Basic fixes for synology

2026-04-03 00:31:35 -07:00 · 2026-01-08 22:56:15 +00:00
parent e6194564b8
commit 739f17474f
8 changed files with 401 additions and 28 deletions
--- a/install/production-filesystem/entrypoint.d/10-capabilities-audit.sh
+++ b/install/production-filesystem/entrypoint.d/10-capabilities-audit.sh
@@ -12,6 +12,31 @@ YELLOW=$(printf '\033[1;33m')
 GREY=$(printf '\033[90m')
 RESET=$(printf '\033[0m')

+_detect_storage_driver() {
+    mounts_path="/proc/mounts"
+
+    if [ -n "${NETALERTX_PROC_MOUNTS_B64:-}" ]; then
+        mounts_override="/tmp/netalertx_proc_mounts_inline_capcheck"
+        if printf '%s' "${NETALERTX_PROC_MOUNTS_B64}" | base64 -d > "${mounts_override}" 2>/dev/null; then
+            chmod 600 "${mounts_override}" 2>/dev/null || true
+            mounts_path="${mounts_override}"
+        fi
+    elif [ -n "${NETALERTX_PROC_MOUNTS_OVERRIDE:-}" ]; then
+        mounts_path="${NETALERTX_PROC_MOUNTS_OVERRIDE}"
+    fi
+
+    if [ ! -r "${mounts_path}" ]; then
+        echo "other"
+        return
+    fi
+
+    if grep -qE '^[^ ]+ / aufs ' "${mounts_path}" 2>/dev/null; then
+        echo "aufs"
+    else
+        echo "other"
+    fi
+}
+
 # Parse Bounding Set from /proc/self/status
 cap_bnd_hex=$(awk '/CapBnd/ {print $2}' /proc/self/status 2>/dev/null || echo "0")
 # Convert hex to dec (POSIX compliant)
@@ -69,4 +94,23 @@ if [ -n "${missing_admin}" ]; then
    fi
 fi

+storage_driver=$(_detect_storage_driver)
+runtime_uid=$(id -u 2>/dev/null || echo 0)
+
+if [ "${storage_driver}" = "aufs" ] && [ "${runtime_uid}" -ne 0 ]; then
+    printf "%s" "${YELLOW}"
+    cat <<'EOF'
+══════════════════════════════════════════════════════════════════════════════
+⚠️  WARNING: Reduced functionality (AUFS + non-root user).
+
+    AUFS strips Linux file capabilities, so tools like arp-scan, nmap, and
+    nbtscan fail when NetAlertX runs as a non-root PUID.
+
+    Set PUID=0 on AUFS hosts for full functionality:
+    https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/aufs-capabilities.md
+══════════════════════════════════════════════════════════════════════════════
+EOF
+    printf "%s" "${RESET}"
+fi
+
 exit 0
--- a/install/production-filesystem/entrypoint.sh
+++ b/install/production-filesystem/entrypoint.sh
@@ -51,7 +51,8 @@ fi
 # hands control back to this script.
 if [ "${ENTRYPOINT_PRIMED:-0}" != "1" ] && [ "$(id -u)" -eq 0 ] && [ -x "/root-entrypoint.sh" ]; then
    >&2 cat <<'EOF'
-NetAlertX is running as ROOT (UID 0). Prefer setting PUID/PGID to 20211 for better isolation.
+ℹ️  NetAlertX startup: Running privilege check and path priming as ROOT.
+    (On modern systems, privileges will be dropped to PUID after setup)
 EOF
    export ENTRYPOINT_PRIMED=1
    exec /root-entrypoint.sh "$@"
--- a/install/production-filesystem/root-entrypoint.sh
+++ b/install/production-filesystem/root-entrypoint.sh
@@ -23,23 +23,66 @@
 #    - EXEC: Direct entrypoint execution as current user.
 #
 # 2. RUNTIME: ROOT (Container started as user: 0)
-#    A. TARGET: PUID=0 (User requested root)
-#       - Permissions priming skipped (already root).
-#       - EXEC: Direct entrypoint execution as root (with security warning).
-#
-#    B. TARGET: PUID > 0 (User requested privilege drop)
-#       - PRIMING: Attempt chown on /data & /tmp to PUID:PGID.
-#         (Failures logged but non-fatal to support NFS/ReadOnly mounts).
-#       - EXEC: Attempt `su-exec PUID:PGID`.
-#         - Success: Process runs as PUID.
-#         - Failure (Missing CAPS): Fallback to running as root to prevent crash.
-# - If PUID=0, log a warning and run directly.
-# - Otherwise, attempt to prime paths and `su-exec` to PUID:PG
+#    - PRIMING: Always ensure paths exist and chown to requested PUID:PGID
+#      (defaults to 20211). Failures are logged but non-fatal to support
+#      NFS/ReadOnly mounts.
+#    - EXEC: Attempt `su-exec PUID:PGID` (including 0:0) to keep a single
+#      execution path. On failure (missing caps/tool), log and run as root.
+#    - If PUID=0, warn operators that processes remain root-owned.

