PiHole container does not start on UDMPSE

[fingerboxes]

I followed instructions pretty precisely, then had to fiddle a bit - honestly not sure what all I ended up needing to do. Had to modify the systemd unit file for udm-onboot to match #316

The behavior that I'm experiencing is that on boot (unclean reboot?) of the UDM, the container fails to start despite the on-boot script running.

root@centurion:~# systemctl status udm-boot
● udm-boot.service - Run On Startup UDM
   Loaded: loaded (/etc/systemd/system/udm-boot.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2022-01-28 19:18:32 CST; 33s ago
  Process: 1056 ExecStart=/bin/bash -c mkdir -p /mnt/data/on_boot.d && find -L /mnt/data/on_boot.d -mindepth 1 -maxdepth      CPU: 2.026s

Jan 28 19:18:31 centurion bash[1056]: Cannot find device "br2.mac"
Jan 28 19:18:31 centurion bash[1056]: grep: /run/dnsmasq.conf.d/custom.conf: No such file or directory
Jan 28 19:18:31 centurion bash[1056]: /mnt/data/on_boot.d/10-dns.sh: 66: /mnt/data/on_boot.d/10-dns.sh: cannot create /rJan 28 19:18:31 centurion bash[1056]: cat: /run/dnsmasq.pid: No such file or directory
Jan 28 19:18:31 centurion bash[1056]: /mnt/data/on_boot.d/10-dns.sh: 67: kill: Illegal number:
Jan 28 19:18:31 centurion bash[1056]: time="2022-01-28T19:18:31-06:00" level=error msg="Error tearing down partially creJan 28 19:18:31 centurion bash[1056]: Error: unable to start container "cad335eb3882c0dbb268a463164a84fa953aab945a550189Jan 28 19:18:32 centurion systemd[1]: udm-boot.service: Succeeded.
Jan 28 19:18:32 centurion systemd[1]: Started Run On Startup UDM.
Jan 28 19:18:32 centurion systemd[1]: udm-boot.service: Consumed 2.026s CPU time.

Manually starting the container, or manually restarting the systemd unit allows the container to start correctly.

[dadealus]

Im having the same issue, and from what I can tell when the 10-dns.sh is running not everything in the system is ready, like the /run/dnsmasq.conf.d isnt a valid path yet

[dadealus]

seems the /run/dnsmasq.conf.d/ directory is missing at that initial moment the startup script is ran, and I suspect other key components are also not ready yet. I suspect things are happening out of order than the script expects to be ready by the time its fired off on the UDMP-SE.

I by no means understand everything going on here but came to this bandaid by adding in some troubleshooting echos and narrowed it down to things missing at the time of run.

what I have done here is likely a bandaid job but ... I modified the 10-dns.sh after line 32 and inserted the following

while [ ! -d "/run/dnsmasq.conf.d/" ] do /bin/sleep 1 echo "/run/dnsmasq.conf.d/ does not exist yet" done

This tells the script to wait till this directory exists before moving forward

so my 10-dns now looks like

# container name; e.g. nextdns, pihole, adguardhome, etc.
CONTAINER=pihole

while [ ! -d "/run/dnsmasq.conf.d/" ] 
do
    /bin/sleep 1
    echo "/run/dnsmasq.conf.d/ does not exist yet"
done


if ! test -f /opt/cni/bin/macvlan; then
    echo "Error: CNI plugins not found. You can install it with the following command:" >&2
    echo "       curl -fsSLo /mnt/data/on_boot.d/05-install-cni-plugins.sh https://raw.githubusercontent.com/boostchicken/udm-utilities/master/cni-plugins/05-install-cni-plugins.sh && /bin/sh /mnt/data/on_boot.d/05-install-cni-plugins.sh" >&2
    exit 1
fi

[boostchicken]

so the dnsmasq stuff is there for allowing conditional forwarding, where does the UDMPSE keep it's dnsmasq confs?

[dadealus]

so the dnsmasq stuff is there for allowing conditional forwarding, where does the UDMPSE keep it's dnsmasq confs?

