Dockerfile.debian building and running

.devcontainer/scripts/setup.sh

@@ -116,8 +116,8 @@ configure_php() {
 start_services() {
     echo "[4/4] Starting services"
 
-    chmod +x /entrypoint.sh
+    sudo chmod +x /entrypoint.sh
-    setsid  bash /entrypoint.sh&
+    setsid bash /entrypoint.sh&
     sleep 1
 }
 

Dockerfile

@@ -3,13 +3,12 @@ FROM alpine:3.22 AS builder
 ARG INSTALL_DIR=/app
 
 ENV PYTHONUNBUFFERED=1
+ENV PATH="/opt/venv/bin:$PATH"
 
 # Install build dependencies
 RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \
     && python -m venv /opt/venv
 
-# Enable venv
-ENV PATH="/opt/venv/bin:$PATH"
 
 RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf simplejson future six urllib3 httplib2 git+https://github.com/foreign-sub/aiofreepybox.git
 
@@ -63,9 +62,20 @@ ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 
+#Python environment
 ENV PYTHONPATH=${NETALERTX_SERVER}
 ENV PYTHONUNBUFFERED=1 
+ENV VIRTUAL_ENV=/opt/venv
+ENV VIRTUAL_ENV_BIN=/opt/venv/bin
 
+# App Environment
+ENV LISTEN_ADDR=0.0.0.0
+ENV PORT=20211
+ENV NETALERTX_DEBUG=0
+ENV VENDORSPATH=/app/back/ieee-oui.txt
+ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+ENV ENVIRONMENT=alpine
 
 RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \
     iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \
@@ -80,7 +90,7 @@ RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iprou
 
 
 # Install application, copy files, set permissions
-COPY --from=builder --chown=20212:20212 /opt/venv /opt/venv
+COPY --from=builder --chown=20212:20212 ${VIRTUAL_ENV} ${VIRTUAL_ENV}}
 COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
 COPY --chown=netalertx:netalertx install/production-filesystem/ /
 COPY --chown=netalertx:netalertx --chmod=755 back ${NETALERTX_BACK}
@@ -97,12 +107,12 @@ RUN apk add libcap && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip /opt/venv/bin/scapy && \
+    setcap cap_net_raw,cap_net_admin+eip ${VIRTUAL_ENV_BIN}scapy && \
     /bin/sh /build/init-nginx.sh && \
     /bin/sh /build/init-php-fpm.sh && \
     /bin/sh /build/init-crond.sh && \
     /bin/sh /build/init-backend.sh && \
-    chmod 755 ${NETALERTX_BACK}/update_vendors.sh ${NETALERTX_BACK}/cron_script.sh ${NETALERTX_BACK}/speedtest-cli && \
+    chmod 755 ${SYSTEM_SERVICES}/update_vendors.sh ${SYSTEM_SERVICES}/cron_script.sh && \
     rm -rf /build && \
     apk del libcap
 # set netalertx to allow sudoers for any command, no password
@@ -133,7 +143,7 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_
     chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN_TMP} && \
     chown readonly:readonly /entrypoint.sh && \
     install -d -o netalertx -g netalertx -m 700 ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} ${SYSTEM_SERVICES_RUN_LOG} && \
-    chmod 005 /entrypoint.sh ${NETALERTX_BACK}/update_vendors.sh ${NETALERTX_BACK}/cron_script.sh ${NETALERTX_BACK}/speedtest-cli 
+    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/update_vendors.sh ${SYSTEM_SERVICES}/cron_script.sh ${SYSTEM_SERVICES}/speedtest-cli 
 
 #
 # remove sudo and alpine installers pacakges

Dockerfile.debian

@@ -4,13 +4,68 @@ FROM debian:bookworm-slim
 ENV USER=pi USER_ID=1000 USER_GID=1000 PORT=20211 
 #TZ=Europe/London
 
