As my first noteworthy venture in containerization I decided to jump on the hype train and run a Pi-hole instance on my NAS to block ads and the-like in my local network.

The NAS runs Arch Linux and I opted for LXC as it seemed to be the leaner approach compared to Docker. Here's how I did it.

Install LXC

On Arch all you need to do for being able to run (privileged) LXC containers is installing it:

$ pacman -S lxc

I want containers to look like proper network clients instead of having them NAT'ed and routed by their host (the NAS) so I changed the default config to use macvlan in bridge mode for container networking:

# /etc/lxc/default.conf = macvlan = bridge = eth0 = up = eth0

Note: the last line sets the name of the virtual interface that appears inside the container to eth0. This is not required, but many images seem to have issues dealing with generated interface names.

Create the Container

I chose to go with the current Debian release for my Pi-hole container, which is Buster.

$ lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64

This sets up a (refreshingly minimal) Debian image.

The only thing that I changed inside the container is switching to static addressing for IPv4 as I did not want the container to query my router for DHCP:

# /etc/network/interfaces

auto eth0
eth0 inet static

(Urr, feels so ancient when you're used to systemd-networkd...)

Install Pi-hole

There are some requirements to install first:

$ apt-get install wget curl

Then the official Pi-hole install script can be used.

I really hate the attitude behind curl'ing install scripts and directly piping them to Bash as root user which seems en vogue these days. In my head this rings all alarm bells in terms of security. But I guess that's what comes with the nature of containers: they're isolated and volatile, so they're a disposable object that is cared less about.

I still refuse to do so and instead download them, give them at least a quick scroll and fire them up afterwards. Thus with the Pi-hole installer:

$ curl -sSL -o
$ less $_
$ bash $_

The installer then took care of the rest.

Final Touches

Don't forget to make the container autorun at boot using

$ systemctl enable lxc@pi-hole

A highly considerable improvement to my setup will be switching to unprivileged containers for increased degree of isolation.