Closed MunkeyBalls closed 2 years ago
Looks like installing nmap only fixes the error not being thrown. Since I saw no devices being tracked with nmap I tried executing nmap on the running container and got the following:
root@pihole:/# nmap -oX - 192.168.2.1/24 -F --host-timeout 5s
bash: /usr/bin/nmap: Operation not permitted
I looked at the homeassistant docs and tried the following to be able to run nmap without root:
setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
Still getting the permission errors though.
You can use our option to customize the container. Then the changes you do get applied at every update. It might also be suited as a docker mod if more people might use it. Have a look at how the docker mods are made, if you want to create a mod.
https://blog.linuxserver.io/2019/09/14/customizing-our-containers/
I think we do a setcap for something in this container. I'll see if I find the one we use.
This is what we use on python in the run in /etc/services.d/
setcap 'cap_net_bind_service=+ep' /usr/bin/python3.8
It looks like you are on your pi when executing the command and not inside the container. Is that right?
Thanks for your response. I'm running the commands from inside the container (using portainer console)
root@pihole:/# setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
root@pihole:/# setcap -v cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
/usr/bin/nmap: OK
root@pihole:/# nmap
bash: /usr/bin/nmap: Operation not permitted
root@pihole:/# nmap --privileged -sS 192.168.2.1
bash: /usr/bin/nmap: Operation not permitted
Btw, I just went through the security concerns on here:
https://secwiki.org/w/Running_nmap_as_an_unprivileged_user
Maybe I should just look for a different way of tracking devices; compromising the security of the network doesn't seem like it's worth it.
If you are using the console in portainer you are root already. If you need to test something, you should use command line and exec into the container as the abc user.
I don't know why it's failing when using root.
Did you deploy it in portainer or just using it to monitor containers? You have not filled out the issue template, so please do so.
I tried using docker exec to run nmap but got the same error. After that I deleted the container, recreated it, and installed nmap again using docker exec
docker exec -it homeassistant /bin/bash
apk add nmap
After doing it like this it's working 👍
For reference, I'm using docker-compose and this is the relevant yaml:
version: '3'
services:
  homeassistant:
    image: ghcr.io/linuxserver/homeassistant
    container_name: homeassistant
    network_mode: host
    environment:
      - PUID=1002
      - PGID=1002
      - TZ=Europe/Amsterdam
    volumes:
      - /home/homeassistant/homeassistant:/config
    restart: unless-stopped
Thanks again for the help, I've also the custom-cont-init.d folder with script to install it automagically and it's working. However, since this is a default homeassistant component, shouldn't it be included in the image? I'm pretty sure it's installed with the official homeassistant docker. It never worked for me though. They don't give you an out of the box option to not run the container as root and I was using run scripts to circumvent that.
Seems within homeassistant nmap is still not working as it's not returning any results on a scan.
To fix this I tried adding the setcap line to the script
setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
After adding this I'm getting the Operation not permitted errors again when trying to run it from docker exec. Also now in homeassistant itself I'm getting the following error again
nmap.nmap.PortScannerError: 'nmap program was not found in path. PATH is : /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
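Added example, not part of the thread or of the linuxserver.io image: per capabilities(7), when a file's capabilities carry the effective flag, execve() fails with EPERM unless every file-permitted capability is available to the process, and this applies to root as well. The sketch below checks the setcap specs quoted in this thread against a bounding set. The sample CapBnd value is constructed, and it assumes the container runs with Docker's default capabilities (the compose file above adds none, and that default set lacks cap_net_admin).

```python
import re

# Capability bit numbers from <linux/capability.h> (only those used on this page).
CAP_BITS = {"cap_net_bind_service": 10, "cap_net_admin": 12, "cap_net_raw": 13}

# Constructed sample: CapBnd of a container started with Docker's default
# capability set (assumption: no cap_add and not privileged).
DOCKER_DEFAULT_CAPBND = "00000000a80425fb"


def parse_setcap_spec(spec):
    """Split a one-clause spec ('a,b+eip' or 'a=+ep') into (names, flags)."""
    m = re.fullmatch(r"([a-z_,]+)(?:=\+?|\+)([eip]+)", spec.strip("'\""))
    if not m:
        raise ValueError(f"unsupported capability spec: {spec!r}")
    return set(m.group(1).split(",")), set(m.group(2))


def read_capbnd(status_path="/proc/self/status"):
    """Return the hex bounding set of the current process (Linux only)."""
    with open(status_path) as fh:
        for line in fh:
            if line.startswith("CapBnd:"):
                return line.split()[1]
    raise RuntimeError("CapBnd not found in " + status_path)


def exec_verdict(spec, capbnd_hex):
    """Return (exec_allowed, missing_caps) for a file carrying `spec`.

    Simplified from capabilities(7): the inheritable sets are ignored, on the
    assumption that they do not hold a capability absent from the bounding set.
    """
    names, flags = parse_setcap_spec(spec)
    bounding = int(capbnd_hex, 16)
    permitted = names if "p" in flags else set()
    missing = sorted(n for n in permitted if not (bounding >> CAP_BITS[n]) & 1)
    # With the file effective flag set, execve() returns EPERM unless the
    # process gains every file-permitted capability.
    return not ("e" in flags and missing), missing


if __name__ == "__main__":
    try:
        capbnd = read_capbnd()  # real value when run inside the container
    except (OSError, RuntimeError):
        capbnd = DOCKER_DEFAULT_CAPBND
    for spec in ("cap_net_raw,cap_net_admin,cap_net_bind_service+eip",
                 "cap_net_bind_service=+ep"):
        ok, missing = exec_verdict(spec, capbnd)
        print(spec, "->", "exec ok" if ok else "EPERM, missing " + ",".join(missing))
```

Run inside the container, it reads the real CapBnd from /proc/self/status. A spec restricted to capabilities present there, such as the cap_net_bind_service one used for python, passes the check.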
I don't get the same errors as you when testing here. I installed nmap and added it to my configuration.yaml as below and it did scan the host I added.
device_tracker:
  - platform: nmap_tracker
    hosts:
      - 192.168.1.10
I had to set the logger to debug to see any info about nmap scanning the host. Is there anywhere else it shows up easier?
Are you deploying this using compose in portainer or only compose? Those are not the same thing. It's also hard to troubleshoot when you do not provide all the info we ask for in the issue template. We do it for a reason, not just for fun.
Did you install docker from the docker.com or the pi repo?
Setting the logger to debug is probably the easiest way to check. You can also go to the "Developer tools" on the homeassistant UI and see if anything shows up on the states tab (just do a CTRL+F for nmap if you have a lot of entities). The logging is actually the only thing I use portainer for (well, that and deleting the container)
Do any results come up on your test? Because for me it's doing the scan as well, it's just not returning any results.
2021-05-31 10:16:55 DEBUG (SyncWorker_11) [homeassistant.components.nmap_tracker.device_tracker] Scanner initialized
2021-05-31 10:16:55 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] Scanning
2021-05-31 10:16:59 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] nmap scan successful
2021-05-31 10:16:59 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] Nmap last results []
Using the same configuration.yaml as yours btw (with an IP from my own subnet of course). The odd thing is, using the docker exec method it seems to work fine. I do notice the following in the result, however: 'Failed to resolve "nmap".' Other than that, the result looks fine.
root@pihole:/# nmap nmap -oX - 192.168.2.1 -F --host-timeout 5s
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Mon May 31 10:21:14 2021 as: nmap -oX - -F --host-timeout 5s nmap 192.168.2.1 -->
<nmaprun scanner="nmap" args="nmap -oX - -F --host-timeout 5s nmap 192.168.2.1" start="1622449274" startstr="Mon May 31 10:21:14 2021" version="7.80" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="100" services="7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157"/>
<verbose level="0"/>
<debugging level="0"/>
Failed to resolve "nmap".
<host starttime="1622449274" endtime="1622449276"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.2.1" addrtype="ipv4"/>
<address addr="XX:XX:XX:XX:XX:C9" addrtype="mac"/>
<hostnames>
<hostname name="awesome-o.lan" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="96">
<extrareasons reason="no-responses" count="96"/>
</extraports>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="msrpc" method="table" conf="3"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="netbios-ssn" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="5357"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="wsdapi" method="table" conf="3"/></port>
</ports>
<times srtt="349" rttvar="1678" to="100000"/>
</host>
<runstats><finished time="1622449276" timestr="Mon May 31 10:21:16 2021" elapsed="2.58" summary="Nmap done at Mon May 31 10:21:16 2021; 1 IP address (1 host up) scanned in 2.58 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
root@pihole:/#
Sorry for not having the correct template. I created the issue as a feature request which uses a different template. Here's hopefully the correct template, let me know if I'm still missing anything.
device_tracker:
  - platform: nmap_tracker
    hosts:
      - 192.168.2.1
OS:
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster
CPU architecture:
Raspberry PI 3b+
How docker service was installed:
It's been a few years since I've installed it, I thought it was via install script.. But unsure now since it shows up with
dpkg -l | grep docker-ce
ii docker-ce 5:20.10.6~3-0~raspbian-buster armhf Docker: the open-source application container engine
ii docker-ce-cli 5:20.10.6~3-0~raspbian-buster armhf Docker CLI: the open-source application container engine
Here's the version info if it's any use:
Client: Docker Engine - Community
Version: 20.10.6
API version: 1.41
Go version: go1.13.15
Git commit: 370c289
Built: Fri Apr 9 22:46:18 2021
OS/Arch: linux/arm
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.6
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: 8728dd2
Built: Fri Apr 9 22:44:17 2021
OS/Arch: linux/arm
Experimental: false
containerd:
Version: 1.4.4
GitCommit: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
runc:
Version: 1.0.0-rc93
GitCommit: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker-compose -f /home/homeassistant/homeassistant/docker/docker-compose.yaml up -d
compose-yaml
version: '3'
services:
  homeassistant:
    image: ghcr.io/linuxserver/homeassistant
    container_name: homeassistant
    network_mode: host
    environment:
      - PUID=1002
      - PGID=1002
      - TZ=Europe/Amsterdam
    volumes:
      - /home/homeassistant/homeassistant:/config
    restart: unless-stopped
init.d script:
#!/bin/bash
apk update
echo "**** installing nmap ****"
apk add --no-cache nmap
echo "**** installing python2 ****"
apk add --no-cache python2
#echo "**** setcap nmap ****"
#setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1002
User gid: 1002
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 50-config: executing...
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-usb-gid: executing...
[cont-init.d] 60-usb-gid: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] files found in /config/custom-cont-init.d executing
[custom-init] apk_add.sh: executing...
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/armv7/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/armv7/APKINDEX.tar.gz
v3.12.7-42-gfd8036e2fa [http://dl-cdn.alpinelinux.org/alpine/v3.12/main]
v3.12.7-39-gea624ba3b7 [http://dl-cdn.alpinelinux.org/alpine/v3.12/community]
OK: 12350 distinct packages available
**** installing nmap ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/armv7/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/armv7/APKINDEX.tar.gz
(1/4) Installing lua5.3-libs (5.3.5-r6)
(2/4) Installing libpcap (1.9.1-r2)
(3/4) Installing libssh2 (1.9.0-r1)
(4/4) Installing nmap (7.80-r2)
Executing busybox-1.31.1-r20.trigger
OK: 131 MiB in 141 packages
**** installing python2 ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/armv7/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/armv7/APKINDEX.tar.gz
(1/1) Installing python2 (2.7.18-r0)
Executing busybox-1.31.1-r20.trigger
OK: 167 MiB in 142 packages
[custom-init] apk_add.sh: exited 0
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
2021-05-31 10:16:55 DEBUG (SyncWorker_11) [homeassistant.components.nmap_tracker.device_tracker] Scanner initialized
2021-05-31 10:16:55 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] Scanning
2021-05-31 10:16:59 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] nmap scan successful
2021-05-31 10:16:59 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] Nmap last results []
Thanks again for taking the time to look into this, really appreciate it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
So just to stick my oar in here. Without adding any special caps, or python2, just nmap plus the device_tracker configuration.yml entry it works for me:
2021-08-18 19:57:06 DEBUG (SyncWorker_0) [homeassistant.components.nmap_tracker.device_tracker] Scanner initialized
2021-08-18 19:57:06 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] Scanning
2021-08-18 19:57:07 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] nmap scan successful
2021-08-18 19:57:07 DEBUG (SyncWorker_3) [homeassistant.components.nmap_tracker.device_tracker] Nmap last results [Device(mac='00:00:00:00:00:00', name='docker.domain.local', ip='192.168.0.100', last_update=datetime.datetime(2021, 8, 18, 19, 57, 7, 41438, tzinfo=backports.zoneinfo.ZoneInfo(key='Europe/London')))]
This is using our latest image on aarch64, host networking.
Desired Behavior
Nmap tracker component working
Current Behavior
An error is thrown because nmap is currently not being installed in the dockerfile
nmap.nmap.PortScannerError: 'nmap program was not found in path. PATH is : /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
Alternatives Considered
Executing the following command on the running docker container fixes the problem:
apk add nmap
Although this works, I'll have to repeat this with every update; it would be great if it could be included in the docker image since it's a standard hass component.
PS: Thanks for adding homeassistant to your library of great docker images. Switched over from the official docker as soon as I saw it was available, especially since this one works non-root out of the box.