+# NetAlertX app directories
+ENV INSTALL_DIR=/app
+ENV NETALERTX_APP=${INSTALL_DIR}
+ENV NETALERTX_CONFIG=${NETALERTX_APP}/config
+ENV NETALERTX_FRONT=${NETALERTX_APP}/front
+ENV NETALERTX_SERVER=${NETALERTX_APP}/server
+ENV NETALERTX_API=${NETALERTX_APP}/api
+ENV NETALERTX_DB=${NETALERTX_APP}/db
+ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
+ENV NETALERTX_BACK=${NETALERTX_APP}/back
+ENV NETALERTX_LOG=${NETALERTX_APP}/log
+ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins
+
+# NetAlertX log files
+ENV LOG_IP_CHANGES=${NETALERTX_LOG}/IP_changes.log
+ENV LOG_APP=${NETALERTX_LOG}/app.log
+ENV LOG_APP_FRONT=${NETALERTX_LOG}/app_front.log
+ENV LOG_REPORT_OUTPUT_TXT=${NETALERTX_LOG}/report_output.txt
+ENV LOG_DB_IS_LOCKED=${NETALERTX_LOG}/db_is_locked.log
+ENV LOG_REPORT_OUTPUT_HTML=${NETALERTX_LOG}/report_output.html
+ENV LOG_STDERR=${NETALERTX_LOG}/stderr.log
+ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
+ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
+ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
+ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
+ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+
+# System Services configuration files
+ENV SYSTEM_SERVICES=/services
+ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
+ENV SYSTEM_NGINIX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
+ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINIX_CONFIG}/nginx.conf
+ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf
+ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
+ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
+ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
+ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run
+ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
+ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
+ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
+
+#Python environment
+ENV PYTHONPATH=${NETALERTX_SERVER}
+ENV PYTHONUNBUFFERED=1 
+ENV VIRTUAL_ENV=/opt/venv
+ENV VIRTUAL_ENV_BIN=/opt/venv/bin
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}:/services"
+ENV VENDORSPATH=/app/back/ieee-oui.txt
+ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt
+
+
+# App Environment
+ENV LISTEN_ADDR=0.0.0.0
+ENV PORT=20211
+ENV NETALERTX_DEBUG=0
+
+#Container environment
+ENV ENVIRONMENT=debian
+
 # Todo, figure out why using a workdir instead of full paths don't work
 # Todo, do we still need all these packages? I can already see sudo which isn't needed
 
-RUN apt-get update 
-RUN apt-get install sudo -y 
-
-ARG INSTALL_DIR=/app
 
 # create pi user and group
 # add root and www-data to pi group so they can r/w files and db
@@ -24,30 +79,48 @@ RUN groupadd --gid "${USER_GID}" "${USER}" && \
     usermod -a -G ${USER_GID} root && \
     usermod -a -G ${USER_GID} www-data
 
+COPY --chmod=775 --chown=${USER_ID}:${USER_GID} install/production-filesystem/ /    
 COPY --chmod=775 --chown=${USER_ID}:${USER_GID} . ${INSTALL_DIR}/
 
 
 # ❗ IMPORTANT - if you modify this file modify the /install/install_dependecies.debian.sh file as well ❗ 
+RUN apt update && apt-get install -y \
+    tini snmp ca-certificates curl libwww-perl arp-scan sudo gettext-base \
+    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools  \
+    python3 python3-dev iproute2 nmap python3-pip zip systemctl usbutils traceroute nbtscan openrc \
+    busybox nginx nginx-core mtr python3-venv
+
+# While php8.3 is in debian bookworm repos, php-fpm is not included so we need to add sury.org repo
+# (Ondřej Surý maintains php packages for debian. This is temp until debian includes php-fpm in their
+# repos. Likely it will be in Debian Trixie.).  This keeps the image up-to-date with the alpine version.
+RUN apt-get install -y --no-install-recommends \
+       apt-transport-https \
+       ca-certificates \
+       lsb-release \
+       wget \
+    wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
+    echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list && \
+    apt-get update && \
+    apt-get install -y php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common && \
+    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 # make it compatible with alpine version
+
+# Configure php-fpm
+RUN chmod -R 755 /services && \
+    adduser netalertx && \
+    sed -i 's/^;listen.mode = .*/listen.mode = 0666/' ${SYSTEM_SERVICES_PHP_FPM_D}/www.conf && \
+    echo "user = netalertx\ngroup = netalertx" >> /services/config/php/php-fpm.d/www.conf
 
 
-RUN apt-get install -y \
+    # Setup virtual python environment and use pip3 to install packages
-    tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo \
+RUN python3 -m venv ${VIRTUAL_ENV} 
-    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools php-openssl \
-    python3 python3-dev iproute2 nmap python3-pip zip systemctl usbutils traceroute nbtscan avahi avahi-tools openrc dbus
     
-# Alternate dependencies
-RUN apt-get install nginx nginx-core mtr php-fpm php8.2-fpm php-cli php8.2 php8.2-sqlite3 -y
-RUN phpenmod -v 8.2 sqlite3 
 
-# Setup virtual python environment and use pip3 to install packages
+RUN /bin/bash -c "source ${VIRTUAL_ENV_BIN}/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag "
-RUN apt-get install -y python3-venv
-RUN python3 -m venv myenv
-
-RUN /bin/bash -c "source myenv/bin/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag "
 
 # Create a buildtimestamp.txt to later check if a new version was released
 RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt
 
-CMD ["${INSTALL_DIR}/install/start.debian.sh"]
+CMD ["/bin/bash"]
+#, "/entrypoint.sh"]
 
 

front/php/server/speedtestcli.php

@@ -10,8 +10,8 @@ require dirname(__FILE__).'/../server/init.php';
 // check if authenticated
 require_once  $_SERVER['DOCUMENT_ROOT'] . '/php/templates/security.php';
 
-exec('../../../back/speedtest-cli --secure --simple', $output);
+//exec('speedtest-cli --secure --simple', $output);
-
+exec('PATH=/usr/bin/:/usr/local/bin:/opt/venv/bin speedtest-cli --secure --simple', $output);
 echo '<h4>'. lang('Speedtest_Results') .'</h4>';
 echo '<pre style="border: none;">'; 
 foreach($output as $line){

front/plugins/vendor_update/script.py

@@ -61,7 +61,7 @@ def update_vendor_database():
 
     # Update vendors DB (iab oui)
     mylog('verbose', ['    Updating vendors DB (iab & oui)'])    
-    update_args = ['sh', applicationPath + '/back/update_vendors.sh']
+    update_args = ['sh', applicationPath + '/services/update_vendors.sh']
 
     # Execute command     
     try:

install/debian12/install_dependencies.debian12.sh

@@ -14,7 +14,7 @@ fi
 
 # Install dependencies
 apt-get install -y \
-    tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo \
+    tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo gettext-base \
     nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools \
     python3 python3-dev iproute2 nmap python3-pip zip usbutils traceroute nbtscan avahi-daemon avahi-utils openrc build-essential git
 
@@ -24,8 +24,8 @@ sudo phpenmod -v 8.2 sqlite3
 
 # setup virtual python environment so we can use pip3 to install packages
 apt-get install python3-venv -y
-python3 -m venv myenv
+python3 -m venv /opt/venv
-source myenv/bin/activate
+source /opt/venv/bin/activate
 
 update-alternatives --install /usr/bin/python python /usr/bin/python3 10
 

install/debian12/start.debian12.sh

@@ -102,10 +102,10 @@ else
   echo "The file ieee-oui.txt does not exist. Running update_vendors..."
 
   # Run the update_vendors.sh script
-  if [ -f "${INSTALL_PATH}/back/update_vendors.sh" ]; then
+  if [ -f "${SYSTEM_SERVICES}/update_vendors.sh" ]; then
-    "${INSTALL_PATH}/back/update_vendors.sh"
+    "${SYSTEM_SERVICES}/update_vendors.sh"
   else
-    echo "update_vendors.sh script not found in $INSTALL_DIR."    
+    echo "update_vendors.sh script not found in $SYSTEM_SERVICES."    
   fi
 fi
 
@@ -175,7 +175,7 @@ nginx -t || { echo "[INSTALL] nginx config test failed"; exit 1; }
 # sudo systemctl restart nginx
 
 #  Activate the virtual python environment
-source myenv/bin/activate
+source /opt/venv/bin/activate
 
 echo "[INSTALL] 🚀 Starting app - navigate to your <server IP>:${PORT}"
 

install/production-filesystem/entrypoint.sh

@@ -2,7 +2,7 @@
 
 set -u
 
-/services/capcheck.sh
+bash /services/capcheck.sh
 
 SERVICES=""
 FAILED_NAME=""
@@ -59,13 +59,17 @@ on_signal() {
     handle_exit
 }
 
+/services/update_vendors.sh &
+
 trap on_signal INT TERM
 
 [ ! -d "${NETALERTX_PLUGINS_LOG}" ] && mkdir -p "${NETALERTX_PLUGINS_LOG}"
 [ ! -f "${LOG_DB_IS_LOCKED}" ] && touch "${LOG_DB_IS_LOCKED}"
 [ ! -f "${LOG_EXECUTION_QUEUE}" ] && touch "${LOG_EXECUTION_QUEUE}"
 
-add_service "/services/start-crond.sh" "crond"
+if [ "${ENVIRONMENT:-}" ] && [ "${ENVIRONMENT:-}" != "debian" ]; then
+    add_service "/services/start-crond.sh" "crond"
+fi
 add_service "/services/start-php-fpm.sh" "php-fpm"
 add_service "/services/start-nginx.sh" "nginx"
 add_service "/services/start-backend.sh" "backend"
@@ -79,7 +83,8 @@ if [ "${NETALERTX_DEBUG:-0}" -eq 1 ]; then
 fi
 