Its the same location /run/dnsmasq.conf.d/ ... but it seems when the script gets fired off at boot it doesn't exist yet. the UDMP-SE seems to regenerate that directory on boot. That's why I wrote that logic to monitor the path location, wait for it to exist, and then resume the script.

but now there is a new problem... my SE just updated to Unifi OS 2.3.14 last night and podman did not survive the upgrade. I'm hoping the startup scripts on boot portion survived. The answer might be to have a startup script at the front check/wait till all required locations like the dnsmasq.conf directory to exist. then kick off an initialization script to reinstall all our required bits like podman.

[maggarwal]

@dadealus I have following bash script which runs on boot to create symlinks so that podman can run after update.

#!/bin/bash

mkdir -p /usr/share/containers
mkdir -p /usr/libexec/podman
mkdir -p /etc/containers
mkdir -p /etc/containers/registries.conf.d

ln -sf /mnt/data/podman/usr/share/containers/seccomp.json /usr/share/containers/seccomp.json
ln -sf /mnt/data/podman/usr/libexec/podman/conmon /usr/libexec/podman/conmon
ln -sf /mnt/data/podman/usr/bin/runc /usr/bin/runc
ln -sf /mnt/data/podman/usr/bin/podman /usr/bin/podman
ln -sf /mnt/data/podman/etc/containers/containers.conf /etc/containers/containers.conf
ln -sf /mnt/data/podman/policy.json /etc/containers/policy.json
ln -sf /mnt/data/podman/storage.conf /etc/containers/storage.conf
ln -sf /mnt/data/podman/docker.conf /etc/containers/registries.conf.d/docker.conf

So, instead of installing podman, I just have symlinks to all the files which get recreated on boot.

Let me know if you need any help getting this working, I had my challanges getting pi-hole working on my UDMPSE but seems to be working smoothly now.

[amomchilov]

@maggarwal The artifact I downloaded from https://github.com/boostchicken-dev/udm-utilities/actions/runs/2014794526 only had a etc and usr folder in it. Where did you get policy.json, storage.conf and docker.conf from?

[maggarwal]

@amomchilov I just created them myself, following are each of them.

policy.json

{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}

storage.conf

# This file is is the configuration file for all tools
# that use the containers/storage library. The storage.conf file
# overrides all other storage.conf files. Container engines using the
# container/storage library do not inherit fields from other storage.conf
# files.
#
#  Note: The storage.conf file overrides other storage.conf files based on this precedence:
#      /usr/containers/storage.conf
#      /etc/containers/storage.conf
#      $HOME/.config/containers/storage.conf
#      $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "vfs"

# Temporary storage location
runroot = "/run/containers/storage"

# Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must
# ensure  the labeling matches the default locations labels with the
# following commands:
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
graphroot = "/var/lib/containers/storage"


# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
]

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = 0:1668442479:65536
# remap-gids = 0:1668442479:65536

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"

# Inodes is used to set a maximum inodes of the container image.
# inodes = ""

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
#mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev"

# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.
# size = ""

# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
#  "": No value specified.
#     All files/directories, get set with the permissions identified within the
#     image.
#  "private": it is equivalent to 0700.
#     All files/directories get set with 0700 permissions.  The owner has rwx
#     access to the files. No other users on the system can access the files.
#     This setting could be used with networked based homedirs.
#  "shared": it is equivalent to 0755.
#     The owner has rwx access to the files and everyone else can read, access
#     and execute them. This setting is useful for sharing containers storage
#     with other users.  For instance have a storage owned by root but shared
#     to rootless users as an additional store.
#     NOTE:  All files within the image are made readable and executable by any
#     user on the system. Even /etc/shadow within your image is now readable by
#     any user.
#
#   OCTAL: Users can experiment with other OCTAL Permissions.
#
#  Note: The force_mask Flag is an experimental feature, it could change in the
#  future.  When "force_mask" is set the original permission mask is stored in
#  the "user.containers.override_stat" xattr and the "mount_program" option must
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
#  extended attribute permissions to processes within containers rather then the
#  "force_mask"  permissions.
#
# force_mask = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

docker.conf

unqualified-search-registries=["docker.io"]