yubiuser
Member

Improves the capability check. Inspired by #1085 (comment)

It does three things

  1. Warn about missing NET_ADMIN even when this would be the only cap that would be checked and could not be granted.
  2. Allow to start even if CAP_STR is empty. See the linked comment above. The error was wrong in the first place, as it did not check if we failed to grant the caps but if CAP_STR is empty. And it is empty if the caps are not available to the container.
  3. Split the check for the return code of setting the caps of pihole-FTL from checking the user. This should be a two-step process.

@yubiuser yubiuser requested a review from PromoFaux April 21, 2025 14:38
@PromoFaux
Member

@ngrigoriev - could you give this branch a go and see if it solves the issues you mentioned in #1085?

To test, please clone the repository locally, and run the following from within the directory

git checkout caps
./build.sh

https://docs.pi-hole.net/docker/build-image/#using-the-built-image

@dschaper dschaper self-assigned this Jun 6, 2025
@yubiuser
Member Author

yubiuser commented Jul 1, 2025

@dschaper any review news?

yubiuser and others added 4 commits July 2, 2025 22:42
…ested capability

Signed-off-by: yubiuser <github@yubiuser.dev>
Signed-off-by: yubiuser <github@yubiuser.dev>
Signed-off-by: yubiuser <github@yubiuser.dev>
Co-authored-by: Adam Warner <me@adamwarner.co.uk>
Signed-off-by: yubiuser <github@yubiuser.dev>
@yubiuser yubiuser requested a review from a team as a code owner July 2, 2025 20:42
@PromoFaux
Member

The only way to trigger this is to set the user: element in the compose file (i.e. user: pihole)

However, that causes a lot more problems than just being unable to set the caps...

pihole  |   [i] Setting up user & group for the pihole user
pihole  |   [i] PIHOLE_UID not set in environment, using default (1000)
pihole  |   [i] PIHOLE_GID not set in environment, using default (1000)
pihole  | 
pihole  |   [i] Starting FTL configuration
pihole  | chown: changing ownership of '/macvendor.db': Operation not permitted
pihole  |   [i] Assigning password defined by Environment Variable
pihole  |   [i] Starting crond for scheduled scripts. Randomizing times for gravity and update checker
pihole  | sed: can't create temp file '/crontab.txtXXXXXX': Permission denied
pihole  | sed: can't create temp file '/crontab.txtXXXXXX': Permission denied
pihole  | crontab: must be suid to work properly
pihole  | 
pihole  |   [i] Ensuring logrotate script exists in /etc/pihole
pihole  | 
pihole  |   [i] Gravity migration checks
pihole  |   [i] Existing gravity database found - schema will be upgraded if necessary
pihole  |      
pihole  | 
pihole  |   [i] pihole-FTL pre-start checks
pihole  |   [i] Setting capabilities on pihole-FTL where possible
pihole  |   [!] WARNING: No capabilities for pihole-FTL available.
pihole  |            Pi-hole functions may not work as expected.
pihole  |             Please ensure that the container has the required capabilities.
pihole  | 
pihole  | chown: changing ownership of '/var/log/pihole/FTL.log': Operation not permitted
pihole  | chown: changing ownership of '/var/log/pihole/': Operation not permitted
pihole  | chmod: changing permissions of '/var/log/pihole/': Operation not permitted
pihole  | chmod: changing permissions of '/var/log/pihole/FTL.log': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/logrotate': Operation not permitted
pihole  | install: cannot create regular file '/run/pihole-FTL.pid': Permission denied
pihole  | install: cannot create regular file '/var/log/pihole/pihole.log': Permission denied
pihole  | install: cannot create regular file '/var/log/pihole/webserver.log': Permission denied
pihole  |   [i] Starting pihole-FTL (no-daemon) as pihole
pihole  | 
pihole  | Unable to set group list for user: Operation not permitted

@yubiuser
Member Author

yubiuser commented Sep 2, 2025

> The only way to trigger this is to set the user: element in the compose file (i.e. user: pihole)

You can simulate it by setting

    cap_drop:
      - CAP_CHOWN
      - NET_BIND_SERVICE
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
      - SYS_TIME

in your compose file. It will give some errors, but FTL will start.

pihole  |   [i] Setting up user & group for the pihole user
pihole  |   [i] PIHOLE_UID not set in environment, using default (1000)
pihole  |   [i] PIHOLE_GID not set in environment, using default (1000)
pihole  | 
pihole  |   [i] Starting FTL configuration
pihole  | chown: changing ownership of '/macvendor.db': Operation not permitted
pihole  |   [i] Setting FTLCONF_webserver_api_password from file
pihole  |   [i] Assigning password defined by Environment Variable
pihole  |   [i] Starting crond for scheduled scripts. Randomizing times for gravity and update checker
pihole  | 
pihole  |   [i] Ensuring logrotate script exists in /etc/pihole
pihole  | 
pihole  |   [i] Gravity migration checks
pihole  |   [i] Existing gravity database found - schema will be upgraded if necessary
pihole  |      
pihole  | 
pihole  |   [i] pihole-FTL pre-start checks
pihole  |   [i] Setting capabilities on pihole-FTL where possible
pihole  |   [!] WARNING: No capabilities for pihole-FTL available.
pihole  |            Pi-hole functions may not work as expected.
pihole  |             Please ensure that the container has the required capabilities.
pihole  | 
pihole  | chown: changing ownership of '/etc/pihole/tls_ca.crt': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/tls.pem': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache/list.1.raw.githubusercontent.com.domains.sha1': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache/list.1.raw.githubusercontent.com.domains': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache/list.1.raw.githubusercontent.com.domains.etag': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/versions': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/migration_backup/adlists.list': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/migration_backup': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/pihole.toml': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.4': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.7': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.6': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.10': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.5': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.9': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.8': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.2': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/logrotate': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/pihole-FTL.db': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity_backups/gravity.db.1': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity_backups': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/adlists.list': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity_old.db': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/dnsmasq.conf': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/hosts/custom.list': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/hosts': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity.db': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/tls.crt': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/dhcp.leases': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/': Operation not permitted
pihole  | chown: changing ownership of '/var/log/pihole/FTL.log': Operation not permitted
pihole  | chown: changing ownership of '/var/log/pihole/': Operation not permitted
pihole  | install: cannot change ownership of '/run/pihole-FTL.pid': Operation not permitted
pihole  | install: cannot change ownership of '/var/log/pihole/pihole.log': Operation not permitted
pihole  | install: cannot change ownership of '/var/log/pihole/webserver.log': Operation not permitted
pihole  |   [i] Starting pihole-FTL (no-daemon) as pihole
pihole  | 
pihole  | 
pihole  | dnsmasq: cannot open log /var/log/pihole/pihole.log: Permission denied

Using the current :latest image, it will refuse to start. (Also, the error message is wrong: no caps were allowed to the container - it did not even try to set them.)

pihole  |   [i] Setting capabilities on pihole-FTL where possible
pihole  |   [!] ERROR: Unable to set capabilities for pihole-FTL.
pihole  |             Please ensure that the container has the required capabilities.

I'm not saying it is a good idea to start FTL without the caps, but some users might have reasons to do so (see here)
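The distinction discussed in this thread (capabilities missing from the container versus a failure to set them) can be checked from the container's bounding set. The following is an added example, not Pi-hole's start script and not code from this pull request: the function names are hypothetical, the six capabilities are taken from the cap_drop list quoted above, the bit numbers come from linux/capability.h, and the masks in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the project's code). name:bit pairs per linux/capability.h;
# the six capabilities are the ones in the cap_drop list quoted in this thread.
WANTED="CHOWN:0 NET_BIND_SERVICE:10 NET_ADMIN:12 NET_RAW:13 SYS_NICE:23 SYS_TIME:25"

# bounding_set: print the hex CapBnd mask of the current process.
bounding_set() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# build_cap_str MASK: print the comma-separated subset of WANTED that is
# present in the hex bounding-set MASK (empty output if none are available).
build_cap_str() {
    mask=$(( 0x$1 ))
    cap_str=""
    for entry in $WANTED; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            cap_str="${cap_str:+$cap_str,}CAP_$name"
        fi
    done
    printf '%s' "$cap_str"
}

# cap_status MASK: classify the container instead of aborting.
#   none          nothing grantable: warn and start anyway (an empty list is
#                 not the same as a failed attempt to set capabilities)
#   no-net-admin  some capabilities grantable, NET_ADMIN missing: warn
#   ok            NET_ADMIN and at least the listed subset are grantable
cap_status() {
    cap_str=$(build_cap_str "$1")
    if [ -z "$cap_str" ]; then
        echo "none"
        return 0
    fi
    case ",$cap_str," in
        *,CAP_NET_ADMIN,*) echo "ok" ;;
        *) echo "no-net-admin" ;;
    esac
}

# Constructed sample masks:
#   00000000a80425fb  Docker's default capability set
#   00000000a80401fa  the same set with the six capabilities above dropped
# Inside a container: cap_status "$(bounding_set)"
```
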
