diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 817ea4e5..551b3593 100755 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -45,8 +45,8 @@ RUN apk add --no-cache \ && python -m venv /opt/venv # Upgrade pip/wheel/setuptools and install Python packages -# hadolint ignore=DL3013 -RUN python -m pip install --no-cache-dir --upgrade pip setuptools wheel && \ +# hadolint ignore=DL3013, DL3042 +RUN python -m pip install --upgrade pip setuptools wheel && \ pip install --prefer-binary --no-cache-dir -r /tmp/requirements.txt && \ chmod -R u-rwx,g-rwx /opt @@ -133,8 +133,8 @@ ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx ENV LANG=C.UTF-8 -# hadolint ignore=DL3018 -RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap \ + +RUN apk add --no-cache bash mtr libbsd zip lsblk tzdata curl arp-scan iproute2 iproute2-ss nmap fping \ nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake ca-certificates \ sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 envsubst \ nginx supercronic shadow su-exec && \ diff --git a/Dockerfile b/Dockerfile index c0bfb500..9dad6062 100755 --- a/Dockerfile +++ b/Dockerfile @@ -42,7 +42,7 @@ RUN apk add --no-cache \ && python -m venv /opt/venv # Upgrade pip/wheel/setuptools and install Python packages -# hadolint ignore=DL3013 +# hadolint ignore=DL3013, DL3042 RUN python -m pip install --upgrade pip setuptools wheel && \ pip install --prefer-binary --no-cache-dir -r /tmp/requirements.txt && \ chmod -R u-rwx,g-rwx /opt diff --git a/docker-compose.yml b/docker-compose.yml index d7e1e21b..3067ca8b 100755 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -68,7 +68,6 @@ services: cpu_shares: 512 # Relative CPU weight for CPU contention scenarios pids_limit: 512 # Limit the number of processes/threads to prevent fork bombs logging: - driver: "json-file" # Use JSON file logging driver options: max-size: "10m" # Rotate log files after they reach 10MB max-file: "3" # Keep a maximum of 3 log files diff --git a/install/production-filesystem/entrypoint.d/10-capabilities-audit.sh b/install/production-filesystem/entrypoint.d/10-capabilities-audit.sh index aa0f6988..e78b4b76 100755 --- a/install/production-filesystem/entrypoint.d/10-capabilities-audit.sh +++ b/install/production-filesystem/entrypoint.d/10-capabilities-audit.sh @@ -3,6 +3,9 @@ # # This script runs early to detect missing capabilities that would cause later # scripts (like Python-based checks) to fail with "Operation not permitted". +# This is not for checking excessive capabilities, which is handled in another +# startup script. + RED=$(printf '\033[1;31m') YELLOW=$(printf '\033[1;33m') diff --git a/install/production-filesystem/entrypoint.d/20-first-run-config.sh b/install/production-filesystem/entrypoint.d/20-first-run-config.sh index 5c22044f..8e37f2d6 100755 --- a/install/production-filesystem/entrypoint.d/20-first-run-config.sh +++ b/install/production-filesystem/entrypoint.d/20-first-run-config.sh @@ -1,6 +1,11 @@ #!/bin/sh # first-run-check.sh - Checks and initializes configuration files on first run +# Fix permissions if config directory exists but is unreadable +if [ -d "${NETALERTX_CONFIG}" ]; then + chmod u+rwX "${NETALERTX_CONFIG}" 2>/dev/null || true +fi +chmod u+rw "${NETALERTX_CONFIG}/app.conf" 2>/dev/null || true # Check for app.conf and deploy if required if [ ! -f "${NETALERTX_CONFIG}/app.conf" ]; then mkdir -p "${NETALERTX_CONFIG}" || { diff --git a/install/production-filesystem/entrypoint.d/25-first-run-db.sh b/install/production-filesystem/entrypoint.d/25-first-run-db.sh index 7767964c..7c65425a 100755 --- a/install/production-filesystem/entrypoint.d/25-first-run-db.sh +++ b/install/production-filesystem/entrypoint.d/25-first-run-db.sh @@ -2,6 +2,12 @@ # Ensures the database exists, or creates a new one on first run. # Intended to run only at initial startup. +# Fix permissions if DB directory exists but is unreadable +if [ -d "${NETALERTX_DB}" ]; then + chmod u+rwX "${NETALERTX_DB}" 2>/dev/null || true +fi +chmod u+rw "${NETALERTX_DB_FILE}" 2>/dev/null || true + set -eu CYAN=$(printf '\033[1;36m') diff --git a/install/production-filesystem/entrypoint.d/30-mandatory-folders.sh b/install/production-filesystem/entrypoint.d/30-mandatory-folders.sh index cc5204ca..9e6accc4 100755 --- a/install/production-filesystem/entrypoint.d/30-mandatory-folders.sh +++ b/install/production-filesystem/entrypoint.d/30-mandatory-folders.sh @@ -20,6 +20,12 @@ ensure_dir() { # When creating as the user running the services, we ensure correct ownership and access path="$1" label="$2" + # Fix permissions if directory exists but is unreadable/unwritable + # It's expected chown is done as root during root-entrypoint, and now we own the files + # here we will set correct access. + if [ -d "${path}" ]; then + chmod u+rwX "${path}" 2>/dev/null || true + fi if ! mkdir -p "${path}" 2>/dev/null; then if is_tmp_path "${path}"; then warn_tmp_skip "${path}" "${label}" diff --git a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh index 4aae3c3f..b4dfba58 100755 --- a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh +++ b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh @@ -1,7 +1,7 @@ #!/bin/sh # POSIX-compliant shell script for capability checking. # excessive-capabilities.sh checks that no more than the necessary -# NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present. +# CHOWN SETGID SETUID NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present. # if we are running in devcontainer then we should exit immediately without checking @@ -21,8 +21,8 @@ fi #POSIX compliant base16 on permissions BND_DEC=$(awk 'BEGIN { h = "0x'"$BND_HEX"'"; if (h ~ /^0x[0-9A-Fa-f]+$/) { printf "%d", h; exit 0 } else { exit 1 } }') || exit 0 -# Allowed capabilities: NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13) -ALLOWED_DEC=$(( ( 1 << 10 ) | ( 1 << 12 ) | ( 1 << 13 ) )) +# Allowed capabilities: CHOWN (0), SETGID (6), SETUID (7), NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13) +ALLOWED_DEC=$(( ( 1 << 0 ) | ( 1 << 6 ) | ( 1 << 7 ) | ( 1 << 10 ) | ( 1 << 12 ) | ( 1 << 13 ) )) # Check for excessive capabilities (any bits set outside allowed) EXTRA=$(( BND_DEC & ~ALLOWED_DEC )) @@ -32,8 +32,8 @@ if [ "$EXTRA" -ne 0 ]; then ══════════════════════════════════════════════════════════════════════════════ ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX). - Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. - Please remove unnecessary capabilities. + Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are + required in this container. Please remove unnecessary capabilities. https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md ══════════════════════════════════════════════════════════════════════════════ diff --git a/install/production-filesystem/root-entrypoint.sh b/install/production-filesystem/root-entrypoint.sh index 3896f0a0..fbd29611 100755 --- a/install/production-filesystem/root-entrypoint.sh +++ b/install/production-filesystem/root-entrypoint.sh @@ -1,14 +1,14 @@ #!/bin/bash # NetAlertX Root-Priming Entrypoint — best-effort permission priming 🔧 # -# Purpose: +# Responsibilities: # - Provide a runtime, best-effort remedy for host volume ownership/mode issues # (common on appliances like Synology where Docker volume copy‑up is limited). -# - Ensure writable paths exist, attempt to `chown`/`chmod` to a runtime `PUID`/`PGID` +# - Ensure writable paths exist, attempt to `chown` to a runtime `PUID`/`PGID` # (defaults to 20211), then drop privileges via `su-exec` if possible. # # Design & behavior notes: -# - This script is intentionally *non-fatal* for chown/chmod failures; operations are +# - This script is intentionally *non-fatal* for chown failures; operations are # best-effort so we avoid blocking container startup on imperfect hosts. # - Runtime defaults are used so the image works without requiring build-time args. # - If the container is started as non-root (`user:`), priming is skipped and it's the @@ -16,42 +16,60 @@ # - If `su-exec` cannot drop privileges, we log a note and continue as the current user # rather than aborting (keeps first-run resilient). # -# Operational recommendation: -# - For deterministic ownership, explicitly set `PUID`/`PGID` (or pre-chown host volumes), -# and when hardening capabilities add `cap_add: [CHOWN]` so priming can succeed. +# Behavioral conditions: +# 1. RUNTIME: NON-ROOT (Container started as user: 1000) +# - PUID/PGID env vars are ignored (cannot switch users). +# - Write permissions check performed on /data and /tmp. +# - EXEC: Direct entrypoint execution as current user. +# +# 2. RUNTIME: ROOT (Container started as user: 0) +# A. TARGET: PUID=0 (User requested root) +# - Permissions priming skipped (already root). +# - EXEC: Direct entrypoint execution as root (with security warning). +# +# B. TARGET: PUID > 0 (User requested privilege drop) +# - PRIMING: Attempt chown on /data & /tmp to PUID:PGID. +# (Failures logged but non-fatal to support NFS/ReadOnly mounts). +# - EXEC: Attempt `su-exec PUID:PGID`. +# - Success: Process runs as PUID. +# - Failure (Missing CAPS): Fallback to running as root to prevent crash. +# - If PUID=0, log a warning and run directly. +# - Otherwise, attempt to prime paths and `su-exec` to PUID:PG + PUID="${PUID:-${NETALERTX_UID:-20211}}" PGID="${PGID:-${NETALERTX_GID:-20211}}" -# Pretty terminal colors used for fatal messages (kept minimal + POSIX printf) RED=$(printf '\033[1;31m') RESET=$(printf '\033[0m') +_error_msg() { + title="$1" + body="$2" + >&2 printf "%s" "${RED}" + >&2 cat <&2 printf "%s" "${RESET}" + +} _validate_id() { value="$1" name="$2" - if ! printf '%s' "${value}" | grep -qxE '[0-9]+'; then - >&2 printf "%s" "${RED}" - >&2 cat <&2 printf "%s" "${RESET}" - exit 1 + Action: set a numeric ${name} (for example: ${name}=1000) in your environment + or docker-compose file. Default: 20211." + exit 1 fi } @@ -61,25 +79,29 @@ _validate_id "${PGID}" "PGID" _cap_bits_warn_missing_setid() { cap_hex=$(awk '/CapEff/ {print $2}' /proc/self/status 2>/dev/null || echo "") [ -n "${cap_hex}" ] || return + cap_dec=$((0x${cap_hex})) + + has_setgid=0; has_setuid=0; has_net_caps=0 - # POSIX compliant base16 on permissions - cap_dec=$(awk 'BEGIN { h = "0x'"${cap_hex}"'"; if (h ~ /^0x[0-9A-Fa-f]+$/) { printf "%d", h } else { print 0 } }') + # Bit masks (use numeric constants to avoid editor/HL issues and improve clarity) + # 1 << 6 = 64 + # 1 << 7 = 128 + # (1<<10)|(1<<12)|(1<<13) = 1024 + 4096 + 8192 = 13312 + SETGID_MASK=64 + SETUID_MASK=128 + NET_MASK=13312 - has_setgid=0 - has_setuid=0 - has_net_caps=0 - - if [ $((cap_dec & (1 << 6))) -ne 0 ]; then + if (( cap_dec & SETGID_MASK )); then has_setgid=1 fi - if [ $((cap_dec & (1 << 7))) -ne 0 ]; then + if (( cap_dec & SETUID_MASK )); then has_setuid=1 fi - if [ $((cap_dec & (1 << 10))) -ne 0 ] || [ $((cap_dec & (1 << 12))) -ne 0 ] || [ $((cap_dec & (1 << 13))) -ne 0 ]; then + if (( cap_dec & NET_MASK )); then has_net_caps=1 fi - if [ "${has_net_caps}" -eq 1 ] && { [ "${has_setgid}" -eq 0 ] || [ "${has_setuid}" -eq 0 ]; }; then + if (( has_net_caps == 1 && ( has_setgid == 0 || has_setuid == 0 ) )); then >&2 echo "Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user." fi } @@ -87,15 +109,29 @@ _cap_bits_warn_missing_setid() { _cap_bits_warn_missing_setid if [ "$(id -u)" -ne 0 ]; then - if [ -n "${PUID:-}" ] || [ -n "${PGID:-}" ]; then - >&2 printf 'Note: container running as UID %s GID %s; requested PUID/PGID=%s:%s will not be applied.\n' \ - "$(id -u)" "$(id -g)" "${PUID}" "${PGID}" + for path in "/tmp" "${NETALERTX_DATA:-/data}"; do + if [ -n "$path" ] && [ ! -w "$path" ]; then + _error_msg "FILESYSTEM PERMISSIONS ERROR" \ + " Container is running as User $(id -u), but cannot write to: + ${path} + + Because the container is not running as root, it cannot fix these + permissions automatically. + + Action: + 1. Update Host Volume permissions (e.g. 'chmod 755 ${path}' on host). + 2. Or, run container as root (user: 0) and let PUID/PGID logic handle it." + fi + done + + if [ -n "${PUID:-}" ] && [ "${PUID}" != "$(id -u)" ]; then + >&2 printf 'Note: container running as UID %s; requested PUID=%s ignored.\n' "$(id -u)" "${PUID}" fi exec /entrypoint.sh "$@" fi if [ "${PUID}" -eq 0 ]; then - >&2 echo "WARNING: Running as root (PUID=0). Prefer a non-root PUID. See https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/file-permissions.md" + >&2 echo "WARNING: Running as root (PUID=0). Prefer a non-root PUID." exec /entrypoint.sh "$@" fi @@ -103,28 +139,26 @@ _prime_paths() { runtime_root="${NETALERTX_RUNTIME_BASE:-/tmp}" paths="/tmp ${NETALERTX_DATA:-/data} ${NETALERTX_CONFIG:-/data/config} ${NETALERTX_DB:-/data/db} ${NETALERTX_LOG:-${runtime_root}/log} ${NETALERTX_PLUGINS_LOG:-${runtime_root}/log/plugins} ${NETALERTX_API:-${runtime_root}/api} ${SYSTEM_SERVICES_RUN:-${runtime_root}/run} ${SYSTEM_SERVICES_RUN_TMP:-${runtime_root}/run/tmp} ${SYSTEM_SERVICES_RUN_LOG:-${runtime_root}/run/logs} ${SYSTEM_SERVICES_ACTIVE_CONFIG:-${runtime_root}/nginx/active-config} ${runtime_root}/nginx" - chmod 1777 /tmp 2>/dev/null || true + # Always chown core roots up front so non-root runtime can chmod later. + chown -R "${PUID}:${PGID}" /data 2>/dev/null || true + chown -R "${PUID}:${PGID}" /tmp 2>/dev/null || true for path in ${paths}; do [ -n "${path}" ] || continue - if [ "${path}" = "/tmp" ]; then - continue - fi - install -d -o "${PUID}" -g "${PGID}" -m 700 "${path}" 2>/dev/null || true + if [ "${path}" = "/tmp" ]; then continue; fi + install -d -o "${PUID}" -g "${PGID}" "${path}" 2>/dev/null || true chown -R "${PUID}:${PGID}" "${path}" 2>/dev/null || true - chmod -R u+rwX "${path}" 2>/dev/null || true + # Note: chown must be done by root, chmod can be done by non-root + # (chmod removed as non-root runtime will handle modes after ownership is set) done - - >&2 echo "Permissions prepared for PUID=${PUID}." } - _prime_paths unset NETALERTX_PRIVDROP_FAILED if ! su-exec "${PUID}:${PGID}" /entrypoint.sh "$@"; then rc=$? export NETALERTX_PRIVDROP_FAILED=1 - export NETALERTX_CHECK_ONLY="${NETALERTX_CHECK_ONLY:-1}" + export NETALERTX_CHECK_ONLY="${NETALERTX_CHECK_ONLY:-0}" >&2 echo "Note: su-exec failed (exit ${rc}); continuing as current user without privilege drop." exec /entrypoint.sh "$@" fi \ No newline at end of file diff --git a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.active_config_unwritable.yml b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.active_config_unwritable.yml index 62447d31..789b6ef0 100644 --- a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.active_config_unwritable.yml +++ b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.active_config_unwritable.yml @@ -14,6 +14,8 @@ services: - ALL cap_add: - CHOWN + - SETGID + - SETUID - NET_ADMIN - NET_RAW - NET_BIND_SERVICE @@ -36,7 +38,11 @@ services: target: /tmp/nginx/active-config read_only: true tmpfs: - - "/tmp:mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime" + # Ensure /tmp is a writable tmpfs for the app user; mode 1777 to support su-exec drop. + - /tmp:uid=20211,gid=20211,mode=1777,noexec,nosuid,nodev,size=64m + - /tmp/log:uid=20211,gid=20211,mode=1777,noexec,nosuid,nodev,size=64m + - /tmp/api:uid=20211,gid=20211,mode=1777,noexec,nosuid,nodev,size=64m + - /tmp/run:uid=20211,gid=20211,mode=1777,noexec,nosuid,nodev,size=64m volumes: test_netalertx_data: test_system_services_active_config: \ No newline at end of file diff --git a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.data_noread.yml b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.data_noread.yml index acd54b11..f613c7d8 100644 --- a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.data_noread.yml +++ b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.data_noread.yml @@ -8,7 +8,6 @@ services: dockerfile: Dockerfile image: netalertx-test container_name: netalertx-test-mount-data_noread - user: "20211:20211" cap_drop: - ALL cap_add: @@ -38,7 +37,7 @@ services: read_only: false tmpfs: - - "/tmp:mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime" + - "/tmp:mode=1777,uid=20211,gid=20211,rw,noexec,nosuid,nodev,async,noatime,nodiratime" volumes: test_netalertx_data: \ No newline at end of file diff --git a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.db_noread.yml b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.db_noread.yml index b78e4440..cc31fe2a 100644 --- a/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.db_noread.yml +++ b/test/docker_tests/configurations/mount-tests/docker-compose.mount-test.db_noread.yml @@ -38,7 +38,7 @@ services: read_only: false tmpfs: - - "/tmp:mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime" + - "/tmp:mode=1700,uid=20211,gid=20211,rw,noexec,nosuid,nodev,async,noatime,nodiratime" volumes: test_netalertx_data: \ No newline at end of file diff --git a/test/docker_tests/configurations/test_results.log b/test/docker_tests/configurations/test_results.log index a0a93a8d..65b2f9cf 100644 --- a/test/docker_tests/configurations/test_results.log +++ b/test/docker_tests/configurations/test_results.log @@ -1,4 +1,4 @@ -Starting Docker Compose Tests - Fri Jan 2 22:39:44 UTC 2026 +Starting Docker Compose Tests - Mon Jan 5 02:20:29 UTC 2026 ========================================== File: docker-compose.missing-caps.yml ---------------------------------------- @@ -12,11 +12,11 @@ Running docker compose up... Container netalertx-test-missing-caps Creating Container netalertx-test-missing-caps Created Attaching to netalertx-test-missing-caps -netalertx-test-missing-caps | Permissions prepared for PUID=20211. +netalertx-test-missing-caps | Ownership prepared for PUID=20211. netalertx-test-missing-caps | su-exec: setgroups(20211): Operation not permitted netalertx-test-missing-caps | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-missing-caps | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. -netalertx-test-missing-caps | Permissions prepared for PUID=20211. +netalertx-test-missing-caps | Ownership prepared for PUID=20211. netalertx-test-missing-caps | su-exec: setgroups(20211): Operation not permitted netalertx-test-missing-caps | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-missing-caps |  @@ -72,38 +72,21 @@ netalertx-test-missing-caps | DB before onboarding sensitive or critical ne netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-missing-caps | --> mandatory folders.sh netalertx-test-missing-caps | --> apply conf override.sh -netalertx-test-missing-caps | mkdir: can't create directory '152NETALERTX_CONFIG': Read-only file system -netalertx-test-missing-caps | ERROR: Failed to create config directory 152NETALERTX_CONFIG -netalertx-test-missing-caps | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-caps | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-missing-caps | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md +netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-missing-caps | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-missing-caps | +netalertx-test-missing-caps | Make sure the JSON content is correct before starting the application. netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-caps | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. netalertx-test-missing-caps | --> writable config.sh netalertx-test-missing-caps | --> nginx config.sh netalertx-test-missing-caps | --> expected user id match.sh -netalertx-test-missing-caps | \033[0m +netalertx-test-missing-caps |  netalertx-test-missing-caps | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-missing-caps | --> host mode network.sh netalertx-test-missing-caps | --> excessive capabilities.sh netalertx-test-missing-caps | --> appliance integrity.sh netalertx-test-missing-caps | --> ports available.sh -netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-caps | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-missing-caps | -netalertx-test-missing-caps | The main application (defined by $PORT) may fail to start. -netalertx-test-missing-caps | -netalertx-test-missing-caps | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-caps | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-missing-caps | -netalertx-test-missing-caps | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-missing-caps | may fail to start. -netalertx-test-missing-caps | -netalertx-test-missing-caps | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-missing-caps | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-caps | Container startup checks failed with exit code 1. +netalertx-test-missing-caps | Container startup checks failed with exit code 126. netalertx-test-missing-caps | NETALERTX_DEBUG=1, continuing despite failed pre-checks. netalertx-test-missing-caps exited with code 0 File: docker-compose.missing-net-admin.yml @@ -119,12 +102,12 @@ Running docker compose up... Container netalertx-test-missing-net-admin Created Attaching to netalertx-test-missing-net-admin netalertx-test-missing-net-admin | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-missing-net-admin | Permissions prepared for PUID=20211. +netalertx-test-missing-net-admin | Ownership prepared for PUID=20211. netalertx-test-missing-net-admin | su-exec: setgroups(20211): Operation not permitted netalertx-test-missing-net-admin | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-missing-net-admin | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-missing-net-admin | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-missing-net-admin | Permissions prepared for PUID=20211. +netalertx-test-missing-net-admin | Ownership prepared for PUID=20211. netalertx-test-missing-net-admin | su-exec: setgroups(20211): Operation not permitted netalertx-test-missing-net-admin | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-missing-net-admin |  @@ -171,38 +154,16 @@ netalertx-test-missing-net-admin | DB before onboarding sensitive or critic netalertx-test-missing-net-admin | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-missing-net-admin | --> mandatory folders.sh netalertx-test-missing-net-admin | --> apply conf override.sh -netalertx-test-missing-net-admin | mkdir: can't create directory '151NETALERTX_CONFIG': Read-only file system -netalertx-test-missing-net-admin | ERROR: Failed to create config directory 151NETALERTX_CONFIG -netalertx-test-missing-net-admin | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-admin | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-missing-net-admin | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-missing-net-admin | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-admin | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. netalertx-test-missing-net-admin | --> writable config.sh netalertx-test-missing-net-admin | --> nginx config.sh netalertx-test-missing-net-admin | --> expected user id match.sh -netalertx-test-missing-net-admin | \033[0m +netalertx-test-missing-net-admin |  netalertx-test-missing-net-admin | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-missing-net-admin | --> host mode network.sh netalertx-test-missing-net-admin | --> excessive capabilities.sh netalertx-test-missing-net-admin | --> appliance integrity.sh netalertx-test-missing-net-admin | --> ports available.sh -netalertx-test-missing-net-admin | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-admin | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-missing-net-admin | -netalertx-test-missing-net-admin | The main application (defined by $PORT) may fail to start. -netalertx-test-missing-net-admin | -netalertx-test-missing-net-admin | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-missing-net-admin | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-admin | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-admin | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-missing-net-admin | -netalertx-test-missing-net-admin | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-missing-net-admin | may fail to start. -netalertx-test-missing-net-admin | -netalertx-test-missing-net-admin | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-missing-net-admin | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-admin | Container startup checks failed with exit code 1. +netalertx-test-missing-net-admin | Container startup checks failed with exit code 126. netalertx-test-missing-net-admin | NETALERTX_DEBUG=1, continuing despite failed pre-checks. netalertx-test-missing-net-admin | APP_CONF_OVERRIDE detected (set from GRAPHQL_PORT) netalertx-test-missing-net-admin exited with code 0 @@ -218,7 +179,7 @@ Running docker compose up... Container netalertx-test-missing-net-raw Creating Container netalertx-test-missing-net-raw Created Attaching to netalertx-test-missing-net-raw -netalertx-test-missing-net-raw | Permissions prepared for PUID=20211. +netalertx-test-missing-net-raw | Ownership prepared for PUID=20211. netalertx-test-missing-net-raw |  netalertx-test-missing-net-raw | _ _ _ ___ _ _ __ __ netalertx-test-missing-net-raw | | \ | | | | / _ \| | | | \ \ / / @@ -262,13 +223,6 @@ netalertx-test-missing-net-raw | DB before onboarding sensitive or critical netalertx-test-missing-net-raw | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-missing-net-raw | --> mandatory folders.sh netalertx-test-missing-net-raw | --> apply conf override.sh -netalertx-test-missing-net-raw | mkdir: can't create directory '103NETALERTX_CONFIG': Read-only file system -netalertx-test-missing-net-raw | ERROR: Failed to create config directory 103NETALERTX_CONFIG -netalertx-test-missing-net-raw | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-raw | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-missing-net-raw | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-missing-net-raw | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-raw | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. netalertx-test-missing-net-raw | --> writable config.sh netalertx-test-missing-net-raw | --> nginx config.sh netalertx-test-missing-net-raw | --> expected user id match.sh @@ -276,36 +230,21 @@ netalertx-test-missing-net-raw | --> host mode network.sh netalertx-test-missing-net-raw | --> excessive capabilities.sh netalertx-test-missing-net-raw | --> appliance integrity.sh netalertx-test-missing-net-raw | --> ports available.sh -netalertx-test-missing-net-raw | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-raw | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-missing-net-raw | -netalertx-test-missing-net-raw | The main application (defined by $PORT) may fail to start. -netalertx-test-missing-net-raw | -netalertx-test-missing-net-raw | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-missing-net-raw | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-raw | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-raw | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-missing-net-raw | -netalertx-test-missing-net-raw | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-missing-net-raw | may fail to start. -netalertx-test-missing-net-raw | -netalertx-test-missing-net-raw | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-missing-net-raw | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-missing-net-raw | Container startup checks failed with exit code 1. +netalertx-test-missing-net-raw | Container startup checks failed with exit code 126. netalertx-test-missing-net-raw | NETALERTX_DEBUG=1, continuing despite failed pre-checks. -netalertx-test-missing-net-raw | \033[0mAPP_CONF_OVERRIDE detected (set from GRAPHQL_PORT) +netalertx-test-missing-net-raw | APP_CONF_OVERRIDE detected (set from GRAPHQL_PORT) netalertx-test-missing-net-raw | /services/scripts/update_vendors.sh: line 28: /tmp/run/tmp/ieee-oui.txt.tmp: Read-only file system -netalertx-test-missing-net-raw | Starting supercronic --debug "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & netalertx-test-missing-net-raw | Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log) +netalertx-test-missing-net-raw | Starting supercronic --debug "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & netalertx-test-missing-net-raw | /services/start-cron.sh: line 37: /tmp/log/cron.log: Read-only file system netalertx-test-missing-net-raw | Supercronic stopped! (exit 1) netalertx-test-missing-net-raw | tee: /tmp/log/app.php_errors.log: Read-only file system netalertx-test-missing-net-raw | mktemp: : Read-only file system netalertx-test-missing-net-raw | Starting python3 -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2) netalertx-test-missing-net-raw | /services/start-backend.sh: line 16: /tmp/log/stdout.log: Read-only file system -netalertx-test-missing-net-raw | [02-Jan-2026 17:39:52] ERROR: failed to open error_log (/tmp/log/app.php_errors.log): Read-only file system (30) -netalertx-test-missing-net-raw | [02-Jan-2026 17:39:52] ERROR: failed to post process the configuration -netalertx-test-missing-net-raw | [02-Jan-2026 17:39:52] ERROR: FPM initialization failed +netalertx-test-missing-net-raw | [04-Jan-2026 21:20:39] ERROR: failed to open error_log (/tmp/log/app.php_errors.log): Read-only file system (30) +netalertx-test-missing-net-raw | [04-Jan-2026 21:20:39] ERROR: failed to post process the configuration +netalertx-test-missing-net-raw | [04-Jan-2026 21:20:39] ERROR: FPM initialization failed netalertx-test-missing-net-raw | php-fpm stopped! (exit 78) netalertx-test-missing-net-raw | ERROR: Failed to download or process OUI data Gracefully stopping... (press Ctrl+C again to force) @@ -325,12 +264,12 @@ Running docker compose up... Container netalertx-test-readonly Created Attaching to netalertx-test-readonly netalertx-test-readonly | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-readonly | Permissions prepared for PUID=20211. +netalertx-test-readonly | Ownership prepared for PUID=20211. netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-readonly | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-readonly | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-readonly | Permissions prepared for PUID=20211. +netalertx-test-readonly | Ownership prepared for PUID=20211. netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-readonly |  @@ -365,43 +304,64 @@ netalertx-test-readonly | DB before onboarding sensitive or critical networ netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-readonly | --> mandatory folders.sh netalertx-test-readonly | --> apply conf override.sh -netalertx-test-readonly | mkdir: can't create directory '150NETALERTX_CONFIG': Read-only file system -netalertx-test-readonly | ERROR: Failed to create config directory 150NETALERTX_CONFIG -netalertx-test-readonly | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-readonly | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-readonly | +netalertx-test-readonly | Make sure the JSON content is correct before starting the application. netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. netalertx-test-readonly | --> writable config.sh netalertx-test-readonly | --> nginx config.sh netalertx-test-readonly | --> expected user id match.sh -netalertx-test-readonly | \033[0m +netalertx-test-readonly |  +netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 +netalertx-test-readonly | --> host mode network.sh +netalertx-test-readonly | --> excessive capabilities.sh +netalertx-test-readonly | --> appliance integrity.sh +netalertx-test-readonly | --> ports available.sh + netalertx-test-readonly exited with code 0 +netalertx-test-readonly | --> capabilities audit.sh +netalertx-test-readonly | Security context: Operational capabilities (SETGID SETUID) not granted. +netalertx-test-readonly | --> mounts.py +netalertx-test-readonly | --> first run config.sh +netalertx-test-readonly | --> first run db.sh +netalertx-test-readonly | --> mandatory folders.sh +netalertx-test-readonly | --> apply conf override.sh +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-readonly | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-readonly | +netalertx-test-readonly | Make sure the JSON content is correct before starting the application. +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-readonly | --> writable config.sh +netalertx-test-readonly | --> nginx config.sh +netalertx-test-readonly | --> expected user id match.sh +netalertx-test-readonly |  +netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 +netalertx-test-readonly | --> host mode network.sh +netalertx-test-readonly | --> excessive capabilities.sh +netalertx-test-readonly | --> appliance integrity.sh +netalertx-test-readonly | --> ports available.sh + netalertx-test-readonly exited with code 0 +netalertx-test-readonly | Security context: Operational capabilities (SETGID SETUID) not granted. +netalertx-test-readonly | --> mounts.py +netalertx-test-readonly | --> first run config.sh +netalertx-test-readonly | --> first run db.sh +netalertx-test-readonly | --> mandatory folders.sh +netalertx-test-readonly | --> apply conf override.sh +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-readonly | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-readonly | +netalertx-test-readonly | Make sure the JSON content is correct before starting the application. +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-readonly | --> writable config.sh +netalertx-test-readonly | --> nginx config.sh +netalertx-test-readonly | --> expected user id match.sh +netalertx-test-readonly |  netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-readonly | --> host mode network.sh netalertx-test-readonly | --> excessive capabilities.sh netalertx-test-readonly | --> appliance integrity.sh netalertx-test-readonly | --> ports available.sh -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The main application (defined by $PORT) may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-readonly | may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | Container startup checks failed with exit code 1. -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite failed pre-checks. netalertx-test-readonly exited with code 0 -netalertx-test-readonly | Permissions prepared for PUID=20211. -netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted -netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-readonly |  netalertx-test-readonly | _ _ _ ___ _ _ __ __ netalertx-test-readonly | | \ | | | | / _ \| | | | \ \ / / @@ -422,267 +382,60 @@ netalertx-test-readonly | --> first run config.sh netalertx-test-readonly | --> first run db.sh netalertx-test-readonly | --> mandatory folders.sh netalertx-test-readonly | --> apply conf override.sh -netalertx-test-readonly | mkdir: can't create directory '143NETALERTX_CONFIG': Read-only file system -netalertx-test-readonly | ERROR: Failed to create config directory 143NETALERTX_CONFIG -netalertx-test-readonly | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. +netalertx-test-readonly | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-readonly | +netalertx-test-readonly | Make sure the JSON content is correct before starting the application. +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-readonly | --> writable config.sh netalertx-test-readonly | --> nginx config.sh netalertx-test-readonly | --> expected user id match.sh -netalertx-test-readonly | \033[0m +netalertx-test-readonly |  netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-readonly | --> host mode network.sh netalertx-test-readonly | --> excessive capabilities.sh netalertx-test-readonly | --> appliance integrity.sh netalertx-test-readonly | --> ports available.sh -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The main application (defined by $PORT) may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-readonly | may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | Container startup checks failed with exit code 1. -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite failed pre-checks. netalertx-test-readonly exited with code 0 -netalertx-test-readonly | Permissions prepared for PUID=20211. -netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted -netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-readonly |  -netalertx-test-readonly | _ _ _ ___ _ _ __ __ -netalertx-test-readonly | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-readonly | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-readonly | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-readonly | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-readonly | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-readonly |  Network intruder and presence detector. -netalertx-test-readonly | https://netalertx.com -netalertx-test-readonly | -netalertx-test-readonly | -netalertx-test-readonly | Startup pre-checks -netalertx-test-readonly | --> data migration.sh -netalertx-test-readonly | --> capabilities audit.sh netalertx-test-readonly | Security context: Operational capabilities (SETGID SETUID) not granted. netalertx-test-readonly | --> mounts.py netalertx-test-readonly | --> first run config.sh netalertx-test-readonly | --> first run db.sh netalertx-test-readonly | --> mandatory folders.sh netalertx-test-readonly | --> apply conf override.sh -netalertx-test-readonly | mkdir: can't create directory '143NETALERTX_CONFIG': Read-only file system -netalertx-test-readonly | ERROR: Failed to create config directory 143NETALERTX_CONFIG -netalertx-test-readonly | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. +netalertx-test-readonly | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-readonly | +netalertx-test-readonly | Make sure the JSON content is correct before starting the application. +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-readonly | --> writable config.sh netalertx-test-readonly | --> nginx config.sh netalertx-test-readonly | --> expected user id match.sh -netalertx-test-readonly | \033[0m +netalertx-test-readonly |  netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-readonly | --> host mode network.sh netalertx-test-readonly | --> excessive capabilities.sh netalertx-test-readonly | --> appliance integrity.sh netalertx-test-readonly | --> ports available.sh -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The main application (defined by $PORT) may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-readonly | may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | Container startup checks failed with exit code 1. -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite failed pre-checks. netalertx-test-readonly exited with code 0 -netalertx-test-readonly | Permissions prepared for PUID=20211. -netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted -netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-readonly |  -netalertx-test-readonly | _ _ _ ___ _ _ __ __ -netalertx-test-readonly | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-readonly | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-readonly | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-readonly | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-readonly | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-readonly |  Network intruder and presence detector. -netalertx-test-readonly | https://netalertx.com -netalertx-test-readonly | -netalertx-test-readonly | -netalertx-test-readonly | Startup pre-checks -netalertx-test-readonly | --> data migration.sh -netalertx-test-readonly | --> capabilities audit.sh -netalertx-test-readonly | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-readonly | --> mounts.py netalertx-test-readonly | --> first run config.sh netalertx-test-readonly | --> first run db.sh netalertx-test-readonly | --> mandatory folders.sh netalertx-test-readonly | --> apply conf override.sh -netalertx-test-readonly | mkdir: can't create directory '143NETALERTX_CONFIG': Read-only file system -netalertx-test-readonly | ERROR: Failed to create config directory 143NETALERTX_CONFIG -netalertx-test-readonly | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. +netalertx-test-readonly | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-readonly | +netalertx-test-readonly | Make sure the JSON content is correct before starting the application. +netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-readonly | --> writable config.sh netalertx-test-readonly | --> nginx config.sh netalertx-test-readonly | --> expected user id match.sh -netalertx-test-readonly | \033[0m +netalertx-test-readonly |  netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-readonly | --> host mode network.sh netalertx-test-readonly | --> excessive capabilities.sh netalertx-test-readonly | --> appliance integrity.sh netalertx-test-readonly | --> ports available.sh -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The main application (defined by $PORT) may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-readonly | may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | Container startup checks failed with exit code 1. -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite failed pre-checks. - netalertx-test-readonly exited with code 0 -netalertx-test-readonly | Permissions prepared for PUID=20211. -netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted -netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-readonly |  -netalertx-test-readonly | _ _ _ ___ _ _ __ __ -netalertx-test-readonly | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-readonly | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-readonly | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-readonly | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-readonly | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-readonly |  Network intruder and presence detector. -netalertx-test-readonly | https://netalertx.com -netalertx-test-readonly | -netalertx-test-readonly | -netalertx-test-readonly | Startup pre-checks -netalertx-test-readonly | --> data migration.sh -netalertx-test-readonly | --> capabilities audit.sh -netalertx-test-readonly | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-readonly | --> mounts.py -netalertx-test-readonly | --> first run config.sh -netalertx-test-readonly | --> first run db.sh -netalertx-test-readonly | --> mandatory folders.sh -netalertx-test-readonly | --> apply conf override.sh -netalertx-test-readonly | mkdir: can't create directory '143NETALERTX_CONFIG': Read-only file system -netalertx-test-readonly | ERROR: Failed to create config directory 143NETALERTX_CONFIG -netalertx-test-readonly | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. -netalertx-test-readonly | --> writable config.sh -netalertx-test-readonly | --> nginx config.sh -netalertx-test-readonly | --> expected user id match.sh -netalertx-test-readonly | \033[0m -netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 -netalertx-test-readonly | --> host mode network.sh -netalertx-test-readonly | --> excessive capabilities.sh -netalertx-test-readonly | --> appliance integrity.sh -netalertx-test-readonly | --> ports available.sh -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The main application (defined by $PORT) may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-readonly | may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | Container startup checks failed with exit code 1. -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite failed pre-checks. - netalertx-test-readonly exited with code 0 -netalertx-test-readonly | Permissions prepared for PUID=20211. -netalertx-test-readonly | su-exec: setgroups(20211): Operation not permitted -netalertx-test-readonly | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-readonly |  -netalertx-test-readonly | _ _ _ ___ _ _ __ __ -netalertx-test-readonly | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-readonly | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-readonly | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-readonly | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-readonly | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-readonly |  Network intruder and presence detector. -netalertx-test-readonly | https://netalertx.com -netalertx-test-readonly | -netalertx-test-readonly | -netalertx-test-readonly | Startup pre-checks -netalertx-test-readonly | --> data migration.sh -netalertx-test-readonly | --> capabilities audit.sh -netalertx-test-readonly | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-readonly | --> mounts.py -netalertx-test-readonly | --> first run config.sh -netalertx-test-readonly | --> first run db.sh -netalertx-test-readonly | --> mandatory folders.sh -netalertx-test-readonly | --> apply conf override.sh -netalertx-test-readonly | mkdir: can't create directory '143NETALERTX_CONFIG': Read-only file system -netalertx-test-readonly | ERROR: Failed to create config directory 143NETALERTX_CONFIG -netalertx-test-readonly | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite critical failure in apply conf override.sh. -netalertx-test-readonly | --> writable config.sh -netalertx-test-readonly | --> nginx config.sh -netalertx-test-readonly | --> expected user id match.sh -netalertx-test-readonly | \033[0m -netalertx-test-readonly | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 -netalertx-test-readonly | --> host mode network.sh -netalertx-test-readonly | --> excessive capabilities.sh -netalertx-test-readonly | --> appliance integrity.sh -netalertx-test-readonly | --> ports available.sh -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The main application (defined by $PORT) may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-readonly | -netalertx-test-readonly | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-readonly | may fail to start. -netalertx-test-readonly | -netalertx-test-readonly | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-readonly | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-readonly | Container startup checks failed with exit code 1. -netalertx-test-readonly | NETALERTX_DEBUG=1, continuing despite failed pre-checks. netalertx-test-readonly exited with code 0 Gracefully stopping... (press Ctrl+C again to force) Container netalertx-test-readonly Stopping @@ -701,12 +454,12 @@ Running docker compose up... Container netalertx-test-writable Created Attaching to netalertx-test-writable netalertx-test-writable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-writable | Permissions prepared for PUID=20211. +netalertx-test-writable | Ownership prepared for PUID=20211. netalertx-test-writable | su-exec: setgroups(20211): Operation not permitted netalertx-test-writable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-writable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-writable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-writable | Permissions prepared for PUID=20211. +netalertx-test-writable | Ownership prepared for PUID=20211. netalertx-test-writable | su-exec: setgroups(20211): Operation not permitted netalertx-test-writable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-writable |  @@ -765,41 +518,7 @@ netalertx-test-writable | --> host mode network.sh netalertx-test-writable | --> excessive capabilities.sh netalertx-test-writable | --> appliance integrity.sh netalertx-test-writable | --> ports available.sh -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-writable | -netalertx-test-writable | The main application (defined by $PORT) may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-writable | -netalertx-test-writable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-writable | may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-writable exited with code 0 -netalertx-test-writable | Permissions prepared for PUID=20211. -netalertx-test-writable | su-exec: setgroups(20211): Operation not permitted -netalertx-test-writable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-writable |  -netalertx-test-writable | _ _ _ ___ _ _ __ __ -netalertx-test-writable | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-writable | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-writable | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-writable | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-writable | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-writable |  Network intruder and presence detector. -netalertx-test-writable | https://netalertx.com -netalertx-test-writable | -netalertx-test-writable | -netalertx-test-writable | Startup pre-checks -netalertx-test-writable | --> data migration.sh -netalertx-test-writable | --> capabilities audit.sh -netalertx-test-writable | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-writable | --> mounts.py netalertx-test-writable | --> first run config.sh netalertx-test-writable | --> first run db.sh netalertx-test-writable | --> mandatory folders.sh @@ -828,41 +547,7 @@ netalertx-test-writable | --> host mode network.sh netalertx-test-writable | --> excessive capabilities.sh netalertx-test-writable | --> appliance integrity.sh netalertx-test-writable | --> ports available.sh -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-writable | -netalertx-test-writable | The main application (defined by $PORT) may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-writable | -netalertx-test-writable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-writable | may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-writable exited with code 0 -netalertx-test-writable | Permissions prepared for PUID=20211. -netalertx-test-writable | su-exec: setgroups(20211): Operation not permitted -netalertx-test-writable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-writable |  -netalertx-test-writable | _ _ _ ___ _ _ __ __ -netalertx-test-writable | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-writable | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-writable | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-writable | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-writable | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-writable |  Network intruder and presence detector. -netalertx-test-writable | https://netalertx.com -netalertx-test-writable | -netalertx-test-writable | -netalertx-test-writable | Startup pre-checks -netalertx-test-writable | --> data migration.sh -netalertx-test-writable | --> capabilities audit.sh -netalertx-test-writable | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-writable | --> mounts.py netalertx-test-writable | --> first run config.sh netalertx-test-writable | --> first run db.sh netalertx-test-writable | --> mandatory folders.sh @@ -891,41 +576,7 @@ netalertx-test-writable | --> host mode network.sh netalertx-test-writable | --> excessive capabilities.sh netalertx-test-writable | --> appliance integrity.sh netalertx-test-writable | --> ports available.sh -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-writable | -netalertx-test-writable | The main application (defined by $PORT) may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-writable | -netalertx-test-writable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-writable | may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-writable exited with code 0 -netalertx-test-writable | Permissions prepared for PUID=20211. -netalertx-test-writable | su-exec: setgroups(20211): Operation not permitted -netalertx-test-writable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-writable |  -netalertx-test-writable | _ _ _ ___ _ _ __ __ -netalertx-test-writable | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-writable | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-writable | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-writable | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-writable | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-writable |  Network intruder and presence detector. -netalertx-test-writable | https://netalertx.com -netalertx-test-writable | -netalertx-test-writable | -netalertx-test-writable | Startup pre-checks -netalertx-test-writable | --> data migration.sh -netalertx-test-writable | --> capabilities audit.sh -netalertx-test-writable | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-writable | --> mounts.py netalertx-test-writable | --> first run config.sh netalertx-test-writable | --> first run db.sh netalertx-test-writable | --> mandatory folders.sh @@ -954,25 +605,7 @@ netalertx-test-writable | --> host mode network.sh netalertx-test-writable | --> excessive capabilities.sh netalertx-test-writable | --> appliance integrity.sh netalertx-test-writable | --> ports available.sh -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-writable | -netalertx-test-writable | The main application (defined by $PORT) may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-writable | -netalertx-test-writable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-writable | may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-writable exited with code 0 -netalertx-test-writable | --> capabilities audit.sh -netalertx-test-writable | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-writable | --> mounts.py netalertx-test-writable | --> first run config.sh netalertx-test-writable | --> first run db.sh netalertx-test-writable | --> mandatory folders.sh @@ -1001,41 +634,7 @@ netalertx-test-writable | --> host mode network.sh netalertx-test-writable | --> excessive capabilities.sh netalertx-test-writable | --> appliance integrity.sh netalertx-test-writable | --> ports available.sh -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-writable | -netalertx-test-writable | The main application (defined by $PORT) may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-writable | -netalertx-test-writable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-writable | may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-writable exited with code 0 -netalertx-test-writable | Permissions prepared for PUID=20211. -netalertx-test-writable | su-exec: setgroups(20211): Operation not permitted -netalertx-test-writable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-writable |  -netalertx-test-writable | _ _ _ ___ _ _ __ __ -netalertx-test-writable | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-writable | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-writable | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-writable | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-writable | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-writable |  Network intruder and presence detector. -netalertx-test-writable | https://netalertx.com -netalertx-test-writable | -netalertx-test-writable | -netalertx-test-writable | Startup pre-checks -netalertx-test-writable | --> data migration.sh -netalertx-test-writable | --> capabilities audit.sh -netalertx-test-writable | Security context: Operational capabilities (SETGID SETUID) not granted. -netalertx-test-writable | --> mounts.py netalertx-test-writable | --> first run config.sh netalertx-test-writable | --> first run db.sh netalertx-test-writable | --> mandatory folders.sh @@ -1064,21 +663,6 @@ netalertx-test-writable | --> host mode network.sh netalertx-test-writable | --> excessive capabilities.sh netalertx-test-writable | --> appliance integrity.sh netalertx-test-writable | --> ports available.sh -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-writable | -netalertx-test-writable | The main application (defined by $PORT) may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-writable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-writable | -netalertx-test-writable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-writable | may fail to start. -netalertx-test-writable | -netalertx-test-writable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-writable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-writable exited with code 0 Gracefully stopping... (press Ctrl+C again to force) Container netalertx-test-writable Stopping @@ -1103,12 +687,12 @@ Running docker compose up... Container netalertx-test-mount-active_config_mounted Created Attaching to netalertx-test-mount-active_config_mounted netalertx-test-mount-active_config_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_mounted | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-active_config_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_mounted |  @@ -1194,14 +778,6 @@ netalertx-test-mount-active_config_mounted |  netalertx-test-mount-active_config_mounted | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-active_config_mounted | --> host mode network.sh netalertx-test-mount-active_config_mounted | --> excessive capabilities.sh -netalertx-test-mount-active_config_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_mounted | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-active_config_mounted | -netalertx-test-mount-active_config_mounted | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-active_config_mounted | Please remove unnecessary capabilities. -netalertx-test-mount-active_config_mounted | -netalertx-test-mount-active_config_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-active_config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_mounted | --> appliance integrity.sh netalertx-test-mount-active_config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_mounted | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -1210,14 +786,6 @@ netalertx-test-mount-active_config_mounted | Please mount the root filesyst netalertx-test-mount-active_config_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-active_config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_mounted | --> ports available.sh -netalertx-test-mount-active_config_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_mounted | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-active_config_mounted | -netalertx-test-mount-active_config_mounted | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-active_config_mounted | may fail to start. -netalertx-test-mount-active_config_mounted | -netalertx-test-mount-active_config_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-active_config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_mounted exited with code 0 File: docker-compose.mount-test.active_config_no-mount.yml ---------------------------------------- @@ -1236,12 +804,12 @@ Running docker compose up... Container netalertx-test-mount-active_config_no-mount Created Attaching to netalertx-test-mount-active_config_no-mount netalertx-test-mount-active_config_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_no-mount | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-active_config_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_no-mount |  @@ -1338,14 +906,6 @@ netalertx-test-mount-active_config_no-mount |  netalertx-test-mount-active_config_no-mount | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-active_config_no-mount | --> host mode network.sh netalertx-test-mount-active_config_no-mount | --> excessive capabilities.sh -netalertx-test-mount-active_config_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_no-mount | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-active_config_no-mount | -netalertx-test-mount-active_config_no-mount | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-active_config_no-mount | Please remove unnecessary capabilities. -netalertx-test-mount-active_config_no-mount | -netalertx-test-mount-active_config_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-active_config_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_no-mount | --> appliance integrity.sh netalertx-test-mount-active_config_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_no-mount | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -1380,12 +940,12 @@ Running docker compose up... Container netalertx-test-mount-active_config_ramdisk Created Attaching to netalertx-test-mount-active_config_ramdisk netalertx-test-mount-active_config_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_ramdisk | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-active_config_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_ramdisk |  @@ -1482,14 +1042,6 @@ netalertx-test-mount-active_config_ramdisk |  netalertx-test-mount-active_config_ramdisk | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-active_config_ramdisk | --> host mode network.sh netalertx-test-mount-active_config_ramdisk | --> excessive capabilities.sh -netalertx-test-mount-active_config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_ramdisk | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-active_config_ramdisk | -netalertx-test-mount-active_config_ramdisk | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-active_config_ramdisk | Please remove unnecessary capabilities. -netalertx-test-mount-active_config_ramdisk | -netalertx-test-mount-active_config_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-active_config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_ramdisk | --> appliance integrity.sh netalertx-test-mount-active_config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_ramdisk | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -1518,20 +1070,20 @@ Testing: docker-compose.mount-test.active_config_unwritable.yml Directory: /workspaces/NetAlertX/test/docker_tests/configurations/mount-tests Running docker compose up... - Volume "mount-tests_test_netalertx_data" Creating - Volume "mount-tests_test_netalertx_data" Created Volume "mount-tests_test_system_services_active_config" Creating Volume "mount-tests_test_system_services_active_config" Created + Volume "mount-tests_test_netalertx_data" Creating + Volume "mount-tests_test_netalertx_data" Created Container netalertx-test-mount-active_config_unwritable Creating Container netalertx-test-mount-active_config_unwritable Created Attaching to netalertx-test-mount-active_config_unwritable netalertx-test-mount-active_config_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_unwritable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-active_config_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-active_config_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-active_config_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-active_config_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-active_config_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-active_config_unwritable |  @@ -1617,14 +1169,6 @@ netalertx-test-mount-active_config_unwritable |  netalertx-test-mount-active_config_unwritable | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-active_config_unwritable | --> host mode network.sh netalertx-test-mount-active_config_unwritable | --> excessive capabilities.sh -netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_unwritable | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-active_config_unwritable | -netalertx-test-mount-active_config_unwritable | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-active_config_unwritable | Please remove unnecessary capabilities. -netalertx-test-mount-active_config_unwritable | -netalertx-test-mount-active_config_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_unwritable | --> appliance integrity.sh netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_unwritable | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -1634,13 +1178,6 @@ netalertx-test-mount-active_config_unwritable | https://github.com/jokob-sk netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_unwritable | --> ports available.sh netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_unwritable | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-mount-active_config_unwritable | -netalertx-test-mount-active_config_unwritable | The main application (defined by $PORT) may fail to start. -netalertx-test-mount-active_config_unwritable | -netalertx-test-mount-active_config_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-active_config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-active_config_unwritable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. netalertx-test-mount-active_config_unwritable | netalertx-test-mount-active_config_unwritable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) @@ -1660,22 +1197,22 @@ Testing: docker-compose.mount-test.api_mounted.yml Directory: /workspaces/NetAlertX/test/docker_tests/configurations/mount-tests Running docker compose up... - Volume "mount-tests_netalertx_config" Creating - Volume "mount-tests_netalertx_config" Created Volume "mount-tests_test_netalertx_api" Creating Volume "mount-tests_test_netalertx_api" Created Volume "mount-tests_netalertx_db" Creating Volume "mount-tests_netalertx_db" Created + Volume "mount-tests_netalertx_config" Creating + Volume "mount-tests_netalertx_config" Created Container netalertx-test-mount-api_mounted Creating Container netalertx-test-mount-api_mounted Created Attaching to netalertx-test-mount-api_mounted netalertx-test-mount-api_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-api_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-api_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_mounted | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-api_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-api_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-api_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_mounted |  @@ -1771,14 +1308,6 @@ netalertx-test-mount-api_mounted |  netalertx-test-mount-api_mounted | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-api_mounted | --> host mode network.sh netalertx-test-mount-api_mounted | --> excessive capabilities.sh -netalertx-test-mount-api_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_mounted | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-api_mounted | -netalertx-test-mount-api_mounted | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-api_mounted | Please remove unnecessary capabilities. -netalertx-test-mount-api_mounted | -netalertx-test-mount-api_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-api_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_mounted | --> appliance integrity.sh netalertx-test-mount-api_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_mounted | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -1787,14 +1316,6 @@ netalertx-test-mount-api_mounted | Please mount the root filesystem as --re netalertx-test-mount-api_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-api_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_mounted | --> ports available.sh -netalertx-test-mount-api_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_mounted | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-api_mounted | -netalertx-test-mount-api_mounted | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-api_mounted | may fail to start. -netalertx-test-mount-api_mounted | -netalertx-test-mount-api_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-api_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_mounted exited with code 0 File: docker-compose.mount-test.api_no-mount.yml ---------------------------------------- @@ -1815,12 +1336,12 @@ Running docker compose up... Container netalertx-test-mount-api_no-mount Created Attaching to netalertx-test-mount-api_no-mount netalertx-test-mount-api_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-api_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-api_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_no-mount | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-api_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-api_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-api_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_no-mount |  @@ -1916,14 +1437,6 @@ netalertx-test-mount-api_no-mount |  netalertx-test-mount-api_no-mount | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-api_no-mount | --> host mode network.sh netalertx-test-mount-api_no-mount | --> excessive capabilities.sh -netalertx-test-mount-api_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_no-mount | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-api_no-mount | -netalertx-test-mount-api_no-mount | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-api_no-mount | Please remove unnecessary capabilities. -netalertx-test-mount-api_no-mount | -netalertx-test-mount-api_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-api_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_no-mount | --> appliance integrity.sh netalertx-test-mount-api_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_no-mount | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -1932,14 +1445,6 @@ netalertx-test-mount-api_no-mount | Please mount the