Improve startup checks

2025-12-07 09:36:05 -08:00 · 2025-10-30 21:05:24 +00:00
parent 8cb1836777
commit b89a44d0ec
6 changed files with 49 additions and 2 deletions
--- a/install/production-filesystem/entrypoint.d/0-storage-permission.sh
+++ b/install/production-filesystem/entrypoint.d/0-storage-permission.sh
--- a/install/production-filesystem/entrypoint.d/10-mounts.py
+++ b/install/production-filesystem/entrypoint.d/10-mounts.py
@@ -4,6 +4,9 @@ import os
 import sys
 from dataclasses import dataclass

+# if NETALERTX_DEBUG is 1 then exit
+if os.environ.get("NETALERTX_DEBUG") == "1":
+    sys.exit(0)
@dataclass
 class MountCheckResult:
    """Object to track mount status and potential issues."""
--- a/install/production-filesystem/entrypoint.d/30-writable-config.sh
+++ b/install/production-filesystem/entrypoint.d/30-writable-config.sh
--- a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
+++ b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# excessive-capabilities.sh checks that no more than the necessary
+# NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.
+
+# Get bounding capabilities from /proc/self/status (what can be acquired)
+BND_HEX=$(grep '^CapBnd:' /proc/self/status | awk '{print $2}' | tr -d '\t')
+
+# Convert hex to decimal
+BND_DEC=$(( 16#$BND_HEX ))
+
+# Allowed capabilities: NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
+ALLOWED_DEC=$(( ( 1 << 10 )  | ( 1 << 12 ) | ( 1 << 13 ) ))
+
+# Check for excessive capabilities (any bits set outside allowed)
+EXTRA=$(( BND_DEC & ~ALLOWED_DEC ))
+
+if [ "$EXTRA" -ne 0 ]; then
+    cat <<EOF
+══════════════════════════════════════════════════════════════════════════════
+⚠️  Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX).
+
+    Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container.
+    Please remove unnecessary capabilities.
+══════════════════════════════════════════════════════════════════════════════
+EOF
+
+fi
--- a/install/production-filesystem/entrypoint.d/95-appliance-integrity.sh
+++ b/install/production-filesystem/entrypoint.d/95-appliance-integrity.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# read-only-mode.sh detects and warns if running read-write on the root filesystem.
+
+# Check if the root filesystem is mounted as read-only
+if ! awk '$2 == "/" && $4 ~ /ro/ {found=1} END {exit !found}' /proc/mounts; then
+    cat <<EOF
+══════════════════════════════════════════════════════════════════════════════
+⚠️  Warning: Container is running as read-write, not in read-only mode.
+
+    Please mount the root filesystem as --read-only or use read-only: true
+    https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md
+══════════════════════════════════════════════════════════════════════════════
+EOF
+
+fi