Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docker on Synology keeps stopping with Failed to set capabilities for pihole-FTL. Cannot run as non-root. #963

Closed
1 of 6 tasks
imro2 opened this issue Jan 4, 2022 · 117 comments
Labels

Comments

@imro2
Copy link

imro2 commented Jan 4, 2022

This is a: Run Issue (running Pi-hole container failing),

Details

After watchtower pulled latest image, pi-hole docker will not start.

Related Issues

  • I have searched this repository/Pi-hole forums for existing issues and pull requests that look similar

How to reproduce the issue

  1. Environment data
  • Operating System: Linux Synology 4.4.180+ GNU/Linux synology_geminilake_920+
  • Hardware: Synology DS920+
  • Kernel Architecture: x86_64
  • Docker Install Info and version:
    • Software source: official docker
    • Supplimentary Software: synology
  • Hardware architecture: amd64
  1. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here
version: "2"
services:
  pihole:
    container_name: pihole
    domainname: docker
    hostname: pihole
    image: pihole/pihole:latest
    ports:
      - '53:53/tcp'
      - '53:53/udp'
    expose:
      - 80
      - 443
    networks:
      - proxied
    restart: unless-stopped
    volumes:
      - ${BASEDIR}/pihole:/etc/pihole
      - ${BASEDIR}/pihole.log:/var/log/pihole.log
      - ${BASEDIR}/dnsmasq.d:/etc/dnsmasq.d
    environment:
      - ServerIP=${SERVER_IP}
      - PROXY_LOCATION=pihole
      - VIRTUAL_HOST=pihole.${DOMAINNAME}
      - VIRTUAL_PORT=80
      - TZ=${TZ}
      - DNSMASQ_LISTENING=all
      - WEBPASSWORD=${WEBUIPASS}
      - DNS1=8.8.8.8
      - DNS2=1.1.1.1
      - DNSMASQ_USER:pihole
    dns:
      - 1.1.1.1
      - 1.0.0.1
    labels:
      - "traefik.enable=true"
      - "traefik.backend=pihole"
      ...
  1. any additional info to help reproduce
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 1.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
ERROR: Failed to set capabilities for pihole-FTL. Cannot run as non-root.
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.

These common fixes didn't work for my issue

  • I have tried removing/destroying my container, and re-creating a new container
  • I have tried fresh volume data by backing up and moving/removing the old volume data
  • I have tried running the stock docker run example(s) in the readme (removing any customizations I added)
  • I have tried a newer or older version of Docker Pi-hole (depending what version the issue started in for me)
  • I have tried running without my volume data mounts to eliminate volumes as the cause

Dropping back to version 2021.12.1 resolved the issue

@kayaozalp
Copy link

I have the same issue since upgrading to 2022.01
Rolled back to 2021.12.1 and it starts correctly.

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

Same issue here,
I fixed this by adding DNSMASQ_USER=root to my docker-compose.yml file.
The default for this was changed from root to pihole

@Enn0
Copy link

Enn0 commented Jan 4, 2022

the "DNSMASQ_USER=root" fixed it for me.

@PromoFaux
Copy link
Member

Does it make a difference if you add the capabilities to the container (without setting the DNSMASQ_USER to root?

https://github.com/pi-hole/docker-pi-hole#note-on-capabilities

for compose yml add:

 cap_add:
      - NET_ADMIN
      - SYS_NICE
      - CHOWN

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

Does it make a difference if you add the capabilities to the container (without setting the DNSMASQ_USER to root?

https://github.com/pi-hole/docker-pi-hole#note-on-capabilities

for compose yml add:

 cap_add:
      - NET_ADMIN
      - SYS_NICE
      - CHOWN

I tried removing the DNSMASQ_USER=root and adding the above cap_add, but then the 2022.1 image again does not start.

