
Problem

I am trying to set up a local DNS server (pihole) inside a docker container on my debian 11 server in my home network with a static IPv6, such that I can point all lookups from my router to it.

What I have so far

  • As this is a home network, my router reconnects at certain intervals, which does not allow me to use the global IPv6 prefix.

  • docker service is running on my server

  • I'm using docker-compose, the compose file looks like this currently:

     version: "3"
    
     # More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
     services:
       pihole:
         container_name: pihole
         image: pihole/pihole:latest
         ports:
           - "53:53/tcp"
           - "53:53/udp"
           - "67:67/udp"
           - "80:80/tcp"
         environment:
           TZ: 'Europe/Berlin'
           # WEBPASSWORD: 'set a secure password here or it will be random'
           WEBPASSWORD: 'XXXXXXXXX'
         # Volumes store your data between container upgrades
         volumes:
           - type: bind
             source: ./etc-pihole/
             target: /etc/pihole/
           - type: bind
             source: ./etc-dnsmasq.d
             target: /etc/dnsmasq.d/
         # Recommended but not required (DHCP needs NET_ADMIN)
         #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
         cap_add:
           - NET_ADMIN
         # option not needed when used in combination with systemd
         # restart: unless-stopped
         networks:
           macvlan:
             ipv4_address: 10.10.1.51
             ipv6_address: fd00:0:0:1:50::51
    
    
     networks:
       macvlan:
         driver: macvlan
         enable_ipv6: true
         driver_opts:
           parent: enp7s0
         ipam:
           config:
             - subnet: 10.10.1.50/24
               gateway: 10.10.1.1
             - subnet: fd00:0:0:1:50::/80
               gateway: fd00:0:0:1:2e91:abff:fe91:baa0
    
  • The whole IPv4 setup is working, however I do not fully understand how to set up the macvlan, such that the dockered pihole can work as a DNS server in my home network.

  • The fd00:0:0:1:2e91:abff:fe91:baa0 is the local address of my router.

  • docker-compose up yields:

    failed to create network dc_pihole_macvlan: Error response from daemon: Invalid subnet fd00:0:0:1:50:/80 : invalid CIDR address: fd00:0:0:1:50:/80
    

Questions

  • Is what I am trying to do feasible at all?
  • Is this the correct setup for what I am trying to do?
  • How can I get the container to start?

Edits 1

  • After the suggested syntax fixes, the docker container starts. From a bash inside the container, I can ping my router at fd00:0:0:1:2e91:abff:fe91:baa0. I can also ping ipv6.google.com and it gets resolved to the correct IPv6, but strangely, only one of four packets is transmitted. Why? See attached output, where PROVIDER-PREFIX-RM is my (current) scope global prefix:

     root@c4ca40297eaa:/# ping ipv6.google.com -c 4
     PING ipv6.google.com(fra24s11-in-x0e.1e100.net (2a00:1450:4001:830::200e)) 56 data bytes
     From PROVIDER-PREFIX-RM:42:aff:fe0a:133 (PROVIDER-PREFIX-RM:42:aff:fe0a:133): icmp_seq=1 Destination unreachable: Address unreachable
     From PROVIDER-PREFIX-RM:42:aff:fe0a:133 (PROVIDER-PREFIX-RM:42:aff:fe0a:133): icmp_seq=2 Destination unreachable: Address unreachable
     From PROVIDER-PREFIX-RM:42:aff:fe0a:133 (PROVIDER-PREFIX-RM:42:aff:fe0a:133): icmp_seq=3 Destination unreachable: Address unreachable
     64 bytes from fra24s11-in-x0e.1e100.net (2a00:1450:4001:830::200e): icmp_seq=4 ttl=115 time=18.7 ms
    
     --- ipv6.google.com ping statistics ---
     4 packets transmitted, 1 received, +3 errors, 75% packet loss, time 95ms
     rtt min/avg/max/mdev = 18.738/18.738/18.738/0.000 ms, pipe 3
    
  • Addendum: Obviously I am new to this, so if you feel like suggesting a better numbering scheme, by all means, do.

marc
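A small pre-flight check of the ipam values from the compose file above, added here as an example (it is not part of the question, of Pi-hole or of Docker): it reproduces the "invalid CIDR address" the daemon reported for fd00:0:0:1:50:/80 and also tests whether each gateway and container address actually lies inside its subnet, using only the Python standard library.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IpamReport:
    errors: list = field(default_factory=list)    # values that cannot work as written
    warnings: list = field(default_factory=list)  # accepted, but worth a second look


def check_ipam(subnet: str, gateway: str, addresses: list) -> IpamReport:
    """Validate one ipam.config entry plus the container addresses assigned from it."""
    report = IpamReport()
    try:
        net = ipaddress.ip_network(subnet)
    except ValueError:
        # Either the CIDR is malformed (the daemon's "invalid CIDR address") or host
        # bits are set, as in 10.10.1.50/24; only the latter can be normalised.
        try:
            net = ipaddress.ip_network(subnet, strict=False)
            report.warnings.append(f"{subnet}: host bits set, the network is really {net}")
        except ValueError as exc:
            report.errors.append(f"{subnet}: invalid CIDR address ({exc})")
            return report

    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        report.errors.append(f"{gateway}: invalid gateway address ({exc})")
        return report
    if gw.version != net.version:
        report.errors.append(f"{gateway}: address family does not match {net}")
    elif gw not in net:
        report.errors.append(f"{gateway}: gateway is not inside subnet {net}")

    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            report.errors.append(f"{addr}: container address is not inside subnet {net}")
        elif ip == gw:
            report.errors.append(f"{addr}: container address collides with the gateway")
    return report


if __name__ == "__main__":
    # Constructed from the values in the compose file and the error message above
    cases = [
        ("fd00:0:0:1:50:/80", "fd00:0:0:1:2e91:abff:fe91:baa0", ["fd00:0:0:1:50::51"]),
        ("fd00:0:0:1:50::/80", "fd00:0:0:1:2e91:abff:fe91:baa0", ["fd00:0:0:1:50::51"]),
        ("10.10.1.50/24", "10.10.1.1", ["10.10.1.51"]),
    ]
    for subnet, gateway, addrs in cases:
        r = check_ipam(subnet, gateway, addrs)
        print(subnet, "->", r.errors or "ok", r.warnings)
```

Note that the router address fd00:0:0:1:2e91:abff:fe91:baa0 is not within fd00:0:0:1:50::/80, which is the mismatch one of the comments below points out.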
  • I don't use docker so my answer is less useful. You could use something like hurricane's IPv6 gw. Though this requires that your internet provider can give you a static IP address allocation. – Stefan Skoglund Jan 04 '22 at 18:52
  • Thanks for your input, but changing anything from the router onwards is absolutely not up for debate. – marc Jan 04 '22 at 19:14
  • I use a virtual bridge in my machine so that multiple qemu provided machines can get direct access to the network and also being reachable from outside. Another alternative is reserving one ethernet for the virtual machines so that they are reachable from the host. – Stefan Skoglund Jan 04 '22 at 19:56
  • Before I delve into further detail, it looks like you have a syntax error. fd00:0:0:1:50:/80 Should be fd00:0:0:1:50::/80 with a double :: – Philip Couling Jan 04 '22 at 21:13
  • @StefanSkoglund I thought in the docker world, this was exactly the purpose of a macvlan? Also, do you mean to reserve one extra physical interface for communication with the router network? If so, I'd like circumventing adding another ethernet adapter, and I only have one right now. – marc Jan 05 '22 at 00:10
  • @PhilipCouling Thanks for the info, I updated that and got a bit further. The question has been updated. – marc Jan 05 '22 at 00:11
  • If the host's interface is defined the usual way, and then that interface also used in the virtual machine's definition, neither the host or the virtual machine is visible to each other. One method of circumventing that trouble is reserving one interface for the virtual machines. The other one is to use a virtual bridge created by the host's OS. – Stefan Skoglund Jan 05 '22 at 01:33
  • I use the older tap-devices for the virtual machines connection. Those if the host and the virtual machine needs to reach each other, requires either hairpin-able switch/router or the usage of a virtual switch in the host. Separate vlan is one method. – Stefan Skoglund Jan 05 '22 at 01:44
  • Is it bind or dns-masq you are trying to use ? – Stefan Skoglund Jan 05 '22 at 01:45
  • Hurricane Electric delegates a whole /48 to users. Personally I split that into many /64. – Stefan Skoglund Jan 05 '22 at 01:53
  • I'm a bit surprised that the container can reach the switch.... The gw's network address is to my eyes different from the container's. fd00:0:0:1:2e91:: compared with fd00:0:0:1:50:: – Stefan Skoglund Jan 05 '22 at 02:01
  • @StefanSkoglund be very careful applying virtual machine logic to docker. It is not a virtual machine at all. – Philip Couling Jan 06 '22 at 22:24
  • @StefanSkoglund Sorry for the late reply, but in your comments there were so many new concepts for me and I had to read up on most of them. I still have not got it working the way I want, but it seems like a bridge aka "virtual switch" would actually be the route I need to take. From my revised understanding, every device which needs to connect to the internet needs to get a GUA from my provider-assigned (changing) subnet. To reach each device locally from my home network, I can DHCP some addresses on a LUA subnet and also manually assign the DNS and DHCPv6 LUA. Did I get this right? – marc Jan 13 '22 at 09:25
  • @PhilipCouling can I run a windows 95 machine in a docker image? – Stefan Skoglund Jan 13 '22 at 14:34
  • @PhilipCouling then i could test how to do connect a windows machine to the internet while doing so in docker (doing so with a true virtual machine like with qemu is less of usage to TS) – Stefan Skoglund Jan 13 '22 at 14:37
  • @StefanSkoglund not on a linux host machine, no: [you cannot run a windows docker image on a linux host](https://stackoverflow.com/a/42185265/453851). On linux, for linux containers, Docker is little more than a wrapper around [cgroups](https://en.wikipedia.org/wiki/Cgroups) and [namespaces](https://en.wikipedia.org/wiki/Linux_namespaces). You can even see the container's processes on the host machine with `ps -ef`. There are things like Docker Desktop which can install a Linux virtual machine to use as the docker host. But docker itself is not a virtual machine. – Philip Couling Jan 13 '22 at 14:49
  • @StefanSkoglund It might also be possible to run a virtual machine hypervisor inside a docker container. I've thought about how you'd set that up but then that's going way off topic for this question. – Philip Couling Jan 13 '22 at 15:02
  • Ok, then docker is like Solaris zones ie the docker image's processes is really run by the host's OS BUT the host's processes/services/daemons isn't directly visible to a 'ps ef' done in the docker image. – Stefan Skoglund Jan 13 '22 at 16:27
  • And which also means that the docker image will run the same version of debian as the real host does (the docker image uses the host's OS image) and which also means that it is sketchy running something which wants to modify the host's files from inside docker. – Stefan Skoglund Jan 13 '22 at 16:29
