-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker on Synology keeps stopping with Failed to set capabilities for pihole-FTL. Cannot run as non-root. #963
Comments
I have the same issue since upgrading to 2022.01 |
Same issue here, |
the "DNSMASQ_USER=root" fixed it for me. |
Does it make a difference if you add the capabilities to the container (without setting the DNSMASQ_USER to root? https://github.com/pi-hole/docker-pi-hole#note-on-capabilities for compose yml add:
|
I tried removing the DNSMASQ_USER=root and adding the above cap_add, but then the 2022.1 image again does not start. |
Interesting to know, thanks . I wonder what is different there... I have a synology NAS here that I can try to spin something up on later to play... DSM7 and docker installed via the package manager? |
I'm on DSM 6.2.4-25556 Update 2 (which is the latest DSM 6 version) |
Same for me. |
This might be different for me, as I am on DSM7... don't currently have a way of testing DSM6 but with a very basic compose file of: version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
pihole:
container_name: pihole
image: pihole/pihole
volumes:
- './etc-pihole/:/etc/pihole/'
- './etc-dnsmasq.d/:/etc/dnsmasq.d/'
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
# cap_add:
# - NET_ADMIN
# - SYS_NICE
# - CHOWN
restart: unless-stopped
It starts, with or without the cap_add section |
For me, 2022.01 is failing at
I did not find any chown at bash_functions.sh for this directory and the user pihole ? I'm using bindmounts not volumes. OS Gentoo with Docker Version: 20.10.9 amd64 |
dnsmasq.d directory has 0700 while normally it should have 0755, strange. (Owned by root:root) |
For me the the startup failure is caused by the fix_capabilities function in bash_functions.sh
|
What does your compose file look like? |
version: '3'
services:
pihole:
image: pihole/pihole:latest
hostname: pihole
domainname: redacted
networks:
macvlan_network:
ipv4_address: xxx.xxx.xxx.xxx
ports:
- 53/tcp
- 53/udp
- 67/udp
- 80/tcp
- 443/tcp
environment:
- DNS1=1.1.1.1
- DNS2=1.0.0.1
- WEBPASSWORD=redacted
- ServerIP=xxx.xxx.xxx.xxx
- VIRTUAL_HOST=pihole.redacted
- TZ=Europe/Amsterdam
- DNSMASQ_USER=root
volumes:
- /volume2/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
- /volume2/docker/pihole/pihole:/etc/pihole
networks:
macvlan_network:
external: true |
the above compose file works with 2022.01 In both cases, the setcap error is logged, but when DNSMASQ_USER=root, the error is ignored by the script. |
Can you try setting each cap individually to see if it is a particular one that is throwing the error? e.g:
I suspect it's one of the latter three, as they were added in the latest version https://github.com/pi-hole/docker-pi-hole/blob/master/bash_functions.sh#L6 (although I thought I had subsequently removed the |
@grmbl99 I see you mapped folders on synology. What permissions do the folders have? I had to add [everybody] because Pihole could not save the settings. Would you mind checking for me? |
they all fail with the same error:
|
I wonder if that is relevant, as the setcap error is on an executable which is not in any of the mapped folders. |
At this stage I have to assume this is a docker on DSM6 thing, because I am not seeing this same error on docker on DSM7. I suppose the workaround is that
Yeah, I had wondered if you were doing some odd mapping of Don't suppose you feel like being brave and upping to DSM7 to see if you still see the issue? 😉 Side Note: I actually ended up moving all of my docker containers off of my Synology and onto a Rpi4 as I always felt that docker on Synology was a bit... odd. |
Yep, they were there (at least with the 2021.12.1 version); but it did not block the starting of the container
Nope, no proper USB support (yet) :-) |
For what it is worth, I have the issue on DSM7, though I have not have time to test anything else but going back a version. I will try brand new Docker with caps set later on today. |
Sorry, and same thing again with the three mentioned caps explicitly set in the compose file (NET_ADMIN, SYS_NICE, IPC_LOCK) |
Interesting. Thanks. So that shows that with the caps explicitly set, FTL is able to grab the caps it needs... so the question remains - why does As an experiment, maybe make a copy of |
@PromoFaux I'm assuming this is because Docker is not adding the CAP_SETFCAP capabiliity (required to use setcap) in some instances. I haven't tested it out yet but adding the SETFCAP capability to the docker-compose file might fix things. |
does not seem to work for me |
same here. |
First you need to stop the currently running pihole container (if you have the same problem, it is probably stopped anyway, hehe). Then you need to go to 'Registry' and search for pihole. You need to re-download the image again. After double clicking it be sure not to select the 'latest' version but 2022.02.1. After having downloaded the image you need to set it up just like you did before. Since 2022.04 did not start at all, you probably can re-use the existing config file. Since you downloaded a specific version, watchtower will not run updates on this one. As soon as the bug has been fixed, you can revert to the 'latest' version (this is why I would not necessarily delete it) |