@PromoFaux
Copy link
Member

Interesting to know, thanks . I wonder what is different there... I have a synology NAS here that I can try to spin something up on later to play... DSM7 and docker installed via the package manager?

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

I'm on DSM 6.2.4-25556 Update 2 (which is the latest DSM 6 version)
Docker installed via package manager

@Enn0
Copy link

Enn0 commented Jan 4, 2022

I'm on DSM 6.2.4-25556 Update 2 (which is the latest DSM 6 version) Docker installed via package manager

Same for me.

@PromoFaux
Copy link
Member

This might be different for me, as I am on DSM7... don't currently have a way of testing DSM6

but with a very basic compose file of:

version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    # cap_add:
    #   - NET_ADMIN
    #   - SYS_NICE
    #   - CHOWN
    restart: unless-stopped

It starts, with or without the cap_add section

image

@r2ixuz
Copy link

r2ixuz commented Jan 4, 2022

For me, 2022.01 is failing at

dnsmasq: cannot access directory /etc/dnsmasq.d: Permission denied
::: Testing pihole-FTL DNS: [cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I did not find any chown at bash_functions.sh for this directory and the user pihole ?

I'm using bindmounts not volumes. OS Gentoo with Docker Version: 20.10.9 amd64

@r2ixuz
Copy link

r2ixuz commented Jan 4, 2022

dnsmasq.d directory has 0700 while normally it should have 0755, strange. (Owned by root:root)

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

For me the the startup failure is caused by the fix_capabilities function in bash_functions.sh
I tried running the code manual from a bash shell in the docker container:

root@pihole:~# setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_NICE,CAP_CHOWN+ei /usr/bin/pihole-FTL 
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

@PromoFaux
Copy link
Member

What does your compose file look like?

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

version: '3'
services:
  pihole:
    image: pihole/pihole:latest
    hostname: pihole
    domainname: redacted
    networks:
      macvlan_network:
        ipv4_address: xxx.xxx.xxx.xxx
    ports:
      - 53/tcp
      - 53/udp
      - 67/udp
      - 80/tcp
      - 443/tcp
    environment:
      - DNS1=1.1.1.1
      - DNS2=1.0.0.1
      - WEBPASSWORD=redacted
      - ServerIP=xxx.xxx.xxx.xxx
      - VIRTUAL_HOST=pihole.redacted
      - TZ=Europe/Amsterdam
      - DNSMASQ_USER=root
    volumes:
      - /volume2/docker/pihole/dnsmasq.d:/etc/dnsmasq.d
      - /volume2/docker/pihole/pihole:/etc/pihole

networks:
  macvlan_network:
    external: true

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

the above compose file works with 2022.01
when the DNSMASQ_USER=root line is removed it does not work with 2022.01

In both cases, the setcap error is logged, but when DNSMASQ_USER=root, the error is ignored by the script.

@PromoFaux
Copy link
Member

Can you try setting each cap individually to see if it is a particular one that is throwing the error?

e.g:

setcap CAP_NET_BIND_SERVICE+ei /usr/bin/pihole-FTL 
setcap CAP_NET_RAW+ei /usr/bin/pihole-FTL 
setcap CAP_NET_ADMIN+ei /usr/bin/pihole-FTL 
setcap CAP_SYS_NICE+ei /usr/bin/pihole-FTL 
setcap CAP_CHOWN+ei /usr/bin/pihole-FTL 
setcap CAP_IPC_LOCK+ei /usr/bin/pihole-FTL 

I suspect it's one of the latter three, as they were added in the latest version https://github.com/pi-hole/docker-pi-hole/blob/master/bash_functions.sh#L6

(although I thought I had subsequently removed the CAP_IPC_LOCK check, as it is not required by FTL anyway)

@opicron
Copy link

opicron commented Jan 4, 2022

@grmbl99 I see you mapped folders on synology. What permissions do the folders have? I had to add [everybody] because Pihole could not save the settings. Would you mind checking for me?

