Dockerized Pi-Hole container without --net=host

Quick notes on Pi-Hole in a docker container. This thing is so good, I actually subscribed and gave them real money!
1) Download and run the container with a pull command.
a) docker pull pihole/pihole:4.1_armhf
b) the "docker run" command shown has a couple of differences from the official documentation.
Essentially the ports needed for DHCP can't work as documented, as far as I can work out. From what I understand, the clients broadcast a request on a network segment to get an IP address from the DHCP server. Unfortunately the docker containers are all, in effect, on a different segment from the host's physical interfaces, i.e. they will never hear the broadcast requests.
This is why many people use the --net=host setting. With this docker option the container is directly connected to the host's IP stack. The downside of doing that is it cuts off the possibility of other containers using those ports, which is not good on a router/firewall. The configuration here allows other containers, like a VPN client, an HTTP VPN proxy server, a VPN server etc., to run concurrently on the same Pi.
See below for a cure for the broadcast issue. For now, however, note that the container's port 67 is not "published", so as to free it up.
note: computers on the local LAN have been named so as to add them to the container's internal /etc/hosts file via docker's startup mechanism. In the --net=host scenario docker simply copies the host's entire /etc/hosts file into the container and uses that; without it, the --add-host entries are required.
note: Port 53 tcp is problematic if you intend to use dnscrypt. See the dnscrypt page for details.
#!/bin/bash
# Differences from the official documentation:
# - DNS (53) and the web UI (80/443) are published on the LAN address only,
#   not on 0.0.0.0, so they are not reachable through the other interfaces.
# - Port 67 (DHCP) is deliberately not published; dhcrelay on the host
#   relays client broadcasts into the container instead (steps 3 and 4).
# - --add-host entries are needed because without --net=host docker does
#   not copy the host's /etc/hosts into the container.
# - --net=host is intentionally not used (see notes above).
docker run -d \
-e ServerIP="192.168.0.254" \
-e ServerIPv6="" \
-p 192.168.0.254:53:53/tcp \
-p 192.168.0.254:53:53/udp \
-p 192.168.0.254:80:80 \
-p 192.168.0.254:443:443 \
-v /docker/pihole/data/pihole/:/etc/pihole/ \
-v /docker/pihole/data/dnsmasq.d/:/etc/dnsmasq.d/ \
--add-host printer:192.168.0.2 \
--add-host printer.localdomain:192.168.0.2 \
--add-host mac:192.168.0.3 \
--add-host mac.localdomain:192.168.0.3 \
--add-host eee:192.168.0.4 \
--add-host eee.localdomain:192.168.0.4 \
--add-host playstation:192.168.0.5 \
--add-host playstation.localdomain:192.168.0.5 \
--add-host rpi1panasonic:192.168.0.6 \
--add-host rpi1panasonic.localdomain:192.168.0.6 \
--add-host tvheadend:192.168.0.7 \
--add-host tvheadend.localdomain:192.168.0.7 \
--add-host registry:192.168.0.8 \
--add-host registry.localdomain:192.168.0.8 \
--add-host ps4:192.168.0.9 \
--add-host ps4.localdomain:192.168.0.9 \
--add-host san00:192.168.0.10 \
--add-host san00.localdomain:192.168.0.10 \
--add-host poweranalyzer:192.168.0.11 \
--add-host poweranalyzer.localdomain:192.168.0.11 \
--name pihole \
--restart unless-stopped \
--cap-add NET_ADMIN \
--dns 127.0.0.1 \
--dns 1.1.1.1 \
docker.io/pihole/pihole:latest
2) Enable the DHCP server in the container's Pi-Hole settings.
3) Install dhcrelay on the host with "dnf install dhcrelay". Note: all Pi machines here run Fedora, so RPMs should exist on CentOS, RHEL and derivatives.
4) It is essential to use the -id and -iu interface options in the dhcrelay setup. They tell dhcrelay to listen for client broadcasts on one interface (-id, the downstream LAN side) and relay them out of another (-iu, the upstream side towards the server in the container):
a) cp -a /lib/systemd/system/dhcrelay.service /etc/systemd/system/
b) vi /etc/systemd/system/dhcrelay.service
c) ExecStart=/usr/sbin/dhcrelay -d --no-pid -id eth0 -iu docker0 172.17.0.2
5) Change the dnsmasq options to include:
a) dhcp-option=option:dns-server,192.168.0.254
Without this, Pi-Hole adds the container's address (172.17.0.2) to the DHCP DNS-server list ahead of the host's address. This is bad since nobody on the LAN can reach 172.17.0.2, so clients time out before falling back to Pi-Hole's LAN DNS address (the host's interface - 192.168.0.254 in this case).
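The three pitfalls in steps 1, 4 and 5 (DNS bound to every interface instead of the LAN address, port 67 published, dhcrelay without -id/-iu, and the container address advertised as DNS server) are easy to check offline. The script below is an added example, not part of these notes; LAN_IP and the sample texts are assumptions constructed to match the setup above, and the functions can be pointed at the real run script, /etc/systemd/system/dhcrelay.service and /etc/dnsmasq.d/*.conf instead.

```shell
#!/bin/sh
# Added example (not from the notes above): offline sanity checks for the
# non --net=host Pi-Hole setup. LAN_IP and the sample texts are assumptions
# constructed to match the notes; feed the functions real file contents instead.
LAN_IP="192.168.0.254"

# check_ports "<docker run text>": every -p must bind to LAN_IP (a bare
# "-p 53:53" binds 0.0.0.0, i.e. also the eth1 WAN side, making an open
# resolver) and port 67 must not be published (dhcrelay delivers DHCP instead).
check_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v lan="$LAN_IP" '
        $0 == "-p" { want = 1; next }
        want { want = 0
               n = split($0, f, ":")          # HOSTIP:HOSTPORT:CTRPORT[/proto]
               if (n < 3 || f[1] != lan) bad = 1
               split(f[n], p, "/")
               if (p[1] == "67") bad = 1 }
        END { if (bad) exit 1 }'
}

# check_dhcrelay "<ExecStart line>": needs -id (listen side) and -iu (relay
# side) naming two different interfaces, plus a server address at the end.
check_dhcrelay() {
    down=$(printf '%s\n' "$1" | sed -n 's/.*-id \([^ ]*\).*/\1/p')
    up=$(printf '%s\n' "$1" | sed -n 's/.*-iu \([^ ]*\).*/\1/p')
    server=${1##* }
    [ -n "$down" ] && [ -n "$up" ] && [ "$down" != "$up" ] &&
        case "$server" in *.*.*.*) true ;; *) false ;; esac
}

# check_dns_option "<dnsmasq.d text>": the advertised DNS server must be the
# LAN address, not the unreachable container address (172.17.0.2).
check_dns_option() {
    printf '%s\n' "$1" | grep -q "^dhcp-option=option:dns-server,${LAN_IP}\$"
}

# Constructed samples: GOOD_RUN mirrors the run script above, BAD_RUN shows
# the two mistakes check_ports catches.
GOOD_RUN='docker run -d \
-p 192.168.0.254:53:53/tcp \
-p 192.168.0.254:53:53/udp \
-p 192.168.0.254:80:80 \
--cap-add NET_ADMIN pihole/pihole:latest'
BAD_RUN='docker run -d -p 53:53/udp -p 192.168.0.254:67:67/udp pihole/pihole:latest'
GOOD_RELAY='ExecStart=/usr/sbin/dhcrelay -d --no-pid -id eth0 -iu docker0 172.17.0.2'

check_ports "$GOOD_RUN"      && echo "run script: DNS/web bound to LAN only, 67 unpublished"
check_ports "$BAD_RUN"       || echo "bad run script: 53 on all interfaces or 67 published"
check_dhcrelay "$GOOD_RELAY" && echo "dhcrelay: -id/-iu set with a server address"
check_dns_option 'dhcp-option=option:dns-server,192.168.0.254' && echo "dnsmasq: LAN DNS advertised"
```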
System diagram

Computers on the docker0 network are docker container "Machine Images", while computers on eth0 are actual machines (most of the Pis also run docker with yet more containers). eth1 is a USB ethernet adaptor which provides the router/firewall hardware support.
Testing (from the Fedora desktop machine):
1) To release the lease address use: dhclient -v -r eno1
2) To renew a lease use: dhclient -v eno1
3) cat /etc/resolv.conf