Error "attempt to write a readonly database" when adding adlist

[xhanrot]

This is a: Run Issue

Details

When I try to add any blocklist, a red popup shows in upper right corner with the following message, and the list isn't added :

Related Issues

• I have searched this repository/Pi-hole forums for existing issues and pull requests that look similar

#751
#610

How to reproduce the issue

Go to adlist group management page
Add a new adlist (https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt)
Click "Add" button

1. Environment data

• Operating System: Synology DSM
• Hardware: Synology
• Kernel Architecture: x86/amd64
• Docker Install Info and version:
  • Software source: OS provided package
  • Supplimentary Software: synology, portainer
• Hardware architecture: x86

2. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here
   
   

3. any additional info to help reproduce

These common fixes didn't work for my issue

• I have tried removing/destroying my container, and re-creating a new container
• I have tried fresh volume data by backing up and moving/removing the old volume data
• I have tried running the stock docker run example(s) in the readme (removing any customizations I added)
• I have tried a newer or older version of Docker Pi-hole (depending what version the issue started in for me)
• I have tried running without my volume data mounts to eliminate volumes as the cause

If the above debugging / fixes revealed any new information note it here.
Add any other debugging steps you've taken or theories on root cause that may help.

[chinmayb]

Observing the same issue.

This is the output from inside the container

docker exec -it pihole bash
root@pi:/#
root@pi:/# pihole -w test.google.com
  [i] Adding test.google.com to the whitelist...
  [✓] Reloading DNS lists
root@pi:/# cat /etc/sudoers.d/pihole
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Allows the WebUI to use Pi-hole commands
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
#
www-data ALL=NOPASSWD: /usr/local/bin/pihole
root@pi:/# ls -l /etc/pihole
total 27892
-rw-r--r-- 1 root   root         18 Jun  1 17:31 GitHubVersions
-rw-r--r-- 1 root   root          0 May 30 15:35 adlists.list
-rw-r--r-- 1 root   root          0 May 30 15:31 adlists.list.old
-rw-r--r-- 1 root   root         19 May 26 10:50 custom.list
-rw-r--r-- 1 pihole pihole      535 May 22 17:19 dhcp.leases
-rw-r--r-- 1 root   root        618 Jun  2 08:53 dns-servers.conf
-rw-rw-r-- 1 pihole pihole  6905856 Jun  5 12:26 gravity.db
-rw-r--r-- 1 root   root    1700355 May 30 04:49 list.1.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root         95 May 30 04:49 list.1.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root      43529 May 22 20:10 list.5.s3.amazonaws.com.domains
-rw-r--r-- 1 root   root         86 May 22 20:10 list.5.s3.amazonaws.com.domains.sha1
-rw-r--r-- 1 root   root     575634 May 30 04:49 list.7.v.firebog.net.domains
-rw-r--r-- 1 root   root         83 May 30 04:49 list.7.v.firebog.net.domains.sha1
-rw-r--r-- 1 root   root        100 May 30 04:49 local.list
-rw-r--r-- 1 root   root         20 Jun  5 12:20 localbranches
-rw-r--r-- 1 root   root         42 Jun  5 12:20 localversions
drwxr-xr-x 2 root   root       4096 May 15 22:58 migration_backup
-rw-r--r-- 1 pihole pihole       24 May 23 01:21 pihole-FTL.conf
-rw-r--r-- 1 root   root   19267584 Jun  5 12:27 pihole-FTL.db
-rw-r--r-- 1 root   root        692 Jun  5 12:17 setupVars.conf
-rw-r--r-- 1 root   root        692 Jun  2 08:53 setupVars.conf.update.bak

update: Downgraded the pi-hole docker image version to v5.7 instead of latest, its working fine now.

[dschaper]

Please don't use latest. It's a floating tag and you'll never really know what version you are using. Please always use a versioned tag, this is general advice for all docker images.

As for the thumbs up and the additional report: Are you all on Synology?

[hardwareadictos]

Same issue here trying to restore from teleporting:

root@Pihole-RPI02:/# tail -f /var/log/lighttpd/error.log
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): no such table: blacklist in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): no such table: regex_blacklist in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3Stmt::execute(): Unable to execute statement: attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 202
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): no such table: whitelist in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90
2021-06-23 13:05:03: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3::exec(): no such table: regex_whitelist in /var/www/html/admin/scripts/pi-hole/php/teleporter.php on line 90

Using docker on RPi4. Pi-hole v5.3.1 Web Interface v5.5 FTL v5.8.1

docker-compose file:

version: "3"

# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md

services:
  pihole:
    container_name: Pihole-01
    hostname: Pihole-RPI02
    image: pihole/pihole:v5.8.1
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "81:80/tcp"
    environment:
      TZ: 'Europe/Madrid'
      PUID: 1000
      PGID: 1000
      # WEBPASSWORD: 'set a secure password here or it will be random'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      # run `touch ./var-log/pihole.log` first unless you like errors
      # - './var-log/pihole.log:/var/log/pihole.log'
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Front GUI reports -2 as domains on blocklist:

Saw some pihole-FTL.conf permission issues:

drwxr-xr-x 3  999 spi  4,0K jun 23 14:50 ./
drwxr-xr-x 4 root root 4,0K jun 23 14:49 ../
-rw-r--r-- 1 root root   65 jun 23 14:39 adlists.list
-rw-r--r-- 1 root root    0 jun 23 14:36 custom.list
-rw-r--r-- 1 root root  618 jun 23 14:49 dns-servers.conf
-rw-r--r-- 1 root root  96K jun 23 14:50 gravity.db
-rw-r--r-- 1 root root   20 jun 23 14:49 localbranches
-rw-r--r-- 1 root root   42 jun 23 14:49 localversions
drwxr-xr-x 2 root root 4,0K jun 23 14:36 migration_backup/
-rw-r--r-- 1  999 spi     0 jun 23 14:36 pihole-FTL.conf   <----------------------------------------- !!!!!
-rw-r--r-- 1 root root 128K jun 23 14:50 pihole-FTL.db
-rw-r--r-- 1 root root  254 jun 23 14:50 setupVars.conf
-rw-r--r-- 1 root root  232 jun 23 14:49 setupVars.conf.update.bak

This sympthom is also reported on #610

[mike-lloyd03]

I am having these same issues. Has anyone had any luck?

[jeff47]

Please don't use latest. It's a floating tag and you'll never really know what version you are using. Please always use a versioned tag, this is general advice for all docker images.

As for the thumbs up and the additional report: Are you all on Synology?

The advice against "latest" seems inconsistent with the guidance on Github for this package...

pihole/pihole:latest   
This version of the docker aims to be as close to a standard Pi-hole installation by using the recommended base OS and
 the exact configs and scripts (minimally modified to get them working). This enables fast updating when an update comes 
from Pi-hole.
``

[jeff47]

Same issues using Pihole docker on RPi (buster). Have deleted the Docker images and volumes and pulled from fresh, same error when attempting anything. Can't write to database in any of the operations I've attempted: whitelist, adlist, groups, etc. I also have the odd "Domains on blocklist: -2" on the dashboard.

I have tried pihole/pihole:lasest and pihole/pihole:v5.8.1-buster. I deleted the docker images and the mounted volumes and let them be recreated, same issue permissions issue.

What is strange is that I did have pihole working in docker before, but then migrated to a SSD instead of the SDcard as my boot partition. I've had trouble ever since.

2021-08-02 11:29:44: (server.c.1464) server started (lighttpd/1.4.53) 
2021-08-02 11:29:44: (gw_backend.c.476) unlink /var/run/lighttpd/php.socket-0 after connect failed: Connection refused 
2021-08-02 11:30:17: (mod_fastcgi.c.421) FastCGI-stderr: PHP Warning:  SQLite3Stmt::execute(): Unable to execute statement: attempt to write a readonly database in /var/www/html/admin/scripts/pi-hole/php/groups.php on line 90

Could the "readonly database" error be caused by the connection refused error on the php socket?

[ANFADEV]

have you tried updating the gravity lists from the ui (adress/admin/gravity.php) ?

it worked for me: #751 (comment)

[mike-lloyd03]

Updating Gravity from the web UI just hangs. Updating Gravity with docker exec returns:

[✗] DNS resolution is currently unavailable

[asyba]

any news? I got the same issue on fresh install RPI4 , I change from latest to v5.8.1 but same error.
"While executing: attempt to write a readonly database"

[asyba]

any news? I got the same issue on fresh install RPI4 , I change from latest to v5.8.1 but same error.
"While executing: attempt to write a readonly database"

going back to v5.7 , works

[danteali]

Having the same issue. Ended up adding this to my container startup script to resolve:
docker exec pihole chown -R www-data:pihole /etc/pihole

I've no idea what root cause is since I can run pihole without any mounted volumes and everything works fine but when I mount volumes it has the permission issues. Even though /etc/pihole/* looks identical from an ownership/group/permission perspective with or without mounted volumes.

[jeff47]

I had the group permissions wrong on the pihole directory, which seemed to fix it.

[nobbylark]

I had the group permissions wrong on the pihole directory, which seemed to fix it.

How did you fix?

[pbarone]

Having the same issue. Ended up adding this to my container startup script to resolve: docker exec pihole chown -R www-data:pihole /etc/pihole

I've no idea what root cause is since I can run pihole without any mounted volumes and everything works fine but when I mount volumes it has the permission issues. Even though /etc/pihole/* looks identical from an ownership/group/permission perspective with or without mounted volumes.

This seems to do the trick for me as well... looks like for whatever reason permissions on the /etc/pihole directory are wrong

[tamis-laan]

Why has this not yet been fixed? Devs working on other things?

[pagesix1536]

Why has this not yet been fixed? Devs working on other things?

Show stopping issue is still around and not fixed. Strange for sure. I just ran into the issue here running from a container under Docker Swarm cluster. I'm going to revert back to a previous tag and see what happens. Looks like the container tags have changed from being version numbers to year.month naming now. Not sure where exactly in the progression this broke, but folks above state 5.7 version is the working one.

[PromoFaux]

Why has this not yet been fixed? Devs working on other things?

To be honest, I hadn't even seen this issue thread. Reading through some of the responses, and at least some of the latter ones:

looks like for whatever reason permissions on the /etc/pihole directory are wrong

This is the reason.

Looking over the release notes for :v5.8, (https://github.com/pi-hole/docker-pi-hole/releases/tag/v5.8) I can't see anything there (also followed the release notes for the internal Pi-hole components) that changed since :v5.7 that would cause this to be an issue.

I don't see this on either my :dev instance, or :latest instance that I have running here - so it is difficult to debug if it I cannot reproduce it.

Container tag version changes explained in 2021.09 release notes.

[aperullo]

Looking over the release notes for :v5.8, (https://github.com/pi-hole/docker-pi-hole/releases/tag/v5.8) I can't see anything there (also followed the release notes for the internal Pi-hole components) that changed since :v5.7 that would cause this to be an issue.

I don't see this on either my :dev instance, or :latest instance that I have running here - so it is difficult to debug if it I cannot reproduce it.

Just going down the rabbit hole myself on this one. Its not a new issue so its no surprise you didn't see anything in the latest release notes that might affect it. Here's a few of the related threads if that helps: one, two, three, four, five. Some of them are from 2020, way before 5.7.

It clearly has something to do with the persistent volumes recommended in the docker-compose quick start because when I remove them, the issue goes away. Adding them back makes this issue occur like clockwork.

I can get the error to happen pretty reliably on a raspberry pi 400.
So starting from scratch. My docker-compose is

version: '3'
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "90:80/tcp"
    environment:
      TZ: 'America/Chicago'
    volumes:
      - './pihole/etc-pihole/:/etc/pihole/'
      - './pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # fix slow web ui
    ulimits:
      nofile:
        soft: 1024
        hard: 4096

> docker-compose up -d`
> docker exec -it pihole /bin/bash
root@73a511eaca4:/# pihole -a -p
Enter New Password (Blank for no password): 
Password Removed

Log in to web ui. Go to blacklist and try to add "github.com"

Error, something went wrong!
While executing INSERT OT IGNORE: attempt to write a readonly database.

docker exec back into pihole.

>ls -al /etc/dnsmasq.d

drwxr-xr-x 2 root root 4096 Dec  9 17:28 .
drwxr-xr-x 1 root root 4096 Dec  9 17:28 ..
-rw-r--r-- 1 root root 1339 Dec  9 17:28 01-pihole.conf
-rw-r--r-- 1 root root 2119 Dec  9 17:28 06-rfc6761.con

>ls -al /etc/pihole

drwxr-xr-x 3 pihole pihole  4096 Dec  9 17:41 .
drwxr-xr-x 1 root   root    4096 Dec  9 17:36 ..
-rw-r--r-- 1 root   root      15 Dec  9 17:36 GitHubVersions
-rw-r--r-- 1 root   root      65 Dec  9 17:36 adlists.list
-rw-r--r-- 1 root   root       0 Dec  9 17:28 custom.list
-rw-r--r-- 1 root   root     651 Dec  9 17:36 dns-servers.conf
-rw-r--r-- 1 root   root   94208 Dec  9 17:28 gravity.db
-rw-r--r-- 1 root   root      20 Dec  9 17:40 localbranches
-rw-r--r-- 1 root   root      37 Dec  9 17:40 localversions
drwxr-xr-x 2 root   root    4096 Dec  9 17:28 migration_backup
-rw-r--r-- 1 pihole pihole    20 Dec  9 17:36 pihole-FTL.conf
-rw-rw-r-- 1 root   root   90112 Dec  9 17:41 pihole-FTL.db
-rw-r--r-- 1 root   root     169 Dec  9 17:37 setupVars.conf
-rw-r--r-- 1 root   root     169 Dec  9 17:36 setupVars.conf.update.bak

Neither of pihole and pihole-ftl logs move when I attempt to add to the blacklist.