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

they all fail with the same error:

Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

@grmbl99 I see you mapped folders on synology. What permissions do the folders have? I had to add [everybody] because Pihole could not save the settings. Would you mind checking for me?

I wonder if that is relevant, as the setcap error is on an executable which is not in any of the mapped folders.

@PromoFaux
Copy link
Member

PromoFaux commented Jan 4, 2022

At this stage I have to assume this is a docker on DSM6 thing, because I am not seeing this same error on docker on DSM7.

I suppose the workaround is that DNSMASQ_USER is set to root as it used to be (though ideally pihole-FTL should not be running as root - hence the change) Do you see the setcap error on previous versions of the container?

as the setcap error is on an executable which is not in any of the mapped folders.

Yeah, I had wondered if you were doing some odd mapping of /usr/bin, which was what prompted me to ask for your compose file.

Don't suppose you feel like being brave and upping to DSM7 to see if you still see the issue? 😉

Side Note: I actually ended up moving all of my docker containers off of my Synology and onto a Rpi4 as I always felt that docker on Synology was a bit... odd.

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

Do you see the setcap error on previous versions of the container?

Yep, they were there (at least with the 2021.12.1 version); but it did not block the starting of the container

Don't suppose you feel like being brave and upping to DSM7 to see if you still see the issue?

Nope, no proper USB support (yet) :-)

@imro2
Copy link
Author

imro2 commented Jan 4, 2022

@PromoFaux

At this stage I have to assume this is a docker on DSM6 thing, because I am not seeing this same error on docker on DSM7.

For what it is worth, I have the issue on DSM7, though I have not have time to test anything else but going back a version. I will try brand new Docker with caps set later on today.

@PromoFaux
Copy link
Member

@grmbl99 can you add FTLCONF_DEBUG_CAPS=true to your environment, and then look for some lines in /var/log/pihole-FTL.log that look like this:

image

@imro2, thanks for confirming you're seeing it also on DSM7 - odd to note that I am not!

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

Screenshot 2022-01-04 at 14 59 55

@PromoFaux
Copy link
Member

Sorry, and same thing again with the three mentioned caps explicitly set in the compose file (NET_ADMIN, SYS_NICE, IPC_LOCK)

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

Screenshot 2022-01-04 at 15 08 01

(still running as DNSMASQ_USER=root)

@PromoFaux
Copy link
Member

Interesting. Thanks. So that shows that with the caps explicitly set, FTL is able to grab the caps it needs... so the question remains - why does setcap throw that error on container start?

As an experiment, maybe make a copy of start.sh on your host filesystem, comment out the call to fix_capabilities, and then bind mount it to the container? This should then skip the check that causes everyhing to fall over if DNSMASQ_USER is pihole instead of root (needless to say, this experiment should be done with DNSMASQ_USER=root)

@rpthms
Copy link

rpthms commented Jan 4, 2022

@PromoFaux I'm assuming this is because Docker is not adding the CAP_SETFCAP capabiliity (required to use setcap) in some instances. I haven't tested it out yet but adding the SETFCAP capability to the docker-compose file might fix things.

@imro2
Copy link
Author

imro2 commented Jan 4, 2022

@rpthms

I haven't tested it out yet but adding the SETFCAP capability to the docker-compose file might fix things.

does not seem to work for me

@grmbl99
Copy link

grmbl99 commented Jan 4, 2022

@rpthms

I haven't tested it out yet but adding the SETFCAP capability to the docker-compose file might fix things.

does not seem to work for me

same here.

@Vandroiy78
Copy link

Please, I'm a bit newbie with pi-hole How did you the fallback to previous version?

