After a bit more investigation, it was found the user pihole does not have enough privileges to start FTL.
The command:
setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN+eip /usr/bin/pihole-FTL
Gave an error:
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Invalid argument)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
It may be because it's within a LXC container, but changing the /etc/init.d/pihole-FTL file from
su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER"
to
/usr/bin/pihole-FTL
looks to have resolved it.
Is there a fallback to using the setcap command for containers that could be setup? I know it was designed for Pi's, but many of us are running this on normal servers since it's so good.