checkpoint

Signed-off-by: Adam Warner <me@adamwarner.co.uk>
2023-02-15 23:48:53 +00:00 · 2023-02-15 23:48:53 +00:00 · d7a25836ad
parent 382367f968
commit d7a25836ad
3 changed files with 295 additions and 94 deletions
--- a/src/Dockerfile
+++ b/src/Dockerfile
@ -1,53 +1,111 @@
-ARG PIHOLE_BASE
-# FROM "${PIHOLE_BASE:-ghcr.io/pi-hole/docker-pi-hole-base:bullseye-slim}"
-FROM debian:bullseye-slim
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y \
-        # Packages Specific to Docker:
-        procps \
-        xz-utils \
-        curl \
-        ca-certificates \
-        git \
-        sudo \
-    && rm -rf /var/lib/apt/lists/*
+# FROM ghcr.io/pi-hole/docker-pi-hole-base:bullseye-slim
+
+FROM alpine:latest
+
+# download a repo from github
+RUN apk add --no-cache git libcap bash
+
+# download a repo from github
+RUN git clone --branch devel-v6 https://github.com/pi-hole/AdminLTE.git /var/www/html/admin
+RUN git clone --branch development-v6 https://github.com/pi-hole/pi-hole.git /etc/.pihole
+
+# Download the latest version of pihole-FTL for alpine:
+# Probably need this to be built for different architectures
+ADD https://ftl.pi-hole.net/new/http/pihole-FTL-musl-linux-x86_64 /usr/bin/pihole-FTL
+ADD https://ftl.pi-hole.net/macvendor.db /macvendor.db
+
+RUN cd /etc/.pihole && \
+    install -Dm755 -d /opt/pihole && \
+    install -Dm755 -t /opt/pihole gravity.sh && \
+    install -Dm755 -t /opt/pihole ./advanced/Scripts/*.sh && \
+    install -Dm755 -t /opt/pihole ./automated\ install/uninstall.sh && \
+    install -Dm755 -t /opt/pihole ./advanced/Scripts/COL_TABLE && \
+    install -Dm755 -t /usr/local/bin pihole && \
+    install -Dm644 ./advanced/bash-completion/pihole /etc/bash_completion.d/pihole


-ARG PIHOLE_DOCKER_TAG
-RUN echo "${PIHOLE_DOCKER_TAG}" > /pihole.docker.tag
+ENV DNSMASQ_USER=pihole
+ENV FTL_CMD=no-daemon
+RUN addgroup -S pihole && adduser -S pihole -G pihole
+# RUN groupadd pihole && useradd -r --no-user-group -g pihole -s /usr/sbin/nologin pihole

-ENTRYPOINT [ "/s6-init" ]
+RUN apk add curl \
+            bind-tools \
+            nmap-ncat \
+            psmisc \
+            sudo \
+            unzip \
+            wget \
+            libidn \
+            nettle \
+            libcap \
+            openresolv \
+            iproute2-ss \
+            jq \
+            coreutils \
+            ncurses \
+            dialog git newt procps dhcpcd openrc ncurses newt git

-COPY s6/debian-root /
-COPY s6/service /usr/local/bin/service
+ADD bash_functions.sh /usr/bin/bash_functions.sh
+ADD start.sh /usr/bin/start.sh

-RUN bash -ex install.sh 2>&1 && \
-    rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
+RUN chmod +x /usr/bin/start.sh
+RUN chmod +x /usr/bin/pihole-FTL

-ARG PHP_ERROR_LOG
-ENV PHP_ERROR_LOG /var/log/lighttpd/error-pihole.log
-
-# Add PADD to the container, too.
-ADD https://raw.githubusercontent.com/pi-hole/PADD/PADD_FTLv6/padd.sh /usr/local/bin/padd
-RUN chmod +x /usr/local/bin/padd
-
-# IPv6 disable flag for networks/devices that do not support it
-ENV IPv6 True
-
-EXPOSE 53 53/udp
-EXPOSE 67/udp
-EXPOSE 80
-
-ENV S6_KEEP_ENV 1
-ENV S6_BEHAVIOUR_IF_STAGE2_FAILS 2
-ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME 0
-
-# ENV FTLCONF_LOCAL_IPV4 0.0.0.0
-ENV FTL_CMD no-daemon
-ENV DNSMASQ_USER pihole
-
-ENV PATH /opt/pihole:${PATH}

