
August 23, 2020

Docker Pi-hole on Odroid XU4 SBC

In my previous post, I explained why I loaded the Unifi controller into my Odroid XU4 SBC via Docker instead of natively within Ubuntu. The main reason for this was the issue with MongoDB >3.6 not playing nice on 32-bit armhf. Containerizing solves this issue as it is abstracted away from the underlying OS.

I was also running Pi-hole on my XU4, and I thought it'd be interesting to put this in a container as well.

The two issues I ran into were related to my previous Ubuntu native install of Pi-hole. Both port 53 and port 80 were already in use:

Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address already in use

Error starting userland proxy: listen tcp 0.0.0.0:80: bind: address already in use

For port 53, it turns out that systemd-resolved manages /etc/resolv.conf and had changed the nameserver to itself, 127.0.0.1. I simply modified this to point to a regular external DNS server. Then I disabled systemd-resolved so it doesn't modify the nameservers again.

For port 80, netstat -ltnp showed me lighttpd was using it. I never installed this webserver, so out of curiosity, systemctl status lighttpd gave me the conf file /etc/lighttpd/lighttpd.conf, which then showed the comment "Lighttpd config for Pi-hole". A simple removal of lighttpd solved the issue. 
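The same check can be done before deploying the stack. The script below is an added example, not part of the original post: it filters netstat -ltnup output for listeners on the host ports the stack publishes and names the owning process. The netstat lines in it are constructed sample data.

```shell
#!/bin/sh
# Added example: pre-flight check for host ports the Pi-hole stack publishes.
# Reads `netstat -ltnup` output on stdin and prints one line per conflict:
#   <proto>/<port> <pid/program>

# Host ports taken from the "ports:" list of the stack config.
STACK_PORTS="tcp/53 udp/53 udp/67 tcp/80 tcp/443"

find_port_conflicts() {
    awk -v wanted="$STACK_PORTS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            proto = substr($1, 1, 3)          # tcp6 -> tcp, udp6 -> udp
            port = $4                         # Local Address column
            sub(/.*:/, "", port)              # keep the text after the last colon
            owner = "-"                       # stays "-" when run without root
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { owner = $i; break }
            key = proto "/" port
            # Report each proto/port/owner once (IPv4 and IPv6 sockets collapse).
            if ((key in want) && !seen[key SUBSEP owner]++) print key, owner
        }'
}

# Constructed sample input, shaped like `netstat -ltnup` on a host that still
# has a native Pi-hole install (lighttpd) and systemd-resolved running.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      845/lighttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      845/lighttpd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           612/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient
EOF
}

# Demo on the sample; on a real host: sudo netstat -ltnup | find_port_conflicts
sample_netstat | find_port_conflicts
```

Empty output means none of the published ports is held by another process, so the container's port bindings should not fail with "address already in use".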

Pi-hole auto-generates the password for the login and prints it to the terminal, so it is not visible when deploying the container via the Portainer stack creation. To fix this, go to the container after it launches, open a console session, and run sudo pihole -a -p to set a new password.

Here are four helpful tips that I configure for my home network:

1. Block ads on Roku TV by blacklisting *.logs.roku.com 

2. Allow Xbox Live functionality by whitelisting mobile.pipe.aria.microsoft.com and vortex.data.microsoft.com

3. Use Cloudflare's family safe 1.1.1.3 and 1.0.0.3 for DNS forwarders inside Pi-hole

4. Stupidly, Google has decided to ignore DHCP DNS and hardcode itself as the DNS (8.8.8.8 & 8.8.4.4) on the Chromecast, which means no ad blocking. I fight back with static redirect routes in my USG to force Chromecasts to use my Pi-hole for DNS.

Destination 8.8.8.8/32 Next Hop <Pi-hole IP>

Destination 8.8.4.4/32 Next Hop <Pi-hole IP> 

Finally, below is my stack config that I modified from the Pi-hole site [1]. See my aforementioned post for details on Portainer installation and stack creation.

---
version: "2.1"
services:
  pi-hole:
    image: pihole/pihole:latest
    container_name: pi-hole
    environment:
      - PUID=1001
      - PGID=101
      - MEM_LIMIT=1024M #optional
    volumes:
      - /var/snap/docker/common/var-lib-docker/volumes/portainer_data/_data:/config
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 80:80
      - 443:443
    restart: unless-stopped

References:

[1] https://github.com/pi-hole/docker-pi-hole
