Problems running Adguard container as non-root

Hi,

I'm trying to run the AdGuard Home container as a non-root user, but somehow I cannot get DHCP to work this way. The log always shows
starting dhcp server err="dhcpv4: creating raw udp connection: listen packet 50:eb:f6:24:bc:6f: socket: operation not permitted"

This is my compose:

services:
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome:latest
    restart: unless-stopped
    volumes:
      - xx:/opt/adguardhome/work
      - xx:/opt/adguardhome/conf
    network_mode: host
    #user: "108:115" # somehow leads to DHCP failure
    cap_add:
      - NET_RAW
      - NET_BIND_SERVICE
      - NET_ADMIN

Has anyone got a working similar setup?

Not sure, but ports below 1024 are usually considered privileged. Despite the capabilities set, the user might still need the corresponding permissions on the host.

2 Likes

Hmm, is there a way I can set the permissions for a port on the host to try this?

Can you try if this works?

services:
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome:latest
    restart: unless-stopped
    volumes:
      - xx:/opt/adguardhome/work
      - xx:/opt/adguardhome/conf
    network_mode: host
    user: "108:115" # somehow leads to DHCP failure
    cap_add:
      - NET_RAW
      - NET_BIND_SERVICE
      - NET_ADMIN
    sysctls:
      net.ipv4.ip_unprivileged_port_start: 1

It might be necessary to modify the image to make it work:

Once you know it could work like this, you could raise an issue in the adguardhome GitHub repo and ask them to implement it:

Update: the image already does what the first link showed:
https://github.com/AdguardTeam/AdGuardHome/blob/master/docker/build.Dockerfile#L39

1 Like

That user line looks like trouble:

user: "108:115" # somehow leads to DHCP failure

That's user 108 and group 115, which may be your dhcp user and group on some system, but I guarantee not on all.

The user was created by me; it's a special user I created for AdGuard. Should I try with the dhcp user?
I tried setting the unprivileged port start to 1 on the host; when using the sysctl line, it complained that's not possible for network mode host. It did not work this way.

Could it be that something goes wrong when setting the capabilities?

Hmm, good point. The (non-isolated) network namespace is owned by the host itself, so it makes sense that a container which does not use network namespace isolation is not allowed to change the kernel parameters.

Unfortunately, I have no container runtime in a network without an active DHCP server, so it would take effort to test your compose file. In theory the sysctl line shouldn't be necessary due to the NET_BIND_SERVICE capability. Are you running your Docker host in an LXC container?

No, the host runs on bare metal.
If you wanted, you could try this by just using the same compose, enabling DHCP and killing the server as soon as it started; the error line gets printed right on startup and I don't think it will mess up your LAN too much. You could set the lease to 1 second to be sure.

I get the same error message.

AdGuard always complained that it wants static IP addresses. While the host's IPv4 address is static, its IPv6 addresses are dynamic. I have dynamic prefixes, so I am not going to add static IPv6 addresses. I had to start the container as admin first and create a base config using the web UI. Good that I used a different lab subnet to test it, otherwise my laptop would have had a hard time picking which DHCP server to follow.

I can only suggest raising an issue in the AdGuardHome GitHub repository. Judging by the capabilities and the use of setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome in the image, it looks like things should be working.

1 Like
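The thread asks whether the capabilities actually reach the non-root process, and the last post points at the setcap line in the image. A quick way to check that, instead of guessing, is to read the CapEff mask of the running AdGuardHome process from /proc and decode the network bits. This is an added example, not code from the thread or from the AdGuard project; it assumes a Linux /proc filesystem and the capability numbers from linux/capability.h (NET_BIND_SERVICE=10, NET_ADMIN=12, NET_RAW=13).

```shell
#!/bin/sh
# Added example: decode the CapEff bitmask of a process to see which of the
# network capabilities are really *effective* for it. A capability that is
# only in the bounding set (cap_add) but not effective cannot open a raw
# socket, which is what the "operation not permitted" log line reports.

# cap_name BITNUM -> human-readable name for the bits this example cares about
cap_name() {
  case "$1" in
    10) echo CAP_NET_BIND_SERVICE ;;
    12) echo CAP_NET_ADMIN ;;
    13) echo CAP_NET_RAW ;;
    *)  echo "cap_$1" ;;
  esac
}

# has_cap HEXMASK BITNUM -> exit 0 when the bit is set in the mask
# (masks look like the CapEff value in /proc/<pid>/status, e.g. 0000000000003400)
has_cap() {
  [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# decode_caps HEXMASK -> prints one line per effective network capability
decode_caps() {
  for bit in 10 12 13; do
    if has_cap "$1" "$bit"; then cap_name "$bit"; fi
  done
}

# cap_eff_of [PID] -> CapEff mask of PID (default: the calling shell)
cap_eff_of() {
  awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# dhcp_ready HEXMASK -> exit 0 only when both NET_RAW (raw DHCP socket) and
# NET_BIND_SERVICE (port 67) are effective; otherwise the DHCP server cannot start
dhcp_ready() {
  has_cap "$1" 13 && has_cap "$1" 10
}

# Usage inside the container, e.g. `docker exec <name> sh -c '...'`:
#   pid=$(pidof AdGuardHome); decode_caps "$(cap_eff_of "$pid")"
#   dhcp_ready "$(cap_eff_of "$pid")" && echo "raw socket + port 67 allowed"
```

A binary carrying only cap_net_bind_service=+eip will show CAP_NET_BIND_SERVICE but not CAP_NET_RAW here, which matches the raw-socket error in the first post.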