Description
What installation are you running?
Production (netalertx) 📦
Did I research?
- I have searched the docs https://docs.netalertx.com/
- I have searched the existing open and closed issues
- I confirm my SCAN_SUBNETS is configured and tested as per https://docs.netalertx.com/SUBNETS
The issue occurs in the following browsers. Select at least 2.
- Firefox
- Chrome
- Other (unsupported) - PRs welcome
- N/A - This is an issue with the backend
Hey there,
I just upgraded to 26.3.7, and while checking the container logs at startup, I saw the warning about "ARP flux sysctls not set"
(which I'm pretty sure wasn't present in 26.2.6 before the update).
NetAlertX seems to be working fine, but I looked up the issue and added the recommended sysctls section to my docker compose file.
This led to an error preventing it from starting:
Failed to deploy a stack: compose up operation failed: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: sysctl "net.ipv4.conf.all.arp_announce" not allowed in host network namespace: unknown
(Googling for this, I found some info saying it wasn't compatible with host network mode, but I'm not sure if this applies here, not being a docker guru.)
Is there something else I should do? Or is it just OK to let it run without these settings and live with the warning?
The container is running in host network mode, docker (+ portainer) on Ubuntu Server on bare metal.
NB: I'm not using any .env file, so the $var references in the yml simply fall back to their defaults.
docker-compose.yml
```yaml
services:
  netalertx:
    container_name: netalertx
    image: ghcr.io/netalertx/netalertx:latest
    read_only: true        # Make the container filesystem read-only
    network_mode: host     # Use host networking for ARP scanning and other services
    cap_drop:              # Drop all capabilities for enhanced security
      - ALL
    cap_add:               # Add only the necessary capabilities
      - NET_ADMIN          # Required for scanning with arp-scan, nmap, nbtscan, traceroute, and zero-conf
      - NET_RAW            # Required for raw socket operations with arp-scan, nmap, nbtscan, traceroute and zero-conf
      - NET_BIND_SERVICE   # Required to bind to privileged ports with nbtscan
      - CHOWN              # Required for root-entrypoint to chown /data + /tmp before dropping privileges
      - SETUID             # Required for root-entrypoint to switch to non-root user
      - SETGID             # Required for root-entrypoint to switch to non-root group
    sysctls:               # ARP flux mitigation (reduces duplicate/ambiguous ARP behavior on host networking)
      net.ipv4.conf.all.arp_ignore: 1
      net.ipv4.conf.all.arp_announce: 2
    volumes:
      - /var/lib/docker/files/netalertx/data:/data
      - /etc/localtime:/etc/localtime:ro
    tmpfs:
      - "/tmp:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
    environment:
      PUID: ${NETALERTX_UID:-20211}   # Runtime UID after priming
      PGID: ${NETALERTX_GID:-20211}   # Runtime GID after priming
    mem_limit: 2048m         # Maximum memory usage
    mem_reservation: 1024m   # Soft memory limit
    cpu_shares: 512          # Relative CPU weight for CPU contention scenarios
    pids_limit: 512          # Limit the number of processes/threads to prevent fork bombs
    logging:
      options:
        max-size: "10m"      # Rotate log files after they reach 10MB
        max-file: "3"        # Keep a maximum of 3 log files
    restart: unless-stopped
```
app.log
No response
Debug enabled
- I have read and followed the steps in the wiki link above and provided the required debug logs and the log section covers the time when the issue occurs.
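The runc error quoted in the report is the expected behaviour for `network_mode: host`: the container shares the host's network namespace, and `net.*` sysctls can only be applied to a namespace the container owns, so they have to be configured on the host itself (via `sysctl -w`, or persistently in `/etc/sysctl.d/`) rather than in the compose file. The script below is an added example, not code from the issue or from the NetAlertX project: it reads the two ARP flux sysctls the compose snippet tries to set, compares them against the values in that snippet (1 and 2), and prints the `sysctl -w` commands that would bring the host in line. The sysctl root directory is a parameter so the check can be run against a copy of the tree; the function name `check_arp_flux` and the `/etc/sysctl.d/99-netalertx-arp.conf` file name are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the NetAlertX project): verify the ARP flux
# sysctls on the host, where they must live when the container uses
# network_mode: host. Reads /proc/sys directly; the root is a parameter so
# the check can be pointed at a test copy of the tree.

# Values from the sysctls section of the compose file in the issue.
ARP_IGNORE_WANT=1
ARP_ANNOUNCE_WANT=2

# read_sysctl ROOT KEY -> prints the value of net.ipv4.conf.all.KEY
# under ROOT, or "missing" if the file is absent or unreadable.
read_sysctl() {
    f="$1/net/ipv4/conf/all/$2"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# check_arp_flux [ROOT] -> returns 0 when both sysctls already hold the
# recommended values, 1 otherwise; for every mismatch it prints the current
# value and the host command that fixes it. ROOT defaults to /proc/sys.
check_arp_flux() {
    root="${1:-/proc/sys}"
    status=0
    ignore=$(read_sysctl "$root" arp_ignore)
    announce=$(read_sysctl "$root" arp_announce)
    if [ "$ignore" != "$ARP_IGNORE_WANT" ]; then
        echo "net.ipv4.conf.all.arp_ignore=$ignore (want $ARP_IGNORE_WANT)"
        echo "  fix: sysctl -w net.ipv4.conf.all.arp_ignore=$ARP_IGNORE_WANT"
        status=1
    fi
    if [ "$announce" != "$ARP_ANNOUNCE_WANT" ]; then
        echo "net.ipv4.conf.all.arp_announce=$announce (want $ARP_ANNOUNCE_WANT)"
        echo "  fix: sysctl -w net.ipv4.conf.all.arp_announce=$ARP_ANNOUNCE_WANT"
        status=1
    fi
    if [ "$status" -ne 0 ]; then
        # Persisting the values so they survive a reboot (file name assumed):
        echo "  persist: printf 'net.ipv4.conf.all.arp_ignore=$ARP_IGNORE_WANT\\nnet.ipv4.conf.all.arp_announce=$ARP_ANNOUNCE_WANT\\n' > /etc/sysctl.d/99-netalertx-arp.conf && sysctl --system"
    fi
    return "$status"
}

# When run as a script, check the real host (or the root given as $1).
# Wrapped in 'if' so a mismatch reports instead of aborting under set -e.
if check_arp_flux "${1:-/proc/sys}"; then
    echo "ARP flux sysctls already set; the compose sysctls section can be removed"
else
    echo "ARP flux sysctls not set on the host; apply the commands above, then drop the sysctls section from the compose file"
fi
```

Run it on the Docker host as root (`sh check_arp_flux.sh`). Once the host reports both values as set, the `sysctls:` block in the compose file is redundant and should be removed, since runc will keep rejecting it in the host network namespace regardless of what the host already has configured.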