+PROC_MOUNTS_PATH="/proc/mounts"
+PROC_MOUNTS_OVERRIDE_REASON=""

+if [ -n "${NETALERTX_PROC_MOUNTS_B64:-}" ]; then
+    PROC_MOUNTS_INLINE_PATH="/tmp/netalertx_proc_mounts_inline"
+    if printf '%s' "${NETALERTX_PROC_MOUNTS_B64}" | base64 -d > "${PROC_MOUNTS_INLINE_PATH}" 2>/dev/null; then
+        chmod 600 "${PROC_MOUNTS_INLINE_PATH}" 2>/dev/null || true
+        PROC_MOUNTS_PATH="${PROC_MOUNTS_INLINE_PATH}"
+        PROC_MOUNTS_OVERRIDE_REASON="inline"
+    else
+        >&2 printf 'Warning: Failed to decode NETALERTX_PROC_MOUNTS_B64; continuing with %s.\n' "${PROC_MOUNTS_PATH}"
+    fi
+elif [ -n "${NETALERTX_PROC_MOUNTS_OVERRIDE:-}" ]; then
+    PROC_MOUNTS_PATH="${NETALERTX_PROC_MOUNTS_OVERRIDE}"
+    PROC_MOUNTS_OVERRIDE_REASON="file"
+fi
+
+if [ "${PROC_MOUNTS_OVERRIDE_REASON}" = "inline" ]; then
+    >&2 echo "Note: Using inline /proc/mounts override for storage-driver detection."
+elif [ "${PROC_MOUNTS_PATH}" != "/proc/mounts" ]; then
+    >&2 printf 'Note: Using override for /proc/mounts at %s\n' "${PROC_MOUNTS_PATH}"
+fi
+
+# Detect AUFS storage driver; emit warnings so operators can take corrective action
+_detect_storage_driver() {
+    local mounts_path="${PROC_MOUNTS_PATH}"
+    if [ ! -r "${mounts_path}" ]; then
+        >&2 printf 'Note: Unable to read %s; assuming non-AUFS storage.\n' "${mounts_path}"
+        echo "other"
+        return
+    fi
+    # Check mounts file to detect if root filesystem uses aufs
+    if grep -qE '^[^ ]+ / aufs ' "${mounts_path}" 2>/dev/null; then
+        echo "aufs"
+    else
+        echo "other"
+    fi
+}
+
+STORAGE_DRIVER="$(_detect_storage_driver)"
 PUID="${PUID:-${NETALERTX_UID:-20211}}"
 PGID="${PGID:-${NETALERTX_GID:-20211}}"

+if [ "${STORAGE_DRIVER}" = "aufs" ]; then
+    >&2 cat <<'EOF'
+⚠️  WARNING: Legacy AUFS storage driver detected.
+    AUFS strips file capabilities (setcap) during image extraction which breaks
+    layer-2 scanners (arp-scan, etc.) when running as non-root.
+    Action: set PUID=0 (root) on AUFS hosts or migrate to a supported driver.
+    Details: https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/aufs-capabilities.md
+EOF
+fi
+
 RED=$(printf '\033[1;31m')
 RESET=$(printf '\033[0m')

@@ -130,11 +173,6 @@ if [ "$(id -u)" -ne 0 ]; then
    exec /entrypoint.sh "$@"
 fi

-if [ "${PUID}" -eq 0 ]; then
-    >&2 echo "WARNING: Running as root (PUID=0). Prefer a non-root PUID."
-    exec /entrypoint.sh "$@"
-fi
-
 _prime_paths() {
    runtime_root="${NETALERTX_RUNTIME_BASE:-/tmp}"
    paths="/tmp ${NETALERTX_DATA:-/data} ${NETALERTX_CONFIG:-/data/config} ${NETALERTX_DB:-/data/db} ${NETALERTX_LOG:-${runtime_root}/log} ${NETALERTX_PLUGINS_LOG:-${runtime_root}/log/plugins} ${NETALERTX_API:-${runtime_root}/api} ${SYSTEM_SERVICES_RUN:-${runtime_root}/run} ${SYSTEM_SERVICES_RUN_TMP:-${runtime_root}/run/tmp} ${SYSTEM_SERVICES_RUN_LOG:-${runtime_root}/run/logs} ${SYSTEM_SERVICES_ACTIVE_CONFIG:-${runtime_root}/nginx/active-config} ${runtime_root}/nginx"
@@ -154,6 +192,10 @@ _prime_paths() {
 }
 _prime_paths

+if [ "${PUID}" -eq 0 ]; then
+    >&2 echo "ℹ️  Running as root (PUID=0). Paths will be owned by root."
+fi
+
 unset NETALERTX_PRIVDROP_FAILED
 if ! su-exec "${PUID}:${PGID}" /entrypoint.sh "$@"; then
    rc=$?