pihole-FTL: Operation not permitted

Good morning,

watchtower did its job tonight and found an update for pihole:latest and updated it.
After that, the container no longer started. According to the log, there is probably a problem with pihole-FTL: /opt/pihole/updatecheck.sh: line 77: /usr/bin/pihole-FTL: Operation not permitted

Changing the image back to pihole-2022.02.1 solved the problem (volumes are the same).
I can't come up with my mistake right now, can someone give me a hint?

And: the PIHOLE_DOCKER_TAG is set to nightly (but the image is the latest).

Cheers, Tobias

The entire log can be found here:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying... 
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing... 
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing... 
 ::: Starting docker specific checks & setup for docker pihole/pihole

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [i] Installing /etc/dnsmasq.d/01-pihole.conf...
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [i] Installing /etc/.pihole/advanced/06-rfc6761.conf...
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
/opt/pihole/updatecheck.sh: line 77: /usr/bin/pihole-FTL: Operation not permitted
/opt/pihole/updatecheck.sh: line 91: /usr/bin/pihole-FTL: Operation not permitted
Existing DNS servers detected in setupVars.conf. Leaving them alone
::: Pre existing WEBPASSWORD found
DNSMasq binding to default interface: eth0
Added ENV to php:
			"TZ" => "Europe/Berlin",
			"PIHOLE_DOCKER_TAG" => "nightly",
			"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
			"ServerIP" => "192.168.42.4",
			"CORS_HOSTS" => "",
			"VIRTUAL_HOST" => "192.168.42.4",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
  [i] Enabling logging...

  [✓] Logging has been enabled!
 ::: Docker start setup complete
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
  Pi-hole version is v5.9.1 (Latest: v5.9.1)
  AdminLTE version is v5.11 (Latest: v5.11)
/opt/pihole/version.sh: line 23: /usr/bin/pihole-FTL: Operation not permitted
/opt/pihole/version.sh: line 127: /usr/bin/pihole-FTL: Operation not permitted
  Latest FTL version is v5.14
  Container tag is: nightly
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting crond
Starting lighttpd
Starting pihole-FTL (no-daemon) as pihole
[services.d] done.
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found

In fixing a security issue, one of Docker's latest updates changed the way permissions were grantable to containers, see After an update to 20.10.14 containers no longer get NET_ADMIN capability · Issue #43420 · moby/moby · GitHub.
You are likely observing the effect of that Docker issue on your Pi-hole container.

We are working on a fix to realign Pi-hole's image with those Docker changes, see PiHole Broken after docker update to 20.10.14 · pi-hole/docker-pi-hole · Discussion #1021 · GitHub.

As a workaround, you may try to set your Pi-hole container's DNSMASQ_USER environment variable to root. Or, if you were willing to experiment and maybe support fixing the issue, you could try the dev image.

A side note on unattended updates on Pi-hole:
You probably should consider switching Watchtower from updating to notifying you about Pi-hole changes.

DNS is a critical service for any network. Running unattended Pi-hole updates would preclude you from necessary precautions when switching releases (e.g. backups) and may potentially impair DNS resolution in a time when you are not around to address the issue immediately.

We'd recommend attentively reading the release notes and then deciding on how and when to update.


Ok, the first learning is: no debugging before the first coffee.

I completely overlooked looking at Github, I apologize.

I am aware of the criticality of DNS, which is why the Docker-Pihole is not the only DNS server in this household. I currently still play around a lot on Docker and get to know the environment, just to learn.

I will follow your links, but first -> coffee!

I ran into the same issue: Watchtower upgraded pihole, and pihole no longer runs.
However, I changed DNSMASQ_USER=root some time ago, and maybe that is why I see slightly different errors:

/opt/pihole/version.sh: line 23: /usr/bin/pihole-FTL: Operation not permitted
/opt/pihole/version.sh: line 127: /usr/bin/pihole-FTL: Operation not permitted
  Invalid Option! Try 'pihole -v --help' for more information.

I will take your advice and turn off unattended updates of my DNS service. But that will not fix the problem I am in right now. Any suggestion how to get out of this?

Hot off the press!


So I changed my docker run command from

docker run ... -e DNSMASQ_USER=root pihole:pihole

to

docker run ... -e DNSMASQ_USER=root --label=com.centurylinklabs.watchtower.monitor-only=true pihole:pihole:2022.02.1

With that I have it running again. My point why this problem is not solved entirely is now: When/how would I go for updates? Which updated version to pick? Since pihole development needs to continue and push changes, this problem can likely not be solved in the pihole project.

Ah, ok. I just saw the info about the new release. Will try it later today...

The new image is not working for me (without NET_ADMIN)

docker run ... -e DNSMASQ_USER=root --label=com.centurylinklabs.watchtower.monitor-only=true pihole:pihole:2022.04.1

Seems to work for me also. Thanks for the quick reaction, guys!


Can I ask what hardware you are running on? Also what does your run command/compose file look like?

A post was split to a new topic: New docker version does not solve pihole flush

Wah!
Setting DNSMASQ_USER to pihole instead of pinhole (damn you, autocorrect on MacOS!) works.

Thank you and cheers

hahaha, excellent news. Just FYI, DNSMASQ_USER defaults to pihole, so you can safely remove that env var if you like.


With that I have it running again. My point why this problem is not solved entirely is now: When/how would I go for updates? Which updated version to pick? Since pihole development needs to continue and push changes, this problem can likely not be solved in the pihole project.

I believe the problem could be resolved by improving Watchtower. A lot of users should be able to enjoy the benefit then. Hence I raised

I cannot emphasise this enough:

If a Pi-hole release were to make changes to data structures that are meant to survive container restarts, and your Docker Pi-hole has been configured accordingly, it may not be possible to return to a last known good configuration by simply using the previous image in case of a failed update.
If you intend to automate this, you'd have to think about and put in place an automated backup and restore strategy for that data as well.
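As an added example (not code from this thread or from the Pi-hole project), the following POSIX shell script puts the advice from the thread into one guarded update step: it pins the image tag and keeps the Watchtower monitor-only label, backs up the persisted data before switching images, checks the new container's log for the capability failures quoted above ("Unable to set inheritable capabilities", "pihole-FTL: Operation not permitted"), and rolls back to the previous tag together with the data backup if the check fails. The container name pihole, the bind-mount directories ./etc-pihole and ./etc-dnsmasq.d, and the RUN_OPTS and SETTLE_SECONDS variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Pi-hole project code. Assumed layout (constructed for
# this example): container "pihole", data in ./etc-pihole and ./etc-dnsmasq.d,
# started by a `docker run` line like the ones quoted in the thread with the
# port/env/volume options passed through RUN_OPTS.
set -u

CONTAINER="${CONTAINER:-pihole}"
IMAGE="${IMAGE:-pihole/pihole}"
DATA_DIRS="${DATA_DIRS:-./etc-pihole ./etc-dnsmasq.d}"
BACKUP_ROOT="${BACKUP_ROOT:-./pihole-backups}"

# Read container log text from stdin; return 0 if it carries one of the
# failure signatures seen in this thread, 1 otherwise.
log_shows_capability_failure() {
    grep -Eq 'Unable to set (inheritable )?capabilities|pihole-FTL: Operation not permitted'
}

# Archive the persisted data directories and print the archive path, so a
# failed update can be undone for the data as well as for the image.
backup_pihole_data() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_ROOT"
    archive="$BACKUP_ROOT/pihole-$stamp.tar.gz"
    # shellcheck disable=SC2086  # DATA_DIRS is deliberately word-split
    tar -czf "$archive" $DATA_DIRS
    echo "$archive"
}

restore_pihole_data() {
    tar -xzf "$1"
}

# Tag of the image the running container was started from, e.g. "2022.02.1".
current_tag() {
    docker inspect -f '{{.Config.Image}}' "$CONTAINER" | sed 's/.*://'
}

# Start the container from an explicit tag. The Watchtower monitor-only label
# from the thread stops unattended updates from replacing the pinned tag later.
start_pihole() {
    tag="$1"
    # shellcheck disable=SC2086  # RUN_OPTS is deliberately word-split
    docker run -d --name "$CONTAINER" \
        --label=com.centurylinklabs.watchtower.monitor-only=true \
        ${RUN_OPTS:-} "$IMAGE:$tag" >/dev/null
}

# Return 0 only if the container is running and its log is free of the
# capability failure signatures.
pihole_healthy() {
    [ "$(docker inspect -f '{{.State.Running}}' "$CONTAINER")" = "true" ] || return 1
    if docker logs "$CONTAINER" 2>&1 | log_shows_capability_failure; then
        return 1
    fi
    return 0
}

# Switch to NEW_TAG with a data backup first and an automatic rollback to the
# previous tag (image and data) if the new container does not come up cleanly.
update_with_rollback() {
    new_tag="$1"
    old_tag=$(current_tag)
    archive=$(backup_pihole_data)
    docker pull "$IMAGE:$new_tag" >/dev/null
    docker rm -f "$CONTAINER" >/dev/null
    start_pihole "$new_tag"
    sleep "${SETTLE_SECONDS:-15}"
    if pihole_healthy; then
        echo "updated $CONTAINER to $new_tag (data backup: $archive)"
        return 0
    fi
    echo "update to $new_tag failed, rolling back to $old_tag" >&2
    docker rm -f "$CONTAINER" >/dev/null
    restore_pihole_data "$archive"
    start_pihole "$old_tag"
    return 1
}
```

Usage would be `RUN_OPTS="-p 53:53/tcp -p 53:53/udp -v ./etc-pihole:/etc/pihole -v ./etc-dnsmasq.d:/etc/dnsmasq.d" sh -c '. ./pihole-update.sh; update_with_rollback 2022.04.1'` after reading the release notes for the chosen tag. The health check only looks for the failure signatures from this thread; a DNS lookup against the container's address would be the natural next check to add once the container is up.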

I've run into the same issue as well; however, [2022.04.2] has not fixed it for me. I tried the DNSMASQ_USER variable, privileged: true, and also cap_add: ALL. Nothing seems to do it.

 ::: Starting docker specific checks & setup for docker pihole/pihole
WARNING: Unable to set capabilities for pihole-FTL.
         Please ensure that the container has the required capabilities.

What hardware do you run your Docker on?
What's your OS version?
And which version of Docker are you running?

I've tried a few docker versions: 17.03.2-ce-1, 20.10.12, 20.10.14 (the ubuntu snap one)

OS is Ubuntu for Raspberry Pi:
5.4.0-1058-raspi #65-Ubuntu SMP PREEMPT Fri Mar 25 12:29:46 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux

The Pi is a Raspberry Pi 4B with 8 GB of RAM.

I've tried various docker images for pihole: 2022.04.02, 2022.04.01 and lastly dev

Good news: I appear to have progressed past the capabilities errors by removing network_mode: host from my docker compose yaml file.

Bad news: Now I can't seem to have the pihole container call the unbound container for upstream dns.