Suricata v7 add sys_nice cap

theflakes · April 4, 2024, 5:33pm

Is there a way to add sys_nice cap in order to run Suricata v7 via Vyos config?

Running latest Vyos 1.5 rolling.

thanks

L0crian · April 4, 2024, 7:08pm

If you don’t mind building the VyOS package yourself, you just need to add them as config options to the /interface-definitions/container.xml.in in the vyos/vyos-1x repository.

I built it as a quick test and it works fine:

vyos@vyos# show container name zt1 cap-add | commands
set cap-add 'net-admin'
set cap-add 'sys-admin'
set cap-add 'sys-nice'

vyos@vyos# sudo podman container inspect zt1 | jq '.[0].HostConfig.CapAdd'
[
  "CAP_NET_ADMIN",
  "CAP_SYS_ADMIN",
  "CAP_SYS_NICE"
]

If you don’t want to mess with that, you can edit this file locally on your installed VyOS to expose the configuration item:
/opt/vyatta/share/vyatta-cfg/templates/container/name/node.tag/cap-add/node.def

theflakes · April 5, 2024, 11:02pm

Created a pull request to have this included in rolling at some point. Thanks for the help!

L0crian · April 5, 2024, 11:46pm

No problem! I added a comment to your PR asking if you can update the completionHelp list and add a valueHelp element.