 HEALTHCHECK CMD dig +short +norecurse +retry=0 @127.0.0.1 pi.hole || exit 1

-SHELL ["/bin/bash", "-c"]
+ENTRYPOINT [ "start.sh" ]
+
+
+
+# RUN apt-get update \
+#     && apt-get install --no-install-recommends -y \
+#         # Packages Specific to Docker:
+#         procps \
+#         xz-utils \
+#         curl \
+#         ca-certificates \
+#         git \
+#         sudo \
+#     && rm -rf /var/lib/apt/lists/*
+
+
+# ARG PIHOLE_DOCKER_TAG
+# RUN echo "${PIHOLE_DOCKER_TAG}" > /pihole.docker.tag
+
+# ENTRYPOINT [ "/s6-init" ]
+
+# COPY s6/debian-root /
+# COPY s6/service /usr/local/bin/service
+
+# RUN bash -ex install.sh 2>&1 && \
+#     rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
+
+# ARG PHP_ERROR_LOG
+# ENV PHP_ERROR_LOG /var/log/lighttpd/error-pihole.log
+
+# # Add PADD to the container, too.
+# ADD https://raw.githubusercontent.com/pi-hole/PADD/PADD_FTLv6/padd.sh /usr/local/bin/padd
+# RUN chmod +x /usr/local/bin/padd
+
+# # IPv6 disable flag for networks/devices that do not support it
+# ENV IPv6 True
+
+# EXPOSE 53 53/udp
+# EXPOSE 67/udp
+# EXPOSE 80
+
+# ENV S6_KEEP_ENV 1
+# ENV S6_BEHAVIOUR_IF_STAGE2_FAILS 2
+# ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME 0
+
+# # ENV FTLCONF_LOCAL_IPV4 0.0.0.0
+# ENV FTL_CMD no-daemon
+# ENV DNSMASQ_USER pihole
+
+# ENV PATH /opt/pihole:${PATH}
+
+# HEALTHCHECK CMD dig +short +norecurse +retry=0 @127.0.0.1 pi.hole || exit 1
+
+# SHELL ["/bin/bash", "-c"]
--- a/src/s6/debian-root/usr/local/bin/bash_functions.sh
+++ b/src/s6/debian-root/usr/local/bin/bash_functions.sh
@ -7,20 +7,75 @@
 # Some of the bash_functions use utilities from Pi-hole's utils.sh
 # shellcheck disable=SC2154
 # shellcheck source=/dev/null
-. /opt/pihole/utils.sh
+# . /opt/pihole/utils.sh
+
+#######################
+# returns value from FTLs config file using pihole-FTL --config
+#
+# Takes one argument: key
+# Example getFTLConfigValue dns.piholePTR
+#######################
+getFTLConfigValue(){
+  pihole-FTL --config -q "${1}"
+}
+
+#######################
+# sets value in FTLs config file using pihole-FTL --config
+#
+# Takes two arguments: key and value
+# Example setFTLConfigValue dns.piholePTR PI.HOLE
+#
+# Note, for complex values such as dns.upstreams, you should wrap the value in single quotes:
+# setFTLConfigValue dns.upstreams '[ "8.8.8.8" , "8.8.4.4" ]'
+#######################
+setFTLConfigValue(){
+  pihole-FTL --config "${1}" "${2}" >/dev/null
+}
+
+# export adlistFile="/etc/pihole/adlists.list"
+
+# shellcheck disable=SC2034
+ensure_basic_configuration() {
+    echo "  [i] Ensuring basic configuration by re-running select functions from basic-install.sh"
+
+
+    # installScripts > /dev/null
+    # installLogrotate || true #installLogRotate can return 2 or 3, but we are still OK to continue in that case
+
+    # set +e
+    mkdir -p /var/run/pihole /var/log/pihole
+    touch /var/log/pihole/FTL.log /var/log/pihole/pihole.log
+    chown -R pihole:pihole /var/run/pihole /var/log/pihole
+
+    # In case of `pihole` UID being changed, re-chown the pihole scripts and pihole command
+    # chown -R pihole:root "${PI_HOLE_INSTALL_DIR}"
+    # chown pihole:root "${PI_HOLE_BIN_DIR}/pihole"
+
+    mkdir -p /etc/pihole
+    echo "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" >> /etc/pihole/adlists.list
+    chown -R pihole:pihole /etc/pihole
+
+
+    # set -e
+
+    # # If FTLCONF_files_macvendor is not set
+    # if [[ -z "${FTLCONF_files_macvendor:-}" ]]; then
+    #     # User is not passing in a custom location - so force FTL to use the file we moved to / during the build
+    #     setFTLConfigValue "files.macvendor" "/macvendor.db"
+    # fi
+}

