docs: Clarify ARP flux sysctl limitations with host networking

[MrMeatikins]

Fixes #1546.

Description

This PR addresses the issue where the sysctls configuration block for ARP flux mitigation causes errors on modern Docker engines when using network_mode: host.

Changes:

• Updated the 37-host-optimization.sh warning to explicitly advise setting sysctls on the host OS when using host networking.
• Added a new section to docs/docker-troubleshooting/arp-flux-sysctls.md describing the different requirements for standard bridged networking vs. host networking.
• Added inline comments to the baseline docker-compose.yml (DOCKER_COMPOSE.md equivalent) to prevent users from applying the sysctls block incorrectly in host network mode.

Summary by CodeRabbit

• Documentation
  • Improved Docker networking docs with enhanced guidance on ARP flux mitigation across multiple network configurations
  • Added separate configuration options and practical examples for bridge and host network modes, including docker-compose and docker run examples
  • Expanded troubleshooting with clear steps for permission-related errors and remedies (e.g., capability requirements)
  • Extended runtime warning text to clarify host-mode/sysctl implications for users

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation updates clarifying ARP flux mitigation configuration, specifically addressing incompatibility of applying ARP sysctls in host network mode and providing separate guidance for Docker (bridge) vs host-level approaches, plus expanded runtime warning text explaining NET_ADMIN implications.

Changes

Cohort / File(s)	Summary
ARP Flux Docs docs/DOCKER_COMPOSE.md, docs/docker-troubleshooting/arp-flux-sysctls.md	Inserted ARP FLUX MITIGATION guidance: docker-compose/docker run sysctls examples for standard bridge networking, notes on network_mode: host limitations, and host-level sysctl fallback with persistence instructions. Added permissions/NET_ADMIN notes and examples.
Entrypoint Warning install/production-filesystem/entrypoint.d/37-host-optimization.sh	Extended the ARP flux warning message to explain that network_mode: host requires NET_ADMIN for docker-compose sysctls to take effect; otherwise apply sysctls on the host OS.

Poem

🐰 I hopped through docs by moonlight,

arp whispers hid from sight,
Two clear paths now on the page,
Bridge for containers, host for the cage,
NET_ADMIN notes for wiser flight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: documentation clarification about ARP flux sysctl limitations specific to host networking mode.
Linked Issues check	✅ Passed	The pull request addresses all coding-related requirements from issue #1546: clarifying sysctl behavior in host network mode, providing guidance on application methods, and explaining when to apply settings on the host OS.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing issue #1546: documentation updates, inline comments, and warning clarification about ARP flux sysctls with host networking. No unrelated modifications present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/DOCKER_COMPOSE.md`:
- Around line 33-43: The documentation block incorrectly states that sysctl
overrides are blocked when using network_mode: host and instructs removal of the
sysctls block; update the text to reflect the actual behavior: keep the sysctls
(net.ipv4.conf.all.arp_ignore and net.ipv4.conf.all.arp_announce) when using
network_mode (NETALERTX_NETWORK_MODE) with host networking and ensure the note
explains that these sysctls require appropriate privileges (e.g.,
NET_ADMIN/capabilities) to be applied to the host namespace — only instruct
users to remove or apply sysctls when they explicitly lack those privileges or
when they prefer to configure on the Host OS via sudo sysctl -w.

In `@docs/docker-troubleshooting/arp-flux-sysctls.md`:
- Around line 49-65: Update the "Option B: Via Host OS (Required for
`network_mode: host`)" section to acknowledge that `sysctls` can be applied when
`network_mode: host` if the container is granted the `NET_ADMIN` capability (as
used in the repository's docker-compose.yml, install/docker/docker-compose.yml,
and install/docker/docker-compose.dev.yml), and remove the absolute statement
that `runc`/modern Docker always disallows `net.*` sysctls in host namespaces;
either reword to explain the correct pattern (host networking + cap_add:
NET_ADMIN + sysctls) or split into two cases (without NET_ADMIN: must set on
host, with NET_ADMIN: allowed in compose), keeping the examples and the guidance
on removing sysctls from compose only for the no-NET_ADMIN case.

