Entware Pi-hole directly on the router? Yes!

[jacklul]

P.P.P.S. Some stuff works like Google Play, Youtube app, etc. Chrome does not. Nothing obvious in many places, getting these errors in pihole.log:

Aug 14 21:23:31 dnsmasq[2542279]: query[A] play-fe.googleapis.com from 192.168.1.249
Aug 14 21:23:31 dnsmasq[2542279]: config error is REFUSED (EDE: not ready)
Aug 14 21:23:31 dnsmasq[2542279]: query[A] play-fe.googleapis.com from 192.168.1.249
Aug 14 21:23:31 dnsmasq[2542279]: config error is REFUSED (EDE: not ready)

Also if you have any global DNS director rules you should exclude Pi-hole.

 

[bibikalka]

what is your upstream dns servers?

Quad9.

Also if you have any global DNS director rules you should exclude Pi-hole.

Asus Merlin DNS director works by ethernet addresses, so a nebulous virtual IP is sort of tricky to unblock since I don't see an ethernet address for it I could of course unblock another PiHole which is running on Proxmox and has its own ethernet address.

So I am running Unbound, and Diversion as well. Unbound appears to be on 127.0.0.1:53, and same for Diversion? That's kind of confusing if they both live on port 53 (@thelonelycoder).

Anyway, I plugged that same port 53 into pihole config, following PiHole unbound recommendations, and it works now! The DNS queries are routed properly through the PiHole for the devices that I directed in the DNS director to use PiHole. I can see the hits, and the blocked sites when specified. Although I am hazy as to who picks up these queries upstream of PiHole, is it Unbound or Diversion ? ...

  upstreams = [
    "127.0.0.1#53"
  ] ### CHANGED, default = []

I feel the ability for people to run PiHole as a separate instance on Asus Merlin and test it is very attractive. That could save on some additional hardware in the house for those running PiHole's. And if the router is dead, there is not much PiHole-ing anyway! So there is a missing PiHole config script that would ask for this new IP to be assigned to PiHole, and saved somewhere.

I moved blocked sites from the Proxmox PiHole to this one using Settings/Teleporter in the web interface. The advantage now is that all queries to PiHole entware instance register with the true IP addresses, while Proxmox PiHole had everything showing up as originating from the router (192.168.1.1) which of course was quite inconvenient.

###########
So to summarize, these are the changes I did to run PiHole on a virtual IP 192.168.1.20, port 53:

ip -4 addr add 192.168.1.20/24 brd + dev br0 label br0:pihole

And then also several changes to the default config pihole.toml:

# diff pihole.toml pihole.toml_o
4c4
< # Last updated on 2025-08-15 09:11:18 CDT
---
> # Last updated on 2025-08-11 16:21:40 CDT
12,14c12
<   upstreams = [
<     "127.0.0.1#53"
<   ] ### CHANGED, default = []
---
>   upstreams = []
150c148
<   interface = "br0:pihole" ### CHANGED, default = "eth0"
---
>   interface = "eth0"
192c190
<   listeningMode = "BIND" ### CHANGED, default = "LOCAL"
---
>   listeningMode = "LOCAL"
329c327
<       force4 = true ### CHANGED, default = false
---
>       force4 = false
335c333
<       IPv4 = "192.168.1.20" ### CHANGED, default = ""
---
>       IPv4 = ""
665c663
<   port = "127.0.0.1:5080,192.168.1.20:80,192.168.1.20:5443s" ### CHANGED, default = "80o,443os,[::]:80o,[::]:443os"
---
>   port = "80o,443os,[::]:80o,[::]:443os"
814c812
<     pwhash =
---
>     pwhash =
1030,1032c1028
<   dnsmasq_lines = [
<     "except-interface=lo"
<   ] ### CHANGED, default = []
---
>   dnsmasq_lines = []
1200,1201c1196,1197
< # 155 total entries out of which 147 entries are default
< # --> 8 entries are modified
---
> # 155 total entries out of which 154 entries are default
> # --> 1 entry is modified

And the running processes for "nobody", it seems it's a bunch of stuff at 12.7 MB each?