-export adlistFile="/etc/pihole/adlists.list"

 fix_capabilities() {
    # Testing on Docker 20.10.14 with no caps set shows the following caps available to the container:
    # Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
    # FTL can also use CAP_NET_ADMIN and CAP_SYS_NICE. If we try to set them when they haven't been explicitly enabled, FTL will not start. Test for them first:
    echo "  [i] Setting capabilities on pihole-FTL where possible"
-    /sbin/capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
-    /sbin/capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
-    /sbin/capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
-    /sbin/capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
-    /sbin/capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'
+    capsh --has-p=cap_chown 2>/dev/null && CAP_STR+=',CAP_CHOWN'
+    capsh --has-p=cap_net_bind_service 2>/dev/null && CAP_STR+=',CAP_NET_BIND_SERVICE'
+    capsh --has-p=cap_net_raw 2>/dev/null && CAP_STR+=',CAP_NET_RAW'
+    capsh --has-p=cap_net_admin 2>/dev/null && CAP_STR+=',CAP_NET_ADMIN' || DHCP_READY='false'
+    capsh --has-p=cap_sys_nice 2>/dev/null && CAP_STR+=',CAP_SYS_NICE'

    if [[ ${CAP_STR} ]]; then
        # We have the (some of) the above caps available to us - apply them to pihole-FTL
@ -53,29 +108,6 @@ fix_capabilities() {
 }


-# shellcheck disable=SC2034
-ensure_basic_configuration() {
-    echo "  [i] Ensuring basic configuration by re-running select functions from basic-install.sh"
-    # TODO: Is this it?
-    installLogrotate || true #installLogRotate can return 2 or 3, but we are still OK to continue in that case
-
-    set +e
-    mkdir -p /var/run/pihole /var/log/pihole
-    touch /var/log/pihole/FTL.log /var/log/pihole/pihole.log
-
-    # In case of `pihole` UID being changed, re-chown the pihole scripts and pihole command
-    chown -R pihole:root "${PI_HOLE_INSTALL_DIR}"
-    chown pihole:root "${PI_HOLE_BIN_DIR}/pihole"
-    chown -R pihole:pihole /etc/pihole
-
-    set -e
-
-    # If FTLCONF_files_macvendor is not set
-    if [[ -z "${FTLCONF_files_macvendor:-}" ]]; then
-        # User is not passing in a custom location - so force FTL to use the file we moved to / during the build
-        setFTLConfigValue "files.macvendor" "/macvendor.db"
-    fi
-}

 apply_FTL_Configs_From_Env(){
    # Get all exported environment variables starting with FTLCONF_ as a prefix and call the setFTLConfigValue
@ -100,7 +132,7 @@ apply_FTL_Configs_From_Env(){
            masked_value=$value
        fi

-        if $(pihole-FTL --config "${name}" "${value}" > /ftlconfoutput); then
+        if $(sudo -u pihole pihole-FTL --config "${name}" "${value}" > /ftlconfoutput); then
            echo "  ${TICK} Applied pihole-FTL setting $name=$masked_value"
        else
            echo "  ${CROSS} Error Applying pihole-FTL setting $name=$masked_value"
@ -165,26 +197,26 @@ setup_web_password() {
    fi
 }

-setup_blocklists() {
-    # Exit/return early without setting up adlists with defaults for any of the following conditions:
-    # 1. skip_setup_blocklists env is set
-    exit_string="(exiting ${FUNCNAME[0]} early)"
+# setup_blocklists() {
+#     # Exit/return early without setting up adlists with defaults for any of the following conditions:
+#     # 1. skip_setup_blocklists env is set
+#     exit_string="(exiting ${FUNCNAME[0]} early)"

-    if [ -n "${skip_setup_blocklists}" ]; then
-        echo "  [i] skip_setup_blocklists requested $exit_string"
-        return
-    fi
+#     if [ -n "${skip_setup_blocklists}" ]; then
+#         echo "  [i] skip_setup_blocklists requested $exit_string"
+#         return
+#     fi

-    # 2. The adlist file exists already (restarted container or volume mounted list)
-    if [ -f "${adlistFile}" ]; then
-        echo "  [i] Preexisting ad list ${adlistFile} detected $exit_string"
-        return
-    fi
+#     # 2. The adlist file exists already (restarted container or volume mounted list)
+#     if [ -f "${adlistFile}" ]; then
+#         echo "  [i] Preexisting ad list ${adlistFile} detected $exit_string"
+#         return
+#     fi

-    echo "  [i] ${FUNCNAME[0]} now setting default blocklists up: "
-    echo "  [i] TIP: Use a docker volume for ${adlistFile} if you want to customize for first boot"
-    installDefaultBlocklists
+#     echo "  [i] ${FUNCNAME[0]} now setting default blocklists up: "
+#     echo "  [i] TIP: Use a docker volume for ${adlistFile} if you want to customize for first boot"
+#     # installDefaultBlocklists

