Merge pull request #1544 from adamoutler/built-in-tests

Improve built-in test used during system startup - thanks @adamoutler 🙏
2026-03-30 23:03:03 -07:00 · 2026-03-05 06:48:46 +11:00
parent c73ce839f2 b854206599
commit 89811cd133
14 changed files with 265 additions and 165 deletions
--- a/install/docker/docker-compose.dev.yml
+++ b/install/docker/docker-compose.dev.yml
@@ -13,6 +13,9 @@ services:
      - CHOWN
      - SETUID
      - SETGID
+    sysctls:
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2
    volumes:
      - type: volume
        source: netalertx_data
--- a/install/docker/docker-compose.yml
+++ b/install/docker/docker-compose.yml
@@ -13,6 +13,9 @@ services:
      - CHOWN
      - SETUID
      - SETGID
+    sysctls:
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2
    volumes:
      - type: volume
        source: netalertx_data
--- a/install/production-filesystem/entrypoint.d/36-override-individual-settings.sh
+++ b/install/production-filesystem/entrypoint.d/36-override-individual-settings.sh
@@ -9,28 +9,17 @@ if [ ! -f "${NETALERTX_CONFIG}/app.conf" ]; then
    exit 0
 fi

-# Helper: set or append config key safely
-set_config_value() {
-    _key="$1"
-    _value="$2"
-
-    # Remove newlines just in case
-    _value=$(printf '%s' "$_value" | tr -d '\n\r')
-
-    # Escape sed-sensitive chars
-    _escaped=$(printf '%s\n' "$_value" | sed 's/[\/&]/\\&/g')
-
-    if grep -q "^${_key}=" "${NETALERTX_CONFIG}/app.conf"; then
-        sed -i "s|^${_key}=.*|${_key}=${_escaped}|" "${NETALERTX_CONFIG}/app.conf"
-    else
-        echo "${_key}=${_value}" >> "${NETALERTX_CONFIG}/app.conf"
-    fi
-}
-
-# ------------------------------------------------------------
-# LOADED_PLUGINS override
-# ------------------------------------------------------------
 if [ -n "${LOADED_PLUGINS:-}" ]; then
    echo "[ENV] Applying LOADED_PLUGINS override"
-    set_config_value "LOADED_PLUGINS" "$LOADED_PLUGINS"
+    value=$(printf '%s' "$LOADED_PLUGINS" | tr -d '\n\r')
+    # declare delimiter for sed and escape it along with / and &
+    delim='|'
+    escaped=$(printf '%s\n' "$value" | sed "s/[\/${delim}&]/\\&/g")
+
+    if grep -q '^LOADED_PLUGINS=' "${NETALERTX_CONFIG}/app.conf"; then
+        # use same delimiter when substituting
+        sed -i "s${delim}^LOADED_PLUGINS=.*${delim}LOADED_PLUGINS=${escaped}${delim}" "${NETALERTX_CONFIG}/app.conf"
+    else
+        echo "LOADED_PLUGINS=${value}" >> "${NETALERTX_CONFIG}/app.conf"
+    fi
 fi
--- a/install/production-filesystem/entrypoint.d/37-host-optimization.sh
+++ b/install/production-filesystem/entrypoint.d/37-host-optimization.sh
@@ -1,92 +1,30 @@
 #!/bin/sh

-# 37-host-optimization.sh: Apply and validate network optimizations (ARP flux fix)
+# 37-host-optimization.sh: Detect ARP flux sysctl configuration.
 #
-# This script improves detection accuracy by ensuring proper ARP behavior.
-# It attempts to apply sysctl settings and warns if not possible.
+# This script does not change host/kernel settings.

-# --- Color Codes ---
-RED=$(printf '\033[1;31m')
 YELLOW=$(printf '\033[1;33m')
 RESET=$(printf '\033[0m')

-# --- Skip flag ---
-if [ -n "${SKIP_OPTIMIZATIONS:-}" ]; then
-    exit 0
-fi
-
-# --- Helpers ---
-
-get_sysctl() {
-    sysctl -n "$1" 2>/dev/null || echo "unknown"
-}
-
-set_sysctl_if_needed() {
-    key="$1"
-    expected="$2"
-
-    current="$(get_sysctl "$key")"
-
-    # Already correct
-    if [ "$current" = "$expected" ]; then
-        return 0
-    fi
-
-    # Try to apply
-    if sysctl -w "$key=$expected" >/dev/null 2>&1; then
-        return 0
-    fi
-
-    # Failed
-    return 1
-}
-
-# --- Apply Settings (best effort) ---
-
 failed=0