First you need to stop the currently running pihole container (if you have the same problem, it is probably stopped anyway, hehe). Then you need to go to 'Registry' and search for pihole. You need to re-download the image again. After double clicking it be sure not to select the 'latest' version but 2022.02.1. After having downloaded the image you need to set it up just like you did before. Since 2022.04 did not start at all, you probably can re-use the existing config file. Since you downloaded a specific version, watchtower will not run updates on this one. As soon as the bug has been fixed, you can revert to the 'latest' version (this is why I would not necessarily delete it)

@raboschca
Copy link

Please, I'm a bit newbie with pi-hole How did you the fallback to previous version?

First you need to stop the currently running pihole container (if you have the same problem, it is probably stopped anyway, hehe). Then you need to go to 'Registry' and search for pihole. You need to re-download the image again. After double clicking it be sure not to select the 'latest' version but 2022.02.1. After having downloaded the image you need to set it up just like you did before. Since 2022.04 did not start at all, you probably can re-use the existing config file. Since you downloaded a specific version, watchtower will not run updates on this one. As soon as the bug has been fixed, you can revert to the 'latest' version (this is why I would not necessarily delete it)

I did it and it's working again with same config!

Thanks a lot!

I suspected it was that way, but you know the first time you find that kind of issue you're pretty scared to broke something... and I already stopped Watchtower, I think I prefer to update it by myself after read the changes list.

Last issue with the pihole/root user was a signal, this one the second, I will not let a third one ;-)

@brianbautista
Copy link

Same deal here with me. Watchtower pulled in the latest and it kept failing to start the container.

If using Portainer, simply edit the container and change the image to the following below and redeploy the container. Back to business :)
Screen Shot 2022-04-04 at 10 24 08 AM

@PromoFaux
Copy link
Member

Watchtower pulled in the latest and it kept failing to start the container.

Please review the notes here: https://github.com/pi-hole/docker-pi-hole/releases/tag/2021.09

Personally I wouldn't touch watchtower with a barge pole (for Pi-hole, anyway)

@Vandroiy78
Copy link

Please review the notes here: https://github.com/pi-hole/docker-pi-hole/releases/tag/2021.09

Thank you for this hint. While I completely understand the reasons for rather manually updating, watchtower really saves time in case you run a bunch of containers. Well, not in this case, hehe. I am using the —run-once option with watchtower so I can see right away when there is a problem.

In my case removing the pihole container incl. all config files and reinstalling from scratch did not help. Is it just me?

@annaparker
Copy link

Back to 2022.02.1. Works.

@loral
Copy link

loral commented Apr 11, 2022

Please review the notes here: https://github.com/pi-hole/docker-pi-hole/releases/tag/2021.09

Thank you for this hint. While I completely understand the reasons for rather manually updating, watchtower really saves time in case you run a bunch of containers. Well, not in this case, hehe. I am using the —run-once option with watchtower so I can see right away when there is a problem.

In my case removing the pihole container incl. all config files and reinstalling from scratch did not help. Is it just me?

Not just you. No matter what I try I'm still having issues with 2022.4.. as well.

  • WARNING: Unable to set capabilities for pihole-FTL.
  • Please ensure that the container has the required capabilities.

@imro2
Copy link
Author

imro2 commented Apr 11, 2022

You can exclude specific containers from being updated by watchtower by adding a label

LABEL com.centurylinklabs.watchtower.enable="false"

Container selection

I am running DSM 7.0 and both 2022.04.2beta and 2022.04.2 work without an issue for me. I am going to exclude pi-hole from watchtower, because although my router fails back to a public DNS when pi-hole isn't available, some Linux service like Docker itself, will not wait long enough for DNS resolution and just plain fail.

@Spartanaco
Copy link

Just wanted to throw some info out there in case it helps anyone.

I am running pihole on an Unraid system in Docker and couldn't get it to boot because of the same fix_capabilities bash function check, even though I added all required capabilities via --cap-add additional parameters.

Turns out if you leave the privileged flag on or pass in --privileged it will cause the startup script to error out on fix_capabilities because the capsh commands checking for the capabilities do not return the correct "Current:" capabilities - I'm not sure why it doesn't return the explicit capabilities when privileged mode is enabled, but this breaks the fix_capabilities check on the recent 2022.04.2 release, so be sure to disable "privileged" mode.