root filesystem as --r netalertx-test-mount-api_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-api_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_no-mount | --> ports available.sh -netalertx-test-mount-api_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_no-mount | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-api_no-mount | -netalertx-test-mount-api_no-mount | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-api_no-mount | may fail to start. -netalertx-test-mount-api_no-mount | -netalertx-test-mount-api_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-api_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_no-mount exited with code 0 File: docker-compose.mount-test.api_noread.yml ---------------------------------------- @@ -2018,25 +1523,11 @@ netalertx-test-mount-api_noread | * Creating System services run log. netalertx-test-mount-api_noread | * Creating DB locked log. netalertx-test-mount-api_noread | * Creating Execution queue log. netalertx-test-mount-api_noread | --> apply conf override.sh -netalertx-test-mount-api_noread | mkdir: can't create directory '71NETALERTX_CONFIG': Permission denied -netalertx-test-mount-api_noread | ERROR: Failed to create config directory 71NETALERTX_CONFIG -netalertx-test-mount-api_noread | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_noread | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-mount-api_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_noread | --> writable config.sh netalertx-test-mount-api_noread | --> nginx config.sh netalertx-test-mount-api_noread | --> expected user id match.sh netalertx-test-mount-api_noread | --> host mode network.sh netalertx-test-mount-api_noread | --> excessive capabilities.sh -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_noread | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000000034c1). -netalertx-test-mount-api_noread | -netalertx-test-mount-api_noread | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-api_noread | Please remove unnecessary capabilities. -netalertx-test-mount-api_noread | -netalertx-test-mount-api_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_noread | --> appliance integrity.sh netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_noread | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -2045,24 +1536,16 @@ netalertx-test-mount-api_noread | Please mount the root filesystem as --rea netalertx-test-mount-api_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_noread | --> ports available.sh -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_noread | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-mount-api_noread | -netalertx-test-mount-api_noread | The main application (defined by $PORT) may fail to start. -netalertx-test-mount-api_noread | -netalertx-test-mount-api_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_noread | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-api_noread | -netalertx-test-mount-api_noread | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-api_noread | may fail to start. -netalertx-test-mount-api_noread | -netalertx-test-mount-api_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-api_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_noread | Container startup checks failed with exit code 1. -netalertx-test-mount-api_noread | \033[0m - netalertx-test-mount-api_noread exited with code 1 +netalertx-test-mount-api_noread | Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & +netalertx-test-mount-api_noread | Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log) +netalertx-test-mount-api_noread | Starting python3 -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2) +netalertx-test-mount-api_noread | Starting /usr/sbin/nginx -p "/tmp/run/" -c "/tmp/nginx/active-config/nginx.conf" -g "error_log stderr; error_log /tmp/log/nginx-error.log; daemon off;" & +netalertx-test-mount-api_noread | 2026/01/05 02:21:45 [error] 180#180: *1 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/tmp/run/tmp/sess_udr0olecett7cp59ckgddqsndb, O_RDWR) failed: No such file or directory (2) in /app/front/php/templates/security.php on line 50; PHP message: PHP Warning: session_start(): Failed to read session data: files (path: /tmp/run/tmp) in /app/front/php/templates/security.php on line 50" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/run/php.sock:", host: "localhost:20211" +netalertx-test-mount-api_noread | Successfully updated IEEE OUI database (112503 entries) +Gracefully stopping... (press Ctrl+C again to force) + Container netalertx-test-mount-api_noread Stopping + Container netalertx-test-mount-api_noread Stopped + File: docker-compose.mount-test.api_ramdisk.yml ---------------------------------------- Expected outcome: Container shows performance warning for API on RAM disk @@ -2080,12 +1563,12 @@ Running docker compose up... Container netalertx-test-mount-api_ramdisk Created Attaching to netalertx-test-mount-api_ramdisk netalertx-test-mount-api_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-api_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-api_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_ramdisk | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-api_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-api_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-api_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_ramdisk |  @@ -2182,14 +1665,6 @@ netalertx-test-mount-api_ramdisk |  netalertx-test-mount-api_ramdisk | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-api_ramdisk | --> host mode network.sh netalertx-test-mount-api_ramdisk | --> excessive capabilities.sh -netalertx-test-mount-api_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_ramdisk | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-api_ramdisk | -netalertx-test-mount-api_ramdisk | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-api_ramdisk | Please remove unnecessary capabilities. -netalertx-test-mount-api_ramdisk | -netalertx-test-mount-api_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-api_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_ramdisk | --> appliance integrity.sh netalertx-test-mount-api_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_ramdisk | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -2198,14 +1673,6 @@ netalertx-test-mount-api_ramdisk | Please mount the root filesystem as --re netalertx-test-mount-api_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-api_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_ramdisk | --> ports available.sh -netalertx-test-mount-api_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_ramdisk | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-api_ramdisk | -netalertx-test-mount-api_ramdisk | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-api_ramdisk | may fail to start. -netalertx-test-mount-api_ramdisk | -netalertx-test-mount-api_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-api_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_ramdisk exited with code 0 File: docker-compose.mount-test.api_unwritable.yml ---------------------------------------- @@ -2218,22 +1685,22 @@ Testing: docker-compose.mount-test.api_unwritable.yml Directory: /workspaces/NetAlertX/test/docker_tests/configurations/mount-tests Running docker compose up... + Volume "mount-tests_test_netalertx_api" Creating + Volume "mount-tests_test_netalertx_api" Created Volume "mount-tests_netalertx_db" Creating Volume "mount-tests_netalertx_db" Created Volume "mount-tests_netalertx_config" Creating Volume "mount-tests_netalertx_config" Created - Volume "mount-tests_test_netalertx_api" Creating - Volume "mount-tests_test_netalertx_api" Created Container netalertx-test-mount-api_unwritable Creating Container netalertx-test-mount-api_unwritable Created Attaching to netalertx-test-mount-api_unwritable netalertx-test-mount-api_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-api_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-api_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_unwritable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-api_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-api_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-api_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-api_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-api_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-api_unwritable |  @@ -2329,14 +1796,6 @@ netalertx-test-mount-api_unwritable |  netalertx-test-mount-api_unwritable | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-api_unwritable | --> host mode network.sh netalertx-test-mount-api_unwritable | --> excessive capabilities.sh -netalertx-test-mount-api_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_unwritable | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-api_unwritable | -netalertx-test-mount-api_unwritable | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-api_unwritable | Please remove unnecessary capabilities. -netalertx-test-mount-api_unwritable | -netalertx-test-mount-api_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-api_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_unwritable | --> appliance integrity.sh netalertx-test-mount-api_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_unwritable | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -2345,14 +1804,6 @@ netalertx-test-mount-api_unwritable | Please mount the root filesystem as - netalertx-test-mount-api_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-api_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_unwritable | --> ports available.sh -netalertx-test-mount-api_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-api_unwritable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-api_unwritable | -netalertx-test-mount-api_unwritable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-api_unwritable | may fail to start. -netalertx-test-mount-api_unwritable | -netalertx-test-mount-api_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-api_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-api_unwritable exited with code 0 File: docker-compose.mount-test.cap_chown_missing.yml ---------------------------------------- @@ -2369,7 +1820,7 @@ Running docker compose up... Container netalertx-test-mount-cap_chown_missing Creating Container netalertx-test-mount-cap_chown_missing Created Attaching to netalertx-test-mount-cap_chown_missing -netalertx-test-mount-cap_chown_missing | Permissions prepared for PUID=20211. +netalertx-test-mount-cap_chown_missing | Ownership prepared for PUID=20211. netalertx-test-mount-cap_chown_missing |  netalertx-test-mount-cap_chown_missing | _ _ _ ___ _ _ __ __ netalertx-test-mount-cap_chown_missing | | \ | | | | / _ \| | | | \ \ / / @@ -2404,9 +1855,35 @@ netalertx-test-mount-cap_chown_missing | ════════════ netalertx-test-mount-cap_chown_missing | Security context: Operational capabilities (CHOWN SETGID SETUID) not granted. netalertx-test-mount-cap_chown_missing | See https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/missing-capabilities.md netalertx-test-mount-cap_chown_missing | --> mounts.py -netalertx-test-mount-cap_chown_missing | env: can't execute 'python3': Operation not permitted -netalertx-test-mount-cap_chown_missing | mounts.py: FAILED with 126 -netalertx-test-mount-cap_chown_missing | Failure detected in: /entrypoint.d/15-mounts.py +netalertx-test-mount-cap_chown_missing | Path | R | W | Mount | RAMDisk | Performance | DataLoss +netalertx-test-mount-cap_chown_missing | --------------------------+---+---+-------+---------+-------------+---------- +netalertx-test-mount-cap_chown_missing | /data | ✅| ✅| ✅ | ➖ | ➖ | ✅ +netalertx-test-mount-cap_chown_missing | /data/db | ✅| ✅| ✅ | ➖ | ➖ | ✅ +netalertx-test-mount-cap_chown_missing | /data/config | ✅| ✅| ✅ | ➖ | ➖ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/run/tmp | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/api | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/log | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/run | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/nginx/active-config | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ ATTENTION: Configuration issues detected (marked with ❌). +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | * /tmp/run/tmp error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/api error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/log error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/run error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/nginx/active-config error writing, error reading +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | We recommend starting with the default docker-compose.yml as the +netalertx-test-mount-cap_chown_missing | configuration can be quite complex. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Review the documentation for a correct setup: +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/mount-configuration-issues.md +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing |  netalertx-test-mount-cap_chown_missing | --> first run config.sh netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-cap_chown_missing | 🆕 First run detected. Default configuration written to /data/config/app.conf. @@ -2422,6 +1899,12 @@ netalertx-test-mount-cap_chown_missing | Do not interrupt this step. When c netalertx-test-mount-cap_chown_missing | DB before onboarding sensitive or critical networks. netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-cap_chown_missing | --> mandatory folders.sh +netalertx-test-mount-cap_chown_missing | * Creating NetAlertX log directory. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create log directory at /tmp/log (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating NetAlertX API cache. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create API cache directory at /tmp/api (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating System services runtime directory. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create System services runtime directory at /tmp/run (tmpfs not writable with current capabilities). netalertx-test-mount-cap_chown_missing | * Creating nginx active configuration directory. netalertx-test-mount-cap_chown_missing | Warning: Unable to create nginx active configuration directory at /tmp/nginx/active-config (tmpfs not writable with current capabilities). netalertx-test-mount-cap_chown_missing | * Creating Plugins log. @@ -2435,218 +1918,6 @@ netalertx-test-mount-cap_chown_missing | Warning: Unable to create DB locked lo netalertx-test-mount-cap_chown_missing | * Creating Execution queue log. netalertx-test-mount-cap_chown_missing | Warning: Unable to create execution queue log file at /tmp/log/execution_queue.log (tmpfs not writable with current capabilities). netalertx-test-mount-cap_chown_missing | --> apply conf override.sh -netalertx-test-mount-cap_chown_missing | mkdir: can't create directory '112NETALERTX_CONFIG': Permission denied -netalertx-test-mount-cap_chown_missing | ERROR: Failed to create config directory 112NETALERTX_CONFIG -netalertx-test-mount-cap_chown_missing | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> writable config.sh -netalertx-test-mount-cap_chown_missing | --> nginx config.sh -netalertx-test-mount-cap_chown_missing | \033[0m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ ATTENTION: Nginx configuration mount /tmp/nginx/active-config is missing. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Custom listen address or port changes require a writable nginx conf.active -netalertx-test-mount-cap_chown_missing | directory. Without it, the container falls back to defaults and ignores -netalertx-test-mount-cap_chown_missing | your overrides. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Create a bind mount: -netalertx-test-mount-cap_chown_missing | --mount type=bind,src=/path/on/host,dst=/tmp/nginx/active-config -netalertx-test-mount-cap_chown_missing | and ensure it is owned by the netalertx user (20211:20211) with 700 perms. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/nginx-configuration-mount.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> expected user id match.sh -netalertx-test-mount-cap_chown_missing | --> host mode network.sh -netalertx-test-mount-cap_chown_missing | --> excessive capabilities.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000a80425fa). -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-cap_chown_missing | Please remove unnecessary capabilities. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> appliance integrity.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Container is running as read-write, not in read-only mode. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Please mount the root filesystem as --read-only or use read_only: true -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> ports available.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-cap_chown_missing | may fail to start. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | Container startup checks failed with exit code 1. -netalertx-test-mount-cap_chown_missing | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-mount-cap_chown_missing | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. -netalertx-test-mount-cap_chown_missing | Permissions prepared for PUID=20211. -netalertx-test-mount-cap_chown_missing |  -netalertx-test-mount-cap_chown_missing | _ _ _ ___ _ _ __ __ -netalertx-test-mount-cap_chown_missing | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-mount-cap_chown_missing | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-mount-cap_chown_missing | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-mount-cap_chown_missing | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-mount-cap_chown_missing | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-mount-cap_chown_missing |  Network intruder and presence detector. -netalertx-test-mount-cap_chown_missing | https://netalertx.com -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Startup pre-checks -netalertx-test-mount-cap_chown_missing | --> data migration.sh -netalertx-test-mount-cap_chown_missing | --> capabilities audit.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | 🚨 ALERT: Python execution capabilities (NET_RAW/NET_ADMIN) are missing. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | The Python binary in this image has file capabilities (+eip) that -netalertx-test-mount-cap_chown_missing | require these bits in the container's bounding set. Without them, -netalertx-test-mount-cap_chown_missing | the binary will fail to execute (Operation not permitted). -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Restart with: --cap-add=NET_RAW --cap-add=NET_ADMIN -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ WARNING: Reduced functionality (NET_BIND_SERVICE missing). -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Tools like nbtscan cannot bind to privileged ports (UDP 137). -netalertx-test-mount-cap_chown_missing | This will reduce discovery accuracy for legacy devices. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Consider adding: --cap-add=NET_BIND_SERVICE -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | Security context: Operational capabilities (CHOWN SETGID SETUID) not granted. -netalertx-test-mount-cap_chown_missing | See https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/missing-capabilities.md -netalertx-test-mount-cap_chown_missing | --> mounts.py -netalertx-test-mount-cap_chown_missing | env: can't execute 'python3': Operation not permitted -netalertx-test-mount-cap_chown_missing | mounts.py: FAILED with 126 -netalertx-test-mount-cap_chown_missing | Failure detected in: /entrypoint.d/15-mounts.py -netalertx-test-mount-cap_chown_missing | --> first run config.sh -netalertx-test-mount-cap_chown_missing | --> first run db.sh -netalertx-test-mount-cap_chown_missing | INFO: ALWAYS_FRESH_INSTALL enabled — removing existing database. -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | 🆕 First run detected — building initial database at: /data/db/app.db -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Do not interrupt this step. When complete, consider backing up the fresh -netalertx-test-mount-cap_chown_missing | DB before onboarding sensitive or critical networks. -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> mandatory folders.sh -netalertx-test-mount-cap_chown_missing | * Creating nginx active configuration directory. -netalertx-test-mount-cap_chown_missing | Warning: Unable to create nginx active configuration directory at /tmp/nginx/active-config (tmpfs not writable with current capabilities). -netalertx-test-mount-cap_chown_missing | * Creating Plugins log. -netalertx-test-mount-cap_chown_missing | Warning: Unable to create plugins log directory at /tmp/log/plugins (tmpfs not writable with current capabilities). -netalertx-test-mount-cap_chown_missing | * Creating System services run log. -netalertx-test-mount-cap_chown_missing | Warning: Unable to create system services run log directory at /tmp/run/logs (tmpfs not writable with current capabilities). -netalertx-test-mount-cap_chown_missing | * Creating System services run tmp. -netalertx-test-mount-cap_chown_missing | Warning: Unable to create system services run tmp directory at /tmp/run/tmp (tmpfs not writable with current capabilities). -netalertx-test-mount-cap_chown_missing | * Creating DB locked log. -netalertx-test-mount-cap_chown_missing | Warning: Unable to create DB locked log file at /tmp/log/db_is_locked.log (tmpfs not writable with current capabilities). -netalertx-test-mount-cap_chown_missing | * Creating Execution queue log. -netalertx-test-mount-cap_chown_missing | Warning: Unable to create execution queue log file at /tmp/log/execution_queue.log (tmpfs not writable with current capabilities). -netalertx-test-mount-cap_chown_missing | --> apply conf override.sh -netalertx-test-mount-cap_chown_missing | mkdir: can't create directory '285NETALERTX_CONFIG': Permission denied -netalertx-test-mount-cap_chown_missing | ERROR: Failed to create config directory 285NETALERTX_CONFIG -netalertx-test-mount-cap_chown_missing | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> writable config.sh -netalertx-test-mount-cap_chown_missing | --> nginx config.sh -netalertx-test-mount-cap_chown_missing | \033[0m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ ATTENTION: Nginx configuration mount /tmp/nginx/active-config is missing. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Custom listen address or port changes require a writable nginx conf.active -netalertx-test-mount-cap_chown_missing | directory. Without it, the container falls back to defaults and ignores -netalertx-test-mount-cap_chown_missing | your overrides. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Create a bind mount: -netalertx-test-mount-cap_chown_missing | --mount type=bind,src=/path/on/host,dst=/tmp/nginx/active-config -netalertx-test-mount-cap_chown_missing | and ensure it is owned by the netalertx user (20211:20211) with 700 perms. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/nginx-configuration-mount.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> expected user id match.sh -netalertx-test-mount-cap_chown_missing | --> host mode network.sh -netalertx-test-mount-cap_chown_missing | --> excessive capabilities.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000a80425fa). -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-cap_chown_missing | Please remove unnecessary capabilities. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> appliance integrity.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Container is running as read-write, not in read-only mode. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Please mount the root filesystem as --read-only or use read_only: true -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> ports available.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-cap_chown_missing | may fail to start. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | Container startup checks failed with exit code 1. -netalertx-test-mount-cap_chown_missing | Note: su-exec failed (exit 0); continuing as current user without privilege drop. -netalertx-test-mount-cap_chown_missing |  -netalertx-test-mount-cap_chown_missing | _ _ _ ___ _ _ __ __ -netalertx-test-mount-cap_chown_missing | | \ | | | | / _ \| | | | \ \ / / -netalertx-test-mount-cap_chown_missing | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / -netalertx-test-mount-cap_chown_missing | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ -netalertx-test-mount-cap_chown_missing | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ -netalertx-test-mount-cap_chown_missing | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ -netalertx-test-mount-cap_chown_missing |  Network intruder and presence detector. -netalertx-test-mount-cap_chown_missing | https://netalertx.com -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Startup pre-checks -netalertx-test-mount-cap_chown_missing | --> data migration.sh -netalertx-test-mount-cap_chown_missing | --> capabilities audit.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | 🚨 ALERT: Python execution capabilities (NET_RAW/NET_ADMIN) are missing. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | The Python binary in this image has file capabilities (+eip) that -netalertx-test-mount-cap_chown_missing | require these bits in the container's bounding set. Without them, -netalertx-test-mount-cap_chown_missing | the binary will fail to execute (Operation not permitted). -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Restart with: --cap-add=NET_RAW --cap-add=NET_ADMIN -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ WARNING: Reduced functionality (NET_BIND_SERVICE missing). -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Tools like nbtscan cannot bind to privileged ports (UDP 137). -netalertx-test-mount-cap_chown_missing | This will reduce discovery accuracy for legacy devices. -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Consider adding: --cap-add=NET_BIND_SERVICE -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | Security context: Operational capabilities (CHOWN SETGID SETUID) not granted. -netalertx-test-mount-cap_chown_missing | See https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/missing-capabilities.md -netalertx-test-mount-cap_chown_missing | --> mounts.py -netalertx-test-mount-cap_chown_missing | env: can't execute 'python3': Operation not permitted -netalertx-test-mount-cap_chown_missing | mounts.py: FAILED with 126 -netalertx-test-mount-cap_chown_missing | Failure detected in: /entrypoint.d/15-mounts.py -netalertx-test-mount-cap_chown_missing | --> first run config.sh -netalertx-test-mount-cap_chown_missing | --> first run db.sh -netalertx-test-mount-cap_chown_missing | INFO: ALWAYS_FRESH_INSTALL enabled — removing existing database. -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | 🆕 First run detected — building initial database at: /data/db/app.db -netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Do not interrupt this step. When complete, consider backing up the fresh -netalertx-test-mount-cap_chown_missing | DB before onboarding sensitive or critical networks. -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | --> mandatory folders.sh -netalertx-test-mount-cap_chown_missing | * Creating DB locked log. -netalertx-test-mount-cap_chown_missing | * Creating Execution queue log. -netalertx-test-mount-cap_chown_missing | --> apply conf override.sh netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-cap_chown_missing | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. netalertx-test-mount-cap_chown_missing | @@ -2654,15 +1925,27 @@ netalertx-test-mount-cap_chown_missing | Make sure the JSON content is corr netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-cap_chown_missing | --> writable config.sh netalertx-test-mount-cap_chown_missing | --> nginx config.sh +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ ATTENTION: Nginx configuration mount /tmp/nginx/active-config is missing. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Custom listen address or port changes require a writable nginx conf.active +netalertx-test-mount-cap_chown_missing | directory. Without it, the container falls back to defaults and ignores +netalertx-test-mount-cap_chown_missing | your overrides. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Create a bind mount: +netalertx-test-mount-cap_chown_missing | --mount type=bind,src=/path/on/host,dst=/tmp/nginx/active-config +netalertx-test-mount-cap_chown_missing | and ensure it is owned by the netalertx user (20211:20211) with 700 perms. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/nginx-configuration-mount.md +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-cap_chown_missing | --> expected user id match.sh -netalertx-test-mount-cap_chown_missing | Note: PUID/PGID=20211:20211 requested but privilege drop failed; continuing as UID 0 GID 0. See docs/docker-troubleshooting/missing-capabilities.md netalertx-test-mount-cap_chown_missing | --> host mode network.sh netalertx-test-mount-cap_chown_missing | --> excessive capabilities.sh netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000a80425fa). +netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000a80435fa). netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-cap_chown_missing | Please remove unnecessary capabilities. +netalertx-test-mount-cap_chown_missing | Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are +netalertx-test-mount-cap_chown_missing | required in this container. Please remove unnecessary capabilities. netalertx-test-mount-cap_chown_missing | netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ @@ -2674,16 +1957,156 @@ netalertx-test-mount-cap_chown_missing | Please mount the root filesystem a netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-cap_chown_missing | --> ports available.sh -netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | ⚠️ Port Warning: GraphQL API port 20212 is already in use. +netalertx-test-mount-cap_chown_missing | /services/scripts/update_vendors.sh: line 28: /tmp/run/tmp/ieee-oui.txt.tmp: Permission denied +netalertx-test-mount-cap_chown_missing | mkdir: can't create directory '/tmp/log': Permission denied +netalertx-test-mount-cap_chown_missing | mkdir: can't create directory '/tmp/run': Permission denied +netalertx-test-mount-cap_chown_missing | mkdir: can't create directory '/tmp/nginx': Permission denied +netalertx-test-mount-cap_chown_missing | Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & +netalertx-test-mount-cap_chown_missing | Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log) +netalertx-test-mount-cap_chown_missing | /services/start-cron.sh: line 37: /tmp/log/cron.log: Permission denied +netalertx-test-mount-cap_chown_missing | Supercronic stopped! (exit 1) +netalertx-test-mount-cap_chown_missing | tee: /tmp/log/app.php_errors.log: Permission denied +netalertx-test-mount-cap_chown_missing | Service nginx exited with status 1. +netalertx-test-mount-cap_chown_missing | Starting python3 -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2) +netalertx-test-mount-cap_chown_missing | /services/start-backend.sh: line 16: /tmp/log/stdout.log: Permission denied +netalertx-test-mount-cap_chown_missing | php-fpm stopped! (exit 143) +netalertx-test-mount-cap_chown_missing | All services stopped. +netalertx-test-mount-cap_chown_missing | Note: su-exec failed (exit 0); continuing as current user without privilege drop. +netalertx-test-mount-cap_chown_missing | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. +netalertx-test-mount-cap_chown_missing | Ownership prepared for PUID=20211. +netalertx-test-mount-cap_chown_missing |  +netalertx-test-mount-cap_chown_missing | _ _ _ ___ _ _ __ __ +netalertx-test-mount-cap_chown_missing | | \ | | | | / _ \| | | | \ \ / / +netalertx-test-mount-cap_chown_missing | | \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V / +netalertx-test-mount-cap_chown_missing | | . |/ _ \ __| _ | |/ _ \ __| __|/ \ +netalertx-test-mount-cap_chown_missing | | |\ | __/ |_| | | | | __/ | | |_/ /^\ \ +netalertx-test-mount-cap_chown_missing | \_| \_/\___|\__\_| |_/_|\___|_| \__\/ \/ +netalertx-test-mount-cap_chown_missing |  Network intruder and presence detector. +netalertx-test-mount-cap_chown_missing | https://netalertx.com netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-cap_chown_missing | may fail to start. netalertx-test-mount-cap_chown_missing | -netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md +netalertx-test-mount-cap_chown_missing | Startup pre-checks +netalertx-test-mount-cap_chown_missing | --> data migration.sh +netalertx-test-mount-cap_chown_missing | --> capabilities audit.sh +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | 🚨 ALERT: Python execution capabilities (NET_RAW/NET_ADMIN) are missing. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | The Python binary in this image has file capabilities (+eip) that +netalertx-test-mount-cap_chown_missing | require these bits in the container's bounding set. Without them, +netalertx-test-mount-cap_chown_missing | the binary will fail to execute (Operation not permitted). +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Restart with: --cap-add=NET_RAW --cap-add=NET_ADMIN netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-cap_chown_missing | Container startup checks failed with exit code 126. - netalertx-test-mount-cap_chown_missing exited with code 126 +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ WARNING: Reduced functionality (NET_BIND_SERVICE missing). +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Tools like nbtscan cannot bind to privileged ports (UDP 137). +netalertx-test-mount-cap_chown_missing | This will reduce discovery accuracy for legacy devices. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Consider adding: --cap-add=NET_BIND_SERVICE +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | Security context: Operational capabilities (CHOWN SETGID SETUID) not granted. +netalertx-test-mount-cap_chown_missing | See https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/missing-capabilities.md +netalertx-test-mount-cap_chown_missing | --> mounts.py +netalertx-test-mount-cap_chown_missing | Path | R | W | Mount | RAMDisk | Performance | DataLoss +netalertx-test-mount-cap_chown_missing | --------------------------+---+---+-------+---------+-------------+---------- +netalertx-test-mount-cap_chown_missing | /data | ✅| ✅| ✅ | ➖ | ➖ | ✅ +netalertx-test-mount-cap_chown_missing | /data/db | ✅| ✅| ✅ | ➖ | ➖ | ✅ +netalertx-test-mount-cap_chown_missing | /data/config | ✅| ✅| ✅ | ➖ | ➖ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/run/tmp | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/api | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/log | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/run | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | /tmp/nginx/active-config | ❌| ❌| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ ATTENTION: Configuration issues detected (marked with ❌). +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | * /tmp/run/tmp error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/api error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/log error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/run error writing, error reading +netalertx-test-mount-cap_chown_missing | * /tmp/nginx/active-config error writing, error reading +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | We recommend starting with the default docker-compose.yml as the +netalertx-test-mount-cap_chown_missing | configuration can be quite complex. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Review the documentation for a correct setup: +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/mount-configuration-issues.md +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing |  +netalertx-test-mount-cap_chown_missing | --> first run config.sh +netalertx-test-mount-cap_chown_missing | --> first run db.sh +netalertx-test-mount-cap_chown_missing | INFO: ALWAYS_FRESH_INSTALL enabled — removing existing database. +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | 🆕 First run detected — building initial database at: /data/db/app.db +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Do not interrupt this step. When complete, consider backing up the fresh +netalertx-test-mount-cap_chown_missing | DB before onboarding sensitive or critical networks. +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | --> mandatory folders.sh +netalertx-test-mount-cap_chown_missing | * Creating NetAlertX log directory. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create log directory at /tmp/log (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating NetAlertX API cache. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create API cache directory at /tmp/api (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating System services runtime directory. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create System services runtime directory at /tmp/run (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating nginx active configuration directory. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create nginx active configuration directory at /tmp/nginx/active-config (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating Plugins log. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create plugins log directory at /tmp/log/plugins (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating System services run log. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create system services run log directory at /tmp/run/logs (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating System services run tmp. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create system services run tmp directory at /tmp/run/tmp (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating DB locked log. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create DB locked log file at /tmp/log/db_is_locked.log (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | * Creating Execution queue log. +netalertx-test-mount-cap_chown_missing | Warning: Unable to create execution queue log file at /tmp/log/execution_queue.log (tmpfs not writable with current capabilities). +netalertx-test-mount-cap_chown_missing | --> apply conf override.sh +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | 📝 APP_CONF_OVERRIDE detected. Configuration written to /data/config/app_conf_override.json. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Make sure the JSON content is correct before starting the application. +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | --> writable config.sh +netalertx-test-mount-cap_chown_missing | --> nginx config.sh +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ ATTENTION: Nginx configuration mount /tmp/nginx/active-config is missing. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Custom listen address or port changes require a writable nginx conf.active +netalertx-test-mount-cap_chown_missing | directory. Without it, the container falls back to defaults and ignores +netalertx-test-mount-cap_chown_missing | your overrides. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Create a bind mount: +netalertx-test-mount-cap_chown_missing | --mount type=bind,src=/path/on/host,dst=/tmp/nginx/active-config +netalertx-test-mount-cap_chown_missing | and ensure it is owned by the netalertx user (20211:20211) with 700 perms. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/nginx-configuration-mount.md +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | --> expected user id match.sh +netalertx-test-mount-cap_chown_missing | --> host mode network.sh +netalertx-test-mount-cap_chown_missing | --> excessive capabilities.sh +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000a80435fa). +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are +netalertx-test-mount-cap_chown_missing | required in this container. Please remove unnecessary capabilities. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | --> appliance integrity.sh +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | ⚠️ Warning: Container is running as read-write, not in read-only mode. +netalertx-test-mount-cap_chown_missing | +netalertx-test-mount-cap_chown_missing | Please mount the root filesystem as --read-only or use read_only: true +netalertx-test-mount-cap_chown_missing | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md +netalertx-test-mount-cap_chown_missing | ══════════════════════════════════════════════════════════════════════════════ +netalertx-test-mount-cap_chown_missing | --> ports available.sh +netalertx-test-mount-cap_chown_missing |  + netalertx-test-mount-cap_chown_missing exited with code 0 File: docker-compose.mount-test.config_mounted.yml ---------------------------------------- Expected outcome: Container starts successfully with proper config mount @@ -2701,12 +2124,12 @@ Running docker compose up... Container netalertx-test-mount-config_mounted Created Attaching to netalertx-test-mount-config_mounted netalertx-test-mount-config_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-config_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-config_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_mounted | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-config_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-config_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-config_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_mounted |  @@ -2813,14 +2236,6 @@ netalertx-test-mount-config_mounted |  netalertx-test-mount-config_mounted | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-config_mounted | --> host mode network.sh netalertx-test-mount-config_mounted | --> excessive capabilities.sh -netalertx-test-mount-config_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_mounted | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-config_mounted | -netalertx-test-mount-config_mounted | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-config_mounted | Please remove unnecessary capabilities. -netalertx-test-mount-config_mounted | -netalertx-test-mount-config_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_mounted | --> appliance integrity.sh netalertx-test-mount-config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_mounted | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -2829,14 +2244,6 @@ netalertx-test-mount-config_mounted | Please mount the root filesystem as - netalertx-test-mount-config_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_mounted | --> ports available.sh -netalertx-test-mount-config_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_mounted | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-config_mounted | -netalertx-test-mount-config_mounted | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-config_mounted | may fail to start. -netalertx-test-mount-config_mounted | -netalertx-test-mount-config_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-config_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_mounted exited with code 0 File: docker-compose.mount-test.config_no-mount.yml ---------------------------------------- @@ -2855,12 +2262,12 @@ Running docker compose up... Container netalertx-test-mount-config_no-mount Created Attaching to netalertx-test-mount-config_no-mount netalertx-test-mount-config_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-config_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-config_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_no-mount | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-config_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-config_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-config_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_no-mount |  @@ -2959,14 +2366,6 @@ netalertx-test-mount-config_no-mount |  netalertx-test-mount-config_no-mount | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-config_no-mount | --> host mode network.sh netalertx-test-mount-config_no-mount | --> excessive capabilities.sh -netalertx-test-mount-config_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_no-mount | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-config_no-mount | -netalertx-test-mount-config_no-mount | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-config_no-mount | Please remove unnecessary capabilities. -netalertx-test-mount-config_no-mount | -netalertx-test-mount-config_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-config_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_no-mount | --> appliance integrity.sh netalertx-test-mount-config_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_no-mount | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -2975,14 +2374,6 @@ netalertx-test-mount-config_no-mount | Please mount the root filesystem as netalertx-test-mount-config_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-config_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_no-mount | --> ports available.sh -netalertx-test-mount-config_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_no-mount | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-config_no-mount | -netalertx-test-mount-config_no-mount | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-config_no-mount | may fail to start. -netalertx-test-mount-config_no-mount | -netalertx-test-mount-config_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-config_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_no-mount exited with code 0 File: docker-compose.mount-test.config_ramdisk.yml ---------------------------------------- @@ -3001,12 +2392,12 @@ Running docker compose up... Container netalertx-test-mount-config_ramdisk Created Attaching to netalertx-test-mount-config_ramdisk netalertx-test-mount-config_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-config_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-config_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_ramdisk | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-config_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-config_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-config_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_ramdisk |  @@ -3119,14 +2510,6 @@ netalertx-test-mount-config_ramdisk |  netalertx-test-mount-config_ramdisk | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-config_ramdisk | --> host mode network.sh netalertx-test-mount-config_ramdisk | --> excessive capabilities.sh -netalertx-test-mount-config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_ramdisk | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-config_ramdisk | -netalertx-test-mount-config_ramdisk | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-config_ramdisk | Please remove unnecessary capabilities. -netalertx-test-mount-config_ramdisk | -netalertx-test-mount-config_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_ramdisk | --> appliance integrity.sh netalertx-test-mount-config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_ramdisk | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -3135,14 +2518,6 @@ netalertx-test-mount-config_ramdisk | Please mount the root filesystem as - netalertx-test-mount-config_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_ramdisk | --> ports available.sh -netalertx-test-mount-config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_ramdisk | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-config_ramdisk | -netalertx-test-mount-config_ramdisk | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-config_ramdisk | may fail to start. -netalertx-test-mount-config_ramdisk | -netalertx-test-mount-config_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-config_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_ramdisk | Container startup checks failed with exit code 1. netalertx-test-mount-config_ramdisk exited with code 1 File: docker-compose.mount-test.config_unwritable.yml @@ -3164,12 +2539,12 @@ Running docker compose up... Container netalertx-test-mount-config_unwritable Created Attaching to netalertx-test-mount-config_unwritable netalertx-test-mount-config_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-config_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-config_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_unwritable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-config_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-config_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-config_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-config_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-config_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-config_unwritable |  @@ -3281,14 +2656,6 @@ netalertx-test-mount-config_unwritable |  netalertx-test-mount-config_unwritable | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-config_unwritable | --> host mode network.sh netalertx-test-mount-config_unwritable | --> excessive capabilities.sh -netalertx-test-mount-config_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_unwritable | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-config_unwritable | -netalertx-test-mount-config_unwritable | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-config_unwritable | Please remove unnecessary capabilities. -netalertx-test-mount-config_unwritable | -netalertx-test-mount-config_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_unwritable | --> appliance integrity.sh netalertx-test-mount-config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_unwritable | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -3297,14 +2664,6 @@ netalertx-test-mount-config_unwritable | Please mount the root filesystem a netalertx-test-mount-config_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_unwritable | --> ports available.sh -netalertx-test-mount-config_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-config_unwritable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-config_unwritable | -netalertx-test-mount-config_unwritable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-config_unwritable | may fail to start. -netalertx-test-mount-config_unwritable | -netalertx-test-mount-config_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-config_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-config_unwritable | Container startup checks failed with exit code 1. netalertx-test-mount-config_unwritable exited with code 1 File: docker-compose.mount-test.data_noread.yml @@ -3321,7 +2680,6 @@ Running docker compose up... Container netalertx-test-mount-data_noread Creating Container netalertx-test-mount-data_noread Created Attaching to netalertx-test-mount-data_noread -netalertx-test-mount-data_noread | Note: container running as UID 20211 GID 20211; requested PUID/PGID=20211:20211 will not be applied. netalertx-test-mount-data_noread |  netalertx-test-mount-data_noread | _ _ _ ___ _ _ __ __ netalertx-test-mount-data_noread | | \ | | | | / _ \| | | | \ \ / / @@ -3342,30 +2700,11 @@ netalertx-test-mount-data_noread | --------------------------+---+---+-------+- netalertx-test-mount-data_noread | /data | ✅| ✅| ✅ | ➖ | ➖ | ✅ netalertx-test-mount-data_noread | /data/db | ✅| ✅| ✅ | ➖ | ➖ | ✅ netalertx-test-mount-data_noread | /data/config | ✅| ✅| ✅ | ➖ | ➖ | ✅ -netalertx-test-mount-data_noread | /tmp | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-data_noread | /tmp/api | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-data_noread | /tmp/log | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-data_noread | /tmp/run | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-data_noread | /tmp/nginx/active-config | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | ⚠️ ATTENTION: Configuration issues detected (marked with ❌). -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | * /tmp error writing, error reading -netalertx-test-mount-data_noread | * /tmp/api error writing, error reading -netalertx-test-mount-data_noread | * /tmp/log error writing, error reading -netalertx-test-mount-data_noread | * /tmp/run error writing, error reading -netalertx-test-mount-data_noread | * /tmp/nginx/active-config error writing, error reading -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | We recommend starting with the default docker-compose.yml as the -netalertx-test-mount-data_noread | configuration can be quite complex. -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | Review the documentation for a correct setup: -netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md -netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/mount-configuration-issues.md -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread |  +netalertx-test-mount-data_noread | /tmp | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-data_noread | /tmp/api | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-data_noread | /tmp/log | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-data_noread | /tmp/run | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-data_noread | /tmp/nginx/active-config | ✅| ✅| ✅ | ✅ | ✅ | ✅ netalertx-test-mount-data_noread | --> first run config.sh netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-data_noread | 🆕 First run detected. Default configuration written to /data/config/app.conf. @@ -3382,41 +2721,19 @@ netalertx-test-mount-data_noread | DB before onboarding sensitive or critic netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-data_noread | --> mandatory folders.sh netalertx-test-mount-data_noread | * Creating NetAlertX log directory. -netalertx-test-mount-data_noread | Warning: Unable to create log directory at /tmp/log (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating NetAlertX API cache. -netalertx-test-mount-data_noread | Warning: Unable to create API cache directory at /tmp/api (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating System services runtime directory. -netalertx-test-mount-data_noread | Warning: Unable to create System services runtime directory at /tmp/run (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating nginx active configuration directory. -netalertx-test-mount-data_noread | Warning: Unable to create nginx active configuration directory at /tmp/nginx/active-config (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating Plugins log. -netalertx-test-mount-data_noread | Warning: Unable to create plugins log directory at /tmp/log/plugins (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating System services run log. -netalertx-test-mount-data_noread | Warning: Unable to create system services run log directory at /tmp/run/logs (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating DB locked log. -netalertx-test-mount-data_noread | Warning: Unable to create DB locked log file at /tmp/log/db_is_locked.log (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | * Creating Execution queue log. -netalertx-test-mount-data_noread | Warning: Unable to create execution queue log file at /tmp/log/execution_queue.log (tmpfs not writable with current capabilities). netalertx-test-mount-data_noread | --> apply conf override.sh -netalertx-test-mount-data_noread | mkdir: can't create directory '77NETALERTX_CONFIG': Permission denied -netalertx-test-mount-data_noread | ERROR: Failed to create config directory 77NETALERTX_CONFIG -netalertx-test-mount-data_noread | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-data_noread | --> writable config.sh netalertx-test-mount-data_noread | --> nginx config.sh netalertx-test-mount-data_noread | --> expected user id match.sh netalertx-test-mount-data_noread | --> host mode network.sh netalertx-test-mount-data_noread | --> excessive capabilities.sh -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000000034c1). -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-data_noread | Please remove unnecessary capabilities. -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-data_noread | --> appliance integrity.sh netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-data_noread | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -3425,24 +2742,16 @@ netalertx-test-mount-data_noread | Please mount the root filesystem as --re netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-data_noread | --> ports available.sh -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | The main application (defined by $PORT) may fail to start. -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-data_noread | may fail to start. -netalertx-test-mount-data_noread | -netalertx-test-mount-data_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-data_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-data_noread | Container startup checks failed with exit code 1. -netalertx-test-mount-data_noread | \033[0m - netalertx-test-mount-data_noread exited with code 1 +netalertx-test-mount-data_noread | Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log) +netalertx-test-mount-data_noread | Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & +netalertx-test-mount-data_noread | Starting python3 -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2) +netalertx-test-mount-data_noread | Starting /usr/sbin/nginx -p "/tmp/run/" -c "/tmp/nginx/active-config/nginx.conf" -g "error_log stderr; error_log /tmp/log/nginx-error.log; daemon off;" & +netalertx-test-mount-data_noread | 2026/01/05 02:22:26 [error] 190#190: *1 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/tmp/run/tmp/sess_ufehnqbor2g6aevc5kn0eb9f2k, O_RDWR) failed: No such file or directory (2) in /app/front/php/templates/security.php on line 50; PHP message: PHP Warning: session_start(): Failed to read session data: files (path: /tmp/run/tmp) in /app/front/php/templates/security.php on line 50" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/run/php.sock:", host: "localhost:20211" +netalertx-test-mount-data_noread | Successfully updated IEEE OUI database (112503 entries) +Gracefully stopping... (press Ctrl+C again to force) + Container netalertx-test-mount-data_noread Stopping + Container netalertx-test-mount-data_noread Stopped + File: docker-compose.mount-test.db_mounted.yml ---------------------------------------- Expected outcome: Container starts successfully with proper database mount @@ -3460,12 +2769,12 @@ Running docker compose up... Container netalertx-test-mount-db_mounted Created Attaching to netalertx-test-mount-db_mounted netalertx-test-mount-db_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-db_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-db_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_mounted | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-db_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-db_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-db_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_mounted |  @@ -3562,14 +2871,6 @@ netalertx-test-mount-db_mounted |  netalertx-test-mount-db_mounted | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-db_mounted | --> host mode network.sh netalertx-test-mount-db_mounted | --> excessive capabilities.sh -netalertx-test-mount-db_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_mounted | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-db_mounted | -netalertx-test-mount-db_mounted | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-db_mounted | Please remove unnecessary capabilities. -netalertx-test-mount-db_mounted | -netalertx-test-mount-db_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-db_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_mounted | --> appliance integrity.sh netalertx-test-mount-db_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_mounted | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -3578,14 +2879,6 @@ netalertx-test-mount-db_mounted | Please mount the root filesystem as --rea netalertx-test-mount-db_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-db_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_mounted | --> ports available.sh -netalertx-test-mount-db_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_mounted | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-db_mounted | -netalertx-test-mount-db_mounted | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-db_mounted | may fail to start. -netalertx-test-mount-db_mounted | -netalertx-test-mount-db_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-db_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_mounted exited with code 0 File: docker-compose.mount-test.db_no-mount.yml ---------------------------------------- @@ -3604,12 +2897,12 @@ Running docker compose up... Container netalertx-test-mount-db_no-mount Created Attaching to netalertx-test-mount-db_no-mount netalertx-test-mount-db_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-db_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-db_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_no-mount | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-db_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-db_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-db_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_no-mount |  @@ -3708,14 +3001,6 @@ netalertx-test-mount-db_no-mount |  netalertx-test-mount-db_no-mount | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-db_no-mount | --> host mode network.sh netalertx-test-mount-db_no-mount | --> excessive capabilities.sh -netalertx-test-mount-db_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_no-mount | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-db_no-mount | -netalertx-test-mount-db_no-mount | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-db_no-mount | Please remove unnecessary capabilities. -netalertx-test-mount-db_no-mount | -netalertx-test-mount-db_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-db_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_no-mount | --> appliance integrity.sh netalertx-test-mount-db_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_no-mount | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -3724,14 +3009,6 @@ netalertx-test-mount-db_no-mount | Please mount the root filesystem as --re netalertx-test-mount-db_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-db_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_no-mount | --> ports available.sh -netalertx-test-mount-db_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_no-mount | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-db_no-mount | -netalertx-test-mount-db_no-mount | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-db_no-mount | may fail to start. -netalertx-test-mount-db_no-mount | -netalertx-test-mount-db_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-db_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_no-mount exited with code 0 File: docker-compose.mount-test.db_noread.yml ---------------------------------------- @@ -3747,7 +3024,6 @@ Running docker compose up... Container netalertx-test-mount-db_noread Creating Container netalertx-test-mount-db_noread Created Attaching to netalertx-test-mount-db_noread -netalertx-test-mount-db_noread | Note: container running as UID 20211 GID 20211; requested PUID/PGID=20211:20211 will not be applied. netalertx-test-mount-db_noread |  netalertx-test-mount-db_noread | _ _ _ ___ _ _ __ __ netalertx-test-mount-db_noread | | \ | | | | / _ \| | | | \ \ / / @@ -3768,30 +3044,11 @@ netalertx-test-mount-db_noread | --------------------------+---+---+-------+--- netalertx-test-mount-db_noread | /data | ✅| ✅| ✅ | ➖ | ➖ | ✅ netalertx-test-mount-db_noread | /data/db | ✅| ✅| ✅ | ➖ | ➖ | ✅ netalertx-test-mount-db_noread | /data/config | ✅| ✅| ✅ | ➖ | ➖ | ✅ -netalertx-test-mount-db_noread | /tmp | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-db_noread | /tmp/api | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-db_noread | /tmp/log | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-db_noread | /tmp/run | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-db_noread | /tmp/nginx/active-config | ❌| ❌| ✅ | ✅ | ✅ | ✅ -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | ⚠️ ATTENTION: Configuration issues detected (marked with ❌). -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | * /tmp error writing, error reading -netalertx-test-mount-db_noread | * /tmp/api error writing, error reading -netalertx-test-mount-db_noread | * /tmp/log error writing, error reading -netalertx-test-mount-db_noread | * /tmp/run error writing, error reading -netalertx-test-mount-db_noread | * /tmp/nginx/active-config error writing, error reading -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | We recommend starting with the default docker-compose.yml as the -netalertx-test-mount-db_noread | configuration can be quite complex. -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | Review the documentation for a correct setup: -netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md -netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/mount-configuration-issues.md -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread |  +netalertx-test-mount-db_noread | /tmp | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-db_noread | /tmp/api | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-db_noread | /tmp/log | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-db_noread | /tmp/run | ✅| ✅| ✅ | ✅ | ✅ | ✅ +netalertx-test-mount-db_noread | /tmp/nginx/active-config | ✅| ✅| ✅ | ✅ | ✅ | ✅ netalertx-test-mount-db_noread | --> first run config.sh netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_noread | 🆕 First run detected. Default configuration written to /data/config/app.conf. @@ -3808,41 +3065,19 @@ netalertx-test-mount-db_noread | DB before onboarding sensitive or critical netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_noread | --> mandatory folders.sh netalertx-test-mount-db_noread | * Creating NetAlertX log directory. -netalertx-test-mount-db_noread | Warning: Unable to create log directory at /tmp/log (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating NetAlertX API cache. -netalertx-test-mount-db_noread | Warning: Unable to create API cache directory at /tmp/api (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating System services runtime directory. -netalertx-test-mount-db_noread | Warning: Unable to create System services runtime directory at /tmp/run (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating nginx active configuration directory. -netalertx-test-mount-db_noread | Warning: Unable to create nginx active configuration directory at /tmp/nginx/active-config (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating Plugins log. -netalertx-test-mount-db_noread | Warning: Unable to create plugins log directory at /tmp/log/plugins (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating System services run log. -netalertx-test-mount-db_noread | Warning: Unable to create system services run log directory at /tmp/run/logs (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating DB locked log. -netalertx-test-mount-db_noread | Warning: Unable to create DB locked log file at /tmp/log/db_is_locked.log (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | * Creating Execution queue log. -netalertx-test-mount-db_noread | Warning: Unable to create execution queue log file at /tmp/log/execution_queue.log (tmpfs not writable with current capabilities). netalertx-test-mount-db_noread | --> apply conf override.sh -netalertx-test-mount-db_noread | mkdir: can't create directory '77NETALERTX_CONFIG': Permission denied -netalertx-test-mount-db_noread | ERROR: Failed to create config directory 77NETALERTX_CONFIG -netalertx-test-mount-db_noread | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_noread | --> writable config.sh netalertx-test-mount-db_noread | --> nginx config.sh netalertx-test-mount-db_noread | --> expected user id match.sh netalertx-test-mount-db_noread | --> host mode network.sh netalertx-test-mount-db_noread | --> excessive capabilities.sh -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000000034c1). -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-db_noread | Please remove unnecessary capabilities. -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_noread | --> appliance integrity.sh netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_noread | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -3851,24 +3086,17 @@ netalertx-test-mount-db_noread | Please mount the root filesystem as --read netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_noread | --> ports available.sh -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | The main application (defined by $PORT) may fail to start. -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-db_noread | may fail to start. -netalertx-test-mount-db_noread | -netalertx-test-mount-db_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-db_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_noread | Container startup checks failed with exit code 1. -netalertx-test-mount-db_noread | \033[0m - netalertx-test-mount-db_noread exited with code 1 +netalertx-test-mount-db_noread | Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & +netalertx-test-mount-db_noread | Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log) +netalertx-test-mount-db_noread | Starting python3 -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2) +netalertx-test-mount-db_noread | Starting /usr/sbin/nginx -p "/tmp/run/" -c "/tmp/nginx/active-config/nginx.conf" -g "error_log stderr; error_log /tmp/log/nginx-error.log; daemon off;" & +netalertx-test-mount-db_noread | 2026/01/05 02:22:43 [error] 190#190: *1 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/tmp/run/tmp/sess_4c8q75r1vlsf59n7bmcfsuo41q, O_RDWR) failed: No such file or directory (2) in /app/front/php/templates/security.php on line 50; PHP message: PHP Warning: session_start(): Failed to read session data: files (path: /tmp/run/tmp) in /app/front/php/templates/security.php on line 50" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/run/php.sock:", host: "localhost:20211" +netalertx-test-mount-db_noread | Successfully updated IEEE OUI database (112503 entries) +netalertx-test-mount-db_noread | 2026/01/05 02:22:45 [error] 191#191: *3 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/tmp/run/tmp/sess_vnqqcr4d26f61l8o1hmtmomn08, O_RDWR) failed: No such file or directory (2) in /app/front/php/templates/security.php on line 50; PHP message: PHP Warning: session_start(): Failed to read session data: files (path: /tmp/run/tmp) in /app/front/php/templates/security.php on line 50" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/run/php.sock:", host: "localhost:20211" +Gracefully stopping... (press Ctrl+C again to force) + Container netalertx-test-mount-db_noread Stopping + Container netalertx-test-mount-db_noread Stopped + File: docker-compose.mount-test.db_ramdisk.yml ---------------------------------------- Expected outcome: Container shows dataloss risk warning for database on RAM disk @@ -3886,12 +3114,12 @@ Running docker compose up... Container netalertx-test-mount-db_ramdisk Created Attaching to netalertx-test-mount-db_ramdisk netalertx-test-mount-db_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-db_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-db_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_ramdisk | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-db_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-db_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-db_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_ramdisk |  @@ -4011,14 +3239,6 @@ netalertx-test-mount-db_ramdisk |  netalertx-test-mount-db_ramdisk | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-db_ramdisk | --> host mode network.sh netalertx-test-mount-db_ramdisk | --> excessive capabilities.sh -netalertx-test-mount-db_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_ramdisk | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-db_ramdisk | -netalertx-test-mount-db_ramdisk | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-db_ramdisk | Please remove unnecessary capabilities. -netalertx-test-mount-db_ramdisk | -netalertx-test-mount-db_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-db_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_ramdisk | --> appliance integrity.sh netalertx-test-mount-db_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_ramdisk | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4027,14 +3247,6 @@ netalertx-test-mount-db_ramdisk | Please mount the root filesystem as --rea netalertx-test-mount-db_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-db_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_ramdisk | --> ports available.sh -netalertx-test-mount-db_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_ramdisk | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-db_ramdisk | -netalertx-test-mount-db_ramdisk | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-db_ramdisk | may fail to start. -netalertx-test-mount-db_ramdisk | -netalertx-test-mount-db_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-db_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_ramdisk | Container startup checks failed with exit code 1. netalertx-test-mount-db_ramdisk exited with code 1 File: docker-compose.mount-test.db_unwritable.yml @@ -4056,12 +3268,12 @@ Running docker compose up... Container netalertx-test-mount-db_unwritable Created Attaching to netalertx-test-mount-db_unwritable netalertx-test-mount-db_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-db_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-db_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_unwritable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-db_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-db_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-db_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-db_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-db_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-db_unwritable |  @@ -4181,14 +3393,6 @@ netalertx-test-mount-db_unwritable |  netalertx-test-mount-db_unwritable | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-db_unwritable | --> host mode network.sh netalertx-test-mount-db_unwritable | --> excessive capabilities.sh -netalertx-test-mount-db_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_unwritable | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-db_unwritable | -netalertx-test-mount-db_unwritable | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-db_unwritable | Please remove unnecessary capabilities. -netalertx-test-mount-db_unwritable | -netalertx-test-mount-db_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-db_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_unwritable | --> appliance integrity.sh netalertx-test-mount-db_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_unwritable | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4197,14 +3401,6 @@ netalertx-test-mount-db_unwritable | Please mount the root filesystem as -- netalertx-test-mount-db_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-db_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_unwritable | --> ports available.sh -netalertx-test-mount-db_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-db_unwritable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-db_unwritable | -netalertx-test-mount-db_unwritable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-db_unwritable | may fail to start. -netalertx-test-mount-db_unwritable | -netalertx-test-mount-db_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-db_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-db_unwritable | Container startup checks failed with exit code 1. netalertx-test-mount-db_unwritable exited with code 1 File: docker-compose.mount-test.log_mounted.yml @@ -4228,12 +3424,12 @@ Running docker compose up... Container netalertx-test-mount-log_mounted Created Attaching to netalertx-test-mount-log_mounted netalertx-test-mount-log_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-log_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-log_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_mounted | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-log_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-log_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-log_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_mounted |  @@ -4323,14 +3519,6 @@ netalertx-test-mount-log_mounted |  netalertx-test-mount-log_mounted | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-log_mounted | --> host mode network.sh netalertx-test-mount-log_mounted | --> excessive capabilities.sh -netalertx-test-mount-log_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_mounted | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-log_mounted | -netalertx-test-mount-log_mounted | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-log_mounted | Please remove unnecessary capabilities. -netalertx-test-mount-log_mounted | -netalertx-test-mount-log_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-log_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_mounted | --> appliance integrity.sh netalertx-test-mount-log_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_mounted | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4339,14 +3527,6 @@ netalertx-test-mount-log_mounted | Please mount the root filesystem as --re netalertx-test-mount-log_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-log_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_mounted | --> ports available.sh -netalertx-test-mount-log_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_mounted | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-log_mounted | -netalertx-test-mount-log_mounted | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-log_mounted | may fail to start. -netalertx-test-mount-log_mounted | -netalertx-test-mount-log_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-log_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_mounted exited with code 0 File: docker-compose.mount-test.log_no-mount.yml ---------------------------------------- @@ -4367,12 +3547,12 @@ Running docker compose up... Container netalertx-test-mount-log_no-mount Created Attaching to netalertx-test-mount-log_no-mount netalertx-test-mount-log_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-log_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-log_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_no-mount | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-log_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-log_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-log_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_no-mount |  @@ -4462,14 +3642,6 @@ netalertx-test-mount-log_no-mount |  netalertx-test-mount-log_no-mount | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-log_no-mount | --> host mode network.sh netalertx-test-mount-log_no-mount | --> excessive capabilities.sh -netalertx-test-mount-log_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_no-mount | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-log_no-mount | -netalertx-test-mount-log_no-mount | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-log_no-mount | Please remove unnecessary capabilities. -netalertx-test-mount-log_no-mount | -netalertx-test-mount-log_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-log_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_no-mount | --> appliance integrity.sh netalertx-test-mount-log_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_no-mount | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4478,14 +3650,6 @@ netalertx-test-mount-log_no-mount | Please mount the root filesystem as --r netalertx-test-mount-log_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-log_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_no-mount | --> ports available.sh -netalertx-test-mount-log_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_no-mount | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-log_no-mount | -netalertx-test-mount-log_no-mount | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-log_no-mount | may fail to start. -netalertx-test-mount-log_no-mount | -netalertx-test-mount-log_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-log_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_no-mount exited with code 0 File: docker-compose.mount-test.log_ramdisk.yml ---------------------------------------- @@ -4504,12 +3668,12 @@ Running docker compose up... Container netalertx-test-mount-log_ramdisk Created Attaching to netalertx-test-mount-log_ramdisk netalertx-test-mount-log_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-log_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-log_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_ramdisk | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-log_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-log_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-log_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_ramdisk |  @@ -4606,14 +3770,6 @@ netalertx-test-mount-log_ramdisk |  netalertx-test-mount-log_ramdisk | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-log_ramdisk | --> host mode network.sh netalertx-test-mount-log_ramdisk | --> excessive capabilities.sh -netalertx-test-mount-log_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_ramdisk | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-log_ramdisk | -netalertx-test-mount-log_ramdisk | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-log_ramdisk | Please remove unnecessary capabilities. -netalertx-test-mount-log_ramdisk | -netalertx-test-mount-log_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-log_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_ramdisk | --> appliance integrity.sh netalertx-test-mount-log_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_ramdisk | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4622,14 +3778,6 @@ netalertx-test-mount-log_ramdisk | Please mount the root filesystem as --re netalertx-test-mount-log_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-log_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_ramdisk | --> ports available.sh -netalertx-test-mount-log_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_ramdisk | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-log_ramdisk | -netalertx-test-mount-log_ramdisk | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-log_ramdisk | may fail to start. -netalertx-test-mount-log_ramdisk | -netalertx-test-mount-log_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-log_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_ramdisk exited with code 0 File: docker-compose.mount-test.log_unwritable.yml ---------------------------------------- @@ -4642,22 +3790,22 @@ Testing: docker-compose.mount-test.log_unwritable.yml Directory: /workspaces/NetAlertX/test/docker_tests/configurations/mount-tests Running docker compose up... - Volume "mount-tests_netalertx_db" Creating - Volume "mount-tests_netalertx_db" Created Volume "mount-tests_netalertx_config" Creating Volume "mount-tests_netalertx_config" Created Volume "mount-tests_test_netalertx_log" Creating Volume "mount-tests_test_netalertx_log" Created + Volume "mount-tests_netalertx_db" Creating + Volume "mount-tests_netalertx_db" Created Container netalertx-test-mount-log_unwritable Creating Container netalertx-test-mount-log_unwritable Created Attaching to netalertx-test-mount-log_unwritable netalertx-test-mount-log_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-log_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-log_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_unwritable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-log_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-log_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-log_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-log_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-log_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-log_unwritable |  @@ -4747,14 +3895,6 @@ netalertx-test-mount-log_unwritable |  netalertx-test-mount-log_unwritable | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-log_unwritable | --> host mode network.sh netalertx-test-mount-log_unwritable | --> excessive capabilities.sh -netalertx-test-mount-log_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_unwritable | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-log_unwritable | -netalertx-test-mount-log_unwritable | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-log_unwritable | Please remove unnecessary capabilities. -netalertx-test-mount-log_unwritable | -netalertx-test-mount-log_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-log_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_unwritable | --> appliance integrity.sh netalertx-test-mount-log_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_unwritable | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4763,14 +3903,6 @@ netalertx-test-mount-log_unwritable | Please mount the root filesystem as - netalertx-test-mount-log_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-log_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_unwritable | --> ports available.sh -netalertx-test-mount-log_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-log_unwritable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-log_unwritable | -netalertx-test-mount-log_unwritable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-log_unwritable | may fail to start. -netalertx-test-mount-log_unwritable | -netalertx-test-mount-log_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-log_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-log_unwritable exited with code 0 File: docker-compose.mount-test.run_mounted.yml ---------------------------------------- @@ -4783,22 +3915,22 @@ Testing: docker-compose.mount-test.run_mounted.yml Directory: /workspaces/NetAlertX/test/docker_tests/configurations/mount-tests Running docker compose up... - Volume "mount-tests_test_system_services_run" Creating - Volume "mount-tests_test_system_services_run" Created Volume "mount-tests_netalertx_db" Creating Volume "mount-tests_netalertx_db" Created Volume "mount-tests_netalertx_config" Creating Volume "mount-tests_netalertx_config" Created + Volume "mount-tests_test_system_services_run" Creating + Volume "mount-tests_test_system_services_run" Created Container netalertx-test-mount-run_mounted Creating Container netalertx-test-mount-run_mounted Created Attaching to netalertx-test-mount-run_mounted netalertx-test-mount-run_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-run_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-run_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_mounted | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-run_mounted | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_mounted | Permissions prepared for PUID=20211. +netalertx-test-mount-run_mounted | Ownership prepared for PUID=20211. netalertx-test-mount-run_mounted | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_mounted | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_mounted |  @@ -4890,14 +4022,6 @@ netalertx-test-mount-run_mounted |  netalertx-test-mount-run_mounted | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-run_mounted | --> host mode network.sh netalertx-test-mount-run_mounted | --> excessive capabilities.sh -netalertx-test-mount-run_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_mounted | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-run_mounted | -netalertx-test-mount-run_mounted | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-run_mounted | Please remove unnecessary capabilities. -netalertx-test-mount-run_mounted | -netalertx-test-mount-run_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-run_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_mounted | --> appliance integrity.sh netalertx-test-mount-run_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_mounted | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -4906,14 +4030,6 @@ netalertx-test-mount-run_mounted | Please mount the root filesystem as --re netalertx-test-mount-run_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-run_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_mounted | --> ports available.sh -netalertx-test-mount-run_mounted | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_mounted | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-run_mounted | -netalertx-test-mount-run_mounted | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-run_mounted | may fail to start. -netalertx-test-mount-run_mounted | -netalertx-test-mount-run_mounted | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-run_mounted | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_mounted exited with code 0 File: docker-compose.mount-test.run_no-mount.yml ---------------------------------------- @@ -4934,12 +4050,12 @@ Running docker compose up... Container netalertx-test-mount-run_no-mount Created Attaching to netalertx-test-mount-run_no-mount netalertx-test-mount-run_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-run_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-run_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_no-mount | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-run_no-mount | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_no-mount | Permissions prepared for PUID=20211. +netalertx-test-mount-run_no-mount | Ownership prepared for PUID=20211. netalertx-test-mount-run_no-mount | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_no-mount | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_no-mount |  @@ -5025,14 +4141,6 @@ netalertx-test-mount-run_no-mount |  netalertx-test-mount-run_no-mount | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-run_no-mount | --> host mode network.sh netalertx-test-mount-run_no-mount | --> excessive capabilities.sh -netalertx-test-mount-run_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_no-mount | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-run_no-mount | -netalertx-test-mount-run_no-mount | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-run_no-mount | Please remove unnecessary capabilities. -netalertx-test-mount-run_no-mount | -netalertx-test-mount-run_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-run_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_no-mount | --> appliance integrity.sh netalertx-test-mount-run_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_no-mount | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -5041,14 +4149,6 @@ netalertx-test-mount-run_no-mount | Please mount the root filesystem as --r netalertx-test-mount-run_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-run_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_no-mount | --> ports available.sh -netalertx-test-mount-run_no-mount | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_no-mount | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-run_no-mount | -netalertx-test-mount-run_no-mount | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-run_no-mount | may fail to start. -netalertx-test-mount-run_no-mount | -netalertx-test-mount-run_no-mount | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-run_no-mount | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_no-mount exited with code 0 File: docker-compose.mount-test.run_ramdisk.yml ---------------------------------------- @@ -5067,12 +4167,12 @@ Running docker compose up... Container netalertx-test-mount-run_ramdisk Created Attaching to netalertx-test-mount-run_ramdisk netalertx-test-mount-run_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-run_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-run_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_ramdisk | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-run_ramdisk | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_ramdisk | Permissions prepared for PUID=20211. +netalertx-test-mount-run_ramdisk | Ownership prepared for PUID=20211. netalertx-test-mount-run_ramdisk | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_ramdisk | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_ramdisk |  @@ -5169,14 +4269,6 @@ netalertx-test-mount-run_ramdisk |  netalertx-test-mount-run_ramdisk | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-run_ramdisk | --> host mode network.sh netalertx-test-mount-run_ramdisk | --> excessive capabilities.sh -netalertx-test-mount-run_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_ramdisk | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-run_ramdisk | -netalertx-test-mount-run_ramdisk | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-run_ramdisk | Please remove unnecessary capabilities. -netalertx-test-mount-run_ramdisk | -netalertx-test-mount-run_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-run_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_ramdisk | --> appliance integrity.sh netalertx-test-mount-run_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_ramdisk | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -5185,14 +4277,6 @@ netalertx-test-mount-run_ramdisk | Please mount the root filesystem as --re netalertx-test-mount-run_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-run_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_ramdisk | --> ports available.sh -netalertx-test-mount-run_ramdisk | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_ramdisk | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-run_ramdisk | -netalertx-test-mount-run_ramdisk | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-run_ramdisk | may fail to start. -netalertx-test-mount-run_ramdisk | -netalertx-test-mount-run_ramdisk | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-run_ramdisk | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_ramdisk exited with code 0 File: docker-compose.mount-test.run_unwritable.yml ---------------------------------------- @@ -5205,22 +4289,22 @@ Testing: docker-compose.mount-test.run_unwritable.yml Directory: /workspaces/NetAlertX/test/docker_tests/configurations/mount-tests Running docker compose up... - Volume "mount-tests_test_system_services_run" Creating - Volume "mount-tests_test_system_services_run" Created Volume "mount-tests_netalertx_db" Creating Volume "mount-tests_netalertx_db" Created Volume "mount-tests_netalertx_config" Creating Volume "mount-tests_netalertx_config" Created + Volume "mount-tests_test_system_services_run" Creating + Volume "mount-tests_test_system_services_run" Created Container netalertx-test-mount-run_unwritable Creating Container netalertx-test-mount-run_unwritable Created Attaching to netalertx-test-mount-run_unwritable netalertx-test-mount-run_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-run_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-run_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_unwritable | NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation. netalertx-test-mount-run_unwritable | Note: CAP_SETUID/CAP_SETGID unavailable alongside NET_* caps; continuing as current user. -netalertx-test-mount-run_unwritable | Permissions prepared for PUID=20211. +netalertx-test-mount-run_unwritable | Ownership prepared for PUID=20211. netalertx-test-mount-run_unwritable | su-exec: setgroups(20211): Operation not permitted netalertx-test-mount-run_unwritable | Note: su-exec failed (exit 0); continuing as current user without privilege drop. netalertx-test-mount-run_unwritable |  @@ -5312,14 +4396,6 @@ netalertx-test-mount-run_unwritable |  netalertx-test-mount-run_unwritable | NetAlertX note: current UID 0 GID 0, expected UID 20211 GID 20211 netalertx-test-mount-run_unwritable | --> host mode network.sh netalertx-test-mount-run_unwritable | --> excessive capabilities.sh -netalertx-test-mount-run_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_unwritable | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x0000000000003401). -netalertx-test-mount-run_unwritable | -netalertx-test-mount-run_unwritable | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-run_unwritable | Please remove unnecessary capabilities. -netalertx-test-mount-run_unwritable | -netalertx-test-mount-run_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-run_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_unwritable | --> appliance integrity.sh netalertx-test-mount-run_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_unwritable | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -5328,14 +4404,6 @@ netalertx-test-mount-run_unwritable | Please mount the root filesystem as - netalertx-test-mount-run_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-run_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_unwritable | --> ports available.sh -netalertx-test-mount-run_unwritable | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-run_unwritable | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-run_unwritable | -netalertx-test-mount-run_unwritable | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-run_unwritable | may fail to start. -netalertx-test-mount-run_unwritable | -netalertx-test-mount-run_unwritable | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-run_unwritable | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-run_unwritable exited with code 0 File: docker-compose.mount-test.tmp_noread.yml ---------------------------------------- @@ -5351,7 +4419,6 @@ Running docker compose up... Container netalertx-test-mount-tmp_noread Creating Container netalertx-test-mount-tmp_noread Created Attaching to netalertx-test-mount-tmp_noread -netalertx-test-mount-tmp_noread | Note: container running as UID 20211 GID 20211; requested PUID/PGID=20211:20211 will not be applied. netalertx-test-mount-tmp_noread |  netalertx-test-mount-tmp_noread | _ _ _ ___ _ _ __ __ netalertx-test-mount-tmp_noread | | \ | | | | / _ \| | | | \ \ / / @@ -5420,25 +4487,11 @@ netalertx-test-mount-tmp_noread | * Creating System services run log. netalertx-test-mount-tmp_noread | * Creating DB locked log. netalertx-test-mount-tmp_noread | * Creating Execution queue log. netalertx-test-mount-tmp_noread | --> apply conf override.sh -netalertx-test-mount-tmp_noread | mkdir: can't create directory '83NETALERTX_CONFIG': Permission denied -netalertx-test-mount-tmp_noread | ERROR: Failed to create config directory 83NETALERTX_CONFIG -netalertx-test-mount-tmp_noread | \033[1;31m══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-tmp_noread | ❌ NetAlertX startup aborted: critical failure in apply conf override.sh. -netalertx-test-mount-tmp_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/troubleshooting.md -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-tmp_noread | --> writable config.sh netalertx-test-mount-tmp_noread | --> nginx config.sh netalertx-test-mount-tmp_noread | --> expected user id match.sh netalertx-test-mount-tmp_noread | --> host mode network.sh netalertx-test-mount-tmp_noread | --> excessive capabilities.sh -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-tmp_noread | ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x00000000000034c1). -netalertx-test-mount-tmp_noread | -netalertx-test-mount-tmp_noread | Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container. -netalertx-test-mount-tmp_noread | Please remove unnecessary capabilities. -netalertx-test-mount-tmp_noread | -netalertx-test-mount-tmp_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-tmp_noread | --> appliance integrity.sh netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-tmp_noread | ⚠️ Warning: Container is running as read-write, not in read-only mode. @@ -5447,22 +4500,15 @@ netalertx-test-mount-tmp_noread | Please mount the root filesystem as --rea netalertx-test-mount-tmp_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/read-only-filesystem.md netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ netalertx-test-mount-tmp_noread | --> ports available.sh -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-tmp_noread | ⚠️ Port Warning: Application port 20211 is already in use. -netalertx-test-mount-tmp_noread | -netalertx-test-mount-tmp_noread | The main application (defined by $PORT) may fail to start. -netalertx-test-mount-tmp_noread | -netalertx-test-mount-tmp_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-tmp_noread | ⚠️ Port Warning: GraphQL API port 20212 is already in use. -netalertx-test-mount-tmp_noread | -netalertx-test-mount-tmp_noread | The GraphQL API (defined by $APP_CONF_OVERRIDE or $GRAPHQL_PORT) -netalertx-test-mount-tmp_noread | may fail to start. -netalertx-test-mount-tmp_noread | -netalertx-test-mount-tmp_noread | https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/port-conflicts.md -netalertx-test-mount-tmp_noread | ══════════════════════════════════════════════════════════════════════════════ -netalertx-test-mount-tmp_noread | Container startup checks failed with exit code 1. -netalertx-test-mount-tmp_noread | \033[0m - netalertx-test-mount-tmp_noread exited with code 1 -All tests completed - Fri Jan 2 22:41:59 UTC 2026 +netalertx-test-mount-tmp_noread | Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 & +netalertx-test-mount-tmp_noread | Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log) +netalertx-test-mount-tmp_noread | Starting python3 -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2) +netalertx-test-mount-tmp_noread | Starting /usr/sbin/nginx -p "/tmp/run/" -c "/tmp/nginx/active-config/nginx.conf" -g "error_log stderr; error_log /tmp/log/nginx-error.log; daemon off;" & +netalertx-test-mount-tmp_noread | 2026/01/05 02:23:24 [error] 190#190: *1 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/tmp/run/tmp/sess_kitrk7dgsf2rgt911ren35b9sj, O_RDWR) failed: No such file or directory (2) in /app/front/php/templates/security.php on line 50; PHP message: PHP Warning: session_start(): Failed to read session data: files (path: /tmp/run/tmp) in /app/front/php/templates/security.php on line 50" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/run/php.sock:", host: "localhost:20211" +netalertx-test-mount-tmp_noread | Successfully updated IEEE OUI database (112503 entries) +netalertx-test-mount-tmp_noread | 2026/01/05 02:23:25 [error] 191#191: *3 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): open(/tmp/run/tmp/sess_e6st6pce0a0ksi5rr46o4ri3bu, O_RDWR) failed: No such file or directory (2) in /app/front/php/templates/security.php on line 50; PHP message: PHP Warning: session_start(): Failed to read session data: files (path: /tmp/run/tmp) in /app/front/php/templates/security.php on line 50" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/run/php.sock:", host: "localhost:20211" +Gracefully stopping... (press Ctrl+C again to force) + Container netalertx-test-mount-tmp_noread Stopping + Container netalertx-test-mount-tmp_noread Stopped + +All tests completed - Mon Jan 5 02:23:32 UTC 2026 diff --git a/test/docker_tests/test_container_environment.py b/test/docker_tests/test_container_environment.py index 15e6f057..1ccc0f29 100644 --- a/test/docker_tests/test_container_environment.py +++ b/test/docker_tests/test_container_environment.py @@ -476,6 +476,7 @@ def test_root_then_user_20211_transition() -> None: "transition-root", volumes=None, volume_specs=[f"{volume}:/data"], + env={"NETALERTX_CHECK_ONLY": "1"}, sleep_seconds=8, ) assert init_result.returncode == 0 @@ -493,6 +494,7 @@ def test_root_then_user_20211_transition() -> None: ) combined_output = (user_result.output or "") + (user_result.stderr or "") + print(combined_output) # DO NOT REMOVE OR MODIFY - MANDATORY LOGGING FOR DEBUGGING & CI. assert user_result.returncode == 0, combined_output assert "permission denied" not in combined_output.lower() assert "configuration issues detected" not in combined_output.lower() @@ -663,7 +665,7 @@ def _run_container( stdout=subprocess.PIPE, # MUST capture stdout for test assertions and debugging stderr=subprocess.PIPE, # MUST capture stderr for test assertions and debugging text=True, - timeout=max(SUBPROCESS_TIMEOUT_SECONDS, sleep_seconds + 30), + timeout=max(SUBPROCESS_TIMEOUT_SECONDS, sleep_seconds), check=False, ) @@ -886,37 +888,6 @@ def test_missing_capabilities_triggers_warning(tmp_path: pathlib.Path) -> None: ) -def test_running_as_root_is_blocked(tmp_path: pathlib.Path) -> None: - """Test running as root user - simulates insecure container execution. - - 6. Running as Root User: Simulates running container as root (UID 0) instead of - dedicated netalertx user. Warning about security risks, special permission fix mode. - Expected: Warning about security risks, guidance to use UID 20211. - - Sample message: "NetAlertX is running as ROOT" - """ - paths = _setup_mount_tree(tmp_path, "run_as_root") - volumes = _build_volume_args_for_keys(paths, {"data", "nginx_conf"}) - result = _run_container( - "run-as-root", - volumes, - user="0", - ) - _assert_contains(result, "NetAlertX is running as ROOT", result.args) - _assert_contains_any( - result, - [ - "Permissions fixed for read-write paths.", - "Permissions prepared for PUID=", - "Permissions prepared", - ], - result.args, - ) - assert ( - result.returncode == 0 - ) # container warns but continues running, then terminated by test framework - - def test_missing_host_network_warns(tmp_path: pathlib.Path) -> None: # No output assertion, just returncode check """Test missing host networking - simulates running without host network mode. @@ -1386,19 +1357,7 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None: keys = {"data", "app_db", "app_config", "app_log", "app_api", "services_run", "nginx_conf"} volumes = _build_volume_args_for_keys(paths, keys) - # Case 1: Running as non-root (default) - Should fail to write - # We disable host network/userns to avoid potential hangs in devcontainer environment - result = _run_container( - "restrictive-perms-user", - volumes, - user="20211:20211", - sleep_seconds=5, - network_mode=None, - userns_mode=None - ) - assert result.returncode != 0 or "Permission denied" in result.output or "Unable to write" in result.output - - # Case 2: Running as root - Should trigger the fix script + # Run as root by default to exercise permission-fix path explicitly. result_root = _run_container( "restrictive-perms-root", volumes, @@ -1408,17 +1367,17 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None: userns_mode=None ) + # Ensure root-based startup succeeds without permission errors before verification. + assert result_root.returncode == 0 + assert "permission denied" not in result_root.output.lower() + assert "unable to write" not in result_root.output.lower() + _assert_contains(result_root, "NetAlertX is running as ROOT", result_root.args) - _assert_contains_any( - result_root, - ["Permissions fixed for read-write paths", "Permissions prepared for PUID=", "Permissions prepared"], - result_root.args, - ) check_cmd = [ "docker", "run", "--rm", "--entrypoint", "/bin/sh", - "--user", "20211:20211", + "--user", "0:0", IMAGE, "-c", "ls -ldn /data/db && touch /data/db/test_write_after_fix" ] @@ -1433,6 +1392,13 @@ def test_restrictive_permissions_handling(tmp_path: pathlib.Path) -> None: timeout=SUBPROCESS_TIMEOUT_SECONDS, ) + # MANDATORY LOGGING: capture the follow-up verification command output for CI debugging. + print("\n--- PERM FIX CHECK CMD ---\n", " ".join(check_cmd), "\n--- END CHECK CMD ---\n") + print("--- PERM FIX CHECK STDOUT ---") + print(check_result.stdout or "") + print("--- PERM FIX CHECK STDERR ---") + print(check_result.stderr or "") + if check_result.returncode != 0: print(f"Check command failed. Cmd: {check_cmd}") print(f"Stderr: {check_result.stderr}") diff --git a/test/docker_tests/test_docker_compose_scenarios.py b/test/docker_tests/test_docker_compose_scenarios.py index f1d4a56e..f405f358 100644 --- a/test/docker_tests/test_docker_compose_scenarios.py +++ b/test/docker_tests/test_docker_compose_scenarios.py @@ -76,8 +76,8 @@ CONTAINER_PATHS = { TMPFS_ROOT = "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime" DEFAULT_HTTP_PORT = int(os.environ.get("NETALERTX_DEFAULT_HTTP_PORT", "20211")) -COMPOSE_PORT_WAIT_TIMEOUT = int(os.environ.get("NETALERTX_COMPOSE_PORT_WAIT_TIMEOUT", "180")) -COMPOSE_SETTLE_WAIT_SECONDS = int(os.environ.get("NETALERTX_COMPOSE_SETTLE_WAIT", "15")) +COMPOSE_PORT_WAIT_TIMEOUT = "30" +COMPOSE_SETTLE_WAIT_SECONDS = "20" PREFERRED_CUSTOM_PORTS = (22111, 22112) HOST_ADDR_ENV = os.environ.get("NETALERTX_HOST_ADDRS", "") @@ -696,29 +696,60 @@ def test_custom_port_with_unwritable_nginx_config_compose() -> None: compose_file = CONFIG_DIR / "mount-tests" / "docker-compose.mount-test.active_config_unwritable.yml" http_port = _select_custom_ports() graphql_port = _select_custom_ports({http_port}) + LAST_PORT_SUCCESSES.pop(http_port, None) + project_name = "netalertx-custom-port" + + def _wait_for_unwritable_failure() -> None: + deadline = time.time() + 45 + while time.time() < deadline: + ps_cmd = [ + "docker", + "compose", + "-f", + str(compose_file), + "-p", + project_name, + "ps", + "--format", + "{{.Name}} {{.State}}", + ] + ps_proc = subprocess.run( + ps_cmd, + capture_output=True, + text=True, + timeout=5, + check=False, + ) + ps_output = (ps_proc.stdout or "") + (ps_proc.stderr or "") + print("[unwritable-nginx ps poll]", ps_output.strip() or "") + if "exited" in ps_output.lower() or "dead" in ps_output.lower(): + return + time.sleep(2) + raise TimeoutError("netalertx-custom-port container did not exit within 45 seconds") + result = _run_docker_compose( compose_file, - "netalertx-custom-port", + project_name, env_vars={ "PORT": str(http_port), "GRAPHQL_PORT": str(graphql_port), - "NETALERTX_CHECK_ONLY": "1", + # Run full startup to validate nginx config generation on tmpfs. + "NETALERTX_CHECK_ONLY": "0", }, - timeout=60, - detached=False, + timeout=8, + detached=True, + post_up=_wait_for_unwritable_failure, ) # MANDATORY LOGGING - DO NOT REMOVE (see file header for reasoning) - print("\n[compose output]", result.output) - - full_output = (result.output or "") + (result.stdout or "") + (result.stderr or "") + full_output = ANSI_ESCAPE.sub("", result.output) lowered_output = full_output.lower() + print("\n[compose output unwritable-nginx]", full_output) - assert "unable to write" in lowered_output or "nginx" in lowered_output or "chown" in lowered_output - assert "chown" in lowered_output or "permission" in lowered_output - # The container may succeed (with warnings) or fail depending on the chown behavior - # The important thing is that the warnings are shown - assert "missing-capabilities" in lowered_output or "permission" in lowered_output + # Container should exit due to inability to write nginx config and custom port. + assert result.returncode == 1 + assert "unable to write to /tmp/nginx/active-config/netalertx.conf" in lowered_output + assert "mv: can't create '/tmp/nginx/active-config/nginx.conf'" in lowered_output def test_host_network_compose(tmp_path: pathlib.Path) -> None: @@ -791,7 +822,7 @@ def test_normal_startup_no_warnings_compose(tmp_path: pathlib.Path) -> None: default_result = _run_docker_compose( default_compose_file, default_project, - timeout=60, + timeout=8, detached=True, post_up=_make_port_check_hook(default_ports), ) @@ -847,7 +878,7 @@ def test_normal_startup_no_warnings_compose(tmp_path: pathlib.Path) -> None: custom_result = _run_docker_compose( custom_compose_file, custom_project, - timeout=60, + timeout=8, detached=True, post_up=_make_port_check_hook(custom_ports), ) diff --git a/test/docker_tests/test_mount_diagnostics_pytest.py b/test/docker_tests/test_mount_diagnostics_pytest.py index cb0613b9..8a81c022 100644 --- a/test/docker_tests/test_mount_diagnostics_pytest.py +++ b/test/docker_tests/test_mount_diagnostics_pytest.py @@ -354,22 +354,22 @@ def create_test_scenarios() -> List[TestScenario]: # These are intentionally not part of the full matrix to avoid runtime bloat. scenarios.extend( [ - TestScenario( + TestScenario( # Will no longer fail due to the root-entrypoint fix name="data_noread", path_var="NETALERTX_DATA", container_path="/data", is_persistent=True, docker_compose="docker-compose.mount-test.data_noread.yml", - expected_issues=["table_issues", "warning_message"], + expected_issues=[], expected_exit_code=0, ), - TestScenario( + TestScenario( # Will no longer fail due to the root-entrypoint fix name="db_noread", path_var="NETALERTX_DB", container_path="/data/db", is_persistent=True, docker_compose="docker-compose.mount-test.db_noread.yml", - expected_issues=["table_issues", "warning_message"], + expected_issues=[], expected_exit_code=0, ), TestScenario( @@ -437,6 +437,18 @@ def validate_scenario_table_output(output: str, test_scenario: TestScenario) -> """Validate the diagnostic table for scenarios that should report issues.""" if not test_scenario.expected_issues: + if test_scenario.name in ("data_noread", "db_noread"): + # Cannot fix chmod 0300 (write-only) when running as user; expect R=❌, W=✅, dataloss=✅ + assert_table_row( + output, + test_scenario.container_path, + readable=False, + writeable=True, + mount=True, + ramdisk=None, + performance=None, + dataloss=True, + ) return try: @@ -663,8 +675,10 @@ def test_mount_diagnostic(netalertx_test_image, test_scenario): # Always surface diagnostic output for visibility print("\n[diagnostic output from startup logs]\n", diagnostic_output) + # Always validate the table output, even when expected_issues is empty. + validate_scenario_table_output(diagnostic_output, test_scenario) + if test_scenario.expected_issues: - validate_scenario_table_output(diagnostic_output, test_scenario) assert_has_troubleshooting_url(diagnostic_output) assert "⚠️" in diagnostic_output, ( f"Issue scenario {test_scenario.name} should include a warning symbol in startup logs"