Rework networking logic and some miscellaneous code changes #5
Conversation
* Update syno_pihole.sh Initial (incomplete) commit for refining network configuration. * Remainder of initial re-working of networking logic and miscellainious changes. Untested commit. * Fixed check subnet code in validate_settings function. * Fixed prefix size comparison error in function is_cidr_in_subnet. * Added PARAM_HOST_IP check to validate_settings function. Fixed bug in function init_generated_values causing PARAM_HOST_IP not to be properly generated. * Fixed second bug in init_generated_values function - calling the int to ip conversion outside the appropriate conditional statement. * Fixed syntax error in function init_generated_values - comparison of variable integer equality. * Resolved final syntax error in function init_generated_values to make it functional.
Thus 'update' pihole function doesn't work as intended. Pihole lists three version numbers for the core components of Pi-hole: Pi-hole (core?), AdminFTE and FTL. However they have one release number tagged in the repository. Rather than issuing a single release number for the whole project this tagged release number seems to track the version number of which ever of the three core components is highest. This fix is just as fragile as the code it is fixing – it simply changes the component number it checks from Pi-hole to FTL. The Repository currently states FTL is expected to be the highest version number going forward, so this fragile version detection may well work for a while going forward, however it should really be more rigorous or perhaps an issue raised with Pi-hole project.
Moves bug fixes to master from old branch Kieren-patch-1.
|
Hi @Kieren, thanks a lot for the extensive PR! I do realize Docker networking is not my strong suit per se, so your code suggestions and feedback are much appreciated. Below my first comments.
You are right, the original intent was to assign a static IP address to Pi-Hole on the same subnet where the Synology NAS resides. Imagine the following network environment:
The script then assigns an address range of the subnet to a macvlan network, for example
If I understand your proposal correctly, you suggest the ability to assign a proper subnet (e.g.
Would you be ok to update the Some final thoughts, I noticed my |
|
Hi @markdumay I'm glad this is a welcome contribution to your efforts. On diving into this my sense has been that there is some confusion in some of the internet (blog) content on both the linux networking and how docker utilises that in this sort of set up. I've come across a number of similar docker setup posts that seem to differ slightly in how they are described and implemented, contributing to confusion. Some of this I think lies around the use of macvlan within docker and the additional macvlan interface that is manually configured on the host. The clearest description I have found on the macvlan bridge network as used in syno_pihole.sh is here Docker Docs: Get started with macvlan Network Driver. The first example there gives a clear description of the very same setup used here. Note:Comparing syno_pihole with the documentation there, parameters PARAM_IP_RANGE, PARAM_PIHOLE_IP and PARAM_GATEWAY are all on the very same subnet, namely PARAM_SUBNET. Consider your example:
I don't think there is a downside as you mention In short my patch defaults the size of PARAM_IP_RANGE to /32 unless otherwise specified and on validation checks that the actual network broadcast address of the subnet (192.168.0.255 in your example) is not used. I think it's worth mentioning an oversight in this patch; it does not currently check that the network address (192.160.0.0 as per example) is not used. I hope this clarifies the intent of my patch for the Docker macvlan network. As for the host macvlan network named (PARAM_VLAN_NAME), I have found this article Bridge vs Macvlan helpful in clarifying its purpose, particularly why assigning it the range of addresses PARAM_IP_RANGE is not appropriate. This interface is only enabling the host and the pihole container to communicate and since the interface assigns the host a new MAC address, in my patch, PARAM_HOST_IP is assigned to it and used when communicating with the Pihole – as determined by the created route. Again I hope this is helpful. I will look at updating the README.md too. As an aside there have already been a couple of bugs pop up that I've addressed in my patch. Would you prefer that I make any further changes and bug fixes etc on a seperate branch to this PR so it doesn't complicate the pull process? |
Updated the readme to better reflect the changes made to the script in this patch. Particularly adding the new optional --host-ip parameter.
