PiHole Docker 2022.5 error on Synology DSM7 upon DHCP start

The issue I am facing:
DNSMASQ_CONFIG FTL failed to start due to process is missing required capability NET_ADMIN
Debug Log: https://tricorder.pi-hole.net/YcSg1NsW

Details about my system:
Synology NAS DSM7 up to date
Docker version 20.10.3, build b455053
Docker Tag 2022.05 Pi-hole v5.10 FTL v5.15 Web Interface v5.12

What I have changed since installing Pi-hole:
macvlan for unique IP on network

I have 2 PiHoles in my home
My primary on a RaspberryPi and a secondary/backup in NAS Docker.
The primary uses unbound DNS and is my LAN DHCP.
The NAS uses Cloudflared DNS as configured in GUI.

This morning my Primary was offline so I activated the DHCP on the docker PiHole, but got the error:
FTL failed to start due to process is missing required capability NET_ADMIN

When I disable DHCP the PiHole runs normally again.

I was running 2022.4.2, so grabbed the latest image 2022.5, but I get the same error.

I got my primary back up and running, so I'm back to where I was, but it would be good to have the NAS DHCP working in case I need it active for a while.

Checkout the "cap_add:" bit in the README:

I do believe that's it, but I don't think I can add that through the Docker UI as it isn't an environment entry.

I've looked through the NAS for the docker-compose.yaml to add that in manually, but I've not been able to locate it yet. It's like they've hidden it ... or have it in a database rather than a flat file :thinking:

Almost there ....

I exported the config for the PiHole container and at the top of the pihole.json file I could see:

   "CapAdd" : null,
   "CapDrop" : null,
   "cmd" : "",
   "cpu_priority" : 50,
   "enable_publish_all_ports" : false,
   "enable_restart_policy" : true,
   "enabled" : false,
   "env_variables" : [

So I added NET_ADMIN to CapAdd ("CAPADD" : "NET_ADMIN",) and imported as a new container.
Still didn't work :frowning:

I tried variations of Cap_Add and Cap-Add, but PiHole reeally didn't like that.

Did you try changing the DNSMASQ_USER as mentioned in the Upgrade Notes at the top of the docs linked by deHakkelaar?

Change it to root? It already was :slight_smile:
When standing up a new instance it later I noticed that setting had changed to pihole (comparing to my original config) so I changed it back to root before launching

Got it working.
Limitations of the Synology GUI needed circumventing to get the required cap-add added.
Adding the full ground up solution here in case someone else is in the same spot and is trying to work out the fix with Synology docker.
Running via Docker Run rather than a docker-compose.yml .. just because

NOTE: this assumes you have/want a macvlan network set up for an IP different to the NAS.
Example macvlan name: nameofyourmacvlan
Example PiHole IP:
Example volume path for persistent PiHole data: /volume1/docker/pihole


If you want a unique IP on the LAN separate from your Synology, then you need to set up a macvlan.
This creates virtual NAT using the host hardware and allows us to create containers with unique IP addresses.
We can only create one macvlan per NIC, but once done you can create other containers with custom IPs as long as they use the macvlan as the network.

In the example below I'm defining a single IP to be used by Pihole (the /32 part of the IP address).
If the IP isn't specified then this will be the IP automatically assigned to the container.
To make a larger dhcp pool for the macvlan, check this link for more on subnets

Finally, some (all?) Synology NAS have 2 physical ethernet ports in them. Make sure you pick the one you have connected or prefer, or if you've network bonded them to a single ethernet then change the parent from eth0 to ovs_bond0

docker network create -d macvlan \
--subnet= \
--ip-range= \
--gateway= \
-o parent=eth0 nameofyourmacvlan

You should now see your new personal macvlan network in the Synology Network tab.
Stop your existing PiHole container in Docker and rename it to something like pihole_old.
If there are problems then you can always restart this one.

From the CMD line as root, type:

docker run -d \
--name pihole \
-h pihole \
--net nameofyourmacvlan \
-p 53/tcp \
-p 53/udp \
-p 67/udp \
-p 80/tcp \
--ip \
-e ServerIP= \
-e PIHOLE_DNS_=\; \
-e DNSMASQ_USER=root \
-e IPv6=False \
-e HOSTNAME=pihole \
-e PIHOLE_DOMAIN=mydomain \
-e HOME=/root \
-v /volume1/docker/pihole/pihole:/etc/pihole \
-v /volume1/docker/pihole/dnsmasq.d:/etc/dnsmasq.d \
--cap-add CAP_NET_ADMIN \
--restart=unless-stopped \

Once run the container should show in the Synology Docker.
In the Synology Docker you should also see pihole added to the macvlan network.

Stop the container and change settings as required, memory, CPU Priority, Auto-Start
Start it up and it should be good to go.

If you don't want to create a macvlan and use a custom IP, then remove the following from the above

--net nameofyourmacvlan \
--ip \

and change your port 80 so that it doesn't conflict the Synology.
If you don't do this then you'll get an failure error saying that the container can't be created as port 80 is already in use. This example uses port 81 to connect (e.g. http://pi.hole:81/admin)

-p 81:80/tcp \

Thank you for coming back here and sharing your solution with us. :clap:

For clarity: You are referring to a pure Docker macvlan configuration here, rather than a direct manual configuration of the Linux kernel module, right?
If so, please consider to edit that detail in your solution post.

Also, I took the freedom to include your DSM version in your topic's title, as we've seen some different, possibly version specific behaviour when it comes to running a dockered Pi-hole on Synology's DSM.

And finally, not related to your issue:

Note that *.local FQDNs are reserved for usage by the mDNS protocol , as implemented e.g. by Apple's Bonjour or Linux' avahi, and shouldn't be used with DNS.

I'd recommend switching to another domain name.

Yes. A Docker macvlan.
Edited to show how to create a macvlan as well as what to change if not using one.

Thanks for adding the DSM7 to the title.
It should be the same as other versions.... should, but you never know :smiley:

Changed the domain value to a more self explanatory name as requested.
All of the variables in the example are different to what I'm using here, so was trying to come up with more generic values for the file.

Thanks :pray: :v:

1 Like