A combination of Unbound and Pi-hole in a pair of docker containers communicating over a private network - for the Raspberry Pi. I run this on raspi 3B and 3B+ devices, though I imagine that it would work on a 4B as well.
Basically, I've followed the steps from Pi-hole Unbound Docker Setup on a Raspberry Pi:
- Install docker and docker-compose - this is not necessarily as easy as it seems.
- Clone this repository.
- Create the sub-directories pihole, dnsmasq.d, and unbound if they don't already exist.
- Adjust docker-compose.yml, and edit .env to suit your environment.
- You can then stepwise start up unbound and test it, then pihole and test it as in the url above - I often do docker-compose up without putting it into daemon mode so I can see the initial log output.
If you have not added yourself to the docker group with sudo usermod -aG docker ${USER}, you may need to add sudo to the docker commands below.
docker-compose up -d unbound
dig www.google.com @172.20.0.7 -p 5053
dig www.google.com @127.0.0.1 -p 5053
docker-compose up -d pihole
dig www.google.com @172.20.0.6 -p 53
dig www.google.com @127.0.0.1 -p 53
- Also access http://<raspi_ipaddr>/admin/index.php to configure pihole blocklist, etc.
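The four dig checks above can be scripted so that a timeout, a SERVFAIL and an empty answer are reported differently for each hop. This is an added example, not part of the original repository: the function names and sample outputs are constructed, and the addresses and ports are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: scripted form of the four dig checks in the steps above.
# Function names are hypothetical; addresses and ports are taken from this page.

# Constructed dig output for offline checks (not captured from a real run).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# classify: read dig output on stdin and print ok | fail:<RCODE> | no-reply.
# "ok" requires NOERROR and at least one record in the ANSWER section.
classify() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo "no-reply"
    elif [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]; then
        echo "ok"
    else
        echo "fail:$status"
    fi
}

# check <label> <server> <port>: query one resolver and report the result.
check() {
    result=$(dig +time=3 +tries=1 www.google.com "@$2" -p "$3" 2>/dev/null | classify)
    printf '%-20s %s:%s -> %s\n' "$1" "$2" "$3" "$result"
    [ "$result" = "ok" ]
}

run_checks() {
    rc=0
    check "unbound (container)" 172.20.0.7 5053 || rc=1
    check "unbound (host port)" 127.0.0.1 5053 || rc=1
    check "pihole (container)" 172.20.0.6 53 || rc=1
    check "pihole (host port)" 127.0.0.1 53 || rc=1
    return "$rc"
}

# Query the live containers only when asked, e.g. sh check-dns.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

If the container address answers but the host port does not, the fault is in the port mapping rather than in the resolver itself.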
If you run into the following error:
pihole | s6-svscan: warning: unable to iopause: Operation not permitted
pihole | s6-svscan: warning: executing into .s6-svscan/crash
pihole | s6-svscan crashed. Killing everything and exiting.
pihole | s6-supervise s6-linux-init-shutdownd: fatal: unable to iopause: Operation not permitted
pihole | s6-linux-init-hpr: fatal: unable to reboot(): Operation not permitted
You need to add the backported version of libseccomp2 in order for docker to start the pihole container; see Fix/Workaround - libseccomp2 and Alpine 3.13 - Installing Raspbian Docker 19.04+ on Raspberry Pi 4 Buster.
In short, the commands are:
# Get signing keys to verify the new packages, otherwise they will not install
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
# Add the Buster backport repository to apt sources.list
echo 'deb http://httpredir.debian.org/debian buster-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list.d/debian-backports.list
sudo apt update
sudo apt install libseccomp2 -t buster-backports
docker ps
docker inspect <container name, such as pihole or unbound>
docker logs pihole
docker pull pihole/pihole:latest
docker pull mvance/unbound-rpi:latest
docker stop pihole
docker stop unbound
docker rm pihole
docker rm unbound
docker-compose up -d unbound
docker-compose up -d pihole
You can still pull stats data into telegraf using the inputs.exec tool. The format looks like this:
[[inputs.exec]]
commands = ["/bin/sh -c \"docker exec unbound /opt/unbound/sbin/unbound-control stats | grep -v thread0 | sed 's/total\\.//'\""]
name_override = "unbound"
data_format = "logfmt"
data_type = "float"
interval = "10m"
You must also add telegraf to the docker group, like so: sudo usermod -aG docker telegraf