I did it and it's working again with same config! Thanks a lot! I suspected it was that way, but you know the first time you find that kind of issue you're pretty scared to broke something... and I already stopped Watchtower, I think I prefer to update it by myself after read the changes list. Last issue with the pihole/root user was a signal, this one the second, I will not let a third one ;-) |
Please review the notes here: https://github.com/pi-hole/docker-pi-hole/releases/tag/2021.09 Personally I wouldn't touch watchtower with a barge pole (for Pi-hole, anyway) |
Thank you for this hint. While I completely understand the reasons for rather manually updating, watchtower really saves time in case you run a bunch of containers. Well, not in this case, hehe. I am using the —run-once option with watchtower so I can see right away when there is a problem. In my case removing the pihole container incl. all config files and reinstalling from scratch did not help. Is it just me? |
Back to 2022.02.1. Works. |
Not just you. No matter what I try I'm still having issues with 2022.4.. as well.
|
You can exclude specific containers from being updated by watchtower by adding a label
I am running DSM 7.0 and both 2022.04.2beta and 2022.04.2 work without an issue for me. I am going to exclude pi-hole from watchtower, because although my router fails back to a public DNS when pi-hole isn't available, some Linux service like Docker itself, will not wait long enough for DNS resolution and just plain fail. |
Just wanted to throw some info out there in case it helps anyone. I am running pihole on an Unraid system in Docker and couldn't get it to boot because of the same Turns out if you leave the I also updated all of my volume mount permissions to change ownership to Maybe an update to the README.md to clarify not to use --privileged mode would help with recent releases? Cheers! |
I thought in my several attempts to recreate the container that I had removed the privileged flag but I must not have. Tried again making sure it was off and it started up just fine with release 2022.04.2. Thanks for the info. |
Consider it updated https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#upgrade-notes |
hi, is there a fix for this yet?
showing in the logs i then stopped the container, pulled an older image from the registry, reset the container and restarted and it still got stuck in a restart loop should note that i already have DNSMASQ_USER=root in my config. |
apparently the fix is, and i have confirmed this fixed it for me, is to untick "Execute container using high privilige" in the container settings. How on earth is it possible that reducing the set of capabilites can be the solution? |
Thank you very much, removing that checkbox did the trick also for me. :-) |
"High Privilege" is Synology's way of saying to run the docker image as privileged. https://phoenixnap.com/kb/docker-privileged This mode does not include all of the linux system capabilities that are required for running Pi-hole in certain configurations. That mode also ignores and Bottom line is that Pi-hole can now run in a non-root container and be in line with the new Docker security standards. |
yeah but it would have been nice to get a heads up that having that ticked (which i believe was required originally) now causes the container to get stuck in a restart loop. does this also mean that |
for me it works without setting it to root, yes. |
I left it that variable as root and unticked the "Execute container using high privilige" setting and it worked for me. |
This is not recommended: |
I came here to post that exact thing after sitting back down to read some more. Thanks; I should have been more diligent. |
Oh wow, thanks! This worked for me too. I am using Ansible to provision my Docker containers and I had |
Dear ladies and gents, I'd like to participate in this thread as I'm also having problems to get pihole on DSM7 inside portainer on docker to work.
|
All I had to do was add PGID=101 and PUID=1026 to the env variables in order to give the container the right file permissions. They are likely going to be different for you , but here's how to find them: https://mariushosting.com/synology-how-to-find-uid-userid-and-gid-groupid/ |
This issue has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/pihole-wont-start-after-docker-pull/55459/12 |
This issue has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/domain-on-blocklist-didnt-increase/56742/5 |
This issue has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/setupvars-error-in-webinterface/58913/9 |
This is a: Run Issue (running Pi-hole container failing),
Details
After watchtower pulled latest image, pi-hole docker will not start.
Related Issues
How to reproduce the issue
These common fixes didn't work for my issue
docker run
example(s) in the readme (removing any customizations I added)Dropping back to version 2021.12.1 resolved the issue
The text was updated successfully, but these errors were encountered: