Trying to run heplify as non-root, with cap_add in a container

[TheQue42]

Hi,

My attempts at running heplify in a non-root docker container, adding capabilities with:

cap_add:
  - CAP_NET_ADMIN
  - CAP_NET_RAW
  - CAP_BPF
  - CAP_SYS_ADMIN

in docker-compose.

But I just get: Critical: setting af_packet handle: operation not permitted

Any pointers?

[TheQue42]

It seems the binary will need RUN setcap cap_net_raw,cap_net_admin=eip heplify in the dockerfile, for the capabilities to be used when starting. Is this something that could be added to the default image build?

[lmangani]

@TheQue42 absolutely, feel free to open a PR with the proposed changes and we'll go from there

[TheQue42]

I'd love to, but since the "RUN setcap" command cant be run in the "FROM scratch" image you use now, we'd have to change the empty base image into a "real" image that contains setcap.

And I am not sure I am the one to decide which you want?

[lmangani]

heplify will run fine in any image, the scratch choice was purely related to size and proving the static build.
Feel free to switch to alpine or any other viable image and we'll go from there.

[TheQue42]

Seems like this works.

https://github.com/TheQue42/heplify/blob/master/docker/heplify/Dockerfile

I'll continue tomorrow :-)

[lmangani]

It looks promising! let us know if you notice any other issues before we make this the new standard

[TheQue42]

Super! My docker-compose with:

  heplify:
    image: sipcapture/heplify:latest
    user: 1000:1000
    cap_add:
      - CAP_NET_ADMIN
      - CAP_NET_RAW
    profiles:
      - homer
    command:
      ./heplify -e -hs ${HOMER_DST}:9060 -m SIP -dd -zf -l info
    network_mode: host
    restart: unless-stopped
    depends_on:
      - xyz

Will now work fine!