I also updated all of my volume mount permissions to change ownership to pihole (UID=999 GID=999) and ensured that the "DNSMASQ_USER" env var is not set to "root" and it's working fine for me now since it defaults to pihole.

Maybe an update to the README.md to clarify not to use --privileged mode would help with recent releases?

Cheers!

@loral
Copy link

loral commented Apr 12, 2022

Just wanted to throw some info out there in case it helps anyone.

I am running pihole on an Unraid system in Docker and couldn't get it to boot because of the same fix_capabilities bash function check, even though I added all required capabilities via --cap-add additional parameters.

Turns out if you leave the privileged flag on or pass in --privileged it will cause the startup script to error out on fix_capabilities because the capsh commands checking for the capabilities do not return the correct "Current:" capabilities - I'm not sure why it doesn't return the explicit capabilities when privileged mode is enabled, but this breaks the fix_capabilities check on the recent 2022.04.2 release, so be sure to disable "privileged" mode.

I also updated all of my volume mount permissions to change ownership to pihole (UID=999 GID=999) and ensured that the "DNSMASQ_USER" env var is not set to "root" and it's working fine for me now since it defaults to pihole.

Maybe an update to the README.md to clarify not to use --privileged mode would help with recent releases?

Cheers!

I thought in my several attempts to recreate the container that I had removed the privileged flag but I must not have. Tried again making sure it was off and it started up just fine with release 2022.04.2. Thanks for the info.

@PromoFaux
Copy link
Member

Maybe an update to the README.md

Consider it updated https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#upgrade-notes

@chenks
Copy link

chenks commented Apr 13, 2022

hi, is there a fix for this yet?
i just updated my docker container image to "latest" on my synology NAS, and now i'm stuck in a restart loop with

13/04/2022 10:15    stdout             Please ensure that the container has the required capabilities.
13/04/2022 10:15    stdout    WARNING: Unable to set capabilities for pihole-FTL.

showing in the logs

i then stopped the container, pulled an older image from the registry, reset the container and restarted and it still got stuck in a restart loop

should note that i already have DNSMASQ_USER=root in my config.

@chenks
Copy link

chenks commented Apr 13, 2022

apparently the fix is, and i have confirmed this fixed it for me, is to untick "Execute container using high privilige" in the container settings.

How on earth is it possible that reducing the set of capabilites can be the solution?
has pihole implemented a check to prevent people from exposing more capabilities than required?

@Vandroiy78
Copy link

Thank you very much, removing that checkbox did the trick also for me. :-)

@dschaper
Copy link
Member

"High Privilege" is Synology's way of saying to run the docker image as privileged. https://phoenixnap.com/kb/docker-privileged

This mode does not include all of the linux system capabilities that are required for running Pi-hole in certain configurations. That mode also ignores and cap-add capabilities included on the command line.

Bottom line is that Pi-hole can now run in a non-root container and be in line with the new Docker security standards.

@chenks
Copy link

chenks commented Apr 16, 2022

"High Privilege" is Synology's way of saying to run the docker image as privileged. https://phoenixnap.com/kb/docker-privileged

This mode does not include all of the linux system capabilities that are required for running Pi-hole in certain configurations. That mode also ignores and cap-add capabilities included on the command line.

Bottom line is that Pi-hole can now run in a non-root container and be in line with the new Docker security standards.

yeah but it would have been nice to get a heads up that having that ticked (which i believe was required originally) now causes the container to get stuck in a restart loop.

does this also mean that DNSMSQ_USER : root is now also not required?

@Vandroiy78
Copy link

does this also mean that DNSMSQ_USER : root is now also not required?

for me it works without setting it to root, yes.

