Error when trying to run pihole container on UDM SE #510
It seems that Ubiquiti has nerfed the ability to run containers via podman. The kernel seems to be compiled without the ability to leverage BPF syscalls.

```
root@UDMSE:/sys/fs/cgroup# zcat /proc/config.gz | grep -E 'CONFIG_BPF|CONFIG_FREEZER'
# CONFIG_BPF_SYSCALL is not set
CONFIG_FREEZER=y
# CONFIG_BPFILTER is not set
CONFIG_BPF_JIT=y
```
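A preflight check for the condition reported above, added here as example code (it is not part of the unifios-utilities project or any poster's tooling): it reads the same `/proc/config.gz`, detects the cgroup hierarchy version, and tells you ahead of time whether runc/crun's cgroup v2 device setup (the `bpf_prog_query(BPF_CGROUP_DEVICE)` call that fails in the issue body) can work on this kernel. The function names, the `--run` flag and the return codes are my own choices.

```sh
#!/bin/sh
# Added example, not code from the unifios-utilities project: preflight check
# for whether an OCI runtime (runc/crun) can apply cgroup device rules on this
# kernel. On cgroup v2 the devices controller is an eBPF program attached with
# BPF_CGROUP_DEVICE, which needs the bpf(2) syscall (CONFIG_BPF_SYSCALL=y).
# Function names, the "--run" flag and the return codes are my own choices.

# Return 0 if the kernel config file $1 enables the bpf(2) syscall.
bpf_syscall_enabled() {
    grep -qx 'CONFIG_BPF_SYSCALL=y' "$1"
}

# Print the BPF/cgroup-related options from config file $1.
# Disabled options appear in /proc/config.gz as "# CONFIG_X is not set".
report_bpf_config() {
    grep -E '^(# )?CONFIG_(BPF_SYSCALL|BPF_JIT|CGROUP_BPF|FREEZER)(=| )' "$1"
}

# Detect the cgroup hierarchy version mounted on the running host.
cgroup_version() {
    if [ "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" = "cgroup2fs" ]; then
        echo 2
    else
        echo 1
    fi
}

# Verdict for config file $1 and cgroup version $2.
# Returns 0 (podman can work), 1 (cgroup v2 and no bpf syscall: container
# creation fails with ENOSYS, as in this issue), 2 (no bpf syscall, but the
# cgroup v1 devices controller uses devices.allow rather than BPF, so the
# device setup step itself is not blocked).
podman_cgroup_verdict() {
    if bpf_syscall_enabled "$1"; then
        echo "ok: CONFIG_BPF_SYSCALL=y, BPF_CGROUP_DEVICE programs can be loaded"
        return 0
    fi
    if [ "$2" = "2" ]; then
        echo "blocked: cgroup v2 device controller needs bpf(2), kernel has it disabled"
        return 1
    fi
    echo "warn: bpf(2) disabled; cgroup v1 devices controller does not need it"
    return 2
}

# Live run on the device (needs CONFIG_IKCONFIG_PROC, which the UDM exposes).
main() {
    cfg=$(mktemp)
    zcat /proc/config.gz > "$cfg"
    report_bpf_config "$cfg"
    podman_cgroup_verdict "$cfg" "$(cgroup_version)"
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh preflight.sh --run` on the UDM before installing podman; an exit status of 1 means the runtime will hit the same ENOSYS regardless of which podman build, runtime (runc or crun) or seccomp profile you use, because the failing call is made by the kernel's cgroup v2 device controller path, not by a seccomp filter.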
yeah I have the kernel source and we can make our own, someone was trying with @fabianishere. @fabianishere any word?
@boostchicken Working on porting udm-kernel-tools to firmware v2.x/v3.x at the moment, but haven't had much time to test the changes.
BPF sysctl tweaks do not work on 2.4.X and 2.5.X for me either.
Well, it's clear now that podman/docker won't work without a custom kernel that enables CONFIG_BPF_SYSCALL, but it's easy enough to create a container yourself without podman by using systemd-nspawn and install whatever you want within it (e.g. pihole). The process is a bit more involved, but it's pretty easy. Basically, you just use debootstrap to create a directory under /data with a base Debian system (this directory is your container), then you can boot and log in to that container with systemd-nspawn or machinectl. After that, you can just install whatever you want in that container with apt-get or manually as on any Debian system (the container storage is persistent). This way your custom system changes don't affect the main Unifi system with regards to dependencies or conflicts with their files, and Unifi can't screw up your configuration with an update.

I've been running a Debian unstable container on UDMP 3.x, with pihole, nginx, dnsdist, and some other programs. Works really well. You can even use pacstrap instead of debootstrap to create and run an Arch Linux container, or create a Fedora, openSUSE, or other system container (examples). Also, the Debian base system is only like 300MB so the container size doesn't start off so high, but the container size can get to 1GB+ if you start installing a lot of large software (this applies to podman too, I guess).

Edit: Here's a guide I wrote on how to create and configure your own custom container on 3.x.
So I have not upgraded yet, but on 2.5.x overlayfs is working; I expect it will work on 3 as well. So the disk space issue is now fixed.

@peacey I am pretty sure I can get podman running on the UDMSE. See, BPF is used for security lockdown on syscalls. We are always root anyways so it doesn't matter. I am going to drop seccomp and apparmor from the UDMP-UDMSE build and edit configs accordingly and I think that will get you in business.

Also, the new podman builds come with crun, if you want to use it. It's much better on resources: uses less memory, and executes faster.

Also, netavark is built and in the latest zips as well. This is a replacement for CNI, which is now deprecated. It has cool things like macvlan DHCP working, but it's not zero effort to migrate your networks; the syntax of the files is quite different. I would move to netavark ASAP. It makes containers much, much faster and much less latent on the network. It is written in Rust instead of Go (much like crun). I also included the dhcp-client-proxy if anyone wants macvlan DHCP working.

I am not sure when I can move to 3. If someone would volunteer to test my new build for 3 with the mods above, I'll crank it out ASAP. That would be awesome.
New builds are running that I think should work on 3. seccomp.json removes permissions for the bpf syscall, there is an update to the registries, and CNI is gone, replaced by netavark. crun is also available if you want to use it. If my IPFS server is being garbage, use this link to get at the latest builds. Also, you should use this link just to check if the builds are done. Even when they are done, it doesn't mean they are on IPFS. However, they all have versioned names now to make it clear which one you are getting. https://github.com/unifi-utilities/unifios-utilities/actions
Sorry @boostchicken, I tried your new build and it still doesn't seem to work on 3.x. Still the same issue with the BPF syscall with your new build and config files. I tried both crun and runc and also with and without

With runc I get,

And with crun I get,

It seems

So I don't think this will work, unfortunately. Kernel is too locked down. But systemd-nspawn works well!
Just throwing this out there... There are other firewall vendors that embrace the community and actually give you instructions on how to run Pi-hole on their hardware. Why continue to try and fill the feature gaps that Ubiquiti continues to leave in their products when other products already have the features and they let you add your own stuff too? https://help.firewalla.com/hc/en-us/articles/360051625034-Guide-How-to-install-Pi-Hole-on-Gold-Purple-Beta-
@sprocktech I mean the whole point of a modding community is to mod the device. When someone comes here, they don't want to hear it can't be done. They want to hear how it can be done. For all of us that do like to use the UDM-series routers, it's nice to have this modding resource and community for all the extra bells and whistles. And the UDMP/SE is a very capable, relatively low-cost router with a quad-core CPU! It would be a shame to let it go to waste. IMO, with its Debian architecture, it makes it very easy to mod for a Linux sysadmin.
@peacey I'm with you. I'm just saying that Ubiquiti is not with you. Actually, they are against you, as you know already from these recent firmware changes. Frankly, I've never seen anything like it before. It's an uphill battle my friend, and I'd rather put my money and effort elsewhere.
I can see the point behind Ubiquiti's decision. If they have a large percentage of customer support calls that end up being due to people having modded their UDM without a real understanding of what they're doing and how to solve problems that might arise, it is tempting to close the gates in order to keep the customer support costs (and quality) manageable. It's still unfortunate, and I really love the fact that I don't have to run a Raspberry Pi on the side when the UDM can run the same software much more efficiently.
@peacey Thanks for the tip regarding nspawn; it actually seems a good fit for the UDMP/SE. But I have some questions I hope you can answer :-) In my case I've been testing Traefik using nspawn, and it works fine, either just using the traefik binary (you do need to have at least /usr/bin defined in the rootfs, otherwise nspawn won't start the "container") or using a complete rootfs (I tested using the busybox:musl image). But I cannot seem to figure out how to make macvlan work with nspawn. I'm using the same network setup as I used with podman (using the instructions found on this site).

When I start the container with

I need to figure out what to do inside the container to make things work. The information I can find on the Internet suggests also using systemd inside the container to configure the container network (which I do not want to do). I do not know what cni/ipam actually does when podman starts a container, but I'm guessing it simply adds the necessary routes and assigns an address to a virtual device, or am I missing something? Any help is appreciated :-)

UPDATE! If I add a default route inside the container it works, so all in all I do this inside the container

Then I can reach the other networks just fine :-) It should be easy from there to set up nameservers.
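The nspawn workflow peacey describes (debootstrap a Debian tree under /data, boot it with systemd-nspawn/machinectl) and the macvlan plumbing ljensen ended up doing by hand (address plus default route inside the guest), in one added setup script. This is example code written for this page, not peacey's guide or anything from the unifios-utilities repository. Assumed values: /data/containers as the persistent root, `pihole` as the container name, `br5` as the host bridge, 10.0.5.3/24 for the guest with gateway 10.0.5.1, Debian bookworm from deb.debian.org; the host needs `apt install systemd-container debootstrap` first.

```sh
#!/bin/sh
# Added example, not from the original thread or the unifios-utilities repo:
# build a Debian container under /data with debootstrap, run it with
# systemd-nspawn on a macvlan off a host bridge, and bring up the guest's
# address and default route (the step ljensen had to do by hand).
# Assumed values: /data/containers as the persistent root, "pihole" as the
# container name, br5 as the host bridge, 10.0.5.3/24 with gateway 10.0.5.1.
# Host needs "apt install systemd-container debootstrap" first.

CONTAINERS=/data/containers
SUITE=bookworm
MIRROR=http://deb.debian.org/debian

# Resolve a container name to its rootfs path; reject anything that could
# escape $CONTAINERS, since the path is later handed to debootstrap and ln.
container_root() {
    case "$1" in
        ''|*/*|.|..) echo "bad container name: $1" >&2; return 1 ;;
    esac
    echo "$CONTAINERS/$1"
}

# .nspawn settings for container $1 on a macvlan over host interface $2.
# systemd-nspawn names the guest side of the macvlan "mv-$2".
nspawn_unit() {
    cat <<EOF
[Exec]
Boot=on

[Network]
MACVLAN=$2
EOF
}

# Commands to run inside the guest: interface up, address, default route.
# $1 host interface, $2 guest address in CIDR form, $3 gateway.
guest_net_script() {
    printf 'ip link set %s up\n' "mv-$1"
    printf 'ip addr add %s dev %s\n' "$2" "mv-$1"
    printf 'ip route add default via %s dev %s\n' "$3" "mv-$1"
}

# One-time setup: debootstrap, register with machinectl, drop the net script.
create_container() {
    name=$1 bridge=$2 cidr=$3 gw=$4
    root=$(container_root "$name") || return 1
    if [ -e "$root" ]; then
        echo "$root already exists" >&2
        return 1
    fi
    debootstrap --arch=arm64 "$SUITE" "$root" "$MIRROR"   # UDM Pro/SE are arm64
    mkdir -p /etc/systemd/nspawn /var/lib/machines
    nspawn_unit "$name" "$bridge" > "/etc/systemd/nspawn/$name.nspawn"
    ln -sfn "$root" "/var/lib/machines/$name"             # lets machinectl find it
    guest_net_script "$bridge" "$cidr" "$gw" > "$root/usr/local/sbin/net-up.sh"
    chmod 755 "$root/usr/local/sbin/net-up.sh"
    systemd-nspawn -D "$root" passwd                      # set a root password
}

if [ "${1:-}" = "--create" ]; then
    shift
    create_container "$@"
fi
```

Usage: `sh nspawn-setup.sh --create pihole br5 10.0.5.3/24 10.0.5.1`, then `machinectl start pihole`, `machinectl login pihole`, and inside the guest run `/usr/local/sbin/net-up.sh` before installing pihole or adguard with apt. The guest interface is `mv-br5` because nspawn prefixes the host interface name with `mv-`; nothing in the guest needs systemd-networkd for this to work, which is the point of writing the three `ip` commands out explicitly. Everything the container writes stays under /data/containers/pihole, so a firmware update that replaces the root filesystem leaves it intact.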
Here's my guide on how to create and configure your own Debian container on 3.x and install some services in it. It goes over how to isolate the container with a macvlan network too and gives an example on how to install pihole or adguard home in the container. Hopefully it helps those who are unfamiliar with systemd-nspawn. Will eventually do a pull request to get this guide merged into this repository, but use that link for now.
What is bad about recent UDM firmware changes? |
Same here with version 3.x it doesn't work, got the same errors with the newest builds... |
@peacey, was trying the guide on UDM Pro with v2.5.17, and having this error thrown during install:

```
root@Home:~# apt -y install systemd-container debootstrap
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 systemd-container : Depends: systemd (= 232-25+deb9u14) but 241-5~bpo9+1 is to be installed
                     Recommends: btrfs-progs but it is not going to be installed or
                                 btrfs-tools
                     Recommends: libnss-mymachines but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
```

edit: nvm, the guide is for Unifi OS 3.x
@peacey I've spun up pihole in an nspawn container using your guide, but UDP traffic to the host seems to be broken. Inside the container DNS queries to the host time out:

On the host, tcpdump complains about bad UDP checksums:

... and TCP is no better...

Any ideas?
I'm having the same issue with DNS queries to host. Has this been resolved yet? |
When trying local and reverse lookups in pi.hole (10.0.5.3) I have the same problem. When I disable "Use Conditional Forwarding" the timeout problem disappeared with the disadvantage that local lookups fail. |
@rloomans - The checksums won't match as these NICs use network offloading. You can check using `ethtool --show-offload brXX`. Edit: On 3.1.9, I do not have these DNS issues either.
Everyone, if you're having issues with pihole via nspawn, please open your own separate issue and detail the problem. Trying to follow multiple conversations here makes things very confusing. FYI, on 3.1.9, the nspawn approach works fine for me. And I don't have issues with DNS resolutions. |
I too have successfully got the nspawn pi-hole working.

As it turns out, the solution appears to be to get dnsmasq to listen on the extra network interface: #550
@boostchicken sorry to jump in here, but how did you get overlayfs working on 2.5?
Describe the bug

When I follow the instructions for pihole I get the following error on step 5:

```sh
root@UDMSE:/data/podman/cni# podman run -d \
  --network dns \
  --restart always \
  --name pihole \
  -e TZ="America/Chicago" \
  --cap-add=NET_ADMIN \
  -v "/data/etc-pihole/:/etc/pihole/" \
  -v "/data/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" \
  --dns=127.0.0.1 \
  --dns=1.1.1.1 \
  --dns=8.8.8.8 \
  --hostname pi.hole \
  -e VIRTUAL_HOST="pi.hole" \
  -e PROXY_LOCATION="pi.hole" \
  -e FTLCONF_REPLY_ADDR4="10.0.0.5" \
  -e IPv6="False" \
  pihole/pihole:latest
```

```
Error: OCI runtime error: runc create failed: unable to start container process: error during container init: error setting cgroup config for procHooks process: bpf_prog_query(BPF_CGROUP_DEVICE) failed: function not implemented
```
UDM Information