Starting zeek inside docker container fails when started automatically

Hi all,

I have the latest zeek (5.1.1) inside a docker container. Container was built based on the Dockerfile from the Zeek sources. I have an entrypoint shell script that starts Zeek using: /sbin/runuser -l zeek -c '/usr/local/zeek/bin/zeekctl deploy'. This fails as the workers won't start with the following error: fatal error: problem with interface af_packet:pcap0 (yes we renamed all capture interfaces to pcap0, pcap1 to identify them easily and to simplify the configuration of various applications).

This looks like a permission error, however, when I start the container interactively with bash as entrypoint and I copy/paste the exact command from the entrypoint shell script, everything works just fine.
BTW: the entrypoint script ends with a ‘sleep infinity’ otherwise the container exits immediately because zeekctl starts everything in the background.

So: if the container is started like this: docker run --rm -it --name zeek --cap-add net_raw --net=host --entrypoint=/bin/bash, it works;
if I start it with -d (and not -it) and my default entrypoint script, it won’t work.
The zeek binary inside the container also had the right capability added.

Anyone any idea?
Thank you very much in advance.
Kind regards,

John

Hi John,

Welcome! The “problem with interface” error message should include a reason in parentheses, I presume it actually confirms that it’s a permission problem?

What happens when you use docker run -it but give it your entrypoint script as command? Another thing you could try is to examine your environment in both scenarios, to look for clues.

Best,
Christian


If af_packet:pcap0 is the string you actually used as interface, try af_packet::pcap0 with two colons.

The former will use the libpcap packet source and pass af_packet:pcap0 as interface name (likely erring), while the latter will use the af_packet packet source and use pcap0 as interface name.


Hi all,

the single colon instead of the double colon is simply my typo because the zeek-sensor runs in a separate environment and copy/paste is a challenge 🙂

However, I found my mistake: it has to do with the Linux capability cap_net_raw that was set on the zeek (and capstats) binary. Somewhere in the docker-entrypoint file there is a chown -R zeek:zeek for the entire zeek-tree in case you give your container separate user and/or group IDs. After the chown all capabilities are lost, which is completely understandable from a security point of view.

So thanks for the suggestions. Christian's suggestion to simply start my docker-entrypoint interactively pointed me in the right direction.

Have a nice weekend!
Regards, John
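The two pitfalls in this thread (an interface spec with a single colon silently falling back to the libpcap source, and chown -R stripping the file capabilities from the zeek binary) can both be guarded against in the entrypoint. The following is an added example, not the Dockerfile's or Zeek's own entrypoint; the install prefix, the binary list and the capability set are assumptions taken from the thread.

```shell
#!/bin/sh
# Assumed install prefix and the binaries the thread says carry cap_net_raw.
ZEEK_PREFIX="${ZEEK_PREFIX:-/usr/local/zeek}"
CAP_BINS="$ZEEK_PREFIX/bin/zeek $ZEEK_PREFIX/bin/capstats"

# Split a zeekctl interface spec into "<packet-source> <interface>".
# "af_packet::pcap0" -> "af_packet pcap0"; anything without "::" goes to
# the default libpcap source with the whole string as the interface name,
# which is why "af_packet:pcap0" (one colon) fails with the error above.
zeek_iface_kind() {
    case "$1" in
        *::*) printf '%s %s\n' "${1%%::*}" "${1#*::}" ;;
        *)    printf 'pcap %s\n' "$1" ;;
    esac
}

# Return 0 only if every binary still reports cap_net_raw via getcap.
# A chown -R on the tree drops the security.capability xattr, so this is
# the check to run right after the ownership change in the entrypoint.
check_caps() {
    for bin in $CAP_BINS; do
        getcap "$bin" 2>/dev/null | grep -q cap_net_raw || return 1
    done
    return 0
}

# Re-apply the file capability after chown; must run as root (needs
# CAP_SETFCAP), i.e. before the runuser to the zeek user.
reapply_caps() {
    for bin in $CAP_BINS; do
        [ -x "$bin" ] || continue
        setcap cap_net_raw=eip "$bin" || return 1
    done
    return 0
}

# Intended use in the entrypoint (assumption: ZEEK_UID/ZEEK_GID are the
# optional user/group ids passed into the container):
#   chown -R "${ZEEK_UID:-zeek}:${ZEEK_GID:-zeek}" "$ZEEK_PREFIX"
#   check_caps || reapply_caps || { echo "capabilities missing" >&2; exit 1; }
#   /sbin/runuser -l zeek -c "$ZEEK_PREFIX/bin/zeekctl deploy"
```

Running check_caps before zeekctl deploy turns the vague "problem with interface" failure into an explicit exit at container start, where the log makes the cause obvious.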