Run Pi-hole as a container with Podman


There is arguably no better way to protect devices on your local network from unwanted content than Pi-hole. Add a machine running Pi-hole to your network, and it will quietly filter out pesky stuff like ads and trackers in the background by blocking their DNS lookups. As the name suggests, Pi-hole was initially designed to run on a Raspberry Pi. But if you already have a Linux server on your network, you can deploy a Pi-hole container on it instead. That's what I did when I replaced a QNAP NAS appliance with a ThinkPad T410 running Linux Mint. But instead of Docker, I chose to use Podman. Deploying Pi-hole on Linux Mint (and by extension, on any Ubuntu-based Linux distribution) requires a few steps, but it's not beyond the wit of man.

Start by installing Podman. On Ubuntu 20.10 or higher, this can be done using the sudo apt install podman command. Installing Podman on an earlier version is a matter of running the commands below:

. /etc/os-release
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key add -
sudo apt update
sudo apt upgrade
sudo apt install podman

A Pi-hole container needs ports 80 and 53. However, on Ubuntu-based Linux distributions, port 53 is occupied by the systemd-resolved service. To make the port available for use with Pi-hole, run the commands below.

sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
sudo systemctl restart systemd-resolved
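
The sed expression above only rewrites a DNSStubListener=yes line, so it is worth confirming that port 53 was really released before starting the container. The script below is an added example, not part of the original article: its function names and the sample configuration are constructed for illustration, and it reads a single resolved.conf-style file without considering drop-in files.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for port 53.

# Print the effective DNSStubListener value found in one resolved.conf-style
# file. A commented-out or missing key means the default "yes"; if the key is
# set more than once, the last assignment wins. Drop-in files are not read.
stub_listener_state() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*DNSStubListener[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t\r]/, "", v)
            state = tolower(v)
        }
        END { print (state == "" ? "yes" : state) }
    ' "$1"
}

# Succeed only when the stub listener is fully off. "udp" and "tcp" still
# bind port 53 for that protocol, so they count as not released.
stub_listener_disabled() {
    case "$(stub_listener_state "$1")" in
        no|false|0|off) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -H -lntup` output on stdin and print "proto address process" for
# every socket bound to port 53.
port53_listeners() {
    awk '$5 ~ /:53$/ { print $1, $5, $7 }'
}

# Constructed sample: a config that the sed command would leave untouched.
demo() {
    tmp=$(mktemp)
    printf '[Resolve]\n#DNS=\nDNSStubListener=udp\n' > "$tmp"
    echo "effective DNSStubListener: $(stub_listener_state "$tmp")"
    stub_listener_disabled "$tmp" || echo "port 53 is still held by systemd-resolved"
    rm -f "$tmp"
}
demo
```

On the real machine, run stub_listener_disabled /etc/systemd/resolved.conf and pipe sudo ss -H -lntup into port53_listeners; the second command should print nothing before the Pi-hole container is started.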

Then pull the Pi-hole image and start a container:

sudo podman run -d \
	--name=pihole \
	-e TZ=Europe/Berlin \
	-e WEBPASSWORD=password \
	-e SERVERIP=127.0.0.1 \
	-v pihole:/etc/pihole \
	-v dnsmasq:/etc/dnsmasq.d \
	-p 80:80 \
	-p 53:53/tcp \
	-p 53:53/udp \
	--restart=unless-stopped \
	pihole/pihole

Replace the example values of the TZ, WEBPASSWORD, and SERVERIP parameters with the correct timezone (see the timezone database), the desired password, and the IP of the Linux machine.

In most cases, you'd want the container to start automatically when the server starts and when you reboot it. One way to make it happen is to create a systemd service that automatically starts the container on boot. Use the sudo nano /etc/systemd/system/pihole.service command to create a system unit and open it for editing in the nano text editor. Specify the following configuration:

[Unit]
Description=Pi-hole Podman container
Wants=syslog.service
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a pihole
ExecStop=/usr/bin/podman stop -t 10 pihole
[Install]
WantedBy=multi-user.target

Save the changes, then enable and start the service:

sudo systemctl enable pihole.service
sudo systemctl start pihole.service

Reboot the machine, point the browser to http://127.0.0.1/admin (replace 127.0.0.1 with the IP address of the Linux machine running the Pi-hole container), and you should see Pi-hole's web interface. You can then log in using the specified password.

Finally, configure the router to use Pi-hole as a DNS server, and you're done.


© Dmitri Popov