The packetbeat docker image normally requires that the flag --cap-add=NET_ADMIN be passed in order to capture packets. This is understandable and expected when packet capture is actually being performed, however the docker command fails if that permission is not provided even for the help and setup sub-commands:
/usr/local/bin/docker-entrypoint: line 13: /usr/share/packetbeat/packetbeat: Operation not permitted
Is there any way to execute the setup command without providing the docker container with elevated privileges? I want to perform the setup in a cluster with limited access and don't want to give the container these permissions where it should not be necessary.
You can build a dedicated docker image to just run setup on top of your Packetbeat image of choice.
What's preventing you from running setup without CAP_NET_ADMIN is the file capabilities on the packetbeat executable. You can build an image that required lowered permissions with a Dockerfile like this:
FROM docker.elastic.co/beats/packetbeat:7.6.1
USER root
RUN setcap -r /usr/share/packetbeat/packetbeat
USER packetbeat
This is my output:
test$ cat Dockerfile
FROM docker.elastic.co/beats/packetbeat:7.6.1
USER root
RUN setcap -r /usr/share/packetbeat/packetbeat
USER packetbeat
test$ docker build . -t packetbeat_setup
Sending build context to Docker daemon 2.048kB
Step 1/4 : FROM docker.elastic.co/beats/packetbeat:7.6.1
---> dd12ef9983ca
Step 2/4 : USER root
---> Using cache
---> b8728e46cc14
Step 3/4 : RUN setcap -r /usr/share/packetbeat/packetbeat
---> Using cache
---> b916d58c634f
Step 4/4 : USER packetbeat
---> Using cache
---> 903ef61fe13e
Successfully built 903ef61fe13e
Successfully tagged packetbeat_setup:latest
test$
test$ docker run packetbeat_setup setup
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://elasticsearch:9200: Get http://elasticsearch:9200: lookup elasticsearch on 192.168.65.1:53: no such host]
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.