Failure when trying to set feature via ioctl

While starting Suricata 5.0.2 on Docker container I am getting error below. I am wondering what are implications of this error. Does it affect Suricata in any way?

[180] 30/9/2020 -- 17:18:10 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 5.0.2 RELEASE running in SYSTEM mode
[180] 30/9/2020 -- 17:18:11 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Operation not permitted (1)
[180] 30/9/2020 -- 17:18:11 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Operation not permitted (1)
[180] 30/9/2020 -- 17:18:11 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Operation not permitted (1)
[180] 30/9/2020 -- 17:18:11 - (util-ioctl.c:324) <Warning> (SetEthtoolValue) -- [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to set feature via ioctl for 'eth0': Operation not permitted (1)
[180] 30/9/2020 -- 17:18:11 - (tm-threads.c:2170) <Notice> (TmThreadWaitOnThreadInit) -- all 8 packet processing threads, 4 management threads initialized, engine started.

Hi. Suricata wants to use ethtool to change options in the NIC driver.
That can not be done in a Docker container depending on how you run it.
I’m not sure what privileges you need, but I’m guessing CAP_NET_ADMIN.
I have run Suricata just fine as a Docker container without those errors, but I don't know what all the consequences could be.
Checksum offloading is one thing I know Suricata wants to toggle.
You might want to worry about the Docker capabilities if you want to run Suricata in a high performance environment.

Hi,

Thanks for quick reply.

Suricata is used only as an IDS. The Suricata binary is run in a non-privileged Docker container as a non-privileged user with cap_net_raw+eip capabilities. Does it have an impact on what Suricata can detect?

Thanks
Zilvinas

Suricata might not be able to do full accurate detection and/or tracking and reassembly of TCP if certain offloads are still enabled. You can also disable them manually on the interface using the ethtool command.

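The two replies above point the same way: either give the container CAP_NET_ADMIN so Suricata can toggle the NIC features itself, or disable them on the interface by hand with ethtool. The script below is an added example, not code from the thread or from the Suricata project. It parses `ethtool -k` output (a constructed sample is embedded, not captured from a real host), keeps only the top-level features that are on and not `[fixed]`, and emits the single `ethtool -K` command that turns them off. The feature list (checksumming, scatter-gather, TSO, GSO, GRO, LRO) is my choice of the offloads that interfere with seeing packets as they were on the wire; the function names are hypothetical, and the `docker run` line in the comments assumes the container uses host networking so that `eth0` is the interface Suricata sniffs.

```shell
#!/bin/sh
# Added example: emit the ethtool command that disables NIC offloads still
# enabled on an interface. Not part of the original thread or of Suricata.

# Constructed sample of `ethtool -k eth0` output (not from a real host).
# Indented lines are sub-features; only top-level lines are acted on.
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: on
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# Read `ethtool -k` output on stdin; print the `ethtool -K` flag names of the
# offloads that are on and changeable, space separated, in input order.
# Features reported as "[fixed]" cannot be toggled and are skipped.
offloads_to_disable() {
    awk '
    BEGIN {
        flag["rx-checksumming"]              = "rx"
        flag["tx-checksumming"]              = "tx"
        flag["scatter-gather"]               = "sg"
        flag["tcp-segmentation-offload"]     = "tso"
        flag["generic-segmentation-offload"] = "gso"
        flag["generic-receive-offload"]      = "gro"
        flag["large-receive-offload"]        = "lro"
    }
    /^[a-z]/ {
        name = $1; sub(/:$/, "", name)
        if ((name in flag) && $2 == "on" && $3 != "[fixed]")
            out = (out == "" ? "" : out " ") flag[name]
    }
    END { print out }
    '
}

# Build the `ethtool -K <iface> <flag> off ...` command for the offloads found
# on stdin. Prints a comment instead of a command when nothing needs changing.
disable_cmd() {
    iface="$1"
    flags="$(offloads_to_disable)"
    if [ -z "$flags" ]; then
        echo "# nothing to disable on $iface"
        return 0
    fi
    set -- $flags
    cmd="ethtool -K $iface"
    for f in "$@"; do
        cmd="$cmd $f off"
    done
    echo "$cmd"
}

# Demo on the constructed sample. On a real host you would run, as root on the
# host (or in a container started with --cap-add NET_ADMIN):
#   ethtool -k eth0 | disable_cmd eth0 | sh
# To let Suricata flip these itself instead, start the container with both
# capabilities; the SIOCETHTOOL "set" ioctl is gated on CAP_NET_ADMIN, which
# cap_net_raw alone does not cover. Assumed deployment with host networking:
#   docker run --network host --cap-add NET_RAW --cap-add NET_ADMIN ... suricata -i eth0
printf '%s\n' "$SAMPLE_ETHTOOL_K" | disable_cmd eth0
```

Running the demo prints `ethtool -K eth0 rx off tx off sg off tso off gso off gro off`: LRO is skipped because it is already off and fixed, and the VLAN offloads are left alone because they are not in the table. Re-run `ethtool -k eth0` after applying the command to confirm the features now read `off`; the ioctl warnings at startup should disappear once Suricata has nothing left to change, or once the container has CAP_NET_ADMIN.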