@yebo29
Copy link

yebo29 commented Apr 18, 2022

I left it that variable as root and unticked the "Execute container using high privilige" setting and it worked for me.
This started when watchtower auto-updated the container. I agree, a warning of sorts or even a descriptive log entry would have been nice. But I guess I should have also read the release notes.

@rdwebdesign
Copy link
Member

rdwebdesign commented Apr 18, 2022

This started when watchtower auto-updated the container.

This is not recommended:
https://github.com/pi-hole/docker-pi-hole/blob/master/README.md#upgrade-notes
https://github.com/pi-hole/docker-pi-hole/#note-on-watchtower

@yebo29
Copy link

yebo29 commented Apr 19, 2022

I came here to post that exact thing after sitting back down to read some more. Thanks; I should have been more diligent.

@xMdb
Copy link

xMdb commented May 2, 2022

apparently the fix is, and i have confirmed this fixed it for me, is to untick "Execute container using high privilige" in the container settings.

How on earth is it possible that reducing the set of capabilites can be the solution? has pihole implemented a check to prevent people from exposing more capabilities than required?

Oh wow, thanks! This worked for me too. I am using Ansible to provision my Docker containers and I had privileged: yes added. Removing it solved my issue. :)

@JohnDoeIsKIng
Copy link

JohnDoeIsKIng commented May 2, 2022

Dear ladies and gents,

I'd like to participate in this thread as I'm also having problems to get pihole on DSM7 inside portainer on docker to work.
These are the logs as user pihole:

[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root.
       If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root.
       If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root.
       If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root.
       If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
ERROR: Unable to set capabilities for pihole-FTL. Cannot run as non-root.
       If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'
[cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.```

Since there are massive problems to change environment vars on an existing container on DSM, I started from scratch with env var DNSMASQ_USER root. These are the logs:

```[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Assigning random password: K-4SbsRH

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [i] Installing /etc/dnsmasq.d/01-pihole.conf...
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [i] Installing /etc/.pihole/advanced/06-rfc6761.conf...
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Creating empty /etc/pihole/setupVars.conf file.
Setting DNS servers based on PIHOLE_DNS_ variable
  [✓] New password set
DNSMasq binding to default interface: eth0
Added ENV to php:
			"TZ" => "Europe/Berlin",
			"PIHOLE_DOCKER_TAG" => "2022.04.3",
			"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
			"ServerIP" => "0.0.0.0",
			"CORS_HOSTS" => "",
			"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: setup_blocklists now setting default blocklists up: 
::: TIP: Use a docker volume for /etc/pihole/adlists.list if you want to customize for first boot
::: Blocklists (/etc/pihole/adlists.list) now set to:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
  [i] Enabling logging...

  [✓] Logging has been enabled!
 ::: Docker start setup complete
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
  Pi-hole version is v5.10 (Latest: ERROR)
  AdminLTE version is v5.12 (Latest: ERROR)
  FTL version is v5.15 (Latest: ERROR)
  Container tag is: 2022.04.3
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting pihole-FTL (no-daemon) as root
Starting lighttpd
Starting crond
[services.d] done.```

Neither I can reach the web-gui nor does the pihole-IP seem to be registered on my LAN-DNS. Any hints are most appreciated.
Please ask if I can deliver some further infos.
Regards

JD.

@SethG911
Copy link

SethG911 commented May 3, 2022

All I had to do was add PGID=101 and PUID=1026 to the env variables in order to give the container the right file permissions. They are likely going to be different for you , but here's how to find them: https://mariushosting.com/synology-how-to-find-uid-userid-and-gid-groupid/

@pralor-bot
Copy link

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/pihole-wont-start-after-docker-pull/55459/12

@pralor-bot
Copy link

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/domain-on-blocklist-didnt-increase/56742/5

@pralor-bot
Copy link

This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:

https://discourse.pi-hole.net/t/setupvars-error-in-webinterface/58913/9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests