Feat: make errors more helpful

.devcontainer/Dockerfile

@@ -72,11 +72,13 @@ ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
 ENV LOG_CROND=${NETALERTX_LOG}/crond.log
 
 # System Services configuration files
+ENV ENTRYPOINT_CHECKS=/entrypoint.d
 ENV SYSTEM_SERVICES=/services
 ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
 ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINX_CONFIG}/nginx.conf
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG=${SYSTEM_NGINX_CONFIG}/conf.active
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
 ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
@@ -85,7 +87,7 @@ ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV READ_ONLY_FOLDERS="${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} \
-                       ${SYSTEM_SERVICES_CONFIG}"
+                       ${SYSTEM_SERVICES_CONFIG} ${ENTRYPOINT_CHECKS}"
 ENV READ_WRITE_FOLDERS="${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} \
                        ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} \
                        ${SYSTEM_SERVICES_RUN_LOG}"
@@ -184,7 +186,7 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     chmod -R 600 ${READ_WRITE_FOLDERS} && \
     find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
     chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
     for dir in ${READ_WRITE_FOLDERS}; do \
         install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
     done && \

Dockerfile

@@ -69,11 +69,13 @@ ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
 ENV LOG_CROND=${NETALERTX_LOG}/crond.log
 
 # System Services configuration files
+ENV ENTRYPOINT_CHECKS=/entrypoint.d
 ENV SYSTEM_SERVICES=/services
 ENV SYSTEM_SERVICES_SCRIPTS=${SYSTEM_SERVICES}/scripts
 ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
 ENV SYSTEM_NGINX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
 ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINX_CONFIG}/nginx.conf
+ENV SYSTEM_SERVICES_ACTIVE_CONFIG=${SYSTEM_NGINX_CONFIG}/conf.active
 ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
 ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
 ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
@@ -82,7 +84,7 @@ ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
 ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
 ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf
 ENV READ_ONLY_FOLDERS="${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} \
-                       ${SYSTEM_SERVICES_CONFIG}"
+                       ${SYSTEM_SERVICES_CONFIG} ${ENTRYPOINT_CHECKS}"
 ENV READ_WRITE_FOLDERS="${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} \
                        ${NETALERTX_PLUGINS_LOG} ${SYSTEM_SERVICES_RUN} ${SYSTEM_SERVICES_RUN_TMP} \
                        ${SYSTEM_SERVICES_RUN_LOG}"
@@ -181,7 +183,7 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     chmod -R 600 ${READ_WRITE_FOLDERS} && \
     find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
     chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
-    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh ${SYSTEM_SERVICES_SCRIPTS}/* ${ENTRYPOINT_CHECKS}/* /app /opt /opt/venv && \
     for dir in ${READ_WRITE_FOLDERS}; do \
         install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
     done && \

docs/docker-troubleshooting/excessive-capabilities.md

@@ -0,0 +1,32 @@
+# Excessive Capabilities
+
+## Issue Description
+
+Excessive Linux capabilities are detected beyond the necessary NET_ADMIN, NET_BIND_SERVICE, and NET_RAW. This may indicate overly permissive container configuration.
+
+## Security Ramifications
+
+While the detected capabilities might not directly harm operation, running with more privileges than necessary increases the attack surface. If the container is compromised, additional capabilities could allow broader system access or privilege escalation.
+
+## Why You're Seeing This Issue
+
+This occurs when your Docker configuration grants more capabilities than required for network monitoring. The application only needs specific network-related capabilities for proper function.
+
+## How to Correct the Issue
+
+Limit capabilities to only those required:
+
+- In docker-compose.yml, specify only needed caps:
+  ```yaml
+  cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    - NET_BIND_SERVICE
+  ```
+- Remove any unnecessary `--cap-add` flags from docker run commands
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/file-permissions.md

@@ -0,0 +1,27 @@
+# File Permission Issues
+
+## Issue Description
+
+NetAlertX cannot read from or write to critical configuration and database files. This prevents the application from saving data, logs, or configuration changes.
+
+## Security Ramifications
+
+Incorrect file permissions can expose sensitive configuration data or database contents to unauthorized access. Network monitoring tools handle sensitive information about devices on your network, and improper permissions could lead to information disclosure.
+
+## Why You're Seeing This Issue
+
+This occurs when the mounted volumes for configuration and database files don't have proper ownership or permissions set for the netalertx user (UID 20211). The container expects these files to be accessible by the service account, not root or other users.
+
+## How to Correct the Issue
+
+Fix permissions on the host system for the mounted directories:
+
+- Ensure the config and database directories are owned by the netalertx user: `chown -R 20211:20211 /path/to/config /path/to/db`
+- Set appropriate permissions: `chmod -R 755 /path/to/config /path/to/db` for directories, `chmod 644` for files
+- Alternatively, restart the container with root privileges temporarily to allow automatic permission fixing, then switch back to the default user
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/incorrect-user.md

@@ -0,0 +1,28 @@
+# Incorrect Container User
+
+## Issue Description
+
+NetAlertX is running as UID:GID other than the expected 20211:20211. This bypasses hardened permissions, file ownership, and runtime isolation safeguards.
+
+## Security Ramifications
+
+The application is designed with security hardening that depends on running under a dedicated, non-privileged service account. Using a different user account can silently fail future upgrades and removes crucial isolation between the container and host system.
+
+## Why You're Seeing This Issue
+
+This occurs when you override the container's default user with custom `user:` directives in docker-compose.yml or `--user` flags in docker run commands. The container expects to run as the netalertx user for proper security isolation.
+
+## How to Correct the Issue
+
+Restore the container to the default user:
+
+- Remove any `user:` overrides from docker-compose.yml
+- Avoid `--user` flags in docker run commands
+- Allow the container to run with its default UID:GID 20211:20211
+- Recreate the container so volume ownership is reset automatically
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/missing-capabilities.md

@@ -0,0 +1,32 @@
+# Missing Network Capabilities
+
+## Issue Description
+
+Raw network capabilities (NET_RAW, NET_ADMIN, NET_BIND_SERVICE) are missing. Tools that rely on these capabilities (e.g., nmap -sS, arp-scan, nbtscan) will not function.
+
+## Security Ramifications
+
+Network scanning and monitoring requires low-level network access that these capabilities provide. Without them, the application cannot perform essential functions like ARP scanning, port scanning, or passive network discovery, severely limiting its effectiveness.
+
+## Why You're Seeing This Issue
+
+This occurs when the container doesn't have the necessary Linux capabilities granted. Docker containers run with limited capabilities by default, and network monitoring tools need elevated network privileges.
+
+## How to Correct the Issue
+
+Add the required capabilities to your container:
+
+- In docker-compose.yml:
+  ```yaml
+  cap_add:
+    - NET_RAW
+    - NET_ADMIN
+    - NET_BIND_SERVICE
+  ```
+- For docker run: `--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE`
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/mount-configuration-issues.md

@@ -0,0 +1,36 @@
+# Mount Configuration Issues
+
+## Issue Description
+
+NetAlertX has detected configuration issues with your Docker volume mounts. These may include write permission problems, data loss risks, or performance concerns marked with ❌ in the table.
+
+## Security Ramifications
+
+Improper mount configurations can lead to data loss, performance degradation, or security vulnerabilities. For persistent data (database and configuration), using non-persistent storage like tmpfs can result in complete data loss on container restart. For temporary data, using persistent storage may unnecessarily expose sensitive logs or cache data.
+
+## Why You're Seeing This Issue
+
+This occurs when your Docker Compose or run configuration doesn't properly map host directories to container paths, or when the mounted volumes have incorrect permissions. The application requires specific paths to be writable for operation, and some paths should use persistent storage while others should be temporary.
+
+## How to Correct the Issue
+
+Review and correct your volume mounts in docker-compose.yml:
+
+- Ensure `${NETALERTX_DB}` and `${NETALERTX_CONFIG}` use persistent host directories
+- Ensure `${NETALERTX_API}`, `${NETALERTX_LOG}` have appropriate permissions
+- Avoid mounting sensitive paths to non-persistent filesystems like tmpfs for critical data
+- Use bind mounts with proper ownership (netalertx user: 20211:20211)
+
+Example volume configuration:
+```yaml
+volumes:
+  - ./data/db:/app/db
+  - ./data/config:/app/config
+  - ./data/log:/app/log
+```
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/network-mode.md

@@ -0,0 +1,27 @@
+# Network Mode Configuration
+
+## Issue Description
+
+NetAlertX is not running with `--network=host`. Bridge networking blocks passive discovery (ARP, NBNS, mDNS) and active scanning accuracy.
+
+## Security Ramifications
+
+Host networking is required for comprehensive network monitoring. Bridge mode isolates the container from raw network access needed for ARP scanning, passive discovery protocols, and accurate device detection. Without host networking, the application cannot fully monitor your network.
+
+## Why You're Seeing This Issue
+
+This occurs when your Docker configuration uses bridge networking instead of host networking. Network monitoring requires direct access to the host's network interfaces to perform passive discovery and active scanning.
+
+## How to Correct the Issue
+
+Enable host networking mode:
+
+- In docker-compose.yml, add: `network_mode: host`
+- For docker run, use: `--network=host`
+- Ensure the container has required capabilities: `--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=NET_BIND_SERVICE`
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/nginx-configuration-mount.md

@@ -0,0 +1,36 @@
+# Nginx Configuration Mount Issues
+
+## Issue Description
+
+You've configured a custom port for NetAlertX, but the required nginx configuration mount is missing or not writable. Without this mount, the container cannot apply your port changes and will fall back to the default port 20211.
+
+## Security Ramifications
+
+Running in read-only mode (as recommended) prevents the container from modifying its own nginx configuration. Without a writable mount, custom port configurations cannot be applied, potentially exposing the service on unintended ports or requiring fallback to defaults.
+
+## Why You're Seeing This Issue
+
+This occurs when you set a custom PORT environment variable (other than 20211) but haven't provided a writable mount for nginx configuration. The container needs to write custom nginx config files when running in read-only mode.
+
+## How to Correct the Issue
+
+If you want to use a custom port, create a bind mount for the nginx configuration:
+
+- Create a directory on your host: `mkdir -p /path/to/nginx-config`
+- Add to your docker-compose.yml:
+  ```yaml
+  volumes:
+    - /path/to/nginx-config:/app/system/services/active/config
+  environment:
+    - PORT=your_custom_port
+  ```
+- Ensure it's owned by the netalertx user: `chown -R 20211:20211 /path/to/nginx-config`
+- Set permissions: `chmod -R 700 /path/to/nginx-config`
+
+If you don't need a custom port, simply omit the PORT environment variable and the container will use 20211 by default.
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)

docs/docker-troubleshooting/port-conflicts.md

@@ -0,0 +1,86 @@
+# Port Conflicts
+
+## Issue Description
+
+The configured application port (default 20211) or GraphQL API port (default 20212) is already in use by another service. This commonly occurs when you already have another NetAlertX instance running.
+
+## Security Ramifications
+
+Port conflicts prevent the application from starting properly, leaving network monitoring services unavailable. Running multiple instances on the same ports can also create configuration confusion and potential security issues if services are inadvertently exposed.
+
+## Why You're Seeing This Issue
+
+This error typically occurs when:
+
+- **You already have NetAlertX running** - Another Docker container or devcontainer instance is using the default ports 20211 and 20212
+- **Port conflicts with other services** - Other applications on your system are using these ports
+- **Configuration error** - Both PORT and GRAPHQL_PORT environment variables are set to the same value
+
+## How to Correct the Issue
+
+### Check for Existing NetAlertX Instances
+
+First, check if you already have NetAlertX running:
+
+```bash
+# Check for running NetAlertX containers
+docker ps | grep netalertx
+
+# Check for devcontainer processes
+ps aux | grep netalertx
+
+# Check what services are using the ports
+netstat -tlnp | grep :20211
+netstat -tlnp | grep :20212
+```
+
+### Stop Conflicting Instances
+
+If you find another NetAlertX instance:
+
+```bash
+# Stop specific container
+docker stop <container_name>
+
+# Stop all NetAlertX containers
+docker stop $(docker ps -q --filter ancestor=jokob-sk/netalertx)
+
+# Stop devcontainer services
+# Use VS Code command palette: "Dev Containers: Rebuild Container"
+```
+
+### Configure Different Ports
+
+If you need multiple instances, configure unique ports:
+
+```yaml
+environment:
+  - PORT=20211          # Main application port
+  - GRAPHQL_PORT=20212  # GraphQL API port
+```
+
+For a second instance, use different ports:
+
+```yaml
+environment:
+  - PORT=20213          # Different main port
+  - GRAPHQL_PORT=20214  # Different API port
+```
+
+### Alternative: Use Different Container Names
+
+When running multiple instances, use unique container names:
+
+```yaml
+services:
+  netalertx-primary:
+    # ... existing config
+  netalertx-secondary:
+    # ... config with different ports
+```
+
+## Additional Resources
+
+Docker Compose setup can be complex. We recommend starting with the default docker-compose.yml as a base and modifying it incrementally.
+
+For detailed Docker Compose configuration guidance, see: [DOCKER_COMPOSE.md](https://github.com/jokob-sk/NetAlertX/blob/main/docs/DOCKER_COMPOSE.md)