In `@install/production-filesystem/entrypoint.d/37-host-optimization.sh`:
- Around line 25-26: Update the note to remove the absolute prohibition and
state that sysctl behavior with network_mode: host is capability- and
version-dependent: when a service grants NET_ADMIN, sysctls such as
net.ipv4.conf.all.arp_ignore and net.ipv4.conf.all.arp_announce may be accepted
and will modify the host namespace in practice, whereas other sysctls or older
Docker/Compose versions may still reject them; reword the line to reflect this
conditional behavior and recommend documenting the need for NET_ADMIN and
testing on target Docker/Compose versions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: faa5be3c-6b60-4353-acb2-a437a78a1f1c

📥 Commits

Reviewing files that changed from the base of the PR and between a60ec9e and 93fc126.

📒 Files selected for processing (3)

• docs/DOCKER_COMPOSE.md
• docs/docker-troubleshooting/arp-flux-sysctls.md
• install/production-filesystem/entrypoint.d/37-host-optimization.sh

[coderabbitai]

🧹 Nitpick comments (1)

docs/docker-troubleshooting/arp-flux-sysctls.md (1)

24-27: Clarify that Option A modifies the host namespace when using host networking.

When using network_mode: host with NET_ADMIN, the sysctls configured in the container runtime will modify the host's network namespace directly, not an isolated container namespace. This is an important detail for users to understand the scope of impact. The entrypoint script (37-host-optimization.sh) explicitly notes: "When granted, these sysctls will modify the host namespace."

Consider adding a sentence after line 26 to clarify this behavior, such as:

Note: When using network_mode: host, these sysctls will modify the host's network namespace directly.

Based on learnings: "When a Docker Compose service uses network_mode: host and also has NET_ADMIN capability, sysctls like net.ipv4.conf.all.arp_ignore and net.ipv4.conf.all.arp_announce are accepted in practice (not rejected) and modify the host's network namespace directly."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/docker-troubleshooting/arp-flux-sysctls.md` around lines 24 - 27, The
doc's Option A text needs an explicit warning that when using network_mode: host
together with the NET_ADMIN capability the container-set sysctls will modify the
host network namespace; update the "Option A: Via Docker (Standard Bridge
Networking or `network_mode: host` with `NET_ADMIN`)" paragraph to add a
sentence after the existing line (after the sentence starting "If you are using
standard bridged networking...") stating: "Note: when using `network_mode: host`
with `NET_ADMIN`, sysctls configured at container runtime (e.g.,
net.ipv4.conf.all.arp_ignore, net.ipv4.conf.all.arp_announce) will be applied to
the host's network namespace directly." Also reference the entrypoint script
37-host-optimization.sh if helpful.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/docker-troubleshooting/arp-flux-sysctls.md`:
- Around line 24-27: The doc's Option A text needs an explicit warning that when
using network_mode: host together with the NET_ADMIN capability the
container-set sysctls will modify the host network namespace; update the "Option
A: Via Docker (Standard Bridge Networking or `network_mode: host` with
`NET_ADMIN`)" paragraph to add a sentence after the existing line (after the
sentence starting "If you are using standard bridged networking...") stating:
"Note: when using `network_mode: host` with `NET_ADMIN`, sysctls configured at
container runtime (e.g., net.ipv4.conf.all.arp_ignore,
net.ipv4.conf.all.arp_announce) will be applied to the host's network namespace
directly." Also reference the entrypoint script 37-host-optimization.sh if
helpful.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b86a3715-bfed-4a6e-b3e7-228ccecaf54f

📥 Commits

Reviewing files that changed from the base of the PR and between 93fc126 and df3ca50.

📒 Files selected for processing (3)

• docs/DOCKER_COMPOSE.md
• docs/docker-troubleshooting/arp-flux-sysctls.md
• install/production-filesystem/entrypoint.d/37-host-optimization.sh

🚧 Files skipped from review as they are similar to previous changes (2)

• install/production-filesystem/entrypoint.d/37-host-optimization.sh
• docs/DOCKER_COMPOSE.md

[jokob-sk]

Can we merge this or are you still working on it @adamoutler ?

[adamoutler]

Good to go.

[jokob-sk]

Thanks @adamoutler !