"Missing Capabilities"

[legionGer]

What installation are you running?

Production (netalertx) 📦

Is there an existing issue for this?

• I have searched the existing open and closed issues and I checked the docs https://docs.netalertx.com/

The issue occurs in the following browsers. Select at least 2.

• Firefox
• Chrome
• Edge
• Safari (unsupported) - PRs welcome
• N/A - This is an issue with the backend

Current Behavior

Hi.

I am currently running into a weird issue when running netalertx as a docker container on an alpine host:

Startup pre-checks
--> data migration.sh 
--> capabilities audit.sh 
══════════════════════════════════════════════════════════════════════════════
🚨 ALERT: Python execution capabilities (NET_RAW/NET_ADMIN) are missing.

    The Python binary in this image has file capabilities (+eip) that
    require these bits in the container's bounding set. Without them,
    the binary will fail to execute (Operation not permitted).

    Restart with: --cap-add=NET_RAW --cap-add=NET_ADMIN
══════════════════════════════════════════════════════════════════════════════
══════════════════════════════════════════════════════════════════════════════
⚠️  WARNING: Reduced functionality (NET_BIND_SERVICE missing).

    Tools like nbtscan cannot bind to privileged ports (UDP 137).
    This will reduce discovery accuracy for legacy devices.

    Consider adding: --cap-add=NET_BIND_SERVICE
══════════════════════════════════════════════════════════════════════════════
Security context: Operational capabilities (CHOWN SETGID SETUID) not granted.
See https://docs.netalertx.com/docker-troubleshooting/missing-capabilities
--> mounts.py 
 Path                     | R | W | Mount | RAMDisk | Performance | DataLoss 
--------------------------+---+---+-------+---------+-------------+----------
 /data                    | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅     
 /data/db                 | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅     
 /data/config             | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅     
 /tmp/run/tmp             | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/api                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/log                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/run                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/nginx/active-config | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
--> first run config.sh 
--> first run db.sh 
--> mandatory folders.sh 
    * Creating DB locked log.
    * Creating Execution queue log.
--> apply conf override.sh 
--> override individual settings.sh 
--> host optimization.sh 
══════════════════════════════════════════════════════════════════════════════
⚠️  WARNING: ARP flux sysctls are not set.

    Expected values:
      net.ipv4.conf.all.arp_ignore=1
      net.ipv4.conf.all.arp_announce=2

    Note: If using 'network_mode: host', setting these via docker-compose sysctls
    requires the NET_ADMIN capability. When granted, these sysctls will
    modify the host namespace. Otherwise, you must configure them directly
    on your host operating system instead.

    Detection accuracy may be reduced until configured.

    See: https://docs.netalertx.com/docker-troubleshooting/arp-flux-sysctls/
══════════════════════════════════════════════════════════════════════════════
--> writable config.sh 
--> nginx config.sh 
--> expected user id match.sh 
--> host mode network.sh 
══════════════════════════════════════════════════════════════════════════════
⚠️  ATTENTION: NetAlertX is not running with --network=host.

    Bridge networking blocks passive discovery (ARP, NBNS, mDNS) and active
    scanning accuracy. Most plugins expect raw access to the LAN through host
    networking and CAP_NET_RAW capabilities.

    Restart the container with:
        docker run --network=host --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE
    or set "network_mode: host" in docker-compose.yml.

    https://docs.netalertx.com/docker-troubleshooting/network-mode

This is what I am greeted with on each startup.

GNU nano 8.7 docker-compose.yml

services:
  netalertx:
    container_name: netalertx
    image: "ghcr.io/netalertx/netalertx:latest"
    network_mode: "host"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
    volumes:
      - /local_data_dir:/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PORT=20211
      - TZ=Europe/Berlin
    tmpfs:
      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

This is the docker-compose.yml so it should have all required priviliges. Despite throwing these warning on startup, netalertx is working correctly in regards to scans.

Expected Behavior

To not show the warning when the priviliges are set and apparently working.

Steps To Reproduce

With this docker-compose run netalertx on a current alpine distro.

Relevant app.conf settings

docker-compose.yml

services:
  netalertx:
    container_name: netalertx
    image: "ghcr.io/netalertx/netalertx:latest"
    network_mode: "host"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - NET_BIND_SERVICE
    volumes:
      - /local_data_dir:/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PORT=20211
      - TZ=Europe/Berlin
    tmpfs:
      - "/tmp:uid=20211,gid=20211,mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

Debug or Trace enabled

• I have read and followed the steps in the wiki link above and provided the required debug logs and the log section covers the time when the issue occurs.

Relevant app.log section

  PASTE LOG HERE. Using the triple backticks preserves format.

Docker Logs

_   _      _    ___  _           _  __   __
| \ | |    | |  / _ \| |         | | \ \ / /
|  \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V /
| .   |/ _ \ __|  _  | |/ _ \  __| __|/   \
| |\  |  __/ |_| | | | |  __/ |  | |_/ /^\ \
\_| \_/\___|\__\_| |_/_|\___|_|   \__\/   \/
   Network intruder and presence detector.
   https://netalertx.com


Startup pre-checks
--> data migration.sh 
--> capabilities audit.sh 
══════════════════════════════════════════════════════════════════════════════
🚨 ALERT: Python execution capabilities (NET_RAW/NET_ADMIN) are missing.

    The Python binary in this image has file capabilities (+eip) that
    require these bits in the container's bounding set. Without them,
    the binary will fail to execute (Operation not permitted).

    Restart with: --cap-add=NET_RAW --cap-add=NET_ADMIN
══════════════════════════════════════════════════════════════════════════════
══════════════════════════════════════════════════════════════════════════════
⚠️  WARNING: Reduced functionality (NET_BIND_SERVICE missing).