# ps wT |grep nobody
 1321 nobody    3316 S    lldpd -L /usr/sbin/lldpcli -I eth1,eth2,eth3,eth4,eth5,eth6,wds0.*.*,wds1.*.* -s RT-AC86U
 9054 nobody    3160 S    avahi-daemon: running [RT-AC86U-9989.local]
1245792 nobody    4692 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
1245854 nobody    2492 S    dnsmasq -C /opt/share/diversion/.conf/ad_blocking_excl.conf
1245908 nobody    4836 S    dnsmasq --log-async
1264884 nobody   12752 S <  pihole-FTL -- -u nobody -g nobody
1264893 nobody   12752 S <  {database} pihole-FTL -- -u nobody -g nobody
1264894 nobody   12752 S <  {housekeeper} pihole-FTL -- -u nobody -g nobody
1264895 nobody   12752 S <  {dns-client} pihole-FTL -- -u nobody -g nobody
1264896 nobody   12752 S <  {timer} pihole-FTL -- -u nobody -g nobody
1264897 nobody   12752 S N  {civetweb-timer} pihole-FTL -- -u nobody -g nobody
1264898 nobody   12752 S N  {civetweb-master} pihole-FTL -- -u nobody -g nobody
1264922 nobody   12752 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody
1264923 nobody   12752 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody
1291881 nobody   12752 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody
1291882 nobody   12752 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody
1291883 nobody   12752 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody
1291884 nobody   12752 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody

 

[jacklul]

You can set webserver.threads to 1 or 2 to reduce the amount of the worker threads.

 

[bibikalka]

You can set webserver.threads to 1 or 2 to reduce the amount of the worker threads.

Which section of pihole.toml? I don't see such a setting in the web interface ...

OK, found it.

[webserver]
threads = 2 ### CHANGED, default = 50

OK, so it reduced the number of workers:

# ps wT |grep nobody
 1321 nobody    3316 S    lldpd -L /usr/sbin/lldpcli -I eth1,eth2,eth3,eth4,eth5,eth6,wds0.*.*,wds1.*.* -s RT-AC86U
 9054 nobody    3160 S    avahi-daemon: running [RT-AC86U-9989.local]
1245792 nobody    4692 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
1245854 nobody    2492 S    dnsmasq -C /opt/share/diversion/.conf/ad_blocking_excl.conf
1245908 nobody    4836 S    dnsmasq --log-async
1430981 nobody   12032 S <  pihole-FTL -- -u nobody -g nobody
1431008 nobody   12032 S <  {database} pihole-FTL -- -u nobody -g nobody
1431009 nobody   12032 S <  {housekeeper} pihole-FTL -- -u nobody -g nobody
1431010 nobody   12032 S <  {dns-client} pihole-FTL -- -u nobody -g nobody
1431011 nobody   12032 S <  {timer} pihole-FTL -- -u nobody -g nobody
1431012 nobody   12032 S N  {civetweb-timer} pihole-FTL -- -u nobody -g nobody
1431013 nobody   12032 S N  {civetweb-master} pihole-FTL -- -u nobody -g nobody
1431014 nobody   12032 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody
1431370 nobody   12032 S N  {civetweb-worker} pihole-FTL -- -u nobody -g nobody

 

[SomeWhereOverTheRainBow]

Quad9.

What I would recommend is temporarily using an additional upstream server to test redundancy. that error message you were getting could related to the upstream servers response to the request. It may be timing out upstream before dnsmasq has received a response.

 

[bibikalka]

@jacklul

I tried to make this PiHole instance to auto-start as you described in GitHub.

I think if it starts before NTP is synced, it wreaks havoc on everything else. I guess I gotta be checking 'nvram get ntp_ready' before starting it.

 

[jacklul]

I tried to make this PiHole instance to auto-start as you described in GitHub.

It starts with Entware, I would assume on Merlin it would be started by services-start script.

it wreaks havoc on everything else

What is happening exactly?

 

[bibikalka]

It starts with Entware, I would assume on Merlin it would be started by services-start script.
What is happening exactly?

