starred/UpSnap-seriousm4x-4
1
0
Fork 0
mirror of https://github.com/seriousm4x/UpSnap.git synced 2026-03-31 06:24:11 -04:00
Code Issues Packages Projects Releases Wiki Activity

update ping privileged/unprivileged logic (#1586)

Browse Source 
* update ping privileged/unprivileged logic, add entrypoint

Signed-off-by: invario <67800603+invario@users.noreply.github.com>

* Removed entrypoint script, code in GO instead to raise NET_RAW cap

Signed-off-by: invario <67800603+invario@users.noreply.github.com>

* Rewritten to only split pingdevice func into separate GO files

Signed-off-by: invario <67800603+invario@users.noreply.github.com>

* remove runtime check

* readme: cap_net_raw=+p

* clear up

* readme: clearify linux only

* set `privileged = false` on darwin

---------

Signed-off-by: invario <67800603+invario@users.noreply.github.com>
Co-authored-by: Maxi Quoß <maxi@quoss.org>
This commit is contained in:
invario
2026-03-19 06:20:46 -04:00
committed by GitHub
parent 611c4d29c5
commit 1d361e3f8b
8 changed files with 159 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@@ -11,7 +11,7 @@ RUN wget https://github.com/seriousm4x/UpSnap/releases/download/${VERSION}/UpSna
chmod +x upsnap &&\ chmod +x upsnap &&\
apk update &&\ apk update &&\
apk add --no-cache libcap &&\ apk add --no-cache libcap &&\
setcap 'cap_net_raw=+ep' ./upsnap setcap 'cap_net_raw=+p' ./upsnap
FROM alpine:3 FROM alpine:3
ARG UPSNAP_HTTP_LISTEN=0.0.0.0:8090 ARG UPSNAP_HTTP_LISTEN=0.0.0.0:8090
@@ -23,4 +23,5 @@ WORKDIR /app
COPY --from=downloader /app/upsnap upsnap COPY --from=downloader /app/upsnap upsnap
HEALTHCHECK --interval=10s \ HEALTHCHECK --interval=10s \
CMD curl -fs "http://${UPSNAP_HTTP_LISTEN}/api/health" || exit 1 CMD curl -fs "http://${UPSNAP_HTTP_LISTEN}/api/health" || exit 1
ENTRYPOINT ["sh", "-c", "./upsnap serve --http ${UPSNAP_HTTP_LISTEN}"] CMD ["serve","--http","${UPSNAP_HTTP_LISTEN}"]
ENTRYPOINT ["/app/upsnap"]

