AdGuard Home #6077

Open
wants to merge 9 commits into
base: master

@publicarray publicarray commented Apr 20, 2024

Description

Adding AdGuard Home. It requires SSH access to give capabilities to the binary to bind to the privileged port (53) for DNS.

Fixes #6069

I don't expect this package to be published in the current state with the current port 53 issue.

  • Option 1 - use a different port, but this makes the package almost useless since most client operating systems don't allow you to choose the DNS port to query
  • Option 2 - somehow make it easier to add the capabilities for package updates.
  • Option 3 - I don't know, maybe Synology can be so kind to fix the Privilege Config: https://help.synology.com/developer-guide/privilege/privilege_config.html

Checklist

  • Build rule all-supported completed successfully
  • New installation of package completed successfully
  • Package upgrade completed successfully (Manually install the package again)
  • Package functionality was tested
  • Any needed documentation is updated/created

Type of change

  • Bug fix
  • New Package
  • Package update
  • Includes small framework changes
  • This change requires a documentation update (e.g. Wiki)

@publicarray publicarray added the new-package PR/WIP for a new package label Apr 20, 2024
@publicarray
Member Author

@c0154936 since you opened the ticket can you try out this package? Download the test package from the actions tab at the top: https://github.com/SynoCommunity/spksrc/actions/runs/8763602582

@c0154936

c0154936 commented Apr 21, 2024

> @c0154936 since you opened the ticket can you try out this package? Download the test package from the actions tab at the top: https://github.com/SynoCommunity/spksrc/actions/runs/8763602582

I have manually installed the x64 package onto my Synology DS415+

I then ran the SSH command (but had to do it as ROOT):

setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' /var/packages/adguardhome/target/bin/adguardhome

and then started the ADGUARDHOME software in the synology package center.

I can access the software now using the web interface (http://192.168.0.2:6053) and it presented me with the ADGUARDHOME welcome screen wizard. HOORAY!

I have set my windows laptop device to use ADGUARDHOME (192.168.0.2) as my DNS Server and my laptop device has appeared within the ADGuardHOME web interface as a client and it is also showing me all the DNS requests my laptop is making.

Looking good!

@c0154936

c0154936 commented Apr 22, 2024

Just an update, I have set up all my local network clients to use this new ADGuardHOME DNS Server and everything seems to be working fine. Local Clients are appearing in the ADGuardHOME web interface.

@c0154936

I have not had a chance to test this yet but I have created a scheduled task on my synology NAS to run the following command when needed in future:

setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' /var/packages/adguardhome/target/bin/adguardhome

image

image

@publicarray
Member Author

Thanks for your feedback @c0154936. I thought about the scheduled tasks as well. Annoyingly, this only works if you remember to run the task after an update; still better than SSH though.

@c0154936

Hi, just to keep you updated, I have updated ADGuardHOME within the web interface from v0.107.48 which you packaged to v0.107.49.

Pic1

After the update took effect, the software in the package center would not start back up. The status in the package center said "manually stopped". I did try to run it a few times but it kept going back to that status message.

So I ran the schedule task I created as mentioned in one of my above posts and the software is now running normally.

Everything is now working as normal (so far).

@publicarray
Member Author

publicarray commented May 23, 2024

Thanks for the update @c0154936

> So I ran the schedule task I created as mentioned in one of my above posts and the software is now running normally.

This is expected and unfortunate as the permissions necessary to run the app are not officially supported by Synology. This command is a workaround to apply the permissions necessary and needs to run every time the binary is updated.
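
An added example, not part of the thread or the package: file capabilities are stored in the `security.capability` extended attribute of the binary, so a replaced binary comes back without them. The sketch below is one way to make the scheduled task idempotent, parsing `getcap` output (both libcap output formats) and re-running the thread's `setcap` command only when a capability is missing; the function names and the `--apply` flag are assumptions.

```shell
#!/bin/sh
# Added example: re-apply file capabilities only when they are missing.
BIN=/var/packages/adguardhome/target/bin/adguardhome   # path from the thread
REQUIRED="cap_net_bind_service cap_net_raw"

# missing_caps "<one line of getcap output>"  (hypothetical helper)
# Prints the required capabilities that are not both effective and permitted.
missing_caps() {
    line=$1
    missing=""
    # Drop the path. Older libcap prints "path = caps+eip", newer "path caps=eip".
    text=${line#* }
    text=${text#= }
    for want in $REQUIRED; do
        found=no
        for clause in $text; do
            names=${clause%%[=+]*}      # e.g. cap_net_bind_service,cap_net_raw
            flags=${clause#"$names"}    # e.g. +eip
            case ",$names," in
                *",$want,"*)
                    case $flags in *e*p*|*p*e*) found=yes ;; esac ;;
            esac
        done
        [ "$found" = yes ] || missing="$missing $want"
    done
    echo "${missing# }"
}

# ensure_caps: run as root, e.g. from the DSM scheduled task (hypothetical helper)
ensure_caps() {
    current=$(getcap "$BIN" 2>/dev/null)
    need=$(missing_caps "$current")
    if [ -z "$need" ]; then
        echo "capabilities intact: $current"
        return 0
    fi
    echo "missing: $need; re-applying" >&2
    setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$BIN"   # command from the thread
}

if [ "${1:-}" = "--apply" ]; then
    ensure_caps
fi
```

Because the check is read-only when nothing is missing, the task can run on a frequent schedule or at boot instead of relying on someone remembering to trigger it after each update.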

@publicarray
Member Author

publicarray commented Jul 14, 2024

@mreid-tt @hgy59 @th0ma7

What do you think about packages that require root to be useful? I'm not sure if this package should be published. What do you guys think? I do think AdGuardHome is very useful on a NAS, however some users may not get that it requires higher permissions to run.

I used @c0154936 screenshots above to start a simple guide to help.

@hgy59
Contributor

hgy59 commented Jul 14, 2024

> @michailf @hgy59 @th0ma7
>
> What do you think about packages that require root to be useful? I'm not sure if this package should be published. What do you guys think? I do think AdGuardHome is very useful on a NAS, however some users may not get that it requires higher permissions to run.
>
> I used @c0154936 screenshots above to start a simple guide to help.

I use the patching of the privilege file in #6152 too.
My findings are that after patching the privilege file, you need to "Repair" the package or start the service manually with synopkg. You can't start the package in the Package Center directly until it has been started successfully once.

BTW
The privilege restrictions by Synology are boring. If you run a package as docker container you can officially run it as root...

@mreid-tt
Contributor

mreid-tt commented Jul 14, 2024

> @mreid-tt @hgy59 @th0ma7
>
> What do you think about packages that require root to be useful? I'm not sure if this package should be published. What do you guys think? I do think AdGuardHome is very useful on a NAS, however some users may not get that it requires higher permissions to run.
>
> I used @c0154936 screenshots above to start a simple guide to help.

I've come to the same conclusion as @hgy59. These restrictions are forcing packages like this to be reviewed and signed by Synology for the official package repo. In the new Developer Guide there is even a section which reads:

> Install Development Token (For collaborative partners only)
> If you are developing a package with root privilege, you are not able to install that package unless it is signed by synology. To deal with this security restriction, we provide a development token to bypass the signing restriction.

The challenge is that this development token is only valid for that NAS and installing the token to another NAS does not make the bypass work. All in all, packages that require root must be published in the Synology Package Center.

Now I've attempted to use the form at https://www.synology.com/en-us/support/developer to query this issue since 2024-04-22 but beyond the initial Synology Inquiry Ticket: #770842 (Developer) email acknowledgement, I've never received a response. This does not bode well for the overall process.

> BTW
> The privilege restrictions by Synology are boring. If you run a package as docker container you can officially run it as root...

This is indeed interesting and I've even seen a section of the new guide entitled Compile Docker Package - Gitlab which goes into detail on how to compile a docker package by using a well known version control opensource - Gitlab.

What was also interesting is their brand new WIZARD_UIFILES [7.2.2] section which seems to change the whole mechanism to create wizard UI files. According to the document: This new method involves using a render function to generate the wizard UI file. The render function is a Vue.js Framework structured function. This will certainly be a fun adventure for future package creation.

@mreid-tt
Contributor

mreid-tt commented Jul 14, 2024

@publicarray I don't know if this would help but in the new Developer Guide there is a recently added resource worker called Systemd User Unit.

I don't know if this would solve the issue since the function may still require root privileges to be set up. As an experiment, I submitted the command that you need executed along with the updated manual through ChatGPT and it suggested the following implementation:

File: conf/systemd/pkg-adguardhome/adguardhome.service:

[Unit]
Description=AdGuard Home
After=network.target

[Service]
ExecStart=/var/packages/adguardhome/target/bin/adguardhome
Restart=on-failure
User=sc-adguardhome
Group=synocommunity
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Much of this is beyond my current understanding but I thought I'd look into the new resource workers in DSM 7 to see if there could be a solution there.

Labels
new-package PR/WIP for a new package status/needs-review
Development

Successfully merging this pull request may close these issues.

[Package Request] Adguard Home
4 participants