-    echo "  [i] Blocklists (${adlistFile}) now set to:"
-    cat "${adlistFile}"
-}
+#     echo "  [i] Blocklists (${adlistFile}) now set to:"
+#     cat "${adlistFile}"
+# }
--- a/src/start.sh
+++ b/src/start.sh
@ -0,0 +1,111 @@
+#!/bin/bash -e
+
+if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
+    set -x ;
+fi
+
+
+# The below functions are all contained in bash_functions.sh
+# shellcheck source=/dev/null
+. /usr/bin/bash_functions.sh
+
+
+# shellcheck source=/dev/null
+# SKIP_INSTALL=true . /etc/.pihole/automated\ install/basic-install.sh
+
+echo "  [i] Starting docker specific checks & setup for docker pihole/pihole"
+
+# TODO:
+#if [ ! -f /.piholeFirstBoot ] ; then
+#    echo "   [i] Not first container startup so not running docker's setup, re-create container to run setup again"
+#else
+#    regular_setup_functions
+#fi
+
+# Initial checks
+# ===========================
+fix_capabilities
+# validate_env || exit 1
+ensure_basic_configuration
+
+
+apply_FTL_Configs_From_Env
+
+# Web interface setup
+# ===========================
+# load_web_password_secret
+# setup_web_password
+
+# Misc Setup
+# ===========================
+# setup_blocklists
+
+# FTL setup
+# ===========================
+
+# setup_FTL_User
+# setup_FTL_query_logging
+
+[ -f /.piholeFirstBoot ] && rm /.piholeFirstBoot
+
+echo "  [i] Docker start setup complete"
+echo ""
+
+
+echo "  [i] pihole-FTL ($FTL_CMD) will be started as ${DNSMASQ_USER}"
+echo ""
+
+
+
+
+
+
+#!/usr/bin/env bash
+
+if [ "${PH_VERBOSE:-0}" -gt 0 ] ; then
+    set -x ;
+fi
+
+# Remove possible leftovers from previous pihole-FTL processes
+rm -f /dev/shm/FTL-* 2> /dev/null
+rm -f /run/pihole/FTL.sock
+
+# install /dev/null files to ensure they exist (create if non-existing, preserve if existing)
+mkdir -pm 0755 /run/pihole /var/log/pihole
+[[ ! -f /run/pihole-FTL.pid ]] && install /dev/null /run/pihole-FTL.pid
+[[ ! -f /var/log/pihole/FTL.log ]] && install /dev/null /var/log/pihole/FTL.log
+[[ ! -f /var/log/pihole/pihole.log ]] && install /dev/null /var/log/pihole/pihole.log
+[[ ! -f /etc/pihole/dhcp.leases ]] && install /dev/null /etc/pihole/dhcp.leases
+
+# Ensure that permissions are set so that pihole-FTL can edit all necessary files
+chown pihole:pihole /run/pihole-FTL.pid /var/log/pihole/FTL.log /var/log/pihole/pihole.log /etc/pihole/dhcp.leases /run/pihole /etc/pihole
+chmod 0644 /run/pihole-FTL.pid /var/log/pihole/FTL.log /var/log/pihole/pihole.log /etc/pihole/dhcp.leases /etc/pihole/pihole.toml
+
+# Ensure that permissions are set so that pihole-FTL can edit the files. We ignore errors as the file may not (yet) exist
+chmod -f 0644 /etc/pihole/macvendor.db || true
+# Chown database files to the user FTL runs as. We ignore errors as the files may not (yet) exist
+chown -f pihole:pihole /etc/pihole/pihole-FTL.db /etc/pihole/gravity.db /etc/pihole/macvendor.db || true
+# Chown database file permissions so that the pihole group (web interface) can edit the file. We ignore errors as the files may not (yet) exist
+chmod -f 0664 /etc/pihole/pihole-FTL.db || true
+
+# Backward compatibility for user-scripts that still expect log files in /var/log instead of /var/log/pihole/
+# Should be removed with Pi-hole v6.0
+if [ ! -f /var/log/pihole.log ]; then
+    ln -s /var/log/pihole/pihole.log /var/log/pihole.log
+    chown -h pihole:pihole /var/log/pihole.log
+
+fi
+if [ ! -f /var/log/pihole-FTL.log ]; then
+    ln -s /var/log/pihole/FTL.log /var/log/pihole-FTL.log
+    chown -h pihole:pihole /var/log/pihole-FTL.log
+fi
+
+pihole -g
+
+capsh --user=$DNSMASQ_USER --keep=1 -- -c "/usr/bin/pihole-FTL $FTL_CMD >/dev/null" &
+tail -f /var/log/pihole-FTL.log
+
+# Notes on above:
+# - DNSMASQ_USER default of pihole is in Dockerfile & can be overwritten by runtime container env
+# - /var/log/pihole/pihole*.log has FTL's output that no-daemon would normally print in FG too
+#   prevent duplicating it in docker logs by sending to dev null