Update docs

2026-03-05 15:49:12 -05:00 · 2026-03-02 19:43:38 +00:00
parent c1d53ff93f
commit 8ab9d9f395
3 changed files with 51 additions and 0 deletions
--- a/docs/DOCKER_COMPOSE.md
+++ b/docs/DOCKER_COMPOSE.md
@@ -30,6 +30,9 @@ services:
      - CHOWN                                       # Required for root-entrypoint to chown /data + /tmp before dropping privileges
      - SETUID                                      # Required for root-entrypoint to switch to non-root user
      - SETGID                                      # Required for root-entrypoint to switch to non-root group
+    sysctls:                                        # ARP flux mitigation (reduces duplicate/ambiguous ARP behavior on host networking)
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2

    volumes:
      - type: volume                                # Persistent Docker-managed named volume for config + database
--- a/docs/docker-troubleshooting/arp-flux-sysctls.md
+++ b/docs/docker-troubleshooting/arp-flux-sysctls.md
@@ -0,0 +1,47 @@
+# ARP Flux Sysctls Not Set
+
+## Issue Description
+
+NetAlertX detected that ARP flux protection sysctls are not set as expected:
+
+- `net.ipv4.conf.all.arp_ignore=1`
+- `net.ipv4.conf.all.arp_announce=2`
+
+## Security Ramifications
+
+This is not a direct container breakout risk, but detection quality can degrade:
+
+- Incorrect IP/MAC associations
+- Device state flapping
+- Unreliable topology or presence data
+
+## Why You're Seeing This Issue
+
+The running environment does not provide the expected kernel sysctl values. This is common in Docker setups where sysctls were not explicitly configured.
+
+## How to Correct the Issue
+
+Set these sysctls at container runtime.
+
+- In `docker-compose.yml` (preferred):
+  ```yaml
+  services:
+    netalertx:
+      sysctls:
+        net.ipv4.conf.all.arp_ignore: 1
+        net.ipv4.conf.all.arp_announce: 2
+  ```
+
+- For `docker run`:
+  ```bash
+  docker run \
+    --sysctl net.ipv4.conf.all.arp_ignore=1 \
+    --sysctl net.ipv4.conf.all.arp_announce=2 \
+    jokob-sk/netalertx:latest
+  ```
+
+## Additional Resources
+
+For broader Docker Compose guidance, see:
+
+- [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -20,6 +20,7 @@ nav:
        - Docker Updates: UPDATES.md
        - Docker Maintenance: DOCKER_MAINTENANCE.md
      - Docker Startup Troubleshooting:
+        - ARP flux sysctls: docker-troubleshooting/arp-flux-sysctls.md
        - Aufs capabilities: docker-troubleshooting/aufs-capabilities.md
        - Excessive capabilities: docker-troubleshooting/excessive-capabilities.md
        - File permissions: docker-troubleshooting/file-permissions.md