Watchtower did its job tonight: it found an update for pihole:latest and updated it.
After that, the container no longer started. According to the log, there is probably a problem with pihole-FTL: /opt/pihole/updatecheck.sh: line 77: /usr/bin/pihole-FTL: Operation not permitted
Changing the image back to pihole-2022.02.1 solved the problem (volumes are the same).
I can't figure out my mistake right now; can someone give me a hint?
And: the PIHOLE_DOCKER_TAG is set to nightly (but the image is the latest).
Cheers, Tobias
The entire log can be found here:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing...
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[i] Installing /etc/dnsmasq.d/01-pihole.conf...
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[i] Installing /etc/.pihole/advanced/06-rfc6761.conf...
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
/opt/pihole/updatecheck.sh: line 77: /usr/bin/pihole-FTL: Operation not permitted
/opt/pihole/updatecheck.sh: line 91: /usr/bin/pihole-FTL: Operation not permitted
Existing DNS servers detected in setupVars.conf. Leaving them alone
::: Pre existing WEBPASSWORD found
DNSMasq binding to default interface: eth0
Added ENV to php:
"TZ" => "Europe/Berlin",
"PIHOLE_DOCKER_TAG" => "nightly",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
"ServerIP" => "192.168.42.4",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "192.168.42.4",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
[i] Enabling logging...
[✓] Logging has been enabled!
::: Docker start setup complete
Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Pi-hole version is v5.9.1 (Latest: v5.9.1)
AdminLTE version is v5.11 (Latest: v5.11)
/opt/pihole/version.sh: line 23: /usr/bin/pihole-FTL: Operation not permitted
/opt/pihole/version.sh: line 127: /usr/bin/pihole-FTL: Operation not permitted
Latest FTL version is v5.14
Container tag is: nightly
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting crond
Starting lighttpd
Starting pihole-FTL (no-daemon) as pihole
[services.d] done.
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
Starting pihole-FTL (no-daemon) as pihole
Unable to set inheritable capabilities: Operation not permitted
Stopping pihole-FTL
pihole-FTL: no process found
As a workaround, you may try to set your Pi-hole container's DNSMASQ_USER environment variable to root. Or, if you were willing to experiment and maybe support fixing the issue, you could try the dev image.
A side note on unattended updates on Pi-hole:
You should probably consider switching Watchtower from updating to notifying you about Pi-hole changes.
DNS is a critical service for any network. Running unattended Pi-hole updates would preclude you from taking necessary precautions when switching releases (e.g. backups) and may potentially impair DNS resolution at a time when you are not around to address the issue immediately.
We'd recommend reading the release notes attentively and then deciding how and when to update.
OK, the first learning is: no debugging before the first coffee.
I completely overlooked looking at GitHub, I apologize.
I am aware of the criticality of DNS, which is why the Docker-Pihole is not the only DNS server in this household. I currently still play around a lot on Docker and get to know the environment, just to learn.
I ran into the same issue: Watchtower upgraded pihole, and pihole no longer runs.
However, I changed DNSMASQ_USER=root some time ago, and maybe that is why I see slightly different errors:
/opt/pihole/version.sh: line 23: /usr/bin/pihole-FTL: Operation not permitted
/opt/pihole/version.sh: line 127: /usr/bin/pihole-FTL: Operation not permitted
Invalid Option! Try 'pihole -v --help' for more information.
I will take your advice and turn off unattended updates of my DNS service. But that will not fix the problem I am in right now. Any suggestion how to get out of this?
docker run ... -e DNSMASQ_USER=root --label=com.centurylinklabs.watchtower.monitor-only=true pihole/pihole:2022.02.1
With that I have it running again. My point why this problem is not solved entirely is now: When/how would I go for updates? Which updated version to pick? Since pihole development needs to continue and push changes, this problem can likely not be solved in the pihole project.
I believe the problem could be resolved by improving Watchtower. A lot of users should be able to enjoy the benefit then. Hence I raised
If a Pi-hole release would make changes to data structures that are meant to survive container restarts, and your Docker Pi-hole has been configured accordingly, it may not be possible to return to a last known good configuration by simply using the previous image in case of a failed update.
If you intend to automate this, you'd have to think about and put in place an automated backup and restore strategy for those data as well.
I've run into the same issue as well; however, [2022.04.2] has not fixed it for me. I tried the DNSMASQ_USER variable, privileged: true, also cap_add: ALL. Nothing seems to do it.
::: Starting docker specific checks & setup for docker pihole/pihole
WARNING: Unable to set capabilities for pihole-FTL.
Please ensure that the container has the required capabilities.
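A diagnostic for the capability errors in the logs above, as an added example that is not part of any post in this thread or of the Pi-hole project: it decodes a capability mask from the `Cap*` lines of `/proc/<pid>/status` and lists which capabilities are absent. The `REQUIRED` list and the function names are assumptions of this example, and the status lines are constructed sample input.

```shell
#!/bin/sh
# Added example: list capabilities missing from a capability mask taken from
# the Cap* lines of /proc/<pid>/status (run inside the container with
# `cap_mask CapBnd /proc/1/status`).

# Assumption of this example; replace with the list your image documents.
REQUIRED="CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_NICE"

# Bit numbers from linux/capability.h.
cap_bit() {
    case "$1" in
        CAP_CHOWN)            echo 0 ;;
        CAP_SETPCAP)          echo 8 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN)        echo 12 ;;
        CAP_NET_RAW)          echo 13 ;;
        CAP_SYS_NICE)         echo 23 ;;
        CAP_SETFCAP)          echo 31 ;;
        *) return 1 ;;
    esac
}

# cap_mask FIELD FILE: print the hex mask of CapInh, CapPrm, CapEff or CapBnd.
cap_mask() { awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"; }

# missing_caps HEXMASK NAME...: print the names whose bit is clear in HEXMASK.
missing_caps() {
    case "$1" in ''|*[!0-9a-fA-F]*) echo "bad mask: '$1'" >&2; return 2 ;; esac
    mask=$((0x$1)); shift; out=""
    for name in "$@"; do
        bit=$(cap_bit "$name") || { echo "unknown capability: $name" >&2; return 2; }
        [ $(( (mask >> bit) & 1 )) -eq 1 ] || out="${out:+$out }$name"
    done
    echo "$out"
}

# Constructed sample; 00000000a80425fb is Docker's default capability set.
sample_status() {
    cat <<'EOF'
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
EOF
}

bnd=$(sample_status | cap_mask CapBnd -)
echo "missing from bounding set: $(missing_caps "$bnd" $REQUIRED)"
```

An empty result means the bounding set already holds every listed capability, so the "Operation not permitted" is not explained by a missing capability.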