|
Hi @Kieren, thanks for your elaborate response. Both linked articles are indeed very clear and relevant. So in short, we revise the script to simply apply the macvlan network to the current subnet (
I suggest to track the individual issues (like #7) and to put the fixes on a separate branch indeed. It looks like you're on a roll, so I can imagine you'll find additional issues. ;-)
I noticed your update - is the PR ready for review? |
|
Hi @Kieren, I finally got around review your PR - apologies for the delay! Below my findings. Some of the observations appear unrelated to your code changes. However, I included them here with the updated line numbers for simplicity's sake. Let me know if you would like to address below observations yourself, or if I should merge the PR first so we can address them afterwards. Besides the observations, the revised script appears to be working fine. Thanks again for all your effort, much appreciated! Observation 1 Observation 2 Observation 3 Observation 4 Observation 5 The code should be corrected to this. Similarly, the code to detect the version of the currently running Pi-hole container is also incorrect. The global variable at line #29 should be removed. |
|
@Kieren Thank for your help. I did not understand one thing, do you mean HOST_IP in the script, as the new IP address, and not the currently assigned IP address of Synology NAS. So it means we need 2 IP address for host(synology nas) - 1 is actual which is already used in the network and other IP is just to link(synology with macvlan(pihole container))? |
@krswin, yes that is what I mean, HOST_IP is a new IP address because the macvlan interface created to bridge the host to the pihole has a new MAC address – HOST_IP is assigned to that. It is worth mentioning this new IP address is another valid address on the network accessible from the rest of the network. Because of this, if the same IP address is used for both host MAC addresses, I believe you will probably have routing issues with your ethernet frames on the network just as you would with any other IP address clash on a network. This additional macvlan interface (and IP address) for the host is a workaround to enable the host to communicate with the Pi-hole container on it's own interface, however as mentioned it's effects apply to the network more broadly which you are right to consider. I'm not aware of another way to provide host to Pi-hole container communication purely on the host. |
Hi @markdumay, Thanks for making all these observations, as you can see I've not spent time on this for a while. While I'd like to address all of them in a timely manner I can't guarantee that will happen, so perhaps merging the PR will make managing the script easier incase anybody has their own fixes? I agree the script is mostly functional with careful use to avoid the already noted issues. |
|
Done! Thanks again - I'll work on the observations and will add issues as needed. Feel free to contribute any time! ;-) |
Update syno_pihole.sh
This patch reworks the network logic of the script, making a distinction between a CIDR notated range (by convenience) of addresses and an actual IPv4 subnet which has a (all ones host identifier) broadcast address. Conflating a range of addresses in CIDR notation within a (LAN) subnet with an actual subnet seems to be the reason for the original script logic.
This patch considers the PARAM_IP_RANGE parameter to designate a pool of addresses reserved for Docker to use in its generated Docker macvlan network called 'synology-pihole_macvlan' – as is indicated by the use of PARAM_IP_RANGE in the docker-compose.yml file. In the same way the network DHCP server reserves a pool of addresses, this range helps avoid address collisions on the network, especially with the DHCP server. Docker should allocate any container attached to the synology-pihole_macvlan network an address from this pool if a static address (PARAM_PIHOLE_IP) were not already specified.
While the Docker generated macvlan synology-pihole_macvlan uses PARAM_IP_RANGE to reserve a pool of addresses for its use, the host macvlan network (default name macvlan0) named by PARAM_VLAN_NAME in the function execute_create_macvlan only needs a new host address to attach to this interface in order for it to communicate with containers attached to synology-pihole_macvlan. Hence this patch introduces a new parameter (--host-ip | HOST_IP | PARAM_HOST_IP) to allow the user to specify an address for this purpose, otherwise a reasonable address is attempted.
In the process of writing the patch a number of other changes were made, notably:
The is_valid_cidr function variable CIDR_REGEX (line 168) - removed '([^0-9.]|$)' from the end of the regex because its purpose was unknown and did not seem to affect its function.
Edits to the Usage instructions were made to try and clarify parameter usage.
The parameter validation/initialisation functions were edited to allow a broader range of valid user configurations and to not consume more address space than necessary.