root "${PI_HOLE_BIN_DIR}/pihole"
|
||||
|
||||
mkdir -p /etc/pihole
|
||||
echo "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" >> /etc/pihole/adlists.list
|
||||
chown -R pihole:pihole /etc/pihole
|
||||
|
||||
|
||||
# set -e
|
||||
|
||||
# # If FTLCONF_files_macvendor is not set
|
||||
# if [[ -z "${FTLCONF_files_macvendor:-}" ]]; then
|
||||
# # User is not passing in a custom location - so force FTL to use the file we moved to / during the build
|
||||
# setFTLConfigValue "files.macvendor" "/macvendor.db"
|
||||
# fi
|
||||
}
|
||||
|
||||
export adlistFile="/etc/pihole/adlists.list"
|
||||
|
||||
fix_capabilities() {
|
||||
# Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
|
||||
# Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
|
||||
# FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
|
||||
echo " [i] Setting capabilities on pihole-FTL where possible"
|
||||
/sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
|
||||
/sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
||||
/sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
|
||||
/sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
||||
/sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
|
||||
capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
|
||||
capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
|
||||
capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
|
||||
capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
|
||||
capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
|
||||
|
||||
if [[ ${CAP_STR} ]]; then
|
||||
# We have the (some of) the above caps available to us - apply them to pihole-FTL
|
||||
|
@ -53,29 +108,6 @@ fix_capabilities() {
|
|||
}
|
||||
|
||||
|
||||
# shellcheck disable=SC2034
|
||||
ensure_basic_configuration() {
|
||||
echo " [i] Ensuring basic configuration by re-running select functions from basic-install.sh"
|
||||
# TODO: Is this it?
|
||||
installLogrotate || true #installLogRotate can return 2 or 3, but we are still OK to continue in that case
|
||||
|
||||
set +e
|
||||
mkdir -p /var/run/pihole /var/log/pihole
|
||||
touch /var/log/pihole/FTL.log /var/log/pihole/pihole.log
|
||||
|
||||
# In case of `pihole` UID being changed, re-chown the pihole scripts and pihole command
|
||||
chown -R pihole:root "${PI_HOLE_INSTALL_DIR}"
|
||||
chown pihole:root "${PI_HOLE_BIN_DIR}/pihole"
|
||||
chown -R pihole:pihole /etc/pihole
|
||||
|
||||
set -e
|
||||
|
||||
# If FTLCONF_files_macvendor is not set
|
||||
if [[ -z "${FTLCONF_files_macvendor:-}" ]]; then
|
||||
# User is not passing in a custom location - so force FTL to use the file we moved to / during the build
|
||||
setFTLConfigValue "files.macvendor" "/macvendor.db"
|
||||
fi
|
||||
}
|
||||
|
||||
apply_FTL_Configs_From_Env(){
|
||||
# Get all exported environment variables starting with FTLCONF_ as a prefix and call the setFTLConfigValue
|
||||
|
@ -100,7 +132,7 @@ apply_FTL_Configs_From_Env(){
|
|||
masked_value=$value
|
||||
fi
|
||||
|
||||
if $(pihole-FTL --config "${name}" "${value}" > /ftlconfoutput); then
|
||||
if $(sudo -u pihole pihole-FTL --config "${name}" "${value}" > /ftlconfoutput); then
|
||||
echo " ${TICK} Applied pihole-FTL setting $name=$masked_value"
|
||||
else
|
||||
echo " ${CROSS} Error Applying pihole-FTL setting $name=$masked_value"
|
||||
|
@ -165,26 +197,26 @@ setup_web_password() {
|
|||
fi
|
||||
}
|
||||
|
||||
setup_blocklists() {
|
||||
# Exit/return early without setting up adlists with defaults for any of the following conditions:
|
||||
# 1. skip_setup_blocklists env is set
|
||||
exit_string="(exiting ${FUNCNAME[0]} early)"
|
||||
# setup_blocklists() {
|
||||
# # Exit/return early without setting up adlists with defaults for any of the following conditions:
|
||||
# # 1. skip_setup_blocklists env is set
|
||||
# exit_string="(exiting ${FUNCNAME[0]} early)"
|
||||
|
||||
if [ -n "${skip_setup_blocklists}" ]; then
|
||||
echo " [i] skip_setup_blocklists requested $exit_string"
|
||||
return
|
||||
fi
|
||||
# if [ -n "${skip_setup_blocklists}" ]; then
|
||||
# echo " [i] skip_setup_blocklists requested $exit_string"
|
||||
# return
|
||||
# fi
|
||||
|
||||
# 2. The adlist file exists already (restarted container or volume mounted list)
|
||||
if [ -f "${adlistFile}" ]; then
|
||||
echo " [i] Preexisting ad list ${adlistFile} detected $exit_string"
|
||||
return
|
||||
fi
|
||||
# # 2. The adlist file exists already (restarted container or volume mounted list)
|
||||
# if [ -f "${adlistFile}" ]; then
|
||||
# echo " [i] Preexisting ad list ${adlistFile} detected $exit_string"
|
||||
# return
|
||||
# fi
|
||||
|
||||
echo " [i] ${FUNCNAME[0]} now setting default blocklists up: "
|
||||
echo " [i] TIP: Use a docker volume for ${adlistFile} if you want to customize for first boot"
|
||||
installDefaultBlocklists
|
||||
# echo " [i] ${FUNCNAME[0]} now setting default blocklists up: "
|
||||
# echo " [i] TIP: Use a docker volume for ${adlistFile} if you want to customize for first boot"
|
||||
# # installDefaultBlocklists
|
||||
|
||||
echo " [i] Blocklists (${adlistFile}) now set to:"
|
||||
cat "${adlistFile}"
|
||||
}
|
||||
# echo " [i] Blocklists (${adlistFile}) now set to:"
|
||||
# cat "${adlistFile}"
|
||||
# }
|
|
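Review bot: In the new `ensure_basic_configuration` (first hunk, `@ -7,20 +7,75 @@`) the line `echo "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" >> /etc/pihole/adlists.list` runs unconditionally on every container start, so each restart appends another copy of the same URL, and it bypasses the `skip_setup_blocklists` and preexisting-file checks that `setup_blocklists` performed (now commented out in the last hunk). Guard it, e.g. `url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"` followed by `grep -qxF "$url" /etc/pihole/adlists.list 2>/dev/null || echo "$url" >> /etc/pihole/adlists.list`, and consider honouring `skip_setup_blocklists` there as well. In `fix_capabilities` the same hunk shows both `/sbin/capsh --has-p=…` and `capsh --has-p=…` probe lines; if both survive on the new side (the markers are not preserved in this view), every capability is appended to `CAP_STR` twice, so only one set should remain. `fix_capabilities` continues past the end of that hunk.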
@ -0,0 +1,111 @@
|
|||
#!/bin/bash -e
|
||||
|
||||
if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
|
||||
set -x ;
|
||||
fi
|
||||
|
||||
|
||||
# The below functions are all contained in bash_functions.sh
|
||||
# shellcheck source=/dev/null
|
||||
. /usr/bin/bash_functions.sh
|
||||
|
||||
|
||||
# shellcheck source=/dev/null
|
||||
# SKIP_INSTALL=true . /etc/.pihole/automated\ install/basic-install.sh
|
||||
|
||||
echo " [i] Starting docker specific checks & setup for docker pihole/pihole"
|
||||
|
||||
# TODO:
|
||||
#if [ ! -f /.piholeFirstBoot ] ; then
|
||||
# echo " [i] Not first container startup so not running docker's setup, re-create container to run setup again"
|
||||
#else
|
||||
# regular_setup_functions
|
||||
#fi
|
||||
|
||||
# Initial checks
|
||||
# ===========================
|
||||
fix_capabilities
|
||||
# validate_env || exit 1
|
||||
ensure_basic_configuration
|
||||
|
||||
|
||||
apply_FTL_Configs_From_Env
|
||||
|
||||
# Web interface setup
|
||||
# ===========================
|
||||
# load_web_password_secret
|
||||
# setup_web_password
|
||||
|
||||
# Misc Setup
|
||||
# ===========================
|
||||
# setup_blocklists
|
||||
|
||||
# FTL setup
|
||||
# ===========================
|
||||
|
||||
# setup_FTL_User
|
||||
# setup_FTL_query_logging
|
||||
|
||||
[ -f /.piholeFirstBoot ] && rm /.piholeFirstBoot
|
||||
|
||||
echo " [i] Docker start setup complete"
|
||||
echo ""
|
||||
|
||||
|
||||
echo " [i] pihole-FTL ($FTL_CMD) will be started as ${DNSMASQ_USER}"
|
||||
echo ""
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#!/usr/bin/env bash
|
||||
|
||||
if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
|
||||
set -x ;
|
||||
fi
|
||||
|
||||
# Remove possible leftovers from previous pihole-FTL processes
|
||||
rm -f /dev/shm/FTL-* 2> /dev/null
|
||||
rm -f /run/pihole/FTL.sock
|
||||
|
||||
# install /dev/null files to ensure they exist (create if non-existing, preserve if existing)
|
||||
mkdir -pm 0755 /run/pihole /var/log/pihole
|
||||
[[ ! -f /run/pihole-FTL.pid ]] && install /dev/null /run/pihole-FTL.pid
|
||||
[[ ! -f /var/log/pihole/FTL.log ]] && install /dev/null /var/log/pihole/FTL.log
|
||||
[[ ! -f /var/log/pihole/pihole.log ]] && install /dev/null /var/log/pihole/pihole.log
|
||||
[[ ! -f /etc/pihole/dhcp.leases ]] && install /dev/null /etc/pihole/dhcp.leases
|
||||
|
||||
# Ensure that permissions are set so that pihole-FTL can edit all necessary files
|
||||
chown pihole:pihole /run/pihole-FTL.pid /var/log/pihole/FTL.log /var/log/pihole/pihole.log /etc/pihole/dhcp.leases /run/pihole /etc/pihole
|
||||
chmod 0644 /run/pihole-FTL.pid /var/log/pihole/FTL.log /var/log/pihole/pihole.log /etc/pihole/dhcp.leases /etc/pihole/pihole.toml
|
||||
|
||||
# Ensure that permissions are set so that pihole-FTL can edit the files. We ignore errors as the file may not (yet) exist
|
||||
chmod -f 0644 /etc/pihole/macvendor.db || true
|
||||
# Chown database files to the user FTL runs as. We ignore errors as the files may not (yet) exist
|
||||
chown -f pihole:pihole /etc/pihole/pihole-FTL.db /etc/pihole/gravity.db /etc/pihole/macvendor.db || true
|
||||
# Chown database file permissions so that the pihole group (web interface) can edit the file. We ignore errors as the files may not (yet) exist
|
||||
chmod -f 0664 /etc/pihole/pihole-FTL.db || true
|
||||
|
||||
# Backward compatibility for user-scripts that still expect log files in /var/log instead of /var/log/pihole/
|
||||
# Should be removed with Pi-hole v6.0
|
||||
if [ ! -f /var/log/pihole.log ]; then
|
||||
ln -s /var/log/pihole/pihole.log /var/log/pihole.log
|
||||
chown -h pihole:pihole /var/log/pihole.log
|
||||
|
||||
fi
|
||||
if [ ! -f /var/log/pihole-FTL.log ]; then
|
||||
ln -s /var/log/pihole/FTL.log /var/log/pihole-FTL.log
|
||||
chown -h pihole:pihole /var/log/pihole-FTL.log
|
||||
fi
|
||||
|
||||
pihole -g
|
||||
|
||||
capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null" &
|
||||
tail -f /var/log/pihole-FTL.log
|
||||
|
||||
# Notes on above:
|
||||
# - DNSMASQ_USER default of pihole is in Dockerfile & can be overwritten by runtime container env
|
||||
# - /var/log/pihole/pihole*.log has FTL's output that no-daemon would normally print in FG too
|
||||
# prevent duplicating it in docker logs by sending to dev null
|
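Review bot: In the second script (its file header is missing from this view, so the path is uncertain), `capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null" &` backgrounds FTL and then makes `tail -f /var/log/pihole-FTL.log` the foreground process, so the container stays up after FTL exits and the SIGTERM from `docker stop` reaches `tail`, never FTL. Keep FTL as the process the script waits on, background the log tail instead, and forward TERM so FTL can shut down cleanly; `$DNSMASQ_USER` should also be quoted, and `exec` inside the `-c` string makes sure the signal lands on FTL rather than the intermediate shell. A few lines above, `chmod 0644 … /etc/pihole/pihole.toml` has no `-f` while the neighbouring `chmod -f … || true` lines deliberately tolerate missing files; `pihole.toml` may not exist before FTL has run, so it needs the same treatment.
```bash
capsh --user="$DNSMASQ_USER" --keep=1 -- -c "exec /usr/bin/pihole-FTL $FTL_CMD >/dev/null" &
ftl_pid=$!
tail -f /var/log/pihole-FTL.log &
trap 'kill -TERM "$ftl_pid" 2>/dev/null' TERM INT
wait "$ftl_pid"
```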