Failed to bind DHCP server socket: Permission denied

dolejskad · March 25, 2022, 9:07am

I am running PiHole in docker using:

version: "3.7"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: host
      - TZ=Europe/Prague
    volumes:
      - ./data/pihole:/etc/pihole
      - ./data/dnsmasq.d:/etc/dnsmasq.d
      - ./data/dhcpd.conf:/etc/dhcpd.conf
      - ./scripts/lighttpd-change_port.sh:/etc/cont-init.d/30-lighttpd-change_port.sh
      - ./config/lighttpd.conf:/etc/lighttpd/external.conf
    cap_add:
      - NET_BIND_SERVICE
      - NET_RAW
      - NET_ADMIN
    restart: unless-stopped

PiHole was working until today. I have no idea what happened, I think the server restarted with some update and since then, PiHole refuses to launch with the failed to bind DHCP server socket: Permission denied error message.

Appreciate all the help, thank you.

Actual Behaviour:

docker-compose logs keeps spamming "no process found" as PiHole fails to launch:

pihole    | [services.d] starting services
pihole    | Starting crond
pihole    | Starting pihole-FTL (no-daemon) as pihole
pihole    | Starting lighttpd
pihole    | [services.d] done.
pihole    | Stopping pihole-FTL
pihole    | Starting pihole-FTL (no-daemon) as pihole
pihole    | Stopping pihole-FTL
pihole    | pihole-FTL: no process found
pihole    | Starting pihole-FTL (no-daemon) as pihole
pihole    | Stopping pihole-FTL
pihole    | pihole-FTL: no process found

pihole-FTL.conf contains the following message:

[2022-03-25 10:01:04.822 11940M] Successfully accessed setupVars.conf
[2022-03-25 10:01:04.822 11940M] FATAL ERROR in dnsmasq core: failed to bind DHCP server socket: Permission denied
[2022-03-25 10:01:04.824 11940M] ########## FTL terminated after 40ms  (code 1)! ##########

$ cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream

Debug Token:

https://tricorder.pi-hole.net/s5cFKaMq/

Bucking_Horn · March 25, 2022, 11:46am

Your Pi-hole is configured for eth0, while your host seems to be using enp2s0:

*** [ DIAGNOSING ]: Setup variables
    PIHOLE_INTERFACE=eth0

This can normally ignored as long as you don't restrict Pi-hole's Interface listening behaviour to eth0 (which you correctly don't, according to your debug log).

In your case, your docker-compose is also missing the FTLCONF_REPLY_ADDR4 address, which should be set to your Docker host's private range LAN IP address.
This substitutes the older ServerIP setting, and is slightly buggy in the current image if not set.

dolejskad:

      - ./data/dhcpd.conf:/etc/dhcpd.conf
      - ./scripts/lighttpd-change_port.sh:/etc/cont-init.d/30-lighttpd-change_port.sh
      - ./config/lighttpd.conf:/etc/lighttpd/external.conf

Likely not related to your issue, but assuming you are using the latter two lines to switch Pi-hole's web server to a different port, I'd like to suggest it may be easier to just set your Pi-hole container's respective environment variable instead, unless you have to rely on one of Pi-hole's legacy blocking modes (which may be removed in a future release).

To address all above issues, please set the following Recommended and Advanced Environment variables for your Pi-hole container:
FTLCONF_REPLY_ADDR4 and
INTERFACE
WEB_PORT

And just to be curious:
Why do you mount /etc/dhcpd.conf?
I'm not sure that would even exist in a Pi-hole image.

dolejskad · March 25, 2022, 12:24pm

I'm unable to set PIHOLE_INTERFACE to a custom value because it keeps being reset to the eth0 after the container is restarted. This also happens when trying to configure REPLY_ADDR4 (which is being reset to 0.0.0.0.

I was able to inject it but it doesn't seem to help: https://tricorder.pi-hole.net/mz261FzM/

Thank you for the tips about web port, I either missed it or it was added after I configured the service.

Bucking_Horn · March 25, 2022, 12:55pm

Neither of those exist as an environment variable for a Pi-hole container.
Please use the names as I've provided them, and consider following the links to our Docker documentation I've provided above.

dolejskad · March 25, 2022, 1:21pm

I meant variables in setupVars.conf and pihole-FTL.conf files. Now I realise you have meant variables in the Docker environment, sorry. However, I have updated those to match what you have provided, yet it still refuses to launch.

version: "3.7"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: host
    environment:
      - TZ=Europe/Prague
      - FTLCONF_REPLY_ADDR4=172.20.1.1
      - INTERFACE=enp2s0
      - WEB_PORT=10100
    volumes:
      - ./data/pihole:/etc/pihole
      - ./data/dnsmasq.d:/etc/dnsmasq.d
      - ./config/lighttpd.conf:/etc/lighttpd/external.conf
    cap_add:
      - NET_BIND_SERVICE
      - NET_RAW
      - NET_ADMIN
    restart: unless-stopped

$ docker exec -it pihole env
PATH=/opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=server.dev.lan
TERM=xterm
TZ=Europe/Prague
FTLCONF_REPLY_ADDR4=172.20.1.1
INTERFACE=enp2s0
WEB_PORT=10100
phpver=php
PIHOLE_DOCKER_TAG=2022.02.1
S6_OVERLAY_VERSION=v2.1.0.2
PIHOLE_INSTALL=/etc/.pihole/automated install/basic-install.sh
PHP_ENV_CONFIG=/etc/lighttpd/conf-enabled/15-fastcgi-php.conf
PHP_ERROR_LOG=/var/log/lighttpd/error.log
IPv6=True
S6_LOGGING=0
S6_KEEP_ENV=1
S6_BEHAVIOUR_IF_STAGE2_FAILS=2
ServerIP=0.0.0.0
FTL_CMD=no-daemon
DNSMASQ_USER=pihole
HOME=/root

https://tricorder.pi-hole.net/cTrKyaj7/

john2you · March 25, 2022, 2:09pm

I'm having seemingly the same problem, running docker pi-hole. This morning I updated (apt update && apt full-upgrade -y --auto-remove) my Pi4 (buster) which I noted updated docker (Docker version 20.10.14, build a224086), after a reboot the pi-hole status reports 'DNS service not running' on the PI-Hole diagnosis page 'FTL failed to start due to failed to bind DHCP server socket: Permission denied' - apart from the update I ran this morning I hadn't changed anything else, my pi-hole in this configuration had been running happerly for over a year. Any help would be much appricated.

DanSchaper · March 25, 2022, 4:06pm

If you apt updated then you have the newest docker version that has a major change in it that affects a number of images, including ours.

Can you run docker info and post the version you are seeing? If it is 20.10.14 then you have the affected version. Discussion is at PiHole Broken after docker update to 20.10.14 · pi-hole/docker-pi-hole · Discussion #1021 · GitHub

If you could try with the pihole/pihole:dev image and see if that is working for you please?

john2you · March 25, 2022, 4:08pm

Thanks Dan, will check out the link.

john2you · March 25, 2022, 4:22pm

BTW setting the env var DNSMASQ_USER to root workaround got my Pi-hole running again.

system · April 15, 2022, 4:23pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.