If I apply the chown var-www:pihole etc/pi-hole fix inside the container it begins to work. Permissions are reverted to the above after a docker-compose stop && up.

The container's logs themselves also bear nothing particularly of interest:

s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Assigning random password: Y87GsM3Q
  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Existing DNS servers detected in setupVars.conf. Leaving them alone
DNSMasq binding to default interface: eth0
...
...
 ::: Docker start setup complete
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
  Pi-hole version is v5.6 (Latest: v5.6)
  AdminLTE version is v5.8 (Latest: v5.8)
  FTL version is v5.11 (Latest: v5.11)
  Container tag is: 2021.11
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting pihole-FTL (no-daemon) as root
Starting lighttpd
Starting crond
[services.d] done.

I don't know if I've brought anything new to the table but this is what I'm able to provide in terms of recreation so far.

[aperullo]

For those who stumble across this and are just looking for an automatic fix that works right now, I added the manual chown fix to the startup script. Here is what I'm doing:

My docker-compose.yml looks like this

version: '3'
services:
  pihole:
    container_name: pihole
    build: ./pihole
    ...
    volumes:
      - 'pihole/etc-pihole/:/etc/pihole/'
      - 'pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'

Inside the ./pihole folder create a file called start.sh and paste the contents from the official repo's start.sh into it. On the last line add the following and save it.

chown -R www-data:pihole /etc/pihole
echo " ::: applied permissions fix"

Inside the ./pihole folder create a file called Dockerfile and add these contents

FROM pihole/pihole:latest
COPY ./start.sh /

Now do docker-compose build and docker-compose up -d. Once the container starts docker logs pihole will show the fix log some 10-ish lines up

...
 ::: applied permissions fix
...

Since this clearly isn't the correct solution I won't be submitting this as a PR; the correct one probably involves s6-init or lighthttd which I don't know enough about it. But your pihole should work without manual intervention until either the official start.sh is updated or the issue is fixed.

[danteali]

Thanks @aperullo.

Appreciate the suggestion. This should fix it temporarily and feels like a reasonable workaround.

However, I think you might still run into issues. In my circumstances (noted here), even if I fix at container startup, the permissions are somehow reverted while the container is running if Gravity is updated.

[PromoFaux]

Are these all mounted volumes? Is it something that the host machine is doing? I've seen a couple of people mention synology above

[klutchell]

This is happening for me with docker volumes, not bind mounts.

[danteali]

I'm on a vanilla Ubuntu LTS server (can't recall exact version now). Volumes are just mounted on basic ext4 formatted disks.
No permission issues when I don't mount volumes. Issue occurs for me when I mount the volumes.

No similar issues with the 30+ other containers I have running.

Weird thing is that ALL folder and file ownership/permissions are identical when I log into the container whether I have the volumes mounted or not. So feels strange that mounting the volumes is causing a problem.

Also, pretty sure these issues are describing the same thing:
#751 , #610 , #943 (closed)

[PromoFaux]

I'm still not able to reproduce this locally, and I am still struggling to see what could be doing this. Some thinking out loud:

• Is it something in the way docker handles things?
• Is it the gravity script that's causing this?
• Does the cli tools work? e.g pihole -g/pihole -w /pihole -b, is it just using the web interface that is facing issues?
• Is it, in fact, pihole-FTL that is affecting things? (@DL6ER - any help here would be appreciated)
• Is it an issue with our documentation? Are we advising things be set up in a "wrong" way? (Note on this - I'd really like to get the documentation sorted out and ported over to docs.pi-hole.net, and away from the README.md here - it's just finding the time (and energy) to sit down and do it.

Clearly this is a real issue, as so many are reporting it -and I'd like to get to the bottom of what is causing it so that we can reliably troubleshoot in the future

(Working) Permissions for /etc/pihole in my container:

root@pihole-docker:/# ls -lah /etc/pihole/
total 282M
drwxrwxr-x 3 pihole pihole 4.0K Dec 11 13:46 .
drwxr-xr-x 1 root   root   4.0K Dec 11 11:40 ..
-rw-r--r-- 1 root   root     15 Dec 11 11:41 GitHubVersions
-rw-r--r-- 1 root   root     65 Nov  1 17:48 adlists.list
-rw-r--r-- 1 root   root    291 Nov  6 15:07 custom.list
-rw-r--r-- 1 root   root    651 Dec 11 11:40 dns-servers.conf
-rw-rw-r-- 1 pihole pihole  33M Dec 11 11:41 gravity.db
-rw-rw-r-- 1 pihole pihole  33M Dec  9 17:16 gravity_old.db
-rw-r--r-- 1 root   root   2.0M Dec  9 17:16 list.1.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root     95 Dec  9 17:16 list.1.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root   9.9M Dec  9 17:16 list.2.www.github.developerdan.com.domains
-rw-r--r-- 1 root   root     97 Dec  9 17:16 list.2.www.github.developerdan.com.domains.sha1
-rw-r--r-- 1 root   root   4.4K Dec  9 17:16 list.3.raw.githubusercontent.com.domains
-rw-r--r-- 1 root   root     95 Nov  7 03:15 list.3.raw.githubusercontent.com.domains.sha1
-rw-r--r-- 1 root   root     65 Dec  9 17:16 local.list
-rw-r--r-- 1 root   root     29 Dec 11 13:40 localbranches
-rw-r--r-- 1 root   root     46 Dec 11 13:40 localversions
drwxr-xr-x 2 root   root   4.0K Nov  1 17:27 migration_backup
-rw-r--r-- 1 pihole pihole   26 Dec 11 11:40 pihole-FTL.conf
-rw-rw-r-- 1 root   root   204M Dec 11 13:46 pihole-FTL.db
-rw-r--r-- 1 root   root    721 Dec 11 11:40 setupVars.conf
-rw-r--r-- 1 root   root    721 Dec 11 11:40 setupVars.conf.update.bak

And my compose file, for good measure

version: '3.3'
services:

  pihole:
    container_name: pihole
    hostname: pihole-docker
    depends_on:
      - unbound
    image: pihole/pihole:nightly
    environment:
      TZ: Europe/London
      ServerIP: 192.168.1.253
      REV_SERVER: 'true'
      REV_SERVER_DOMAIN: lan
      REV_SERVER_TARGET: 192.168.0.1
      REV_SERVER_CIDR: 192.168.0.0/16
      SKIPGRAVITYONBOOT: 1
      PIHOLE_DNS_: 192.168.1.254#5053
    volumes:
      - ./configs/pihole/:/etc/pihole/
      - ./configs/dnsmasq.d:/etc/dnsmasq.d/
    cap_add:
      - NET_ADMIN
      - SYS_NICE
    mac_address: d0:ca:ab:cd:ef:fe
    dns:
     - 8.8.8.8
    networks:
      home:
        ipv4_address: 192.168.1.253
    restart: always
    labels:
      - traefik.enable=true
      - traefik.docker.network=home
  ##### tcp
    ### services
      # backend port
      - traefik.tcp.services.svc_PiholeDns.loadbalancer.server.port=53
    ### routers
      # DoT forward
      - traefik.tcp.routers.rou_PiholeDot.entrypoints=dot
      - traefik.tcp.routers.rou_PiholeDot.rule=HostSNI(`[mydomainforDOT]`)
      - traefik.tcp.routers.rou_PiholeDot.tls=true
      - traefik.tcp.routers.rou_PiholeDot.tls.certresolver=zerossl
      - traefik.tcp.routers.rou_PiholeDot.tls.options=default
      - traefik.tcp.routers.rou_PiholeDot.service=svc_PiholeDns

  unbound:
    container_name: unbound
    image: klutchell/unbound
    hostname: unbound-docker
    # volumes:
    #   - ./unbound/:/etc/unbound
    mac_address: d0:ca:ab:cd:ef:ff
    networks:
      home:
        ipv4_address: 192.168.1.254


networks:
  home:
    external: true

[PromoFaux]

Tagging in some more top minds here: @diginc , @lightswitch05

[barry-luijten]

I'm not sure if this particular problem was actually ever solved, but it is still occurring in my Docker Swarm deployment, with image tag 2022.04.3 (PiHole 5.10).
I believe the root cause of this problem lies within the fact that group ownership inside the container does not have any meaning to the host OS (the OS hosting the persistent volume). In other words, if the www-data user is a member of the pihole group inside the container, but the host user with the same uid is not a member of the host group with gid 999, it does not have write access to a file that is owned by pihole:pihole (999:999) with chmod 644.
I noticed the security settings on the gravity.db file in the /etc/pihole directory are automatically reset while starting the container, but also during operations. chown www-data:pihole /etc/pihole/gravity.db therefore only works for a limited time. I found multiple scripts responsible for doing this, like /start.sh and /etc/services.d/pihole-FTL/run, but there are probably others too, because I tried to replace these files with modified versions and the acls on the file kept being reset to pihole:pihole. Annoying. I'm almost up to the point to schedule a cron job (there is a cron daemon active in the container) to re-reset the acl to www-data:pihole, but I hope there will be a cleaner solution.

Update:
The solution 2 of @danteali (setting environment var WEB_GID=999) works for me and is the most elegant for now.