4
README.md
View File

@@ -61,10 +61,10 @@ Just download the latest binary from the [release page](https://github.com/serio
sudo ./upsnap serve --http=0.0.0.0:8090 sudo ./upsnap serve --http=0.0.0.0:8090
``` ```
### Non-root: ### Non-root on linux only:
```bash ```bash
sudo setcap cap_net_raw=+ep ./upsnap # only once after downloading sudo setcap cap_net_raw=+p ./upsnap # only once after downloading to allow for pinging devices
./upsnap serve --http=0.0.0.0:8090 ./upsnap serve --http=0.0.0.0:8090
``` ```

53
backend/networking/ping.go
View File

@@ -4,14 +4,8 @@ import (
"errors" "errors"
"net" "net"
"os" "os"
"os/exec"
"runtime"
"strconv"
"syscall" "syscall"
"time" "time"
"github.com/pocketbase/pocketbase/core"
probing "github.com/prometheus-community/pro-bing"
) )
func isNoRouteOrDownError(err error) bool { func isNoRouteOrDownError(err error) bool {
@@ -26,53 +20,6 @@ func isNoRouteOrDownError(err error) bool {
return syscallErr.Err == syscall.EHOSTUNREACH || syscallErr.Err == syscall.EHOSTDOWN return syscallErr.Err == syscall.EHOSTUNREACH || syscallErr.Err == syscall.EHOSTDOWN
} }
func PingDevice(device *core.Record) (bool, error) {
ping_cmd := device.GetString("ping_cmd")
if ping_cmd == "" {
pinger, err := probing.NewPinger(device.GetString("ip"))
if err != nil {
return false, err
}
pinger.Count = 1
pinger.Timeout = 500 * time.Millisecond
privileged := isRoot()
privilegedEnv := os.Getenv("UPSNAP_PING_PRIVILEGED")
if privilegedEnv != "" {
privileged, err = strconv.ParseBool(privilegedEnv)
if err != nil {
privileged = false
}
}
pinger.SetPrivileged(privileged)
err = pinger.Run()
if err != nil {
if isNoRouteOrDownError(err) {
return false, nil
}
return false, err
}
stats := pinger.Statistics()
return stats.PacketLoss == 0, nil
} else {
var shell string
var shell_arg string
if runtime.GOOS == "windows" {
shell = "cmd"
shell_arg = "/C"
} else {
shell = "/bin/sh"
shell_arg = "-c"
}
cmd := exec.Command(shell, shell_arg, ping_cmd)
err := cmd.Run()
return err == nil, err
}
}
func CheckPort(host string, port string) (bool, error) { func CheckPort(host string, port string) (bool, error) {
timeout := 500 * time.Millisecond timeout := 500 * time.Millisecond
conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, port), timeout) conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, port), timeout)

79
backend/networking/pingdevice_linux.go Normal file
View File

@@ -0,0 +1,79 @@
//go:build linux
package networking
import (
"fmt"
"os"
"os/exec"
"strconv"
"time"
"github.com/pocketbase/pocketbase/core"
probing "github.com/prometheus-community/pro-bing"
"kernel.org/pub/linux/libs/security/libcap/cap"
)
func PingDevice(device *core.Record) (bool, error) {
ping_cmd := device.GetString("ping_cmd")
if ping_cmd == "" {
pinger, err := probing.NewPinger(device.GetString("ip"))
if err != nil {
return false, err
}
pinger.Count = 1
pinger.Timeout = 500 * time.Millisecond
privileged := true
privilegedEnv := os.Getenv("UPSNAP_PING_PRIVILEGED")
if privilegedEnv != "" {
privileged, err = strconv.ParseBool(privilegedEnv)
if err != nil {
privileged = false
}
}
if privileged {
orig := cap.GetProc()
defer orig.SetProc() // restore original caps on exit.
c, err := orig.Dup()
if err != nil {
return false, fmt.Errorf("Failed to dup existing capabilities: %v", err)
}
if on, _ := c.GetFlag(cap.Permitted, cap.NET_RAW); !on {
return false, fmt.Errorf("Privileged ping selected but NET_RAW capability not permitted")
}
if err := c.SetFlag(cap.Effective, true, cap.NET_RAW); err != nil {
return false, fmt.Errorf("unable to set NET_RAW capability")
}
if err := c.SetProc(); err != nil {
return false, fmt.Errorf("unable to raise NET_RAW capability")
}
}
pinger.SetPrivileged(privileged)
err = pinger.Run()
if err != nil {
if isNoRouteOrDownError(err) {
return false, nil
}
return false, err
}
stats := pinger.Statistics()
return stats.PacketLoss == 0, nil
} else {
var shell string
var shell_arg string
shell = "/bin/sh"
shell_arg = "-c"