    Tools like nbtscan cannot bind to privileged ports (UDP 137).
    This will reduce discovery accuracy for legacy devices.

    Consider adding: --cap-add=NET_BIND_SERVICE
══════════════════════════════════════════════════════════════════════════════
Security context: Operational capabilities (CHOWN SETGID SETUID) not granted.
See https://docs.netalertx.com/docker-troubleshooting/missing-capabilities
--> mounts.py 
 Path                     | R | W | Mount | RAMDisk | Performance | DataLoss 
--------------------------+---+---+-------+---------+-------------+----------
 /data                    | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅     
 /data/db                 | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅     
 /data/config             | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅     
 /tmp/run/tmp             | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/api                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/log                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/run                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
 /tmp/nginx/active-config | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅     
--> first run config.sh 
--> first run db.sh 
--> mandatory folders.sh 
    * Creating DB locked log.
    * Creating Execution queue log.
--> apply conf override.sh 
--> override individual settings.sh 
--> host optimization.sh 
══════════════════════════════════════════════════════════════════════════════
⚠️  WARNING: ARP flux sysctls are not set.

    Expected values:
      net.ipv4.conf.all.arp_ignore=1
      net.ipv4.conf.all.arp_announce=2

    Note: If using 'network_mode: host', setting these via docker-compose sysctls
    requires the NET_ADMIN capability. When granted, these sysctls will
    modify the host namespace. Otherwise, you must configure them directly
    on your host operating system instead.

    Detection accuracy may be reduced until configured.

    See: https://docs.netalertx.com/docker-troubleshooting/arp-flux-sysctls/
══════════════════════════════════════════════════════════════════════════════
--> writable config.sh 
--> nginx config.sh 
--> expected user id match.sh 
--> host mode network.sh 
══════════════════════════════════════════════════════════════════════════════
⚠️  ATTENTION: NetAlertX is not running with --network=host.

    Bridge networking blocks passive discovery (ARP, NBNS, mDNS) and active
    scanning accuracy. Most plugins expect raw access to the LAN through host
    networking and CAP_NET_RAW capabilities.

    Restart the container with:
        docker run --network=host --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE
    or set "network_mode: host" in docker-compose.yml.

    https://docs.netalertx.com/docker-troubleshooting/network-mode
══════════════════════════════════════════════════════════════════════════════
--> excessive capabilities.sh 
══════════════════════════════════════════════════════════════════════════════
⚠️  Warning: Excessive capabilities detected (bounding caps: 0x00000000a80435fb).

    Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are
    required in this container. Please remove unnecessary capabilities.

    https://docs.netalertx.com/docker-troubleshooting/excessive-capabilities
══════════════════════════════════════════════════════════════════════════════
--> appliance integrity.sh 
══════════════════════════════════════════════════════════════════════════════
⚠️  Warning: Container is running as read-write, not in read-only mode.

    Please mount the root filesystem as --read-only or use read_only: true
    https://docs.netalertx.com/docker-troubleshooting/read-only-filesystem
══════════════════════════════════════════════════════════════════════════════
--> ports available.sh 
Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 &
Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log)
Starting /usr/sbin/nginx -p "/tmp/run/" -c "/tmp/nginx/active-config/nginx.conf" -g "error_log stderr; error_log /tmp/log/nginx-error.log; daemon off;" &
Starting python3  -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2)
Successfully updated IEEE OUI database (113727 entries)

[jokob-sk]

Thanks for the report. From memory this can't be detected with 100% accuracy, so if the app is working you can ignore the messages. Also, please check the linked docs in the message to get more context.

@adamoutler can you please confirm?

[adamoutler]

Thanks for the ping @jokob-sk. The only thing that can't be 100% detected is the host-mode network. We can't be sure if we have access to the host or not so we make a guess based on the docker network. That said, it looks like there are a combination of factors here.

I'd like to know what system this is. What is the host you are running this on? It appears to be both constraining and modifying your commands. Lets do a breakdown of the individual errors and warnings presented.

1. Capabilities Warnings (Missing & Excessive)

• "🚨 ALERT: Python execution capabilities (NET_RAW/NET_ADMIN) are missing." and "⚠️ WARNING: Reduced functionality (NET_BIND_SERVICE missing)."
  Even though these are in the cap_add of your docker-compose.yml, the container's startup scripts (10-capabilities-audit.sh) are reporting them as missing. This means something on your host system (e.g., AppArmor, seccomp profiles, or a strict Docker daemon configuration) is actively stripping or overriding these capabilities. The container is asking for them, but the host is refusing to grant them to the bounding set.
• "⚠️ Warning: Excessive capabilities detected..."
  Your docker-compose.yml is missing a cap_drop: - ALL directive. Because the default capabilities aren't dropped before adding the required ones, the excessive capabilities check correctly fires.

2. Network Mode Warning

• "⚠️ ATTENTION: NetAlertX is not running with --network=host."
  As mentioned, this is a heuristic guess. If your host's actual IP/MAC subnet overlaps with typical Docker bridge patterns, this will trigger a false positive.
  Remediation: You can silence this specific warning by adding the following environment variable to your docker-compose.yml:

  environment:
    - SKIP_STARTUP_CHECKS="host mode network"

3. ARP Flux

• "⚠️ WARNING: ARP flux sysctls are not set."
  This is a host-level system misconfiguration. You must correct the sysctls (net.ipv4.conf.all.arp_ignore=1 and net.ipv4.conf.all.arp_announce=2) directly on your host operating system as root, per the linked documentation.

4. Read-Only Filesystem

• "⚠️ Warning: Container is running as read-write, not in read-only mode."
  The script correctly warns that the container is running as read-write. Your docker-compose.yml is missing the read_only: true directive, which triggers this appliance integrity check.