I chased this down. I have this stock setup :

# ls -l /opt/etc/init.d/
total 48
-rw-r--r-- 1 admin root 2822 Mar 19  2021 rc.func
-rw-r--r-- 1 admin root 4068 Jul  7 17:50 rc.func.syslog-ng
-rwxr-xr-x 1 admin root  966 Mar 19  2021 rc.unslung
-rwxr-xr-x 1 admin root  250 May 22 21:55 S01syslog-ng
-rwxr-xr-x 1 admin root  217 Jan  8  2025 S02haveged
-rwxr-xr-x 1 admin root  232 May 23 04:17 S10cron
-rwxr-xr-x 1 admin root 1460 Aug 18  2023 S33vnstat
-rwxr-xr-x 1 admin root  212 Jun  1 08:03 S61unbound
-rwxrwxrwx 1 admin root  480 Jun 20 11:52 S77ntpd
-r-xr-xr-x 1 admin root 1060 Nov  1  2024 S90taildns
-rwxr-xr-x 1 admin root  726 Aug 15 11:22 S95extra-ip
-rwxr-xr-x 1 admin root  314 Jul 10  2024 S99sysstat

Basically, your suggestion was to do PiHole as S65. Because this is before the stock ntpd (S77), it'll start and somehow hijack the NTP thing so it never works. Then everything later hangs.

I put extra IP as S95, and PiHole as "S96pihole-FTL". Then they run after NTP, and it works fine. I also updated the extra IP script "S95extra-ip" so it has br0 label:

#!/bin/sh

ADDRESS=192.168.1.20/24
INTERFACE=br0
ENABLED=yes
LABEL=br0:pihole

case "$1" in
    start|restart)
        [ "$ENABLED" != "yes" ] && exit 0

        if ! ip addr show dev "$INTERFACE" | grep -q "inet $ADDRESS "; then

#            ip addr add "$ADDRESS" dev "$INTERFACE"
            ip -4 addr add "$ADDRESS" brd + dev "$INTERFACE" label "$LABEL"
            echo "Added $ADDRESS to $INTERFACE"
        fi
    ;;
    stop|kill)
        if ip addr show dev "$INTERFACE" | grep -q "inet $ADDRESS "; then
#            ip addr delete "$ADDRESS" dev "$INTERFACE"
            ip -4 addr delete "$ADDRESS" brd + dev "$INTERFACE" label "$LABEL"
            echo "Removed $ADDRESS from $INTERFACE"
        fi
    ;;
esac

But there is another issue, see next post.

 

[bibikalka]

Alright, so either starting automatically, or manually, PiHole immediately and continuously generates a large volume of kernel errors. It does not appear these errors prevent PiHole from working correctly, but something is off.

I have those types of errors suppressed from the log via a filter in /opt/etc/syslog-ng.d/ , so I was not seeing those with the manual starts. But I disabled the filter and tried to start FTL manually, and the same errors are there. Here is a typical error stream:

