Pihole update causing container restart

NAS: DS1019+ DSM6
Updated my pihole container this morning via the method I always use:

pull down the latest image from the registry
stop the container
reset the container
start the container

The container is now stuck in a restart loop.

In the logs I see this:

Code:
13/04/2022 10:15    stdout     ::: Starting docker specific checks & setup for docker pihole/pihole
13/04/2022 10:15    stdout    [cont-init.d] 20-start.sh: executing...
13/04/2022 10:15    stdout    [cont-init.d] 05-changer-uid-gid.sh: exited 0.
13/04/2022 10:15    stdout    [cont-init.d] 05-changer-uid-gid.sh: executing...
13/04/2022 10:15    stdout    [cont-init.d] executing container initialization scripts...
13/04/2022 10:15    stdout    [fix-attrs.d] done.
13/04/2022 10:15    stdout    [fix-attrs.d] 01-resolver-resolv: exited 0.
13/04/2022 10:15    stdout    [fix-attrs.d] 01-resolver-resolv: applying...
13/04/2022 10:15    stdout    [fix-attrs.d] applying ownership & permissions fixes...
13/04/2022 10:15    stdout    [s6-init] ensuring user provided files have correct perms...exited 0.
13/04/2022 10:15    stdout    [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
13/04/2022 10:15    stdout    [s6-finish] sending all processes the KILL signal and exiting.
13/04/2022 10:15    stdout    [s6-finish] waiting for services.
13/04/2022 10:15    stdout    [cont-finish.d] done.
13/04/2022 10:15    stdout    [cont-finish.d] executing container finish scripts...
13/04/2022 10:15    stdout    [cont-init.d] 20-start.sh: exited 1.
13/04/2022 10:15    stdout             Please ensure that the container has the required capabilities.
13/04/2022 10:15    stdout    WARNING: Unable to set capabilities for pihole-FTL.
13/04/2022 10:15    stdout     ::: Starting docker specific checks & setup for docker pihole/pihole
13/04/2022 10:15    stdout    [cont-init.d] 20-start.sh: executing...
13/04/2022 10:15    stdout    [cont-init.d] 05-changer-uid-gid.sh: exited 0.
13/04/2022 10:15    stdout    [cont-init.d] 05-changer-uid-gid.sh: executing...
13/04/2022 10:15    stdout    [cont-init.d] executing container initialization scripts...
13/04/2022 10:15    stdout    [fix-attrs.d] done.
13/04/2022 10:15    stdout    [fix-attrs.d] 01-resolver-resolv: exited 0.
13/04/2022 10:15    stdout    [fix-attrs.d] 01-resolver-resolv: applying...
13/04/2022 10:15    stdout    [fix-attrs.d] applying ownership & permissions fixes...
13/04/2022 10:15    stdout    [s6-init] ensuring user provided files have correct perms...exited 0.
13/04/2022 10:15    stdout    [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
13/04/2022 10:15    stdout    [s6-finish] sending all processes the TERM signal.
13/04/2022 10:15    stdout    [s6-finish] sending all processes the KILL signal and exiting.

Any ideas what's gone wrong and how to resolve it?
 
Someone in the German syno forum had the same problem. According to the user, it worked after unchecking the "Execute container using high privilege" box. Honestly: I can't believe this was the solution (according to him)... as if Pihole would stop working because of too many capabilities - seems esoteric to me, but you never know.

Additionally a couple of environment variables changed:
[screenshot: environment variable changes from version 5.8.1 (left) to the current image (right)]

This is a screenshot I made and posted in the German syno forum, indicating changes from version 5.8.1 (left) to the current image (right). If unchecking privileged execution didn't help, try modifying your environment variables.
 
According to the user, it worked after unchecking the "Execute container using high privilege" box. Honestly: I can't believe this was the solution (according to him)... as if Pihole would stop working because of too many capabilities - seems esoteric to me, but you never know.

Yes, this has fixed the issue.
How strange!

I have had
Code:
DNSMASQ_USER = root
for quite some time
 
This hurts my mind and kind of confuses me... How on earth is it possible that reducing the set of capabilities can be the solution?! Except if pihole indeed implemented a check to prevent people from exposing more capabilities than required.
 
This hurts my mind and kind of confuses me... How on earth is it possible that reducing the set of capabilities can be the solution?! Except if pihole indeed implemented a check to prevent people from exposing more capabilities than required.
Maybe a DSM7 hardening that doesn't play well with --privileged containers is now "compliant" with the more restricted behavior.
 
Docker and portainer/docker are working normally for me. I'm on DSM 7.x on my production NAS and 7.1 Beta on my backup. The only hiccup I have experienced lately with Pi-hole containers is container recreation intermittently failing via Portainer.
 
This is likely the issue... DSM7 broke many “privileged” containers. The workaround has been to enable NET_ADMIN.

As I mentioned though, I'm not using DSM7.

However, over in the pi-hole GitHub this is the reason for the change (see quote below).
I mentioned to them it would have been nice to get a heads-up that a setting that was required originally would now cause a restart loop.

"High Privilege" is Synology's way of saying to run the docker image as privileged. Docker Privileged: Should You Run Privileged Docker Containers?

This mode does not include all of the linux system capabilities that are required for running Pi-hole in certain configurations. That mode also ignores any cap-add capabilities included on the command line.

Bottom line is that Pi-hole can now run in a non-root container and be in line with the new Docker security standards.
 
This indeed is a breaking change. The whole function fix_capabilities() is responsible for the behavior, as it specifically checks for capabilities and adds additional capabilities.

They check for capabilities in "Current:", which looks like this for an unprivileged container:
Code:
me@dsm:~$ docker run -ti --rm --entrypoint bash pihole/pihole -c 'capsh --print | grep Current:'
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=eip
and like this for a privileged container:
Code:
me@dsm:~$ docker run -ti --rm --entrypoint bash --privileged pihole/pihole -c 'capsh --print | grep Current:'
Current: =eip

Now the fun part: if run with --privileged, the bounding capabilities are far more than "Current" shows. If they had used "Bounding set" instead, it would have detected all the capabilities it is looking for, and a cap-add would probably have been irrelevant as all capabilities are already available....

unprivileged:
Code:
me@dsm:~$  docker run -ti --rm --entrypoint bash pihole/pihole -c 'capsh --print | grep "Bounding set"'
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
vs. privileged:
Code:
me@dsm:~$ docker run -ti --rm --entrypoint bash --privileged pihole/pihole -c 'capsh --print | grep "Bounding set"'
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read

Sidenote: containers usually do not come with capsh preinstalled.

Though, I really, really, really like that they force people not to use privileged containers - which by design run with the host's capabilities and make it easy to break out of the container.
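The two points made above (a privileged container ignores --cap-add and carries the host's full capability set; and a check that greps capsh's "Current:" line for capability names misreads a privileged container's `Current: =eip`, which in cap_from_text syntax means *every* capability) can be demonstrated without docker. The script below is an added example, not code from this thread or from the Pi-hole project. It parses the capsh lines quoted above with the real cap_from_text grammar, decodes the CapEff/CapBnd hex masks from /proc/<pid>/status (which works in images that ship without capsh), and reports which of a required set is missing. The required set {cap_net_admin} and the two hex mask values are constructed inputs for the demo, not Pi-hole's actual requirement list.

```python
"""Added example (not from the thread or the pihole project): interpret
Linux capability sets correctly, both in the text form capsh prints and in
the raw hex bitmasks of /proc/<pid>/status, so a startup check does not
misread a --privileged container's "Current: =eip" as "no capabilities"
and does not need capsh inside the image."""
import re

# Capability names indexed by kernel bit number (linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
ALL_CAPS = frozenset(CAP_NAMES)

# capsh output as quoted in the thread (unprivileged vs --privileged).
CURRENT_UNPRIV = ("Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,"
                  "cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,"
                  "cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=eip")
CURRENT_PRIV = "Current: =eip"
BOUNDING_UNPRIV = ("Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,"
                   "cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,"
                   "cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap")
# Constructed /proc/<pid>/status values: Docker's default CapEff, and a
# --privileged container on a kernel that knows 38 capabilities.
CAPEFF_UNPRIV = "00000000a80425fb"
CAPEFF_PRIV = "0000003fffffffff"

_CLAUSE = re.compile(r"([a-z_,]*)([=+\-])([eip]*)")

def parse_current(line):
    """Return the *effective* caps named by a capsh 'Current:' line.
    cap_from_text(3) grammar: space-separated clauses '<names><op><flags>',
    op in '=+-', flags drawn from 'eip'. An empty <names> list means every
    capability, so 'Current: =eip' is all of them, not none."""
    spec = line.split(":", 1)[1].strip()
    effective = set()
    for clause in spec.split():
        m = _CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError("unrecognised capsh clause: %r" % clause)
        names, op, flags = m.groups()
        caps = ALL_CAPS if names == "" else {n for n in names.split(",") if n}
        if op == "=":                # '=' resets the named caps, then raises
            effective -= caps        # them in exactly the listed sets
            if "e" in flags:
                effective |= caps
        elif op == "+" and "e" in flags:
            effective |= caps
        elif op == "-" and "e" in flags:
            effective -= caps
    return effective

def parse_bounding(line):
    """capsh prints the bounding set as an explicit comma list after '=',
    so there is no '=eip' shorthand to trip over."""
    return {n for n in line.split("=", 1)[1].strip().split(",") if n}

def decode_capmask(hex_mask):
    """Decode CapEff/CapPrm/CapBnd from /proc/<pid>/status (hex bitmask).
    Needs no tool in the container: 'cat /proc/1/status' is enough."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def missing_caps(have, required):
    """Caps from `required` that are absent from the set `have`."""
    return set(required) - set(have)

def naive_check(line, cap):
    """The substring test that misfires on a privileged container."""
    return cap in line

if __name__ == "__main__":
    want = {"cap_net_admin"}   # illustrative requirement, not pihole's list
    for label, line in (("unprivileged", CURRENT_UNPRIV), ("privileged", CURRENT_PRIV)):
        print(label, "naive:", naive_check(line, "cap_net_admin"),
              "missing:", missing_caps(parse_current(line), want))
    print("privileged CapEff decodes to", len(decode_capmask(CAPEFF_PRIV)), "caps")
```

To run it against a live container, feed it `docker exec <name> cat /proc/1/status` instead of the embedded constants; nothing extra has to be installed in the image. A container started without high privilege and with only NET_ADMIN added shows up as exactly one extra bit in CapEff compared with Docker's default mask, which is the least-privilege shape the Pi-hole quote above is steering people towards.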