-set_sysctl_if_needed net.ipv4.conf.all.arp_ignore 1 || failed=1
-set_sysctl_if_needed net.ipv4.conf.all.arp_announce 2 || failed=1
-set_sysctl_if_needed net.ipv4.conf.default.arp_ignore 1 || failed=1
-set_sysctl_if_needed net.ipv4.conf.default.arp_announce 2 || failed=1
+[ "$(sysctl -n net.ipv4.conf.all.arp_ignore 2>/dev/null || echo unknown)" = "1" ] || failed=1
+[ "$(sysctl -n net.ipv4.conf.all.arp_announce 2>/dev/null || echo unknown)" = "2" ] || failed=1

-# --- Validate final state ---
-
-all_ignore="$(get_sysctl net.ipv4.conf.all.arp_ignore)"
-all_announce="$(get_sysctl net.ipv4.conf.all.arp_announce)"
-
-# --- Warning Output ---
-
-if [ "$all_ignore" != "1" ] || [ "$all_announce" != "2" ]; then
+if [ "$failed" -eq 1 ]; then
    >&2 printf "%s" "${YELLOW}"
-    >&2 cat <<EOF
+    >&2 cat <<'EOF'
 ══════════════════════════════════════════════════════════════════════════════
-⚠️  ATTENTION: ARP flux protection not enabled.
-
-    NetAlertX relies on ARP for device detection. Your system currently allows
-    ARP replies from incorrect interfaces (ARP flux), which may result in:
-
-      • False devices being detected
-      • IP/MAC mismatches
-      • Flapping device states
-      • Incorrect network topology
-
-    This is common when running in Docker or multi-interface environments.
-
-    ──────────────────────────────────────────────────────────────────────────
-    Recommended fix (Docker Compose):
-
-    sysctls:
-      net.ipv4.conf.all.arp_ignore: 1
-      net.ipv4.conf.all.arp_announce: 2
-
-    ──────────────────────────────────────────────────────────────────────────
-    Alternatively, apply on the host:
+⚠️  WARNING: ARP flux sysctls are not set.

+    Expected values:
      net.ipv4.conf.all.arp_ignore=1
      net.ipv4.conf.all.arp_announce=2

-    Detection accuracy may be reduced until this is configured.
+    Detection accuracy may be reduced until configured.
+
+    See: https://docs.netalertx.com/docker-troubleshooting/arp-flux-sysctls/
 ══════════════════════════════════════════════════════════════════════════════
 EOF
    >&2 printf "%s" "${RESET}"
--- a/install/production-filesystem/entrypoint.sh
+++ b/install/production-filesystem/entrypoint.sh
@@ -86,10 +86,11 @@ for script in "${ENTRYPOINT_CHECKS}"/*; do
    fi
    script_name=$(basename "$script" | sed 's/^[0-9]*-//;s/\.(sh|py)$//;s/-/ /g')
    echo "--> ${script_name} "
-	if [ -n "${SKIP_STARTUP_CHECKS:-}" ] && echo "${SKIP_STARTUP_CHECKS}" | grep -q "\b${script_name}\b"; then
-    printf "%sskip%s\n" "${GREY}" "${RESET}"
-		continue
-	fi
+    if [ -n "${SKIP_STARTUP_CHECKS:-}" ] &&
+       printf '%s' "${SKIP_STARTUP_CHECKS}" | grep -wFq -- "${script_name}"; then
+        printf "%sskip%s\n" "${GREY}" "${RESET}"
+        continue
+    fi

    "$script"
    NETALERTX_DOCKER_ERROR_CHECK=$?
--- a/install/production-filesystem/services/healthcheck.sh
+++ b/install/production-filesystem/services/healthcheck.sh
@@ -48,11 +48,13 @@ else
    log_error "python /app/server is not running"
 fi

-# 5. Check port 20211 is open and contains "netalertx"
-if curl -sf --max-time 10 "http://localhost:${PORT:-20211}" | grep -i "netalertx" > /dev/null; then
-    log_success "Port ${PORT:-20211} is responding and contains 'netalertx'"
+# 5. Check port 20211 is open
+CHECK_ADDR="${LISTEN_ADDR:-127.0.0.1}"
+[ "${CHECK_ADDR}" == "0.0.0.0" ] && CHECK_ADDR="127.0.0.1"
+if timeout 10 bash -c "</dev/tcp/${CHECK_ADDR}/${PORT:-20211}" 2>/dev/null; then
+    log_success "Port ${PORT:-20211} is responding"
 else
-    log_error "Port ${PORT:-20211} is not responding or doesn't contain 'netalertx'"
+    log_error "Port ${PORT:-20211} is not responding"
 fi

 # NOTE: GRAPHQL_PORT might not be set and is initailized as a setting with a default value in the container. It can also be initialized via APP_CONF_OVERRIDE 
@@ -71,4 +73,4 @@ else
    echo "[HEALTHCHECK] ❌ One or more health checks failed"
 fi

-exit $EXIT_CODE
+exit $EXIT_CODE