PiHole on Docker and Kubernetes (I almost gave up)

Captions
So you're probably familiar with ad blockers. Things like AdBlock Plus or Ghostery can block tracking and ad targeting, and those work great on individual devices or browsers. But what if you could block all advertisements for your whole entire home, or your home network? Well, that's exactly what Pi-hole does. So today in this video we're gonna set up Pi-hole, and not the traditional way: we're not gonna install it on a Raspberry Pi or a physical machine or even a virtual machine, we're gonna install it using Docker and Kubernetes.

Hey, welcome back. So I'm Techno Tim, and today we're gonna talk about installing Pi-hole on Docker and then move on to Kubernetes. As a quick reminder, I stream every Tuesday, Thursday and Saturday, so if you want to continue the conversation there, we can.

So let's talk about Pi-hole. Pi-hole is a network-wide ad-blocking utility. It contains a list of known advertising sites, it's community maintained, open source, and takes very little in system requirements. You can install it on your own device, even something like a Raspberry Pi, and then use it as your DNS. Then you just point all your devices to that DNS and it will block access to those advertising sites, and so it becomes a black hole for advertising. So I know this is kind of a touchy topic, because the internet runs on advertisements and I get that, and I have no problem with sites showing advertisements, that's how they make revenue. But I do have a problem with privacy and malware. Some sites can deliver malware in the payload for the advertisement, and other sites are just flat-out tracking you, and while I believe that most sites are doing the right thing, I'd rather make that decision myself, and for my whole entire household.

So today I'm gonna show you how to set up Pi-hole with Docker, and then we're gonna move on to Kubernetes. I'll warn you now that this guide is pretty advanced and there are a lot of places things can go wrong. Believe me, yes, I actually started recording this video and I got to a point where I actually kind of gave up. I stopped recording, and for a couple of hours I tried to figure out how to get this to work in Kubernetes, because I already run this currently in my home on Docker, but I wanted to move to Kubernetes, and there are some really interesting challenges with Kubernetes and DNS along with Pi-hole. But like my other videos, I figured out all the hard stuff so that you don't have to. So with that out of the way, let's get started.

So first you're going to need a Linux Ubuntu server, and on that server you're gonna need to run Docker. If you just plan on doing this with Docker, it's pretty straightforward, but you'll need to make sure that you have Docker installed and running. So you want to SSH into your server. If you're using Proxmox you don't have to SSH in, you can use the console, but I'm going to use SSH. After you SSH in, you'll want to make sure Docker is actually working, so you want to run docker version and it should return something. If it doesn't, you'll need to get Docker installed, and that's pretty straightforward. Next, if you plan on doing this with Kubernetes: I use Kubernetes via Rancher, so you want to make sure that you have Kubernetes and Rancher installed. If you need help with that, I've got a guide on how to install Docker, Kubernetes and Rancher; it's everything you'll need to get started, and it only takes about 15 minutes to spin that up.

Then we'll want to look at the Pi-hole Docker image. If you go out to the GitHub page or Docker Hub, you'll see it there. We'll want to scroll down and look for the equivalent docker run script, and this will show us the Docker commands we need to get Pi-hole running. It's pretty straightforward, but it goes like this. So we're gonna run Docker as a daemon, we're gonna name it pihole, then we're gonna expose or publish some ports. So we're gonna expose 53 on the inside and on the outside using the TCP protocol. Next we're gonna do the same thing for UDP, so 53 and 53. Next we're gonna expose 80 and 80, so this is for the web UI (we're gonna change this, but you'll see that later), and next is exposing the web UI over SSL, 443 and 443. So then we get into environment variables. We see we have an environment variable of TZ and America/Chicago, so this is your timezone. And then we're gonna persist some volumes. So on the local machine we'll need a folder etc-pihole, and that's gonna map to the container's folder at /etc/pihole. Next we'll do the same thing for etc-dnsmasq.d, and we'll map that to the container's /etc/dnsmasq.d, so this will persist our config across reboots and container upgrades. Next we're gonna pass in a DNS flag. This helps when you're actually pulling down the Docker container, and this is where it gets kind of complicated, and where I ran into the problems last night. But we're gonna pass in a DNS argument of 127.0.0.1, which is localhost, and then they're passing in 1.1.1.1, which is Cloudflare, and that's your upstream DNS in case something goes wrong or when you're actually pulling down the image. Next we're passing in a hostname of pihole, which we're not going to use, and then they have some environment variables of virtual host (we won't use that), proxy location (we won't use that either), and server IP (we won't use that either). And then they're using the Docker image pihole/pihole with the tag of latest. So if we wanted to spin this up right now with Docker, we would actually paste this into our SSH terminal, we would tailor this command for our specific needs, and we would hit enter, and then Docker would pull down the image, it would spin up a new container, and we would be running Pi-hole. So the plain old Docker way is pretty straightforward. Again, you'll have to tweak this to your needs, but in a couple of minutes you could have Pi-hole running. But I'm gonna continue on and get Pi-hole running in Kubernetes with Rancher, and after that we'll focus on configuration and settings.

So before we do this in Kubernetes, here's where the problem was last night. The problem is that if we're using Pi-hole as our DNS, we temporarily don't have DNS to pull down the Docker image, and you might run into this too if you're running just Ubuntu, Docker and Pi-hole. So for a brief moment we can't resolve any DNS names, because our Docker container that's spinning up is becoming our DNS, and meanwhile our machine doesn't know how to resolve those names, so we can't pull down the Docker image from Docker Hub. So my first thought was to just go and make modifications to our resolv.conf, which is just pointing at itself, but this gets rewritten every single time dynamically, and so as the service is starting up on Pi-hole it's regenerating a new resolv.conf and wiping out any of my changes. So I figured it out, and here's how we fix it. And don't worry, all of these commands will be in the Discord server; there's a link in the description.

So the first thing we're going to do is update, and next we're gonna install something called resolvconf. Once that's installed, we can check the status of the service, and then we can start it, then we'll enable it for future use, then we can check again to make sure it started. So things look good here. Now we're going to edit a configuration file that they put there, and here we'll want to list our name server. So here you can list whatever your upstream DNS server is going to be. Some people use 8.8.8.8 for Google, some people use 1.1.1.1 for Cloudflare, but I use 9.9.9.9 for Quad9. Now I've used all three of these in the past and they all work fine, but you should do a little research on which DNS you want to use. Cloudflare and Quad9 provide a lot of security and privacy, but some more than others, so this is really going to be up to you on which one you choose. You're also free to use your ISP's, but for this example I'm gonna use Quad9. So let's save that, close out of there, let's restart the service, and now if we look at our /etc/resolv.conf we should see our name server that we put there. So again, a reminder: this is just to help with the very first time it starts up, when it needs to pull down a Docker image, or if for some reason the Pi-hole service or container stops working, and this is only providing DNS to this machine that Rancher and Kubernetes are running on. So let's close out of there, and for the sake of argument let's just make sure we can ping a couple of things, that DNS is working. So ping google.com, looks good.

Okay, so now that that's working, let's go into Rancher. Once we're in Rancher we'll go to Global, cluster, Default, and once we're in here we'll see all of our services. Now you can see the Plex service I set up last time is still running. So let's add a new service, click Deploy, and let's use that docker command as a reference while we build up this Kubernetes workload. So first we're gonna name it pihole. Next is the Docker image we're gonna use, that's right here, so it's pihole/pihole and the tag of latest. We're gonna keep the namespace default, and let's add some ports. So first we're gonna name this dns-tcp and that's 53, we're gonna keep that as TCP, and we're going to change this to HostPort and 53. Next we'll need to add the same thing for UDP, so it's dns-udp, 53, and we'll change this to UDP, and this is going to be HostPort, and that's 53 again. Then we'll expose the Pi-hole web console, so let's call this pihole-http, and that's 80, HostPort. So on the listening port we're gonna have to change this: Kubernetes, or rather Rancher, is listening on port 80, so we need to change this to something different, so let's just change it to 8001.

Next we're gonna need to set our environment variables. So let's set TZ here to our timezone, and this is America/Chicago; obviously you'll need to change this for your timezone. Next we'll set our DNS1, so this is our upstream DNS where Pi-hole is gonna go to resolve hostnames, and remember, before I used 9.9.9.9 for Quad9. Next we'll need to set DNS2, and that's the backup in case this one is down, and so Quad9's backup DNS is 149.112.112.112. If you're wondering how I'm getting these environment variables, they're all documented on Docker Hub. So next we're gonna set server IP. Now this is optional, but I usually set it, and this is gonna be the IP address of this Kubernetes instance, so it's 192.168.0.211. And those should be the only variables we need now.

So next we're gonna need to set up our volumes. These are really important so that we can persist our configuration between reboots and container upgrades. So let's add a volume. We're gonna use Bind-mount a directory from a node. Now you can change this to any of the other configurations, but I'm using this for the sake of simplicity. So if we look at the volumes we need to map, we actually need to map this etc-pihole folder, which we don't have on our server yet, as well as the etc-dnsmasq.d folder. So let's create those real quick. Back in our server we can see that we don't have this folder yet, so let's make a directory called pihole, cd into there, and nothing there. Okay, now that we have that folder we can actually bind-mount these. So the first one we'll name pihole-etc, and the path on the node is gonna be /home/technotim/pihole/etc-pihole, and the mount point is over here, so it's /etc/pihole. Okay, let's add another volume, same thing, bind-mount a directory from the node, and we'll name this pihole-dnsmasq. So the path on the node is going to be our home directory, that pihole folder, and then we'll grab this over here, and the mount point is right here, /etc/dnsmasq.d, so we'll put that there. So far so good.

Next we need to change our scaling/upgrade policy. Now for services like this that we don't normally scale, I usually pick this option: kill all pods and start new. So here's a couple of other advanced things that we might want to do. Click Show Advanced Options, go into Networking, and here we're gonna add a couple of DNS name servers. So this represents this flag right here, --dns. So this is a bug right here, I think, with Docker, Kubernetes, Ubuntu, or Pi-hole: this should set the DNS properly when it's spinning up so that we can actually pull down the image, but it's not, and we've already put a fix in place to make sure that that works, but I'm still gonna put this here in case they fix this in the future. So first we'll choose localhost, we'll add another one, and this is gonna be your upstream DNS, so if you're using Google or Cloudflare or Quad9 you'll put that here, so mine is 9.9.9.9. And now we should be able to spin up Pi-hole on Kubernetes. So let's click Launch, and let's go into here to see what's going on. So it's creating the container, and it's running, awesome. If you have a problem you'll want to look in Events, and this was a clue to me as to what was going on: I could see that when it was pulling down that Docker image, it couldn't resolve the Docker registry on Docker Hub. But we put that fix in place so none of that matters now; still, if you have problems you'll want to look in this Events section.

Okay, let's back out, and let's check out our Pi-hole server. It's up and running, and we click Login, and we don't know our password. Now there are two ways to solve this. One, we could have passed in the environment variable with our password, so we could have passed in WEBPASSWORD and then specified our password, but I didn't really want my password hanging out as an environment variable that you could see. So what Pi-hole does is automatically create a password for you and pipe it out in the logs. So let's look at the logs for this container: go into pihole, go into this pod, View Logs, and here's where my password is, right here, it's in the logs where it says setting password. So let's copy that, let's go to the console, paste it in, log in, and we're in. So now we want to change our password, and you might be thinking, okay, I can change it in the web UI. Well, you can't. Pi-hole provides a command line interface to change your password, and since it's running inside of a Docker container, we're actually going to have to go inside of the Docker container to do that. But with Rancher and Kubernetes that's really easy, so here's how you do it. Go back to Rancher, and we're gonna close this. Once you're into your pod, in this specific pod, we're gonna Execute Shell, and so really quickly we're inside of this Docker container. So if we do ls, we can see that this isn't our Linux server, this is that Docker container, and so the command we're gonna run to reset our password is pihole -a -p. Now it's gonna ask for a new password, so enter your password, enter it again, and now it's set. Now we don't have it hanging out in an environment variable where anyone can see it. So let's close out of here, let's go back to Pi-hole, let's actually log out and let's sign in. There we go.

Okay, so now that this is set up, Pi-hole is actually running, but the status is unknown. This is because it's not enabled yet. So before we enable it, let's do one thing: let's go into Tools and let's go to Update Gravity, and let's update our block list. Okay, so it looks like it's up to date. Now let's start it, and now we're active. Okay, so if you're experiencing this status being unknown and orange, well, here's how to fix it. It was actually super hard to track down, but that's why I do this, to do the hard stuff so that you don't have to. So once you're in Rancher we'll go to our pod, and then we can look at the logs. If we look at the logs we can see here "sudo: effective uid is not 0, is /usr/bin/sudo on..." yada yada yada. So this is basically saying that we don't have permissions to do something, basically to write out to our config. So we'll want to edit this deployment, so we'll go into Edit, and then we'll go to Show Advanced Options (this is really important), then we'll go to Security & Host Config, and right here we'll want to make sure that Privileged is No and Privilege Escalation is set to Yes, because Pi-hole uses escalation and tries to do stuff as sudo. So once we hit Save, we'll let this redeploy, we'll open it up and we'll look at the events. So it's scaling down, it's gonna remove it, and then it's gonna scale back up, create a new container, and it's running. So if we go back into the logs now, we shouldn't see that, and at the same time if we go back to Pi-hole this is active. So we should be able to sign in now, and now we can enable, disable, permanently disable, start/stop, all you'd like. So again, this is something that the Pi-hole team says they're working on and they're going to make better; however, this is how to get it working in Kubernetes with Rancher.

So let's test to see if our DNS is actually working. We'll test this from our Windows machine. We'll open up the network status, and we'll change options, and we'll go to our Ethernet or our network adapter, go to Properties, we'll go to IPv4, go to Properties, and let's change our DNS server to the one we just created, .211. Hit OK, hit OK, and now let's open up a new tab and let's go to google.com. So that's a good sign, Google resolved, and if we go in the Pi-hole console we see a query log, and right away we see DNS requests, and we see some are being blocked. So this is a good sign, this is working. So we have Pi-hole now working within Docker, within Kubernetes, on Rancher. This is really awesome. And here we can choose our allow list and we can choose our block list and tailor this to our needs. So one of the things that I usually do is actually go into my Tools, and I'll go into my Audit Log, and I'll see who's the most chatty. We can look at the list of these sites and determine if we should block them or we should allow them. So on the left are the ones that are currently allowed, and on the right are the ones that are currently blocked. So if we decided on adservice.google.com, we can whitelist it here, or if we decide that wwe.com should be blocked, we can block it here. So let's go back to the dashboard. We can see here that we're getting queries, that queries are being blocked, and that 11% are being blocked, and there are quite a few domains on the block list. Down here we can see the query types and the queries answered, and our top permitted domains and our top blocked domains, and our clients total and top clients blocked. Now most of our requests are going to come in from one client, and that's our Kubernetes cluster. The reason being is that we're not actually using this for DHCP. Now I purposely skipped over that, because we want our router or our network firewall to still handle DHCP. We know that Pi-hole can handle DHCP, but we don't want to do that.

Now I know what you're saying: this is great, and DNS is working on one of my machines, but I want it for my whole home, and this is where we'll set it. So if you remember from a previous guide, I helped you set up pfSense on top of Proxmox, so we virtualized our whole entire network appliance, and currently pfSense is resolving all DNS requests, which are actually being forwarded to my ISP. So here's how we change it in pfSense: go to Services, then we'll go down to DNS servers, and we'll put in the DNS server of our Pi-hole, it's 192.168.0.211, and so now when we hand out DHCP addresses it'll actually hand out this DNS server of our Pi-hole too. So let's save that. Okay, so let's try google.com again, so this looks like it's working. Let's refresh our queries, we see the google.com hit. Okay, let's go to our audit log, and let's say for instance we wanted to block google.com. We can add this to our block list, it's added, and if we refresh we can't even get there, so it actually thinks we don't have internet access, but we do: if we go to YouTube it works. So we can add some in here. I've added a couple like Twitter; if we wanted to block Twitter we can go to twitter.com, that doesn't respond, and if we were looking in the console and refresh it again we can see that this failed. And keep in mind there are lots of settings within Pi-hole that you can configure. My normal flow is: look at my query log, see if I need to block it, if I do I'll block it, and if something's getting blocked that I don't want blocked, I'll unblock it. You'll also want to make sure, too, that you update your block list regularly and that you keep your Pi-hole Docker container up to date. And please remember to use this responsibly; a lot of websites survive on advertisements and not all of them are bad.

So are you using Pi-hole at home? If so, let me know in the comments below. I hope you found this video helpful, and if you did, please give it a thumbs up and consider subscribing. And as a reminder, I stream every Tuesday, Thursday and Saturday, so if you have a question about this video or any of my other videos, hop in my stream, I'd love to have you. So thanks so much for watching, and till next time, stream on, my friends.
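The Rancher workload the video clicks together, written out as a Kubernetes Deployment manifest. This is an added example, not the video's or the Pi-hole project's own code; it assumes the node path /home/technotim/pihole, the node IP 192.168.0.211, Quad9 as upstream, and the environment variable names the video uses (TZ, DNS1, DNS2, ServerIP). The pod-level dnsConfig, the hostPort 8001 for the web UI, and the securityContext with privilege escalation allowed are the three settings the transcript found necessary.

```yaml
# Added example, not the video's own code: the Rancher workload from the transcript
# written as a Deployment. Assumed: node path /home/technotim/pihole, node IP
# 192.168.0.211, Quad9 upstream, and the env names used in the video.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pihole
  namespace: default
spec:
  replicas: 1
  strategy:
    type: Recreate          # "kill all pods and start new"; a DNS service is not scaled
  selector:
    matchLabels:
      app: pihole
  template:
    metadata:
      labels:
        app: pihole
    spec:
      # Pod DNS: itself first, upstream second, so names still resolve while Pi-hole starts
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
          - 127.0.0.1
          - 9.9.9.9
      containers:
        - name: pihole
          image: pihole/pihole:latest
          ports:
            - {name: dns-tcp, containerPort: 53, hostPort: 53, protocol: TCP}
            - {name: dns-udp, containerPort: 53, hostPort: 53, protocol: UDP}
            - {name: pihole-http, containerPort: 80, hostPort: 8001, protocol: TCP}  # 80 is Rancher's
          env:
            - {name: TZ, value: "America/Chicago"}
            - {name: DNS1, value: "9.9.9.9"}
            - {name: DNS2, value: "149.112.112.112"}
            - {name: ServerIP, value: "192.168.0.211"}
          securityContext:
            privileged: false
            allowPrivilegeEscalation: true   # Pi-hole's startup uses sudo; false gives "effective uid is not 0"
          volumeMounts:
            - name: pihole-etc
              mountPath: /etc/pihole
            - name: pihole-dnsmasq
              mountPath: /etc/dnsmasq.d
      volumes:
        - name: pihole-etc
          hostPath:
            path: /home/technotim/pihole/etc-pihole
            type: DirectoryOrCreate
        - name: pihole-dnsmasq
          hostPath:
            path: /home/technotim/pihole/etc-dnsmasq.d
            type: DirectoryOrCreate
```

Newer pihole/pihole images have renamed the DNS1, DNS2 and ServerIP variables, so check the image's current Docker Hub documentation before applying this.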
Info
Channel: Techno Tim
Views: 43,655
Keywords: ad blocker, pihole docker, docker container, pihole setup, docker pihole, pi-hole docker, pi hole, ad block, pi-hole install, raspberry pi, how to, pi-hole setup guide, pihole setup guide, ad blocking, pihole kubernetes, pi-hole kubernetes, pihole rancher, pi-hole rancher, can you install pihole on kubernetes, pihole k8s, pihole pfsense, pihole, containerize pihole, dockerize pihole, pihole docker image, raspberry pi ideas, raspberry pi projects, docker projects
Id: NRe2-vye3ik
Length: 21min 23sec (1283 seconds)
Published: Sat May 30 2020