Aug 15 15:55:45 RT-AC86U-9988 ovpn-client1[37312]: Initialization Sequence Completed
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: Code: 4620d02f f2404629 463a1393 df00461f (f1104617)
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: Hardware name: Broadcom-v8A (DT)
Aug 15 15:55:57 RT-AC86U-9988 admin: Started pihole-FTL from .
Aug 15 15:55:57 RT-AC86U-9988 kernel: task: ffffffc0173b4080 ti: ffffffc01e86c000 task.ti: ffffffc01e86c000
Aug 15 15:55:57 RT-AC86U-9988 kernel: PC is at 0x2f3520
Aug 15 15:55:57 RT-AC86U-9988 kernel: LR is at 0x2f340b
Aug 15 15:55:57 RT-AC86U-9988 kernel: pc : [<00000000002f3520>] lr : [<00000000002f340b>] pstate: 80000030
Aug 15 15:55:57 RT-AC86U-9988 kernel: sp : 00000000fff08198
Aug 15 15:55:57 RT-AC86U-9988 kernel: x12: 00000000002f33e5
Aug 15 15:55:57 RT-AC86U-9988 kernel: x11: 0000000000000000 x10: 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x9 : 0000000000000000 x8 : 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x7 : 0000000000000193 x6 : 000000000001015d
Aug 15 15:55:57 RT-AC86U-9988 kernel: x5 : 00000000005b6848 x4 : 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x3 : 0000000000000193 x2 : 00000000fff081b8
Aug 15 15:55:57 RT-AC86U-9988 kernel: x1 : 00000000005b6848 x0 : 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: Code: 4620d02f f2404629 463a1393 df00461f (f1104617)
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: Hardware name: Broadcom-v8A (DT)
Aug 15 15:55:57 RT-AC86U-9988 kernel: task: ffffffc0173b4080 ti: ffffffc01e86c000 task.ti: ffffffc01e86c000
Aug 15 15:55:57 RT-AC86U-9988 kernel: PC is at 0x2f3520
Aug 15 15:55:57 RT-AC86U-9988 kernel: LR is at 0x2f4349
Aug 15 15:55:57 RT-AC86U-9988 kernel: pc : [<00000000002f3520>] lr : [<00000000002f4349>] pstate: 60000030
Aug 15 15:55:57 RT-AC86U-9988 kernel: sp : 00000000fff07f60
Aug 15 15:55:57 RT-AC86U-9988 kernel: x12: 0000000000367bac
Aug 15 15:55:57 RT-AC86U-9988 kernel: x11: 0000000000000000 x10: 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x9 : 0000000000302600 x8 : 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x7 : 0000000000000193 x6 : 000000000001015d
Aug 15 15:55:57 RT-AC86U-9988 kernel: x5 : 00000000fff07f78 x4 : 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x3 : 0000000000000193 x2 : 00000000fff07fa8
Aug 15 15:55:57 RT-AC86U-9988 kernel: x1 : 00000000fff07f78 x0 : 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 397
Aug 15 15:55:57 RT-AC86U-9988 kernel: Code: 468c4607 f446ac16 46b86200 df004677 (46014647)
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: Hardware name: Broadcom-v8A (DT)
Aug 15 15:55:57 RT-AC86U-9988 kernel: task: ffffffc0173b4080 ti: ffffffc01e86c000 task.ti: ffffffc01e86c000
Aug 15 15:55:57 RT-AC86U-9988 kernel: PC is at 0x2ebc6e
Aug 15 15:55:57 RT-AC86U-9988 kernel: LR is at 0x18d
Aug 15 15:55:57 RT-AC86U-9988 kernel: pc : [<00000000002ebc6e>] lr : [<000000000000018d>] pstate: 20000030
Aug 15 15:55:57 RT-AC86U-9988 kernel: sp : 00000000fff07ac8
Aug 15 15:55:57 RT-AC86U-9988 kernel: x12: 0000000000365db4
Aug 15 15:55:57 RT-AC86U-9988 kernel: x11: 0000000000000000 x10: 0000000000000000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x9 : 0000000000302600 x8 : 0000000000000003
Aug 15 15:55:57 RT-AC86U-9988 kernel: x7 : 000000000000018d x6 : 0000000000001000
Aug 15 15:55:57 RT-AC86U-9988 kernel: x5 : 00000000fff07c80 x4 : 00000000fff07b20
Aug 15 15:55:57 RT-AC86U-9988 kernel: x3 : 00000000000007ff x2 : 0000000000001800
Aug 15 15:55:57 RT-AC86U-9988 kernel: x1 : 0000000000365db4 x0 : 0000000000000003
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: Code: 4620d02f f2404629 463a1393 df00461f (f1104617)
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
...

And grepping it:

# grep 'pihole-FTL' /opt/var/log/messages
...
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 admin: Started pihole-FTL from .
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 397
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:55:57 RT-AC86U-9988 kernel: pihole-FTL[37573]: syscall 403
Aug 15 15:55:57 RT-AC86U-9988 kernel: CPU: 1 PID: 37573 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 1 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 0 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 0 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 0 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 0 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 0 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
...

 

[SomeWhereOverTheRainBow]

I chased this down. I have this stock setup :

# ls -l /opt/etc/init.d/
total 48
-rw-r--r-- 1 admin root 2822 Mar 19  2021 rc.func
-rw-r--r-- 1 admin root 4068 Jul  7 17:50 rc.func.syslog-ng
-rwxr-xr-x 1 admin root  966 Mar 19  2021 rc.unslung
-rwxr-xr-x 1 admin root  250 May 22 21:55 S01syslog-ng
-rwxr-xr-x 1 admin root  217 Jan  8  2025 S02haveged
-rwxr-xr-x 1 admin root  232 May 23 04:17 S10cron
-rwxr-xr-x 1 admin root 1460 Aug 18  2023 S33vnstat
-rwxr-xr-x 1 admin root  212 Jun  1 08:03 S61unbound
-rwxrwxrwx 1 admin root  480 Jun 20 11:52 S77ntpd
-r-xr-xr-x 1 admin root 1060 Nov  1  2024 S90taildns
-rwxr-xr-x 1 admin root  726 Aug 15 11:22 S95extra-ip
-rwxr-xr-x 1 admin root  314 Jul 10  2024 S99sysstat

Basically, your suggestion was to do PiHole as S65. Because this is before the stock ntpd (S77), it'll start and somehow hijack the NTP thing so it never works. Then everything later hangs.

I put extra IP as S95, and PiHole as "S96pihole-FTL". Then they run after NTP, and it works fine. I also updated the extra IP script "S95extra-ip" so it has br0 label:

#!/bin/sh

ADDRESS=192.168.1.20/24
INTERFACE=br0
ENABLED=yes
LABEL=br0:pihole

case "$1" in
    start|restart)
        [ "$ENABLED" != "yes" ] && exit 0

        if ! ip addr show dev "$INTERFACE" | grep -q "inet $ADDRESS "; then

#            ip addr add "$ADDRESS" dev "$INTERFACE"
            ip -4 addr add "$ADDRESS" brd + dev "$INTERFACE" label "$LABEL"
            echo "Added $ADDRESS to $INTERFACE"
        fi
    ;;
    stop|kill)
        if ip addr show dev "$INTERFACE" | grep -q "inet $ADDRESS "; then
#            ip addr delete "$ADDRESS" dev "$INTERFACE"
            ip -4 addr delete "$ADDRESS" brd + dev "$INTERFACE" label "$LABEL"
            echo "Removed $ADDRESS from $INTERFACE"
        fi
    ;;
esac

But there is another issue, see next post.

You could do a netwait script. create it inside /opt/etc/init.d/ it will be called /opt/etc/init.d/S00netwait it's content would include:

#!/bin/sh

# Copyright (C) 2013-2016 Jeremy Chadwick. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Waits for ntpc/ntpdate to properly sync time before starting up any
# daemons past this point.  The way it works is by repeatedly calling
# /bin/date +%Y and seeing if the year returned is later than 1970.
# Most routers do not have battery-backed RTCs, so their clocks always
# start from the epoch (December 31st 1969).  A year later than 1970
# (i.e. 1971 or later) would indicate ntpc has finished.
#
# This is helpful for daemons which are time-sensitive, such as
# BIND/named, where a clock that is extremely skewed can cause errors
# like: checkhints: unable to get root NS rrset from cache: not found
#
# TODO: Implement stop/start/restart/reconfigure/check/kill argument
# support, per rc.unslung.  Right now this just runs blindly every
# time.  stop/reconfigure/check/kill should be no-ops, start/restart
# should actually do something.
#
NAME="netwait[$$]"
INTERVAL=7
MAXCOUNT=13

checkdate() {
  local year=$(/bin/date +%Y)
  if [ $year -gt 1970 ]
  then
    return 0
  fi
  return 1
}

# First thing we do is check the current date.  If the year is
# already compliant, then don't call logger or anything else; just
# exit cleanly immediately.

if checkdate; then
  exit 0
fi

# Otherwise use a loop to check things repeatedly and bail out if
# things look good -- or bail out at the very end with a nastygram
# indicating we're not responsible if daemons misbehave past this
# point.  :-)

i=1
while [ $i -le $MAXCOUNT ]
do
  logger -t $NAME "Waiting for ntpc (attempt ${i}/${MAXCOUNT})"
  sleep $INTERVAL

  if checkdate; then
    logger -t $NAME "Clock synced; good to go!"
    exit 0
  fi
  i=$((i+1))
done

logger -t $NAME "Clock remains unsynced; continuing anyway"
exit 1

All this script does is cause entware to sleep longer until resuming to the rest of the entware packages that rely on entwares init.d to start. It provides a brief pause or a delay which would probably be effective enough for your time to sync before pihole starts, inevitably pihole will start after the delay even if the time hasn't synced.

make sure you make it executable by performing chmod 755 /opt/etc/init.d/S00netwait in command line.

 

[bibikalka]

You could do a netwait script. create it inside /opt/etc/init.d/ it will be called /opt/etc/init.d/S00netwait it's content would include:
...
All this script does is cause entware to sleep longer until resuming to the rest of the entware packages that rely on entwares init.d to start. It provides a brief pause or a delay which would probably be effective enough for your time to sync before pihole starts, inevitably pihole will start after the delay even if the time hasn't synced.

make sure you make it executable by performing chmod 755 /opt/etc/init.d/S00netwait in command line.

Thanks! I actually don't see many NTP issues in the log, just when PiHole goes first. Since PiHole is a service, it's tough to wait within PiHole script because every restart will be impacted. Some scripts read "$(nvram get ntp_ready)" such as scmerlin, and wait for a bit before proceeding.

I guess this variable will be 0 only early in the 1st reboot, so it'd be relatively safe to put this check into the PiHole script somewhere and have this script not hold the rest of the boot process. Here is the PiHole service script for reference:

#!/bin/sh
# https://github.com/jacklul/entware-pi-hole/
#shellcheck disable=SC2034,SC1091

ENABLED=yes
PROCS=pihole-FTL
ARGS=""
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/share/pihole/rc.sh
. /opt/etc/init.d/rc.func

 

[jacklul]

Pi-hole should not hijack ntp ports after setting these:

[ntp.ipv4]
  active = false
[ntp.ipv6]
  active = false
[ntp.sync]
  active = false

It's a bit unfortunate that even unbound is before ntpd, unbound + DNSSEC without synced clock will most likely not work properly.

It does not appear these errors prevent PiHole from working correctly, but something is off.

Seems like one of the threads is crashing in a loop, looking at the ps or htop and comparing it with earlier post might give some insight as to which named thread is doing this.

 

[bibikalka]

Pi-hole should not hijack ntp ports after setting these:
...
It's a bit unfortunate that even unbound is before ntpd, unbound + DNSSEC without synced clock will most likely not work properly.

Seems like one of the threads is crashing in a loop, looking at the ps or htop and comparing it with earlier post might give some insight as to which named thread is doing this.

So I disabled all Trend Micro stuff, and rebooted. Usually Trend Micro would cause such crashes, but here they still occur even when Trend Micro is not running. It looks like all types of processes are crashing:

# grep -a syscall /opt/var/log/messages
...
Aug 15 15:56:28 RT-AC86U-9988 kernel: pihole-FTL[37591]: syscall 403
Aug 16 09:37:00 RT-AC86U-9988 kernel: do_ni_syscall: 78 callbacks suppressed
Aug 16 09:37:00 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 397
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:01 RT-AC86U-9988 kernel: pihole-FTL[953694]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: do_ni_syscall: 750 callbacks suppressed
Aug 16 09:37:06 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: dns-client[953731]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:06 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:07 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: do_ni_syscall: 190 callbacks suppressed
Aug 16 09:37:11 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: dns-client[953731]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:11 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:12 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:12 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:12 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:16 RT-AC86U-9988 kernel: do_ni_syscall: 189 callbacks suppressed
Aug 16 09:37:16 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:16 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:16 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:16 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:16 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:16 RT-AC86U-9988 kernel: dns-client[953731]: syscall 403
Aug 16 09:37:16 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:17 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:17 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:17 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:21 RT-AC86U-9988 kernel: do_ni_syscall: 189 callbacks suppressed
Aug 16 09:37:21 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: dns-client[953731]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:21 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:22 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:22 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:26 RT-AC86U-9988 kernel: do_ni_syscall: 3745 callbacks suppressed
Aug 16 09:37:26 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:26 RT-AC86U-9988 kernel: dns-client[953731]: syscall 403
Aug 16 09:37:26 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:26 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:26 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:27 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:27 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:27 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:27 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:27 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: do_ni_syscall: 263 callbacks suppressed
Aug 16 09:37:31 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: dns-client[953731]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 397
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 403
Aug 16 09:37:31 RT-AC86U-9988 kernel: civetweb-worker[954338]: syscall 403
Aug 16 09:37:36 RT-AC86U-9988 kernel: do_ni_syscall: 979 callbacks suppressed
Aug 16 09:37:36 RT-AC86U-9988 kernel: civetweb-timer[953733]: syscall 403
Aug 16 09:37:36 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:36 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:37 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:37 RT-AC86U-9988 kernel: database[953729]: syscall 403
Aug 16 09:37:37 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:37 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:37 RT-AC86U-9988 kernel: database[953729]: syscall 397
Aug 16 09:37:37 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
Aug 16 09:37:37 RT-AC86U-9988 kernel: housekeeper[953730]: syscall 403
...

And same processes with "Tainted"

# grep -a Tainted /opt/var/log/messages
Aug 15 15:56:28 RT-AC86U-9988 kernel: CPU: 0 PID: 37591 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:00 RT-AC86U-9988 kernel: CPU: 0 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:01 RT-AC86U-9988 kernel: CPU: 1 PID: 953694 Comm: pihole-FTL Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 1 PID: 953729 Comm: database Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 1 PID: 953729 Comm: database Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 0 PID: 953730 Comm: housekeeper Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 0 PID: 953730 Comm: housekeeper Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 0 PID: 953730 Comm: housekeeper Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 0 PID: 953733 Comm: civetweb-timer Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 0 PID: 953731 Comm: dns-client Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 1 PID: 953729 Comm: database Tainted: P           O    4.1.27 #2
Aug 16 09:37:06 RT-AC86U-9988 kernel: CPU: 1 PID: 953729 Comm: database Tainted: P           O    4.1.27 #2
Aug 16 09:37:07 RT-AC86U-9988 kernel: CPU: 1 PID: 953729 Comm: database Tainted: P           O    4.1.27 #2
Aug 16 09:37:11 RT-AC86U-9988 kernel: CPU: 0 PID: 953730 Comm: housekeeper Tainted: P           O    4.1.27 #2
Aug 16 09:37:11 RT-AC86U-9988 kernel: CPU: 0 PID: 953729 Comm: database Tainted: P           O    4.1.27 #2
Aug 16 09:37:11 RT-AC86U-9988 kernel: CPU: 1 PID: 953731 Comm: dns-client Tainted: P           O    4.1.27 #2
Aug 16 09:37:11 RT-AC86U-9988 kernel: CPU: 1 PID: 953733 Comm: civetweb-timer Tainted: P           O    4.1.27 #2

 

[bibikalka]

@jacklul @RMerlin

So with proprietary Trend Micro and Asus code not running, it seems that the above crashes are between Asus Merlin and PiHole binaries, which are both more or less open source.

Also, while PiHole is running as "nobody", it's the kernel that's throwing all these errors. I can easily suppress these with log filtering, but it's probably impacting performance quite a bit given that the errors eat up the resources.

Thoughts?

 

[SomeWhereOverTheRainBow]

@jacklul @RMerlin

So with proprietary Trend Micro and Asus code not running, it seems that the above crashes are between Asus Merlin and PiHole binaries, which are both more or less open source.

Also, while PiHole is running as "nobody", it's the kernel that's throwing all these errors. I can easily suppress these with log filtering, but it's probably impacting performance quite a bit given that the errors eat up the resources.

Thoughts?

You have to be careful here because the entire processes are getting marked as tainted. This changes how kernel, and OS treat that process when it comes to available resources. This is what my Pihole process looks like on an RPI

 

[jacklul]

syscall 403 is clock_gettime64
syscall 397 is shmat, some kind of shared memory operation, potentially related to /dev/shm which Pi-hole uses

I've peeked into the source code and it seems like gettime64 (gettimeofday() actually) is called in multiple places, this explains why most of the threads are crashing.

Spoiler

Database thread throwing issues with shared memory is troublesome as Pi-hole requires it:

Spoiler

admin@RT-AX58U:/opt/root# la /dev/shm
total 4.5M
drwxrwxrwt 2 admin  root    360 Aug 16 11:55 .
drwxr-xr-x 5 admin  root   3.5K Jan  1  2024 ..
-rw------- 1 nobody nobody 332K Aug 16 11:55 FTL-1412-clients
-rw------- 1 nobody nobody 4.0K Aug 16 11:55 FTL-1412-clients-lookup
-rw------- 1 nobody nobody  328 Aug 16 11:55 FTL-1412-counters
-rw------- 1 nobody nobody  96K Aug 16 18:53 FTL-1412-dns-cache
-rw------- 1 nobody nobody  16K Aug 16 15:21 FTL-1412-dns-cache-lookup
-rw------- 1 nobody nobody  76K Aug 16 18:53 FTL-1412-domains
-rw------- 1 nobody nobody  16K Aug 16 11:55 FTL-1412-domains-lookup
-rw------- 1 nobody nobody 548K Aug 16 11:57 FTL-1412-fifo-log
-rw------- 1 nobody nobody   56 Aug 16 11:55 FTL-1412-lock
-rw------- 1 nobody nobody 8.0K Aug 16 11:55 FTL-1412-overTime
-rw------- 1 nobody nobody 4.0K Aug 16 11:55 FTL-1412-per-client-regex
-rw------- 1 nobody nobody 2.6M Aug 16 19:09 FTL-1412-queries
-rw------- 1 nobody nobody 768K Aug 16 11:55 FTL-1412-recycler
-rw------- 1 nobody nobody  136 Aug 16 11:55 FTL-1412-settings
-rw------- 1 nobody nobody 120K Aug 16 16:55 FTL-1412-strings
-rw------- 1 nobody nobody  12K Aug 16 11:55 FTL-1412-upstreams

Also, while PiHole is running as "nobody", it's the kernel that's throwing all these errors. I can easily suppress these with log filtering, but it's probably impacting performance quite a bit given that the errors eat up the resources.

Thoughts?

You should not just ignore this error and let it continue.
It is running as nobody but has few extra privileges granted via setcap, see here.

When you get those syscall 397 errors - what are the permissions of /dev/shm? They should be 1777 as set in here.

As far as I remember Pi-hole always required clock to be synced, I had a blocking systemd service set on my Raspberry Pi to prevent issues.
Perhaps delaying startup of all the Entware init scripts would solve it.
Alternative to code posted in post #70 would be this simple Entware service (using ntp_ready nvram variable):

Spoiler

#!/bin/sh
# /opt/etc/init.d/S05wait-for-time-sync
# or perhaps even S50 would be sufficient
case "$1" in
    start)
        timeout=300 # wait maximum of 5 minutes
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$timeout" -ge 0 ]; do
            timeout=$((timeout-1))
            sleep 1
        done
    ;;
esac

 

[bibikalka]

syscall 403 is clock_gettime64
syscall 397 is shmat, some kind of shared memory operation, potentially related to /dev/shm which Pi-hole uses


When you get those syscall 397 errors - what are the permissions of /dev/shm? They should be 1777 as set in here.

As far as I remember Pi-hole always required clock to be synced, I had a blocking systemd service set on my Raspberry Pi to prevent issues.
Perhaps delaying startup of all the Entware init scripts would solve it.

Well, I am getting these errors when I start PiHole manually hours after the router rebooted. So waiting won't help. It seems enough to put PiHole service after nptd start, that pretty much fixes the situation.

For /dev/shm, it's a directory and I am getting this:

# ls -lta /dev |grep shm
drwxrwxrwt  2 admin root        40 Aug 16 09:39 shm
# ls -lta /dev/shm
total 0
drwxr-xr-x 6 admin root 3440 Aug 16 12:09 ..
drwxrwxrwt 2 admin root   40 Aug 16 09:39 .

Here is what this looks like on a virgin AiMesh node:

admin@RT-AC68U-FF68:/tmp/home/root# ls -lta /dev |grep shm
drwxr-xr-x    2 admin    root            40 Dec 31  1969 shm
admin@RT-AC68U-FF68:/tmp/home/root# ls -lta /dev/shm/
drwxr-xr-x    5 admin    root          1500 Aug 16 04:05 ..
drwxr-xr-x    2 admin    root            40 Dec 31  1969 .

I wonder if there is a way to put some sort of wrappers around these calls to kernel functions? Is there any possible fix at all?

 

[bibikalka]

Here is the kernel version:

Linux RT-AC86U-9988 4.1.27 #2 SMP PREEMPT Sun Nov 17 14:59:02 EST 2024 aarch64 ASUSWRT-Merlin

 

[RMerlin]

You have to be careful here because the entire processes are getting marked as tainted.

The kernel is tainted, not the process. The two flags next to the Tainted: label indicate what's the taint:

P = Proprietary modules (TrendMicro, Broadcom, Tuxera, Realtek, and possibly a few more)
O = Out-of-tree modules

 

[bibikalka]

The kernel is tainted, not the process. The two flags next to the Tainted: label indicate what's the taint:

P = Proprietary modules (TrendMicro, Broadcom, Tuxera, Realtek, and possibly a few more)
O = Out-of-tree modules

It seems if the taint happens once, then the kernel knows it's tainted. At least that's what is out there in other explanations. But why does this kernel have to announce the taint at every turn spamming the log with all those messages?

syscall 403 is clock_gettime64
syscall 397 is shmat, some kind of shared memory operation, potentially related to /dev/shm which Pi-hole uses

It's puzzling that PiHole cannot invoke these kernel functions from the regular kernel code, and needs something that comes from a proprietary module somewhere. I would understand if this was some fancy functionality, but the regular shared memory stuff?