 
-# This is the default action
+# If any service fails, we will shut down all others and exit with the same status.
+# This improves reliability in production environments by reinitializing the entire stack if one service fails.
 while [ -n "${SERVICES}" ]; do
     for entry in ${SERVICES}; do
         pid="${entry%%:*}"

install/production-filesystem/services/config/crond/netalertx

@@ -1,2 +1,4 @@
-# Schedule cron jobs
+# Every minute check for cron jobs
-* * * * * /app/back/cron_script.sh
+* * * * * /services/cron_script.sh
+# Update vendors 4x/d
+0 */6 * * * /services/update_vendors.sh

install/production-filesystem/services/cron_script.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+export INSTALL_DIR=/app
+
+
+
+# Check if there are any entries with cron_restart_backend
+if grep -q "cron_restart_backend" "${LOG_EXECUTION_QUEUE}"; then
+  # Restart python application using s6
+  killall python3
+  /services/start-backend.sh &
+  echo 'done'
+
+  # Remove all lines containing cron_restart_backend from the log file
+  sed -i '/cron_restart_backend/d' "${LOG_EXECUTION_QUEUE}"
+fi

install/production-filesystem/services/start-nginx.sh

@@ -32,8 +32,12 @@ while $(ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null); do
 	sleep 0.2
 done
 
-if ! envsubst '${LISTEN_ADDR} ${PORT}'< "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${SYSTEM_NGINX_CONFIG_FILE}" 2>/dev/null; then
+TEMP_CONFIG_FILE=$(mktemp "${TMP_DIR}/netalertx.conf.XXXXXX")
-    echo "Note: Unable to write to ${SYSTEM_NGINX_CONFIG_FILE}. Using default configuration."
+if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
+	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_NGINX_CONFIG_FILE}"
+else
+	echo "Note: Unable to write to ${SYSTEM_NGINX_CONFIG_FILE}. Using default configuration."
+	rm -f "${TEMP_CONFIG_FILE}"
 fi
 
 trap cleanup EXIT

install/production-filesystem/services/update_vendors.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# ------------------------------------------------------------------------------
+#  NetAlertX
+#  Open Source Network Guard / WIFI & LAN intrusion detector 
+#
+#  update_vendors.sh - Back module. IEEE Vendors db update
+# ------------------------------------------------------------------------------
+#  Puche 2021 / 2022+ jokob             jokob@duck.com                GNU GPLv3
+# ------------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------
+#  Main directories to update:
+#    /usr/share/arp-scan
+# ----------------------------------------------------------------------
+
+# Download the file using wget to stdout and process it
+wget -q "http://standards-oui.ieee.org/oui/oui.txt" -O /dev/stdout | \
+    sed -E 's/ *\(base 16\)//' | \
+    awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' | \
+    sort | \
+    awk '{$1=$1; print}' | \
+    sort -u | \
+    awk -F' ' '{printf "%s\t%s\n", $1, substr($0, index($0, $2))}' \
+    > /services/run/tmp/ieee-oui.txt
+

install/ubuntu24/install.sh

@@ -243,10 +243,10 @@ else
   echo "[INSTALL] The file ieee-oui.txt does not exist. Running update_vendors..."
 
   # Run the update_vendors.sh script
-  if [ -f "${INSTALL_DIR}/back/update_vendors.sh" ]; then
+  if [ -f "${SYSTEM_SERVICES}/update_vendors.sh" ]; then
-    "${INSTALL_DIR}/back/update_vendors.sh"
+    "${SYSTEM_SERVICES}/update_vendors.sh"
   else
-    echo "[INSTALL] update_vendors.sh script not found in ${INSTALL_DIR}."    
+    echo "[INSTALL] update_vendors.sh script not found in ${SYSTEM_SERVICES}."    
   fi
 fi
 

server/const.py

@@ -1,8 +1,11 @@
 """ CONSTANTS for NetAlertX """
+import os
 
 #===============================================================================
 # PATHS
 #===============================================================================
+
+
 applicationPath = '/app'
 dbFileName      = 'app.db'
 confFileName    = 'app.conf'
@@ -17,8 +20,8 @@ reportTemplatesPath = applicationPath + '/front/report_templates/'
 fullConfFolder      = applicationPath + '/config'
 fullConfPath        = applicationPath + confPath
 fullDbPath          = applicationPath + dbPath
-vendorsPath         = '/usr/share/arp-scan/ieee-oui.txt'
+vendorsPath         = os.getenv('VENDORSPATH', '/usr/share/arp-scan/ieee-oui.txt')
-vendorsPathNewest   = '/usr/share/arp-scan/ieee-oui_all_filtered.txt'
+vendorsPathNewest   = os.getenv('VENDORSPATH_NEWEST', '/usr/share/arp-scan/ieee-oui_all_filtered.txt')
 
 default_tz          = 'Europe/Berlin'