Nextcloud AIO pihole missing capabilities NET_ADMIN and CAP_SYS_TIME

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian trixie
  • Web server and version (e.g., Apache 2.4.25):
    • bundled with aio
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • Caddy from community container
  • PHP version (e.g., 8.3):
    • bundled with aio
  • Is this the first time you’ve seen this error? (Yes / No):
    • yes
  • When did this problem seem to first start?
    • after enabling dhcp
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • aio
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • no

Summary of the issue you are facing:

After I configured DHCP in the pihole community container, pihole-FTL does not start anymore.

Steps to replicate it (hint: details matter!):

  1. Enable DHCP in pihole config from AIO-Community container

Log entries

from tail -F /var/log/pihole/FTL.log



2025-10-13 09:57:44.474 INFO PID of FTL process: 53
2025-10-13 09:57:44.478 INFO listening on 0.0.0.0 port 53
2025-10-13 09:57:44.478 INFO listening on :: port 53
2025-10-13 09:57:44.480 CRIT Error in dnsmasq configuration: process is missing required capability NET_ADMIN
2025-10-13 09:57:44.496 INFO PID of FTL process: 53
2025-10-13 09:57:44.499 INFO Database version is 21
2025-10-13 09:57:44.501 INFO Database successfully initialized
2025-10-13 09:57:46.118 INFO Imported 35710 queries from the on-disk database (it has 104987 rows)
2025-10-13 09:57:46.119 INFO Parsing queries in database
2025-10-13 09:57:46.166 INFO   10000 queries parsed...
2025-10-13 09:57:46.212 INFO   20000 queries parsed...
2025-10-13 09:57:46.265 INFO   30000 queries parsed...
2025-10-13 09:57:46.300 INFO Imported 35708 queries from the long-term database
2025-10-13 09:57:46.300 INFO  -> Total DNS queries: 35708
2025-10-13 09:57:46.300 INFO  -> Cached DNS queries: 35571
2025-10-13 09:57:46.300 INFO  -> Forwarded DNS queries: 136
2025-10-13 09:57:46.300 INFO  -> Blocked DNS queries: 0
2025-10-13 09:57:46.300 INFO  -> Unknown DNS queries: 0
2025-10-13 09:57:46.300 INFO  -> Unique domains: 78
2025-10-13 09:57:46.300 INFO  -> Unique clients: 3
2025-10-13 09:57:46.301 INFO  -> DNS cache records: 0
2025-10-13 09:57:46.301 INFO  -> Known forward destinations: 2
2025-10-13 09:57:46.402 WARNING Insufficient permissions to set system time (CAP_SYS_TIME required), NTP client not available
2025-10-13 09:57:46.403 INFO NTP server listening on :::123 (IPv6)
2025-10-13 09:57:46.404 INFO NTP server listening on 0.0.0.0:123 (IPv4)
2025-10-13 09:57:46.404 INFO FTL is running as user pihole (UID 1000)
2025-10-13 09:57:46.406 INFO Web server ports:
2025-10-13 09:57:46.406 INFO   - 0.0.0.0:8573 (HTTP, IPv4, OK)
2025-10-13 09:57:46.413 INFO Restored 0 API sessions from the database


from tail -F /var/log/pihole/pihole.log

2025-10-13 09:57:44.480 process is missing required capability NET_ADMIN
2025-10-13 09:57:44.480 FAILED to start up  

Doesn’t seem to be supported: all-in-one/community-containers/pi-hole at main · nextcloud/all-in-one · GitHub

  • The DHCP functionality of Pi-hole has been disabled!

Oh… did not see this.
Maybe it’s disabled because these capabilities are missing?

Perhaps these capabilities aren’t granted for a reason, most likely security-related. Granting the NET_ADMIN capability to a container would allow it to control the host’s network stack. While I’m no expert, my instinct tells me that this probably isn’t ideal from a security standpoint, particularly if Nextcloud can be accessed from the internet.

In any case, I don’t think running a DHCP service on the same server as Nextcloud is a good idea. In my view, services like DHCP shouldn’t be running on an application server at all. I’m running DHCP on my router/firewall.

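Added example, not part of the thread and not code from Pi-hole or Nextcloud AIO: a shell check that decodes a capability mask from `/proc/<pid>/status` and lists which capabilities are absent, which confirms the NET_ADMIN and CAP_SYS_TIME messages in FTL.log without granting anything. The function names are hypothetical, and the status text is a constructed sample that assumes Docker's default capability set.

```shell
#!/bin/sh
# Added example: report which capabilities are absent from a capability mask
# taken from /proc/<pid>/status. Function names are hypothetical.

# Bit numbers as defined in linux/capability.h.
cap_bit() {
    case "$1" in
        NET_BIND_SERVICE) echo 10 ;;
        NET_ADMIN)        echo 12 ;;
        NET_RAW)          echo 13 ;;
        SYS_NICE)         echo 23 ;;
        SYS_TIME)         echo 25 ;;
        *) return 1 ;;
    esac
}

# mask_field STATUS_TEXT FIELD -> hex mask of that field (e.g. CapBnd)
mask_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# missing_caps STATUS_TEXT FIELD CAP... -> space-separated list of absent caps
missing_caps() {
    status=$1 field=$2; shift 2
    hex=$(mask_field "$status" "$field")
    [ -n "$hex" ] || { echo "no $field line in status text" >&2; return 2; }
    missing=""
    for cap in "$@"; do
        bit=$(cap_bit "$cap") || { echo "unknown capability: $cap" >&2; return 2; }
        # A cleared bit means the process cannot hold this capability.
        if [ $(( (0x$hex >> $bit) & 1 )) -eq 0 ]; then
            missing="$missing${missing:+ }$cap"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample: capability lines of a process in a container that was
# started with Docker's default capability set (mask 00000000a80425fb).
SAMPLE_STATUS='Name:   pihole-FTL
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# CapBnd is the bounding set, the ceiling the container runtime imposes.
missing_caps "$SAMPLE_STATUS" CapBnd NET_ADMIN SYS_TIME NET_BIND_SERVICE
```

On a live system, pass in the contents of `/proc/<pid>/status` read inside the container, where `<pid>` is the FTL PID reported in FTL.log.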