Network capabilities such as "--cap-add=NET_ADMIN" are ignored when deploying a stack in swarm mode with a (version 3)
- Is it possible to start Packetbeat in docker swarm mode? I'd be grateful if anyone could share a compose file.
- In docker swarm mode, how can traffic be captured from the host system?
- Should Packetbeat run as a global service in a docker swarm mode cluster, or should it only be constrained to a master node?
I think this is more a question about docker swarm. To capture traffic from the host network, Packetbeat needs access to the host network namespace and has to be granted network admin capabilities. I think that running containers in the host network is allowed in swarm, but I'm not sure about giving them capabilities or running them as fully privileged; a quick search suggests that these features are missing for now (see these issues about capabilities and about privileged).
As a workaround to these limitations, you can try to deploy Packetbeat on your nodes directly using other configuration management options.
Regarding the deployment options, you'd need to have it deployed on the nodes where you want to capture traffic. If you want to capture traffic from all nodes, it'd need to be deployed as a global service; if not, it could be deployed only on the nodes you want to capture traffic from.
Thanks @jsoriano for the quick response. This is what I have already tried, but the service still does not start and I get this error:

```
task: non-zero exit (1)
```
- Stack service was started with root privileges in hope that it would have all permissions it needed on each swarm cluster node
- Stack service ran in global mode
- Stack service ran in host network as you suggested
Here is the compose file that I have been trying to stack deploy:

```yaml
- source: pb_config
```
Here is my packetbeat config file:

```yaml
#============================== Network device ================================
#================================== Flows =====================================
#========================== Transaction protocols =============================
- type: http
  ports: [80, 8080, 5000]
- type: tls
#=========================== Monitored processes ==============================
- process: pgsql
#================================ Processors ===================================
fields: ["cpu.user", "cpu.system"]
# The following example drops the events that have the HTTP response code 200:
# The following example enriches each event with metadata from the cloud provider about the host machine.
- add_cloud_metadata: ~
- add_locale: ~
#-------------------------- Elasticsearch output -------------------------------
#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index.
# Loading the dashboards is disabled by default and can be enabled either by setting the options here, or by using the `-setup` CLI flag.
```
I am really hoping to hear from anyone who has actually tried running Packetbeat successfully in docker swarm mode.
Take into account that running a container as root doesn't imply that it has all capabilities; you can check the list of capabilities granted by default in the Docker documentation.
NET_ADMIN is not one of them, and it is needed by Packetbeat.
If there is no way to run privileged containers in docker swarm, then I doubt that Packetbeat can be run there. But this is more a question for docker swarm.
Please keep us posted with your discoveries.
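The point above, that UID 0 inside a container says nothing about which capabilities the process actually holds, can be checked directly from the kernel's own view rather than inferred from `docker inspect`. The following is an added example, not code from the thread or from the Packetbeat project: it decodes the `CapEff` mask from a `/proc/<pid>/status` text and reports which capabilities are present and whether CAP_NET_ADMIN (the one the thread says Packetbeat needs) and CAP_NET_RAW (needed to open a raw packet socket) are among them. The two sample status texts are constructed; the first uses Docker's default capability set, which contains CAP_NET_RAW but not CAP_NET_ADMIN, and the second is the same set with CAP_NET_ADMIN added. The `check_current_process` helper reads the real `/proc/self/status`, so run it inside the Packetbeat container to see what the service task really got.

```python
"""Decode Linux capability masks from /proc/<pid>/status.

Added example (not from the forum thread). Verifies, from inside a container,
whether the effective capability set actually contains what Packetbeat needs,
independently of the process running as UID 0.
"""
from __future__ import annotations

import re

# Capability bit numbers from <linux/capability.h> (stable kernel ABI values).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
    "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
    "CAP_SYS_CHROOT": 18, "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27,
    "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}

# What a sniffer like Packetbeat needs in its effective set: NET_RAW to open an
# AF_PACKET socket, NET_ADMIN to put the interface into promiscuous mode.
PACKETBEAT_REQUIRED = ("CAP_NET_ADMIN", "CAP_NET_RAW")

# Constructed sample: a root process in an unprivileged Docker container.
# 0xa80425fb is Docker's default capability set (14 capabilities).
SAMPLE_STATUS_DEFAULT = (
    "Name:\tpacketbeat\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t00000000a80425fb\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)

# Constructed sample: same container started with --cap-add=NET_ADMIN (bit 12).
SAMPLE_STATUS_NET_ADMIN = SAMPLE_STATUS_DEFAULT.replace("a80425fb", "a80435fb")

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$")


def parse_cap_masks(status_text: str) -> dict[str, int]:
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, ...} from a status text."""
    masks: dict[str, int] = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line.strip())
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def caps_in_mask(mask: int) -> list[str]:
    """Names of the known capabilities whose bit is set in mask, in bit order."""
    present = [name for name, bit in CAP_BITS.items() if (mask >> bit) & 1]
    return sorted(present, key=lambda name: CAP_BITS[name])


def missing_for_packetbeat(status_text: str) -> list[str]:
    """Required capabilities that are absent from the effective set (empty = OK)."""
    eff = parse_cap_masks(status_text).get("CapEff", 0)
    return [cap for cap in PACKETBEAT_REQUIRED if not (eff >> CAP_BITS[cap]) & 1]


def check_current_process() -> list[str]:
    """Run the same check against the calling process's real /proc/self/status."""
    with open("/proc/self/status", encoding="ascii") as status:
        return missing_for_packetbeat(status.read())


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_STATUS_DEFAULT),
                        ("cap-add NET_ADMIN", SAMPLE_STATUS_NET_ADMIN)):
        eff = parse_cap_masks(text)["CapEff"]
        print(f"[{label}] CapEff=0x{eff:016x} -> {caps_in_mask(eff)}")
        print(f"[{label}] missing for Packetbeat: {missing_for_packetbeat(text)}")
    try:
        print("this process is missing:", check_current_process())
    except OSError as err:  # not on Linux, or /proc not mounted
        print("cannot read /proc/self/status:", err)
```

If the task that swarm started reports CAP_NET_ADMIN as missing even though the compose file asked for it, that is the symptom of the limitation discussed in this thread, and no amount of running as root inside the container will change it.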