Synology DS220+ Docker dnsmasq: cannot access directory /etc/dnsmasq.d: Permission denied

Good evening,

I have a Synology DS220+ and am using Pi-hole through Docker.

It has always worked without problems, however, since the last update it no longer works.
As soon as I start the container, it automatically goes out again.
I have not changed anything in the permissions etc. Watchtower has updated automatically.

Log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 1.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
Assigning random password: 8jaWXs7Q
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[i] Installing /etc/dnsmasq.d/01-pihole.conf...
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[i] Installing /etc/.pihole/advanced/06-rfc6761.conf...
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Existing DNS servers detected in setupVars.conf. Leaving them alone
::: Pre existing WEBPASSWORD found
DNSMasq binding to default interface: eth0
Added ENV to php:

		"PIHOLE_DOCKER_TAG" => "2022.01",
		"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
		"ServerIP" => "0.0.0.0",
		"CORS_HOSTS" => "",
		"VIRTUAL_HOST" => "0.0.0.0",

Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
dnsmasq: cannot access directory /etc/dnsmasq.d: Permission denied
::: Testing pihole-FTL DNS: [cont-init.d] 20-start.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I have stumbled upon the same problem after upgrading to the latest image, running on a Synology DS218+ with Docker.

I tried to comment out the volumes section of the docker compose file, and that made Pi-hole start, but obviously all the custom configs were lost. I did check the owner of /etc/dnsmasq.d and that was the root user.

This is the permission for the etc-dnsmasq.d folder on the host (777 and owned by root):

drwxrwxrwx+ 1 root root     58 Jan 14 13:16 etc-dnsmasq.d

I wonder if it's related to this change: Update embedded dnsmasq by DL6ER · Pull Request #1273 · pi-hole/FTL · GitHub

I reverted to using the 2012.12.1 image version for now.


UPDATE: Solved for me!

I have this exact same issue on a DS920+. Can't seem to be able to fix it myself.
Has been so since the latest update. Container keeps restarting. The logs report:

::: Testing pihole-FTL DNS: sudo: unable to resolve host PiHole: Name or service not known
dnsmasq: cannot access directory /etc/dnsmasq.d: Permission denied

/etc/dnsmasq.d points to a local folder /scripts/pihole/newdnsmasq.d containing:
01-pihole.conf
06-rfc6761.conf

# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
###############################################################################

addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/custom.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

log-async
server=8.8.8.8
server=8.8.4.4
server=213.46.228.196
server=62.179.104.196
domain-needed
expand-hosts
bogus-priv
dnssec
trust-anchor=

local-service

# Pi-hole: A black hole for Internet advertisements
# (c) 2021 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# RFC 6761 config file for Pi-hole
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#             CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE                #
#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
###############################################################################

# RFC 6761: Caching DNS servers SHOULD recognize
#     test, localhost, invalid
# names as special and SHOULD NOT attempt to look up NS records for them, or
# otherwise query authoritative DNS servers in an attempt to resolve these
# names.
server=/test/
server=/localhost/
server=/invalid/

# The same RFC requests something similar for
#     10.in-addr.arpa.      21.172.in-addr.arpa.  27.172.in-addr.arpa.
#     16.172.in-addr.arpa.  22.172.in-addr.arpa.  28.172.in-addr.arpa.
#     17.172.in-addr.arpa.  23.172.in-addr.arpa.  29.172.in-addr.arpa.
#     18.172.in-addr.arpa.  24.172.in-addr.arpa.  30.172.in-addr.arpa.
#     19.172.in-addr.arpa.  25.172.in-addr.arpa.  31.172.in-addr.arpa.
#     20.172.in-addr.arpa.  26.172.in-addr.arpa.  168.192.in-addr.arpa.
# Pi-hole implements this via the dnsmasq option "bogus-priv" (see
# 01-pihole.conf) because this also covers IPv6.

# OpenWRT furthermore blocks    bind, local, onion    domains
# see https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/network/services/dnsmasq/files/rfc6761.conf;hb=HEAD
# and https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
# We do not include the ".local" rule ourselves, see https://github.com/pi-hole/pi-hole/pull/4282#discussion_r689112972
server=/bind/
server=/onion/

Not sure if this info has added value, but just to be complete

UPDATE: Simple chmod -R 777 /scripts/pihole/newdnsmasq.d did the job!

Thanks for this, was able to fix a non-Synology system.
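
The chmod -R 777 fix reported above leaves the dnsmasq config directory writable by every local user on the host. As an added example (not part of the thread; function names are hypothetical), this script tightens such a bind-mount source to 755 for directories and 644 for files and checks the result. It assumes the failure was an unprivileged process in the container lacking read and traverse rights, and it inspects mode bits only, not ACLs such as the "+" in the directory listing above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Octal permission bits of a path, e.g. 755 (GNU stat, as on Linux hosts).
mode_of() {
    stat -c '%a' "$1"
}

# Succeeds if "other" users may list and enter the directory (r-x),
# which an unprivileged process in the container needs to read configs.
others_can_read_dir() {
    m=$(mode_of "$1") || return 2
    o=${m#"${m%?}"}              # last octal digit = "other" bits
    [ $((o & 5)) -eq 5 ]
}

# Directories 755, files 644: world-readable, writable by the owner only.
tighten_conf_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Paths under the directory that any local user could modify.
world_writable() {
    find "$1" ! -type l -perm -0002
}

# Demo on a constructed directory that mimics the state after chmod -R 777.
demo() {
    d=$(mktemp -d) || return 1
    printf 'server=/test/\n' > "$d/06-rfc6761.conf"
    chmod -R 777 "$d"
    echo "before: $(world_writable "$d" | wc -l) world-writable paths"
    tighten_conf_dir "$d"
    echo "after:  dir=$(mode_of "$d") file=$(mode_of "$d/06-rfc6761.conf")"
    others_can_read_dir "$d" && echo "still readable by other users"
    rm -rf "$d"
}
demo
```

To use it on a real host, call tighten_conf_dir with the host folder that is mounted at /etc/dnsmasq.d, then restart the container and check the log for the dnsmasq error.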