Pi-Hole - "missing required capability NET_ADMIN"

Hi everybody.
I’ve been running Umbrel on a RPi 4 connected to a 1 GB SSD for a while and noticed that Pi-Hole is now available in the store so I gave it a shot.

I installed it, disabled DHCP on my router, enabled it in the Pi-Hole Interface, but it’s telling me that the DNS service is not running.

The diagnosis tab shows the error “FTL failed to start due to process is missing required capability NET_ADMIN” over and over again.

I found this related Issue on Github but it seems like something that Umbrel might need to update for Pi-Hole to work out-of-the-box.

why doing it ??? enable DCHP and put your DNS1 on your LOCAL pi4 IP eg: 192.168.x.x

Because I got a crappy router from my ISP with literally zero DNS/DHCP settings except for disabling it.

Pi-Hole’s DHCP server would give me more options like also using custom upstream DNS servers and so on.

ah delete the app and install again try it

Same issue on my site. Deleting and reinstalling the app over the Umbrel App Store doesn’t help.
For me it seems that Umbrel doesn’t add net_admin capability on starting the Pihole docker container.

I already tried to manual start a Pihole container with parameters, but I messed more up… .

Any ideas how to solve this?

Got this to work a bit ago after getting the same error. Changed ~/umbrel/apps/pi-hole/docker-compose.yml to include:

cap_add:

• NET_ADMIN

Only been running for a bit now, so will need further evaluation to be sure.

Full copy of my docker-compose.yml for reference:

version: “3.7”

services:
server:
image: pihole/pihole:2021.10.1@sha256:51d4686985cab06913588970ec386457c84f3df0a79dd7856c60b263b8cb40cc
# Pi-hole doesn’t currently support running as non-root
# https://github.com/pi-hole/docker-pi-hole/issues/685
# user: “1000:1000”
restart: on-failure
ports:
- 53:53
- 53:53/udp
- ${APP_PI_HOLE_PORT}:80
cap_add:
- NET_ADMIN
volumes:
- ${APP_DATA_DIR}/data/pihole:/etc/pihole/
- ${APP_DATA_DIR}/data/dnsmasq:/etc/dnsmasq.d/
environment:
- VIRTUAL_HOST=${APP_DOMAIN}
- WEBPASSWORD=${APP_PASSWORD}
networks:
default:
ipv4_address: $APP_PI_HOLE_IP

Edit: Excuse the incorrect space formatting, but you get the gist. cap_add is in line with ports and - N is next over.

Just a follow up that DHCP doesn’t appear to work but DNS still works (and it worked before I modified docker-compose.yml ). Will continue to look further into why DHCP doesn’t work (I suspect somethigng BOOTP related.

Also saw that BB Code works here. Going to try to post the file to get right format below.

version: "3.7"

services:
  server:
    image: pihole/pihole:2021.10.1@sha256:51d4686985cab06913588970ec386457c84f3df0a79dd7856c60b263b8cb40cc
    # Pi-hole doesn't currently support running as non-root
    # https://github.com/pi-hole/docker-pi-hole/issues/685
    # user: "1000:1000"
    restart: on-failure
    ports:
      - 53:53
      - 53:53/udp
      - ${APP_PI_HOLE_PORT}:80
    cap_add:
      - NET_ADMIN
    volumes:
      - ${APP_DATA_DIR}/data/pihole:/etc/pihole/
      - ${APP_DATA_DIR}/data/dnsmasq:/etc/dnsmasq.d/
    environment:
      - VIRTUAL_HOST=${APP_DOMAIN}
      - WEBPASSWORD=${APP_PASSWORD}
    networks:
      default:
        ipv4_address: $APP_PI_HOLE_IP

Possibly unrelated but I had to add umbrel ip to my pihole docker compose to resolve an issue.

192.168.x.x:53:53
      - 192.168.x.x:53:53/udp

Also have you played with the “Interface listening behavior” in the dns section?

Thanks for the heads up. I’ll probably end up needing to do that. I figured out that DHCP isn’t working because it’s still in the docker “internal network” container. I believe I’ll need to run network_mode: host and then redirect a bunch of ports since it’ll be use the Umbrel IP. Basically this:

http://community.umbrel.com/t/running-other-docker-apps-in-umbrel/1426

Not familiar with Interface listening behavior, but will look soon. I’m literally just running pi-hole now. Want to do DHCP and install unbound also.

I am facing the same issue, I need to use pi-hole dchp but it is impossible to make it works, any hints?

You have to set it up to run a different docker network and assign it an IP. The reason being that there’s no way to forward broadcasts to the internal docker network.

Here’s my docker-compose.yml .

version: "3.7"

services:
  server:
    image: pihole/pihole
    # Pi-hole doesn't currently support running as non-root
    # https://github.com/pi-hole/docker-pi-hole/issues/685
    # user: "1000:1000"
    restart: on-failure
    cap_add:
      - NET_ADMIN
    volumes:
      - ${APP_DATA_DIR}/data/pihole:/etc/pihole/
      - ${APP_DATA_DIR}/data/dnsmasq:/etc/dnsmasq.d/
    environment:
      - VIRTUAL_HOST=${APP_DOMAIN}
      - WEBPASSWORD=${APP_PASSWORD}
    networks:
      default:
        ipv4_address: 192.168.1.253 #available IP to assign statically to Pi-Hole. Note, this isn't actually assigned to an interface. Just an IP for the docker container really

networks:
  default:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.248/29 #network address of range

Basically the macvlan network will be assigned the .253 IP address and a virtual MAC to receive BOOTP broadcasts. Also note, since it has an ‘external’ IP, no need for port forwarding anymore.

I have the same problem, has anyone resolve this issue?