Improve startup checks

2025-12-06 17:15:38 -08:00 · 2025-10-30 21:05:24 +00:00
parent 8cb1836777
commit b89a44d0ec
6 changed files with 49 additions and 2 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -72,11 +72,13 @@ ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
 ENV LOG_CROND=${NETALERTX_LOG}/crond.log

 # System Services configuration files
+ENV ENTRYPOINT_CHECKS=/entrypoint.d
 ENV SYSTEM_SERVICES=/services
 ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
 ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINX_CONFIG}/nginx.conf
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG=${SYSTEM_NGINX_CONFIG}/conf.active
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
 ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
@@ -85,7 +87,7 @@ ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV READ_ONLY_FOLDERS="${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} \
-                       ${SYSTEM_SERVICES_CONFIG}"
+                       ${SYSTEM_SERVICES_CONFIG} ${ENTRYPOINT_CHECKS}"
 ENV READ_WRITE_FOLDERS="${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} \
                       ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} \
                       ${SYSTEM_SERVICES_RUN_LOG}"
@@ -184,7 +186,7 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
    chmod -R 600 ${READ_WRITE_FOLDERS} && \
    find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
    chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
    for dir in ${READ_WRITE_FOLDERS}; do \
        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
    done && \
--- a/install/production-filesystem/entrypoint.d/0-storage-permission.sh
+++ b/install/production-filesystem/entrypoint.d/0-storage-permission.sh
--- a/install/production-filesystem/entrypoint.d/10-mounts.py
+++ b/install/production-filesystem/entrypoint.d/10-mounts.py
@@ -4,6 +4,9 @@ import os
 import sys
 from dataclasses import dataclass

+# if NETALERTX_DEBUG is 1 then exit
+if os.environ.get("NETALERTX_DEBUG") == "1":
+    sys.exit(0)
@dataclass
 class MountCheckResult:
    """Object to track mount status and potential issues."""
--- a/install/production-filesystem/entrypoint.d/30-writable-config.sh
+++ b/install/production-filesystem/entrypoint.d/30-writable-config.sh
--- a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
+++ b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# excessive-capabilities.sh checks that no more than the necessary
+# NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.
+
+# Get bounding capabilities from /proc/self/status (what can be acquired)
+BND_HEX=$(grep '^CapBnd:' /proc/self/status | awk '{print $2}' | tr -d '\t')
+
+# Convert hex to decimal
+BND_DEC=$(( 16#$BND_HEX ))
+
+# Allowed capabilities: NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
+ALLOWED_DEC=$(( ( 1 << 10 )  | ( 1 << 12 ) | ( 1 << 13 ) ))
+
+# Check for excessive capabilities (any bits set outside allowed)
+EXTRA=$(( BND_DEC & ~ALLOWED_DEC ))
+
+if [ "$EXTRA" -ne 0 ]; then
+    cat <<EOF
+══════════════════════════════════════════════════════════════════════════════
+⚠️  Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX).
+
+    Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container.
+    Please remove unnecessary capabilities.
+══════════════════════════════════════════════════════════════════════════════
+EOF
+
+fi
--- a/install/production-filesystem/entrypoint.d/95-appliance-integrity.sh
+++ b/install/production-filesystem/entrypoint.d/95-appliance-integrity.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# read-only-mode.sh detects and warns if running read-write on the root filesystem.
+
+# Check if the root filesystem is mounted as read-only
+if ! awk '$2 == "/" && $4 ~ /ro/ {found=1} END {exit !found}' /proc/mounts; then
+    cat <<EOF
+══════════════════════════════════════════════════════════════════════════════
+⚠️  Warning: Container is running as read-write, not in read-only mode.
+
+    Please mount the root filesystem as --read-only or use read-only: true
+    https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md
+══════════════════════════════════════════════════════════════════════════════
+EOF
+
+fi