[mkleef]

Agreed. There seems to be significant issues with anything but local storage for the gravity.db. I'm trying to use this on Azure. Just tested again and same issue. Basically if it's using local storage, not a problem. The moment I map the storage (NFS) it all falls over. [✗] Unable to create new database /etc/pihole/gravity.db_temp Runtime error near line 191: database is locked (5) And permissions are: *** [ DIAGNOSING ]: Gravity Database -rwxrwxrwx 1 root root 0 Jan 11 19:38 /etc/pihole/gravity.db lightttpd also seems to have some major issues, suspecting permissions relating to NFS mapping. Is there any work planned to address? If not, I'll try to move this local. But I'd REALLY like this to be in the cloud...

…

On Tue, May 10, 2022 at 10:08 AM barry-luijten ***@***.***> wrote: I'm not sure if this particular problem was actually ever solved, but it is still occurring in my Docker Swarm deployment, with image tag 2022.04.3 (PiHole 5.10). I believe the root cause of this problem lies within the fact that group ownership inside the container does not have any meaning to the host OS (the OS hosting the persistent volume). In other words, if the www-data user is a member of the pihole group inside the container, but the host user with the same uid is not a member of the host group with gid 999, it does *not* have write access to a file that is owned by pihole:pihole (999:999) with chmod 644. I noticed the security settings on the gravity.db file in the /etc/pihole directory are automatically reset while starting the container, but also during operations. chown www-data:pihole /etc/pihole/gravity.db therefore only works for a limited time. I found multiple scripts responsible for doing this, like /start.sh and /etc/services.d/pihole-FTL/run, but there are probably others too, because I tried to replace these files with modified versions and the acls on the file kept being reset to pihole:pihole. Annoying. I'm almost up to the point to schedule a cron job (there is a cron daemon active in the container) to re-reset the acl to www-data:pihole, but I hope there will be a cleaner solution. — Reply to this email directly, view it on GitHub <#860 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEIZUTB4QWU6MI6K3WMJV6LVJKJY3ANCNFSM45WG7JMQ> . You are receiving this because you commented.Message ID: ***@***.***>

[mkleef]

@DesktopECHO - great insight! Is there any way to disable WAL?

…

On Wed, Mar 30, 2022 at 4:15 AM DesktopECHO ***@***.***> wrote: I recall running into a similar problem for an unrelated project when SQLite3 utilizes write-ahead logging. Not sure if this is applicable here, but TL;DR was WAL could not be safely used over non-local filesystems. With WAL enabled, databases on NFS and CIFS mounted paths fail, with SQLite3 throwing lock or corruption errors in a very similar fashion to what we're seeing in these reports. In the end, a flag needed to get added to allow disabling of WAL for users that had NFS-mounted /home directories. — Reply to this email directly, view it on GitHub <#860 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEIZUTEMF5Q3F3WEQCI2APLVCQZUJANCNFSM45WG7JMQ> . You are receiving this because you commented.Message ID: ***@***.***>

[yzlnew]

1. Set all 4 variables Set pihole and web-data to match each other:

environment:
  - PIHOLE_UID=1000
  - PIHOLE_GID=999
  - WEB_UID=1000
  - WEB_GID=999

In this case, 1000 is the user ID of my main ubuntu system user, and 999 is the 'docker' group on my system. But that's just coincidence as it also works with some random values which didn't match any host or container user/group IDs. I'm effectively trying to turn the two users into the same single user by setting them equal to each other. I would assume that if pihole and www-data match then the permission issue will be resolved. Although probably not the best practice as we're eliminating any role separation.

2. Set web-user GID only The above solution with the 4 environment variables works but so does just using WEB_GID=999 (999 is the pihole group inside the container). My thoughts here were to just try explicitly setting www-data to be part of the group with permission to edit these files - seems to have worked but don't know why it does unless there is a part of the pihole script which also does this but is not being run for some reason.

I'm getting all pihole/ files owned by root both in/outside container, this approach doesn't work.

[broken]

2. Set web-user GID only The above solution with the 4 environment variables works but so does just using WEB_GID=999 (999 is the pihole group inside the container). My thoughts here were to just try explicitly setting www-data to be part of the group with permission to edit these files - seems to have worked but don't know why it does unless there is a part of the pihole script which also does this but is not being run for some reason.

Running the id or groups command in the container (docker exec -it pihole bash) shows that www-data is part of the pihole group, so you expect it should just work.

# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),999(pihole)
# groups www-data
www-data : www-data pihole

It baffles my mind why it doesn't work and I need to change the group from pihole to www-data.

[broken]

2. Set web-user GID only

Anybody coming across this, I got it working by setting only the WEB_UID to the pihole user.

- WEB_UID=999

Other things I tried that didn't work:

• Setting only WEB_GID. Assuming this failed because of Same UID and GID in passwd and groups for WEB and PIHOLE #1144 (comment)
• Creating a pihole user outside of the container and setting the corresponding PIHOLE_{U,G}ID values.
• Adding the pihole group to www-data outside of the container. (It's already appended to inside).