cmd := exec.Command(shell, shell_arg, ping_cmd)
err := cmd.Run()
return err == nil, err
}
}

65
backend/networking/pingdevice_other.go Normal file
View File

@@ -0,0 +1,65 @@
//go:build !linux
package networking
import (
"os"
"os/exec"
"runtime"
"strconv"
"time"
"github.com/pocketbase/pocketbase/core"
probing "github.com/prometheus-community/pro-bing"
)
func PingDevice(device *core.Record) (bool, error) {
ping_cmd := device.GetString("ping_cmd")
if ping_cmd == "" {
pinger, err := probing.NewPinger(device.GetString("ip"))
if err != nil {
return false, err
}
pinger.Count = 1
pinger.Timeout = 500 * time.Millisecond
privileged := true // default to privileged ping, required by Windows
if runtime.GOOS == "darwin" {
// macOS pings will fail when using privileged ping as non root, but works with non-privileged.
privileged = false
}
privilegedEnv := os.Getenv("UPSNAP_PING_PRIVILEGED")
if privilegedEnv != "" {
privileged, err = strconv.ParseBool(privilegedEnv)
if err != nil {
privileged = false
}
}
pinger.SetPrivileged(privileged)
err = pinger.Run()
if err != nil {
if isNoRouteOrDownError(err) {
return false, nil
}
return false, err
}
stats := pinger.Statistics()
return stats.PacketLoss == 0, nil
} else {
var shell string
var shell_arg string
if runtime.GOOS == "windows" {
shell = "cmd"
shell_arg = "/C"
} else {
shell = "/bin/sh"
shell_arg = "-c"
}
cmd := exec.Command(shell, shell_arg, ping_cmd)
err := cmd.Run()
return err == nil, err
}
}

9
backend/networking/root.go
View File

@@ -1,9 +0,0 @@
//go:build !windows
package networking
import "os"
func isRoot() bool {
return os.Geteuid() == 0
}

16
backend/networking/root_windows.go
View File

@@ -1,16 +0,0 @@
//go:build windows
package networking
import "golang.org/x/sys/windows"
func isRoot() bool {
var sid *windows.SID
sid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
if err != nil {
return false
}
token := windows.GetCurrentProcessToken()
isAdmin, err := token.IsMember(sid)
return err == nil && isAdmin
}

12
docker-compose.yml
View File

@@ -1,8 +1,12 @@
services: services:
upsnap: upsnap:
cap_add:
- NET_RAW # NET_RAW is required for privileged ping
cap_drop:
- ALL
container_name: upsnap container_name: upsnap
image: ghcr.io/seriousm4x/upsnap:5 # images are also available on docker hub: seriousm4x/upsnap:5 image: ghcr.io/seriousm4x/upsnap:5 # images are also available on docker hub: seriousm4x/upsnap:5
network_mode: host network_mode: host # host is required for WOL magic packets
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ./data:/app/pb_data - ./data:/app/pb_data
@@ -14,8 +18,12 @@ services:
# - UPSNAP_INTERVAL=*/10 * * * * * # Sets the interval in which the devices are pinged # - UPSNAP_INTERVAL=*/10 * * * * * # Sets the interval in which the devices are pinged
# - UPSNAP_SCAN_RANGE=192.168.1.0/24 # Scan range is used for device discovery on local network # - UPSNAP_SCAN_RANGE=192.168.1.0/24 # Scan range is used for device discovery on local network
# - UPSNAP_SCAN_TIMEOUT=500ms # Scan timeout is nmap's --host-timeout value to wait for devices (https://nmap.org/book/man-performance.html) # - UPSNAP_SCAN_TIMEOUT=500ms # Scan timeout is nmap's --host-timeout value to wait for devices (https://nmap.org/book/man-performance.html)
# - UPSNAP_PING_PRIVILEGED=true # Set to false if non-root user and no NET_RAW capability *requires host setting net.ipv4.ping_group_range="0 2147483647" # - UPSNAP_PING_PRIVILEGED=true # Default is true. Set to false for unprivileged ping
# For Linux hosts, unprivileged pings REQUIRES the host to set 'sysctl net.ipv4.ping_group_range="0 2147483647"'
# or another suitable value to grant the group access to send ping and WOL magic packets.
# - UPSNAP_WEBSITE_TITLE=Custom name # Custom website title # - UPSNAP_WEBSITE_TITLE=Custom name # Custom website title
# security_opt:
# - no-new-privileges=true
# # dns is used for name resolution during network scan # # dns is used for name resolution during network scan
# dns: # dns:
# - 192.18.0.1 # - 192.18.0.1