Caps #1814

Open
yubiuser wants to merge 4 commits into development from caps
@yubiuser
Member

Improves the capability check. Inspired by #1085 (comment)

It does three things:

  1. Warn about missing NET_ADMIN even when this would be the only cap that would be checked and could not be granted.
  2. Allow starting even if CAP_STR is empty. See the linked comment above. The error was wrong in the first place, as it did not check if we failed to grant the caps but if CAP_STR is empty. And it is empty if the caps are not available to the container.
  3. Split the check for the return code of setting the caps of pihole-FTL from checking the user. This should be a two-step process.

Comment thread src/bash_functions.sh Outdated
@yubiuser yubiuser requested a review from PromoFaux April 21, 2025 14:38
@PromoFaux
Member

@ngrigoriev - could you give this branch a go and see if it solves the issues you mentioned in #1085?

To test, please clone the repository locally, and run the following from within the directory

    git checkout caps
    ./build.sh

https://docs.pi-hole.net/docker/build-image/#using-the-built-image

@dschaper dschaper self-assigned this Jun 6, 2025
@yubiuser
Member Author

yubiuser commented Jul 1, 2025

@dschaper any review news?

@yubiuser yubiuser requested a review from a team as a code owner July 2, 2025 20:42
@PromoFaux
Member

The only way to trigger this is to set the user: element in the compose file (i.e. user: pihole)

However, that causes a lot more problems than just being unable to set the caps...

pihole  |   [i] Setting up user & group for the pihole user
pihole  |   [i] PIHOLE_UID not set in environment, using default (1000)
pihole  |   [i] PIHOLE_GID not set in environment, using default (1000)
pihole  | 
pihole  |   [i] Starting FTL configuration
pihole  | chown: changing ownership of '/macvendor.db': Operation not permitted
pihole  |   [i] Assigning password defined by Environment Variable
pihole  |   [i] Starting crond for scheduled scripts. Randomizing times for gravity and update checker
pihole  | sed: can't create temp file '/crontab.txtXXXXXX': Permission denied
pihole  | sed: can't create temp file '/crontab.txtXXXXXX': Permission denied
pihole  | crontab: must be suid to work properly
pihole  | 
pihole  |   [i] Ensuring logrotate script exists in /etc/pihole
pihole  | 
pihole  |   [i] Gravity migration checks
pihole  |   [i] Existing gravity database found - schema will be upgraded if necessary
pihole  |      
pihole  | 
pihole  |   [i] pihole-FTL pre-start checks
pihole  |   [i] Setting capabilities on pihole-FTL where possible
pihole  |   [!] WARNING: No capabilities for pihole-FTL available.
pihole  |            Pi-hole functions may not work as expected.
pihole  |             Please ensure that the container has the required capabilities.
pihole  | 
pihole  | chown: changing ownership of '/var/log/pihole/FTL.log': Operation not permitted
pihole  | chown: changing ownership of '/var/log/pihole/': Operation not permitted
pihole  | chmod: changing permissions of '/var/log/pihole/': Operation not permitted
pihole  | chmod: changing permissions of '/var/log/pihole/FTL.log': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/logrotate': Operation not permitted
pihole  | install: cannot create regular file '/run/pihole-FTL.pid': Permission denied
pihole  | install: cannot create regular file '/var/log/pihole/pihole.log': Permission denied
pihole  | install: cannot create regular file '/var/log/pihole/webserver.log': Permission denied
pihole  |   [i] Starting pihole-FTL (no-daemon) as pihole
pihole  | 
pihole  | Unable to set group list for user: Operation not permitted

@yubiuser
Member Author

yubiuser commented Sep 2, 2025

> The only way to trigger this is to set the user: element in the compose file (i.e. user: pihole)

You can simulate it by setting

    cap_drop:
      - CAP_CHOWN
      - NET_BIND_SERVICE
      - NET_ADMIN
      - NET_RAW
      - SYS_NICE
      - SYS_TIME

in your compose file. It will give some errors, but FTL will start.

pihole  |   [i] Setting up user & group for the pihole user
pihole  |   [i] PIHOLE_UID not set in environment, using default (1000)
pihole  |   [i] PIHOLE_GID not set in environment, using default (1000)
pihole  | 
pihole  |   [i] Starting FTL configuration
pihole  | chown: changing ownership of '/macvendor.db': Operation not permitted
pihole  |   [i] Setting FTLCONF_webserver_api_password from file
pihole  |   [i] Assigning password defined by Environment Variable
pihole  |   [i] Starting crond for scheduled scripts. Randomizing times for gravity and update checker
pihole  | 
pihole  |   [i] Ensuring logrotate script exists in /etc/pihole
pihole  | 
pihole  |   [i] Gravity migration checks
pihole  |   [i] Existing gravity database found - schema will be upgraded if necessary
pihole  |      
pihole  | 
pihole  |   [i] pihole-FTL pre-start checks
pihole  |   [i] Setting capabilities on pihole-FTL where possible
pihole  |   [!] WARNING: No capabilities for pihole-FTL available.
pihole  |            Pi-hole functions may not work as expected.
pihole  |             Please ensure that the container has the required capabilities.
pihole  | 
pihole  | chown: changing ownership of '/etc/pihole/tls_ca.crt': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/tls.pem': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache/list.1.raw.githubusercontent.com.domains.sha1': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache/list.1.raw.githubusercontent.com.domains': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache/list.1.raw.githubusercontent.com.domains.etag': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/listsCache': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/versions': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/migration_backup/adlists.list': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/migration_backup': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/pihole.toml': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.4': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.7': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.6': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.10': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.5': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.9': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.8': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups/pihole.toml.2': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/config_backups': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/logrotate': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/pihole-FTL.db': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity_backups/gravity.db.1': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity_backups': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/adlists.list': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity_old.db': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/dnsmasq.conf': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/hosts/custom.list': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/hosts': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/gravity.db': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/tls.crt': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/dhcp.leases': Operation not permitted
pihole  | chown: changing ownership of '/etc/pihole/': Operation not permitted
pihole  | chown: changing ownership of '/var/log/pihole/FTL.log': Operation not permitted
pihole  | chown: changing ownership of '/var/log/pihole/': Operation not permitted
pihole  | install: cannot change ownership of '/run/pihole-FTL.pid': Operation not permitted
pihole  | install: cannot change ownership of '/var/log/pihole/pihole.log': Operation not permitted
pihole  | install: cannot change ownership of '/var/log/pihole/webserver.log': Operation not permitted
pihole  |   [i] Starting pihole-FTL (no-daemon) as pihole
pihole  | 
pihole  | 
pihole  | dnsmasq: cannot open log /var/log/pihole/pihole.log: Permission denied

Using the current :latest image, it will refuse to start. (Also the error message is wrong: no caps were allowed to the container - it did not even try to set them.)

pihole  |   [i] Setting capabilities on pihole-FTL where possible
pihole  |   [!] ERROR: Unable to set capabilities for pihole-FTL.
pihole  |             Please ensure that the container has the required capabilities.

I'm not saying it is a good idea to start FTL without the caps, but some users might have reasons to do so (see here)
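The distinction drawn in this thread (an empty capability string means nothing was available to the container, which is different from failing to grant what was available) can be reproduced from a bounding-set mask. This is an added example, not code from the PR or from Pi-hole: the function names are hypothetical, the checked list is assumed from the cap_drop snippet above, and reading `CapBnd` from `/proc` is one way to probe, not necessarily the way the script does it.

```sh
#!/bin/sh
# Added example (not Pi-hole's code). Bit numbers come from linux/capability.h.
# WANTED is an assumption: the capabilities named in the cap_drop list above.
WANTED="CAP_CHOWN:0 CAP_NET_BIND_SERVICE:10 CAP_NET_ADMIN:12 CAP_NET_RAW:13 CAP_SYS_NICE:23 CAP_SYS_TIME:25"

# build_cap_str HEXMASK -> comma-separated WANTED caps present in the mask.
# An empty result means nothing is available, not that granting failed.
build_cap_str() {
    _mask=$((0x$1)); _out=""
    for _pair in $WANTED; do
        _name=${_pair%%:*}; _bit=${_pair##*:}
        if [ $(( (_mask >> _bit) & 1 )) -eq 1 ]; then
            _out="${_out:+$_out,}$_name"
        fi
    done
    printf '%s' "$_out"
}

# classify_caps HEXMASK -> none | no-net-admin | ok
classify_caps() {
    _caps=$(build_cap_str "$1")
    case ",$_caps," in
        ",,")                 echo "none" ;;          # warn, start anyway
        *",CAP_NET_ADMIN,"*)  echo "ok" ;;
        *)                    echo "no-net-admin" ;;  # warn about NET_ADMIN
    esac
}

# Constructed sample masks (CapBnd values as shown in /proc/<pid>/status)
DOCKER_DEFAULT=00000000a80425fb   # Docker's default bounding set
ALL_DROPPED=00000000a80401fa      # default minus CHOWN, NET_BIND_SERVICE, NET_RAW

for m in "$DOCKER_DEFAULT" "$ALL_DROPPED"; do
    echo "$m -> $(classify_caps "$m") [$(build_cap_str "$m")]"
done

# On a live Linux system, classify the current process' bounding set.
cur=$(awk '/^CapBnd:/ {print $2}' /proc/self/status 2>/dev/null) || cur=""
if [ -n "$cur" ]; then
    echo "this process: $(classify_caps "$cur")"
fi
```

Only when the string is non-empty is there anything to pass to `setcap`, and only then does its return code say whether granting failed.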

@PromoFaux
Member

PromoFaux commented Apr 1, 2026

I'm still not really sure how to test this. Rebasing on latest development changes and following the cap_drop suggestion we get the following:

pihole  | install: cannot change ownership of '/var/log/pihole/webserver.log': Operation not permitted
pihole  |   [i] Starting pihole-FTL (no-daemon) as pihole
pihole  |
pihole  |
pihole  | dnsmasq: cannot open log /var/log/pihole/pihole.log: Permission denied
pihole  |   [!] ERROR: Did not find 'FTL started' message in /var/log/pihole/FTL.log in 30 seconds, stopping container
pihole exited with code 1

@PromoFaux PromoFaux force-pushed the caps branch 2 times, most recently from 42f9faf to 78ffcbe Compare April 1, 2026 22:14
yubiuser and others added 4 commits April 1, 2026 23:14
…ested capability

Signed-off-by: yubiuser <github@yubiuser.dev>
Signed-off-by: yubiuser <github@yubiuser.dev>
Signed-off-by: yubiuser <github@yubiuser.dev>
Co-authored-by: Adam Warner <me@adamwarner.co.uk>
Signed-off-by: yubiuser <github@yubiuser.dev>
Comment thread src/bash_functions.sh
Comment on lines +257 to +258
echo " Cannot run as non-root."
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
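Review bot: the remediation text on +258 offers only one fix, setting DNSMASQ_USER to root, which is the broadest privilege grant available. Suggest the message first tell the operator to give the container the missing capabilities (the wording the warning at +263 to +265 already uses) and present running as root as the fallback.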
Member

Do we need so many spaces here?

I suggest using 8 spaces for indentation:

Suggested change
echo " Cannot run as non-root."
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"
echo " Cannot run as non-root."
echo " If you are seeing this error, please set the environment variable 'DNSMASQ_USER' to the value 'root'"

Comment thread src/bash_functions.sh
Comment on lines +263 to 265
echo " [!] WARNING: No capabilities for pihole-FTL available."
echo " Pi-hole functions may not work as expected."
echo " Please ensure that the container has the required capabilities."
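Review bot: the warning at +263 does not say which capabilities were looked for, so "the required capabilities" on +265 gives the operator nothing to act on. Suggest printing the list of capabilities that were checked, or pointing to where that list is documented, in the same message.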
Member

Same here.
Use 8 spaces for indentation:

Suggested change
echo " [!] WARNING: No capabilities for pihole-FTL available."
echo " Pi-hole functions may not work as expected."
echo " Please ensure that the container has the required capabilities."
echo " [!] WARNING: No capabilities for pihole-FTL available."
echo " Pi-hole functions may not work as expected."
echo " Please ensure that the container has the required capabilities."

4 participants