[pralor-bot]

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pi-hole-says-it-is-blocking-80-of-ads-but-isnt/57870/8

[pete-s]

Observed the same issue on a raspberry pi after performing updates/upgrade to raspbian buster and then running pihole-up.
It was fixed by updating gravity in the UI as mentioned above, and waiting for it to complete.

[antonical]

I am having similar issues. I believe the issue on my system is caused by a conflict between the UID/GID internal in the docker and the host system.

I have zerotier-one installed on the host. This uses UID 999 GID 998

pihole uses UID 999 GID 999 in the docker that is using host mounted volumes.

So in theory setting env variables UID and GID in the docker compose to something else like 900 for instance should solve the issue?

Don't really want to lose all my data, but a momentary interruption in DNS service will be ok.

Updating gravity etc. Did not reset the permissions even though the update completed fine.

The entire mapped /etc directory was set as owned by zerotier-one as that corresponds to the host id 999

SO; if I shutdown the container, change the UID GID values in the env variables in docker compose, create a new user pihole UID 900 GID 900 in the host, set the permissions correctly in the host etc directory and then run the docker compose again...,

Do we think this will come up ok and permissions will be good?

Cheers

[ryanmr]

3. Set web-user GID only

Anybody coming across this, I got it working by setting only the WEB_UID to the pihole user.

- WEB_UID=999

…

FWIW, this worked for me.

Docker Tag 2022.10 Pi-hole v5.13 FTL v5.18.2 Web Interface v5.16

On another older thread, I tried a command docker exec pihole chown -R www-data:pihole /etc/pihole that also worked, but having to run a command at startup was going to be an issue.

I don’t understand the nuances of uid and gid when it comes to host and container systems. I hope this gets easier for folks in the future. Thanks!

[fishkingsin]

sudo chmod 755 -R /var/www/html/pihole works

[danteali]

Really appreciate all the work on this issue. I was one of the original commenters and have been using 22.02 with the WEB_GID=999 workaround.

Decided to eventually update my image and the same issue is still recurring. Unfortunately it hasn't gone away, as evidenced by the other comments above too. Although it does look like it is less pervasive since there are not as many comments.

I'm going to keep using the workaround so it's not a big deal but just wanted to flag for @lightswitch05 and @PromoFaux as it feels like this issue was prematurely closed.

[pralor-bot]

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/default-pi-image-read-only-database/61049/1

[ChiefRA]

I have encountered the same problem with the latest version on PI:

Error, something went wrong!
While executing: attempt to write a readonly database
Added 0 out of 4 groups

Pi-hole [v5.15.5] FTL [v5.21] Web Interface [v5.18.4]

None of the above examples worked for me, so I did a Repair by typing:
pihole -r

then, selecting Repair
then, reboot

When came back, everything was fine and working correctly: https://www.screencast.com/t/XhJlWkNPotXQ

I hope this will help someone in need! :)

[Krautmaster]

Same issue when running PiHole on truenas scale as app, one time adding a list and broken. Nice work.

[azuma82]

Same issue when running PiHole on truenas scale as app, one time adding a list and broken. Nice work.

here my fix for it

[Krautmaster]

For me it was only the case if I did not wait for gravity to respond with success on that tab. If gravity is interuped it might lock the whole thing

[freebrowser1]

I also had this bug.

I saw that the webroot on Pihole /var/www/html was owned by root which is incorrect.

sudo chown -R www-data:www-data /var/www/html/*

fixed it. Then it is owned by the Apache user (Ubuntu 22.04 on Raspberry 4 Pi).

[madhu-GG]

From my end it was a permission issue with etc-pihole directory.

Reproduction steps:

• Start pihole container via docker-compose from home directory of your user
• Symlink the etc-pihole directory that gets created to the actual place where etc-pihole is expected to reside finally. (maybe in /etc/docker/compose/pihole/etc-pihole ?)

[edgd1er]

I had to use a windows based os to test pihole. I tested it with wsl (ubuntu) to stay as close as possible to a unix system. I had the read only problem at each container's start. Even root was not able to change owner nor the rights.

The solution for me was to add in wsl.conf: options= "metadata"

[automount]
options = "metadata"

[Rowr21]

I had this issue too. I was trying to set the volume to the same volume as all of my other containers which are run by a certain UID/GID.

I changed my paths from /srv/dev-disk-by-uuid-blahblah to this:

      - '/pihole/etc-pihole:/etc/pihole'  # <-- Update to match your real path ; your_nas_path:/etc/pihole
      - '/pihole/etc-dnsmasq.d:/etc/dnsmasq.d' # same here

And redeployed and this solved the issue for me. I assume there's an issue with the permissions of the other volume.

