Docker secrets has a couple of characteristics that may cause baffling
errors where configuration looks correct but the pihole container cannot
read the secret. The UID and GID of the secret file on the host must be
set to the same value used by the pihole process in the container
(typically 1000).
Signed-off-by: Bradley G Smith <[email protected]>
README.md: 10 additions & 1 deletion
@@ -144,7 +144,7 @@ If this variable is not detected and you have not already set one via `pihole se
144
144
| `FTLCONF_[SETTING]` | unset | As per documentation | Customize pihole.toml with settings described in the [API Documentation](https://docs.pi-hole.net/api).<br><br>Replace `.` with `_`, e.g for `dns.dnssec=true` use `FTLCONF_dns_dnssec: 'true'`.<br/>Array type configs should be delimited with `;`.|
145
145
| `PIHOLE_UID` | `1000` | Number | Overrides image's default pihole user id to match a host user id.<br/>**IMPORTANT**: id must not already be in use inside the container!|
146
146
| `PIHOLE_GID` | `1000` | Number | Overrides image's default pihole group id to match a host group id.<br/>**IMPORTANT**: id must not already be in use inside the container!|
147
-
| `WEBPASSWORD_FILE` | unset| `<Docker secret file>` | Set an Admin password using [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). If `FTLCONF_webserver_api_password` is set, `WEBPASSWORD_FILE` is ignored. If `FTLCONF_webserver_api_password` is empty, and `WEBPASSWORD_FILE` is set to a valid readable file, then `FTLCONF_webserver_api_password` will be set to the contents of `WEBPASSWORD_FILE`. |
147
+
| `WEBPASSWORD_FILE` | unset| `<Docker secret file>` | Set an Admin password using Docker secrets with [Swarm](https://docs.docker.com/engine/swarm/secrets/) or [Compose](https://docs.docker.com/compose/how-tos/use-secrets/). If `FTLCONF_webserver_api_password` is set, `WEBPASSWORD_FILE` is ignored. If `FTLCONF_webserver_api_password` is empty, and `WEBPASSWORD_FILE` is set to a valid readable file, then `FTLCONF_webserver_api_password` will be set to the contents of `WEBPASSWORD_FILE`. **IMPORTANT**: see Docker secrets in Tips and Tricks below.|
148
148
149
149
### Advanced Variables
150
150
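Review bot: the new `WEBPASSWORD_FILE` row points readers at "Docker secrets in Tips and Tricks below" as a plain phrase, while the same row already uses markdown links for Swarm and Compose; linking the phrase to the Tips and Tricks heading would keep the style consistent and make the pointer usable. More importantly, "a valid readable file" is the whole trap this commit is about: the file has to be readable by the `pihole` user, whose id is `PIHOLE_UID`/`PIHOLE_GID` from the rows just above. Stating that inline, e.g. "readable by the `pihole` user (see `PIHOLE_UID`)", would tell readers why the Tips note matters before they get there.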
@@ -182,6 +182,15 @@ Here is a rundown of other arguments for your docker-compose / docker run.
182
182
- **Note:** This only applies to web interface ports (80 and 443). DNS (53), DHCP (67), and NTP (123) ports must still be handled via Docker port mappings or host networking.
183
183
- Docker's default network mode `bridge` isolates the container from the host's network. This is a more secure setting, but requires setting the Pi-hole DNS option for _Interface listening behavior_ to "Listen on all interfaces, permit all origins".
184
184
- If you're using a Red Hat based distribution with an SELinux Enforcing policy, add `:z` to line with volumes.
185
+
- If using Docker Secrets to set the web admin password with a file, keep in mind that:
186
+
1. The secret file is mounted as a read-only volume in the container;
187
+
1. Permissions are set to user read-only;
188
+
1. The user and group ID (UID and GID) for the file on the Docker host are retained in the container. The UID and GID for the file **must** be identical to the Pi-Hole user (typically 1000) otherwise the `pihole` process cannot read the secret and a random password will be set. On the host do something like:
189
+
``` bash
190
+
# secret file is webpass.txt; default pihole UID of 1000 is used
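Review bot: item 2 says permissions are user read-only, but item 3 then requires both UID and GID to match; if the mode really is owner-only, the group id does not affect whether `pihole` can read the file, so either drop the GID requirement or say that the mount mode can differ (in which case the GID advice matters). Item 3 also hardcodes "typically 1000"; since `PIHOLE_UID`/`PIHOLE_GID` are documented as overridable, the bullet and the `chown` example should refer to those variables rather than a fixed number. Two smaller points: "Pi-Hole" here is spelled "Pi-hole" elsewhere in this section, and the fence should be written as ```` ```bash ```` (no space before the language) to match the other fences in the README and to render reliably.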