Running using Docker or Docker Compose requires privileged flag set to true #968

Closed
5 of 6 tasks
jjs105 opened this issue Jan 5, 2022 · 2 comments

jjs105 commented Jan 5, 2022

This is a: Run Issue

Details

After trying, and apparently succeeding, to install Pi-hole as a Docker container (using both run and compose examples in the official documentation), I noticed that although everything seemed to be working, the indicator in the top-left of the admin site was showing that the DNS service wasn't running.

This led me down a rabbit hole which finally led me to the conclusion that the container user didn't have high enough required permissions to run the main pihole script (which utilises sudo). This is based on the fact that the command lsof -Pi:53, when run on the container, was returning no content.

At this point it is worth noting that the NET_ADMIN capacity was specified but the privileged flag was not. Setting --privileged=true solved the issue affecting the status indicator, and presumably any other possible issues that I had not noticed.

So my issue/question is

  1. should the NET_ADMIN capability be enough and something else is going on?
  2. is the privileged flag actually required when using docker/docker compose, and therefore should be added to the official documentation and docker examples?
  3. am I missing something obvious? (perfectly possible)

Related Issues

  • I have searched this repository/Pi-hole forums for existing issues and pull requests that look similar

#639 (comment) #639 (comment) indicate the privileged should not be needed unless debugging.

#397 #355 are similar issues, but in my case Pi-hole is running (although as indicated it may not be running fully correctly).

#278 #491 (comment) #684 use the privileged flag in their run commands/compose files but are not specifically about their use.

#814 mentions adding the privileged flag to fix the error, followed by another comment indicating that --cap-add=NET_ADMIN should do the same (which for some reason it doesn't)

#593 similar issue related to lighttpd.

How to reproduce the issue

  1. Environment data
  • Operating System: Ubuntu
  • Hardware: Intel NUC
  • Kernel Architecture: x86
  • Docker Install Info and version:
    • Software source: official docker-ce (20.10.12) and docker-compose (1.25.0)
    • Supplementary Software: portainer (2.11.0)
  • Hardware architecture: x86
  2. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here

Please note, the file below is my latest iteration, the same results were found with the docker run and compose examples in the official documentation.

# Version 3.5+ to allow use of secrets.
version: "3.5"

# Persist the Pi-hole/DNS configuration data in named volumes.
volumes:
  pihole-config:
  dnsmasq-config:

services:

  # The Pi-hole DNS/DHCP service.
  pi-hole:

    # Image and container setup.
    image: pihole/pihole:latest
    container_name: pihole
    hostname: pihole
    restart: unless-stopped

    # The main Pi-hole script requires root privileges.
    ####### Uncomment to 'fix' the issue.
    #privileged: true

    # Pi-hole requires network admin privileges for DHCP.
    cap_add:
      - NET_ADMIN

    # DNS settings - prioritise Pi-hole then Google.
    dns:
      - 127.0.0.1
      - 8.8.8.8

    # File system setup.
    volumes:
      - pihole-config:/etc/pihole
      - dnsmasq-config:/etc/dnsmasq.d

    # Ports setup.
    ports:
      - "67:67/udp"
      - "53:53/tcp"
      - "53:53/udp"
      - "8080:80/tcp"

    # Common and service environment files and values.
    environment:
      VIRTUAL_HOST: pihole
      PIHOLE_DNS_: 8.8.8.8;8.8.4.4
  3. any additional info to help reproduce

These common fixes didn't work for my issue

  • I have tried removing/destroying my container, and re-creating a new container
  • I have tried fresh volume data by backing up and moving/removing the old volume data
  • I have tried running the stock docker run example(s) in the readme (removing any customizations I added)
  • I have tried a newer or older version of Docker Pi-hole (depending what version the issue started in for me)
  • I have tried running without my volume data mounts to eliminate volumes as the cause

If the above debugging / fixes revealed any new information note it here.
Add any other debugging steps you've taken or theories on root cause that may help.

@PromoFaux
Member

See #734, privileged flag not necessary. There is a workaround in that thread, however if you hold back for a bit, we're just gearing up to release a fix.

@PromoFaux
Member

But for future ref on caps that may be required:

https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
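
The thread turns on the difference between cap_add: NET_ADMIN and privileged: true. The following added example (not part of the thread or of the Pi-hole project) makes that difference concrete by decoding the CapEff line of /proc/1/status. The two status snippets are constructed samples of typical values, not output from the reporter's host, and the privileged mask assumes a kernel with 41 capabilities.

```python
"""Compare effective capabilities: cap_add NET_ADMIN versus privileged."""

# Linux capability names indexed by bit number (linux/capability.h).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Constructed samples of what `docker exec pihole cat /proc/1/status` returns.
# First: Docker's default capability set plus NET_ADMIN (the compose file above).
STATUS_CAP_ADD = "Name:\tinit\nCapPrm:\t00000000a80435fb\nCapEff:\t00000000a80435fb\n"
# Second: the same container started with privileged: true.
STATUS_PRIVILEGED = "Name:\tinit\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"


def effective_caps(status_text):
    """Return the set of capability names in the CapEff line of a status file."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            break
    else:
        raise ValueError("no CapEff line found")
    unknown = mask >> len(CAP_NAMES)
    if unknown:
        # A newer kernel may define bits this table does not know about.
        raise ValueError(f"unknown capability bits set: {unknown:#x}")
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def excess(status_text, allowed):
    """Capabilities held beyond the allowed set, sorted for stable output."""
    return sorted(effective_caps(status_text) - set(allowed))


if __name__ == "__main__":
    baseline = effective_caps(STATUS_CAP_ADD)
    print("cap_add NET_ADMIN:", sorted(baseline))
    print("added by privileged:", excess(STATUS_PRIVILEGED, baseline))
```

The capability mask understates the gap: a privileged container also loses the default seccomp and AppArmor confinement and gains access to host devices, none of which appears in CapEff.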
