Turning on DHCP server, requiring NET_RAW

Hi All,

When turning on the DHCP function, I get a diagnosis of:

	FTL failed to start due to process is missing required capability NET_RAW

I know I could add this in my cap_add, but I'm not quite sure why I require this capability, and if I'd want to?

Github says this:

CAP_NET_RAW: use raw and packet sockets (needed for handling DHCPv6 requests, and verifying that an IP is not in use before leasing it)

I don't think I've enabled any IPv6 unless it's on by default, but all tutorials/guides for DHCP didn't require this cap. Here is my compose file:

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      pihole_network:
        ipv4_address: '192.168.50.20'
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      TZ: 'America/Chicago'
      WEBPASSWORD: '*********'
    # Volumes store your data between container upgrades
    volumes:
      -  /home/svon/podman/pihole/etc-pihole:/etc/pihole
      -  /home/svon/podman/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
networks:
  pihole_network:
    driver: macvlan
    driver_opts:
      parent: enp7s0
    ipam:
      config:
        - subnet: 192.168.50.0/24
          gateway: 192.168.50.1

Am I missing something? Thanks

The relevant part is:

CAP_NET_RAW is needed for sending ICMP pings, which happens during duplicate address detection and applies also to IPv4 addresses.

I guess that cap could be avoided if you configure pihole-FTL/dnsmasq to not ping IPs before assigning them (no-ping), but that would invite potential address conflicts with statically assigned IPs, so it's recommended to leave that on.

EDIT: I'm surprised that you have to manually set this, as the image should already ask for it.
What Docker version do you run?
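Added example, not from this thread or the Pi-hole project: a small POSIX shell helper that decodes the CapEff mask Linux exposes in /proc/<pid>/status and reports whether NET_ADMIN (bit 12) and NET_RAW (bit 13) are in a process's effective capability set. Running it inside the container (against PID 1) shows what the runtime actually granted, which is the first thing to check when FTL reports a missing capability. The bit numbers come from <linux/capability.h>; the function names and the sample masks used below are my own constructed values.

```shell
#!/bin/sh
# Decode a Linux capability mask and report the two caps relevant to
# running the Pi-hole DHCP server. Bit numbers are from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT -> succeeds (exit 0) if BIT is set in HEXMASK.
# HEXMASK is the raw hex string as printed on the CapEff: line, e.g. a80425fb.
has_cap() {
    mask="$1"
    bit="$2"
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff [PID] -> prints the CapEff hex mask of PID (default: this shell).
# Inside a container, PID 1 is the entrypoint, so `cap_eff 1` shows the
# set the runtime gave the container.
cap_eff() {
    pid="${1:-self}"
    awk '/^CapEff:/ { print $2 }' "/proc/$pid/status"
}

# dhcp_cap_report HEXMASK -> prints "ok" when both NET_ADMIN and NET_RAW are
# present, otherwise "missing:<comma-separated names>".
dhcp_cap_report() {
    mask="$1"
    missing=""
    has_cap "$mask" "$CAP_NET_ADMIN" || missing="${missing:+$missing,}NET_ADMIN"
    has_cap "$mask" "$CAP_NET_RAW"   || missing="${missing:+$missing,}NET_RAW"
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Usage (inside the container): sh capcheck.sh --check
# Prints the effective mask of PID 1 and the report for it.
if [ "${1:-}" = "--check" ]; then
    eff="$(cap_eff 1)"
    echo "CapEff of PID 1: $eff"
    dhcp_cap_report "$eff"
fi
```

A mask of a80425fb is the well-known default set for a Docker container (NET_RAW present, NET_ADMIN absent); if the report inside the Pi-hole container says `missing:NET_RAW` even though `cap_add` lists NET_ADMIN, the runtime (here podman) started the container with a smaller default set than the compose file assumes, and adding NET_RAW to `cap_add` is the direct fix.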

Should this get added to the docker-compose example on github, since it has entries in there for DHCP like net-admin if it's a requirement for DHCP to work?

I'm actually using docker compose with podman:

podman version
Client:       Podman Engine
Version:      5.2.2
API Version:  5.2.2
Go Version:   go1.22.9 (Red Hat 1.22.9-2.el9_5)
Built:        Tue Dec 17 16:26:26 2024
OS/Arch:      linux/amd64

Docker Compose version v2.32.1

I don't have to specify CAP_NET_RAW with my Docker installation.

Your observation then is likely related to podman, rather than to a change of permission handling in a recent Docker release.

We don't run any podman installations or tests, yet development hinted that running podman without root privileges may result in podman being unable to grant all the permissions requested by the Pi-hole image.
