Adguard home #397

Open
wants to merge 7 commits into
base: master

BrokenOnedroid
Contributor

@BrokenOnedroid BrokenOnedroid commented Dec 7, 2024

General information on project

This pull request proposes to add a new rock-on for the following project:

Information on docker image

Checklist

  • Passes JSONlint validation
  • Entry added to root.json in alphabetical order (for new rock-on only)
  • "description" object lists and links to the docker image used
  • "description" object provides information on the image's particularities (advantage over another existing rock-on for the same project, for instance)
  • "website" object links to project's main website

@Hooverdan96 Hooverdan96 added the needs review Test install, function, on / off behaviour, all links / info. label Dec 7, 2024
@Hooverdan96
Member

@BrokenOnedroid is this different from what, for example our pi-hole Rockon provides?

@Hooverdan96
Member

Hooverdan96 commented Dec 7, 2024

Well, reading the github page for it, it provides a matrix of same/different ...

https://github.com/AdguardTeam/AdGuardHome

Thanks for submitting this. I think it could be a complementary/alternative offering on Rockstor, since there is overlap but also a few key differences.

BrokenOnedroid and others added 2 commits December 7, 2024 21:42
updated description.

Co-authored-by: Hooverdan96 <[email protected]>
set Version to 1.0

Co-authored-by: Kanec <[email protected]>
@BrokenOnedroid
Contributor Author

Using pi-hole didn't work as well for me as Adguard did. As I have already created the rock-on, I can also submit it.

just moved the "!" out of the html code block
@kanecko
Contributor

kanecko commented Dec 7, 2024

I don't see why adguard shouldn't be in Rockstor.

@BrokenOnedroid
Contributor Author

I am going to update the volumes. I checked them and they're empty.
Looking at the official example they have to be set to:
/opt/adguardhome/work & /opt/adguardhome/conf

@phillxnet
Member

@BrokenOnedroid Thanks for submitting this Rock-on - a nice counterpart to our Pi-hole by the looks of it.
@Hooverdan96 Can we remove the needs review once this is ready.
@kanecko & @FroggyFlox Thanks for the review and advice on this one.

My tendency re our user visible wording is that we should tend to be brief. Working on what I hope will be an example of where I think we should be going on this front. Fully agree that we should at least have a high-level (brief) description of purpose though.

Happy to publish once it has @Hooverdan96's say-so.

changed the volume names to the correct ones.
@phillxnet
Member

@BrokenOnedroid One can move a pull request in and out of Draft mode: i.e. if it is a work-in-progress the draft status is good, and you can leave a comment as to remaining issues that you would like comment on etc. And once all looks to be working at your end, move the pull request out of draft status.

I just noticed more changes since my last comment was all. Nice catch on those internal directories. Always good to check that intended persistent data is actually persisted :).

@Hooverdan96
Member

Hooverdan96 commented Dec 10, 2024

@BrokenOnedroid I am probably doing something incorrectly, but somehow I can't connect to the web address of the adguard container.

I created the macvlan using your example syntax (my machine also has eth0 as its NIC id) and configured and installed the adguard item. However, upon trying to connect to 192.168.178.58:3000 (from a different machine) it does not reach the container, pinging it also does not produce any results. Am I missing anything in particular? The docker logs show nothing unusual (i.e. no error messages).

@Hooverdan96
Member

ok, I think I finally understood the macvlan values that might be needed. I ended up using the same network as the host (192.168.0.0/24), specified an address in that space (192.168.0.58/32) and used the gateway that the host is connected to (192.168.0.1). That then finally gave access to the initial configuration page at 192.168.0.58:3000.

Fundamentally, I don't think any ports need to be mapped really, since this is running on the macvlan network and all ports are exposed by the application.

I will test some more.
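
The mismatch behind the failed connection in the two comments above (the description's 192.168.178.0/24 example applied on a 192.168.0.0/24 LAN), as an added example that is not part of this PR or the Rockstor project: a check that a `docker network create -d macvlan` line agrees with the parent interface's network. The function names and the host address `192.168.0.10/24` are assumptions, and the check assumes the container should be reachable from the existing LAN without extra routing.

```python
import ipaddress
import shlex


def parse_macvlan_cmd(cmd):
    """Extract --subnet/--ip-range/--gateway and '-o parent=' from a docker network create line."""
    opts, tokens = {}, shlex.split(cmd)
    for i, tok in enumerate(tokens):
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts[key] = val
        elif tok == "-o" and i + 1 < len(tokens) and tokens[i + 1].startswith("parent="):
            opts["parent"] = tokens[i + 1].split("=", 1)[1]
    return opts


def check_macvlan(cmd, parent_addr):
    """Return a list of problems; parent_addr is the host NIC address in CIDR form."""
    o = parse_macvlan_cmd(cmd)
    host = ipaddress.ip_interface(parent_addr)
    subnet = ipaddress.ip_network(o["subnet"])
    ip_range = ipaddress.ip_network(o["ip-range"])
    gateway = ipaddress.ip_address(o["gateway"])
    nic = o.get("parent", "parent interface")
    problems = []
    if subnet != host.network:
        problems.append(f"subnet {subnet} differs from {nic} network {host.network}")
    if not ip_range.subnet_of(subnet):
        problems.append(f"ip-range {ip_range} is outside subnet {subnet}")
    if gateway not in subnet:
        problems.append(f"gateway {gateway} is outside subnet {subnet}")
    if gateway in ip_range or host.ip in ip_range:
        problems.append(f"ip-range {ip_range} collides with the gateway or host address")
    return problems


# First command is the example from the rock-on description; the second uses the
# values reported to work in the comment above. HOST_ETH0 is a constructed sample.
PR_EXAMPLE = ("docker network create -d macvlan --subnet=192.168.178.0/24 "
              "--ip-range=192.168.178.58/32 --gateway=192.168.178.1 -o parent=eth0 adguard-home")
ADAPTED = ("docker network create -d macvlan --subnet=192.168.0.0/24 "
           "--ip-range=192.168.0.58/32 --gateway=192.168.0.1 -o parent=eth0 adguard-home")
HOST_ETH0 = "192.168.0.10/24"  # constructed host address on the 192.168.0.0/24 LAN

if __name__ == "__main__":
    for cmd in (PR_EXAMPLE, ADAPTED):
        print(check_macvlan(cmd, HOST_ETH0) or "consistent with host network")
```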

@Hooverdan96
Member

Hooverdan96 commented Dec 11, 2024

docker inspect adguard

...
        "Config": {
            "Hostname": "c331b7a7cddc",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "3000/tcp": {},
                "3000/udp": {},
                "443/tcp": {},
                "443/udp": {},
                "53/tcp": {},
                "53/udp": {},
                "5443/tcp": {},
                "5443/udp": {},
                "6060/tcp": {},
                "67/udp": {},
                "68/udp": {},
                "784/tcp": {},
                "784/udp": {},
                "80/tcp": {},
                "853/tcp": {},
                "853/udp": {}
...

meaning, it behaves like net=host, i.e. no port mappings are required for the Rockon definition. Since for adguard home there are essentially three UI related ports in play between which the user needs to choose, it probably makes no sense to designate any of the three as UI port for the Rockon UI button:

  • 3000 needs to be used once only for the initial setup/configuration of Adguard
  • 80 or 443 are the difference between http vs https for regular access after the configuration. By default it reroutes to port 80 after the initial install.

So, if anything port 80 could be exposed in Rockon UI. Anybody using SSL etc, has to perform some additional config anyway. But I did notice that (probably because of the macvlan) the link to port 80 is not correctly set up (after I removed the other ports and only kept port 80) ... so likely no ports should be/need to be defined but referenced to the documentation for the relevant ones.

New test instance: creating macvlan network:

docker network create -d macvlan --subnet=172.16.0.0/24 --ip-range=172.16.0.254/32 --gateway=172.16.0.1 -o parent=eth0 adguard-home

Test after install going to: http://172.16.0.254:3000

  • picking eth0 as the WebUI access as well as the DNS server address
  • set up administrative user, choosing admin and password for testing
  • additional instructions screen
  • Final screen, pressing Uebersicht oeffnen ("Open overview")
  • automatically rerouted to: http://172.16.0.54
  • Login and overview page

Confirming that configuration file in mapped share was created:

-rw------- 1 root  root 3755 Dec 10 17:04 AdGuardHome.yaml

Pinging address from external machine is successful.

However, macvlan is not allowing the host machine to connect to the address (isolation) directly. But setting AdGuard as the DNS server on the home router will prevent this from being a problem? @BrokenOnedroid any clarifications/suggestions, since you've been using it? I can't test this with my network setup without lots of effort at this time.

as an aside on macvlans. Found this, but hopefully not necessary:
Found this here, where a second macvlan interface is required for the communication between host and container:
https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/

@BrokenOnedroid
Contributor Author

@Hooverdan96 I am not using a second macvlan.
I have no problem using Adguard as a DNS server. My router is the DHCP server in my network, which sets my Adguard installation as DNS-Server network-wide.
I just checked my query log again:

  • Plain DNS works
  • I can force encryption and at least DNS-over-HTTPS and DNS-over-TLS work

My guess is that unless you can add an IP or domain to the UI-Button setting, the Button won't work because the container does not use the same IP as the host (since it's using the macvlan). Is it possible to disable the UI-button for a container?
Using: "ui": false?

@Hooverdan96
Member

Ok, that's good to know then, and I take that as proof that it will work as you described.

Yes, you can actually just remove the ui tag (or set it to false for now), then the UI button will not be created/visible. I think it will then be good to add yet another piece of text to the description to indicate how to access the WebUI for the first time (using your example of the macvlan you described).

If/when you or someone else can submit a write-up for this Rockon for the documentation, we can then pare back the description substantially and just reference to the documentation for details and examples. This would bring us then closer to @phillxnet's intent on having less of the descriptions on the Rockon page itself.

updated description for more instructions. for ease of use. removed all entries of '"ui": true'
@@ -75,7 +72,7 @@
}
}
},
"description": "AdGuard Home is a network-wide software for blocking ads and tracking. After you set it up, it'll cover all your home devices, and you won't need any client-side software for that. <p>Based on the official Image: <a href='https://hub.docker.com/r/adguard/adguardhome' target='_blank'>https://hub.docker.com/r/adguard/adguardhome</a>, available for amd64 and arm64 architecture.</p> <p>Create a macvlan to avoid overlapping of ports which are needed by Adguard like 443 & 80. E.g., <code>docker network create -d macvlan --subnet=192.168.178.0/24 --ip-range=192.168.178.58/32 --gateway=192.168.178.1 -o parent=eth0 adguard-home</code></p><p>The docker network has to be named <code>adguard-home</code>!</p>",
"description": "AdGuard Home is a network-wide software for blocking ads and tracking. After you set it up, it'll cover all your home devices, and you won't need any client-side software for that. <p>Based on the official Image: <a href='https://hub.docker.com/r/adguard/adguardhome' target='_blank'>https://hub.docker.com/r/adguard/adguardhome</a>, available for amd64 and arm64 architecture.</p> <p>Create a macvlan to avoid overlapping of ports which are needed by Adguard like 443 & 80. E.g., <code>docker network create -d macvlan --subnet=192.168.178.0/24 --ip-range=192.168.178.58/32 --gateway=192.168.178.1 -o parent=eth0 adguard-home</code></p><p>The docker network has to be named <code>adguard-home</code>!</p> <p>The UI is reachable under the IP-Adress definded in the maxvlan. E.g.: <code>--ip-range=192.168.178</code> and the WebUI-Config Port. E.g.: <code>http://192.168.178.58:3000</code> </p>",
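Review bot: The sentence added at the end of the new "description" gives `--ip-range=192.168.178` as its example, which is truncated and does not match the `--ip-range=192.168.178.58/32` in the command earlier in the same string, so a reader cannot tell which address the UI is on; quote the address itself (`192.168.178.58`) there. The same sentence has three typos ("IP-Adress", "definded", "maxvlan"). Because the string is rendered as HTML, the bare `&` in `443 & 80` should be `&amp;`, and the `target='_blank'` link would be safer with `rel='noopener noreferrer'`.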
Member

@Hooverdan96 Hooverdan96 Dec 13, 2024

Suggested change
"description": "AdGuard Home is a network-wide software for blocking ads and tracking. After you set it up, it'll cover all your home devices, and you won't need any client-side software for that. <p>Based on the official Image: <a href='https://hub.docker.com/r/adguard/adguardhome' target='_blank'>https://hub.docker.com/r/adguard/adguardhome</a>, available for amd64 and arm64 architecture.</p> <p>Create a macvlan to avoid overlapping of ports which are needed by Adguard like 443 & 80. E.g., <code>docker network create -d macvlan --subnet=192.168.178.0/24 --ip-range=192.168.178.58/32 --gateway=192.168.178.1 -o parent=eth0 adguard-home</code></p><p>The docker network has to be named <code>adguard-home</code>!</p> <p>The UI is reachable under the IP-Adress definded in the maxvlan. E.g.: <code>--ip-range=192.168.178</code> and the WebUI-Config Port. E.g.: <code>http://192.168.178.58:3000</code> </p>",
"description": "AdGuard Home is a network-wide software for blocking ads and tracking. After you set it up, it'll cover all your home devices, and you won't need any client-side software for that. <p>Based on the official Image: <a href='https://hub.docker.com/r/adguard/adguardhome' target='_blank'>https://hub.docker.com/r/adguard/adguardhome</a>, available for amd64 and arm64 architecture.</p> <p>Create a macvlan to avoid overlapping of ports which are needed by Adguard like 443 & 80. E.g., <code>docker network create -d macvlan --subnet=192.168.178.0/24 --ip-range=192.168.178.58/32 --gateway=192.168.178.1 -o parent=eth0 adguard-home</code></p><p>The docker network has to be named <code>adguard-home</code>!</p> <p>For the initial setup the UI is reachable under the IP-Adress defined in the macvlan. E.g.: <code>192.168.178.58</code>. and the setup port <code>3000</code>, i.e.: <code>http://192.168.178.58:3000</code>. Once setup is complete, the admin page can be reached using port <code>80</code> e.g.,<code>http://192.168.178.58:80</code>.</p>",
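Review bot: In the suggested replacement, `E.g.: <code>192.168.178.58</code>. and the setup port` has a stray full stop that splits the sentence, "IP-Adress" is still misspelled, and `e.g.,<code>` is missing a space. `http://192.168.178.58:80` can drop `:80`, since that is the default port for http. Both URLs given are plain HTTP, so the text could also say that port 443 is the HTTPS alternative once the user has configured it, which the discussion above already notes.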

Member

@Hooverdan96 Hooverdan96 Dec 13, 2024

I know, I'm suggesting more words to be added to the description (whereas @phillxnet is trying to get us to reduce the verbiage in this space), but I think it's relevant to point out that the initial setup port and the "daily" ports will be different. And in absence of a formal writeup in the Rockstor documentation, this will be the only place to clarify that.

@Hooverdan96
Member

Thanks for pushing the update @BrokenOnedroid. I tried it and it looks good.

I'm thinking, since we now don't have any Rockstor WebUI relevant ports anymore, and the net= option is active (using the macvlan), that the port specifications are not really needed at all anymore (and as described above one can see that none of the ports are really mapped into the docker container when inspecting it).

So I am proposing to remove the port section from the Rockon entirely (leaving the share mapping only). The initial port for access (3000) you've added to the description and the other ones can be found in the documentation (after some looking around).

Does that make sense?

Labels
needs review Test install, function, on / off behaviour, all links / info.
Development

Successfully merging this pull request may close these issues.

New Rockon using AdGuard Home
5 participants