mirror/NetAlertX
1
0
Fork 0
mirror of https://github.com/jokob-sk/NetAlertX.git synced 2026-02-26 20:26:02 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe226597944b1db1320ede039b94de835a22eb51
NetAlertX/docs/docker-troubleshooting/missing-capabilities.md
jokob-sk 5eaeffca04 DOCS: new URL https://docs.netalertx.com/ 
Signed-off-by: jokob-sk <jokob.sk@gmail.com>
2026-01-13 20:16:43 +11:00

50 lines
2.0 KiB
Markdown
Raw Blame History

# Missing Network Capabilities
## Issue Description
Raw network capabilities (NET_RAW, NET_ADMIN, NET_BIND_SERVICE) are missing. Tools that rely on these capabilities (e.g., nmap -sS, arp-scan, nbtscan) will not function.
## Security Ramifications
Network scanning and monitoring requires low-level network access that these capabilities provide. Without them, the application cannot perform essential functions like ARP scanning, port scanning, or passive network discovery, severely limiting its effectiveness.
## Why You're Seeing This Issue
This occurs when the container doesn't have the necessary Linux capabilities granted. Docker containers run with limited capabilities by default, and network monitoring tools need elevated network privileges.
## How to Correct the Issue
Add the required capabilities to your container:
- In docker-compose.yml:
```yaml
cap_add:
- NET_RAW
- NET_ADMIN
- NET_BIND_SERVICE
```
- For docker run: `--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE`
## Additional Resources
Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://docs.netalertx.com/DOCKER_COMPOSE)
## CAP_CHOWN required when cap_drop: [ALL]
When you start NetAlertX with `cap_drop: [ALL]`, the container loses `CAP_CHOWN`. The root priming step needs `CAP_CHOWN` to adjust ownership of `/data` and `/tmp` before dropping privileges to `PUID:PGID`. Without it, startup fails with a fatal `failed to chown` message and exits.
To fix:
- Add `CHOWN` back in `cap_add` when you also set `cap_drop: [ALL]`:
```yaml
cap_drop:
- ALL
cap_add:
- CHOWN
```
- Or pre-chown the mounted host paths to your target `PUID:PGID` so the priming step does not need the capability.
If you harden capabilities further, expect priming to fail until you restore the minimum set needed for ownership changes.
Reference in New Issue View Git Blame Copy Permalink