[Gismo1337]

For anyone who ran into
While executing: attempt to write a readonly database Added 0 out of 1 adlists - ERROR

Check permissions: $ stat -c "%U:%G %a %n" /etc/pihole/* | column -t
$ pihole:pihole 644 /etc/pihole/gravity.db should be 664

If not: $ sudo chmod 664 /etc/pihole/gravity.db

[Jarsky]

For anyone who ran into While executing: attempt to write a readonly database Added 0 out of 1 adlists - ERROR

Check permissions: $ stat -c "%U:%G %a %n" /etc/pihole/* | column -t $ pihole:pihole 644 /etc/pihole/gravity.db should be 664

If not: $ sudo chmod 664 /etc/pihole/gravity.db

I'm getting this error and my permission is already 664
If I just reboot Pi-Hole without changing anything it works just fine, it goes into Read-Only within 1 day.

dns1:/opt/pihole/config$ ls -l *.db
-rw-rw-r-- 1 pihole           pihole 261980160 Dec 24 11:34 gravity.db
-rw-rw-r-- 1 systemd-coredump ubuntu 261967872 Dec 24 11:28 gravity_old.db
lrwxrwxrwx 1 pihole           pihole        13 Jan 18  2023 macvendor.db -> /macvendor.db
-rw-rw-r-- 1 systemd-coredump ubuntu 197312512 Dec 24 11:41 pihole-FTL.db

Edit:

My docker runs as user "pihole" which is UID/GID 1003:1003

I already updated my gravity-sync config with this, and it was still going read-only

LOCAL_FILE_OWNER='1003:1003'
REMOTE_FILE_OWNER='1003:1003'

So I tried updating the PiHole container with these environment variables

      PIHOLE_UID: 1003
      PIHOLE_GID: 1003

Restarted it again and now all are showing owned by pihole:pihole. Will see if the problem persists. I havent changed the config in a long time; so not sure what's changed to start causing this issue

dns1:/opt/pihole/config$ ls -l *.db
-rw-rw-r-- 1 pihole pihole 262066176 Dec 24 14:36 gravity.db
-rw-rw-r-- 1 pihole pihole 261980160 Dec 24 11:34 gravity_old.db
lrwxrwxrwx 1 pihole pihole        13 Jan 18  2023 macvendor.db -> /macvendor.db
-rw-rw-r-- 1 pihole pihole 197312512 Dec 24 14:39 pihole-FTL.db

[HugoDL]

Having the same issue. Ended up adding this to my container startup script to resolve: docker exec pihole chown -R www-data:pihole /etc/pihole

I've no idea what root cause is since I can run pihole without any mounted volumes and everything works fine but when I mount volumes it has the permission issues. Even though /etc/pihole/* looks identical from an ownership/group/permission perspective with or without mounted volumes.

Worked here! Thank you very much dude!

[Mailaender]

I can confirm that sudo chown -R www-data:pihole /etc/pihole solved it on Debian.

[splattergamesextended]

since this is still kinda open, here's another idea for a workaround. My PiHole runs on an OMV instance. The docker user (openmediavault-webgui) gets control of the mounted pihole folder every time compose down/up is used. So, I just wrote the most basic script to fix this:

#!/bin/bash 
chown -R www-data /path/to/pihole

added that to run in crontab every 30 minutes (less should be fine too) and now it updates the permissions constantly. www-data should exist on every host, so this fix is pretty universal and it seems that's the only issue with the permissions it has (check your ACLs for every other case).

So full guide for the less experienced: go to a persistent folder (or create one with mkdir)
Inside, create a script:
nano permissionfix.sh

copy and paste the above code (starting with #!/bin/bash)
adjust the "path to pihole" folder (as defined in your compose.yml) with the full path.
save the file with CTRL O and exit with CTRL X
now, make the script executable with chmod +x permissionfix.sh

add a cronjob with crontab -e

In your crontab it should look something like this:

*/30 * * * * /path/to/scriptfolder/permissionfix.sh

Hope that helps you out for a more permanent solution.

Edit: since that time I did the whole thing "properly" after I noticed that every action taken inside the GUI that would access FTL, Update Gravity, etc. would result in the same problem. So I updated the script to change permissions every minute, in case the owner got changed. Mine looks like this (and you will have to adjust the user (in this case openmediavault-webgui) and your path accordingly)

#!/bin/bash


OWNER=$(stat -c %U /docker/pihole/pihole)

if

[[ "$OWNER" == "openmediavault-webgui" ]] 

then
 chown -R www-data /docker/pihole/pihole;

else
 :

fi

I set the cronjob to run every minute now since the problem is very pervasive.