Collaborator

@adamoutler adamoutler commented Jan 31, 2026

Streamline First Run configuration by auto-configuring all active networks for scanning.

This update improves the out-of-the-box experience by ensuring all active networks are identified and configured during the initial setup. Currently, arp-scan --localnet defaults to only the first alphabetically ordered interface, which often misses the primary LAN or additional active segments.

By explicitly setting the --interface and CIDR for every detected network, this change enables a true zero-configuration setup that is fully operational and compatible with all NetAlertX plugins upon first run.

Key Improvements:

  • Automatic Interface Mapping: Moves away from a --localnet default to a comprehensive scan of all active networks when networks are online during first run.
  • Alphabetical Bias Fix: Prevents the scanner from ignoring relevant networks simply because of their interface naming convention. (This is the default --localnet behavior)
  • Plugin Compatibility: Ensures that all NetAlertX plugins have immediate access to the correct network data without manual user intervention.

Future improvements:
It will be possible to implement ICMPv2 with fping as a default scanner, allowing complete layer 2 (ARP), layer 3 (Internet check + ICMP) and layer 7 (name resolution) out of the box.

Summary by CodeRabbit

  • New Features

    • Automatic network subnet detection during initial setup — the app now seeds scanning targets from active interfaces instead of using the default local-net placeholder.
  • Bug Fixes

    • Safer first-run configuration flow with improved creation, preservation and clearer error messaging.
  • Tests

    • Added runtime tests that verify dynamic subnet detection and seeded configuration content.
  • Documentation

    • Testing guidance updated to run the full test suite by default.
  • Chores

    • Network utility (ipcalc) included in the runtime image.


Contributor

coderabbitai bot commented Jan 31, 2026

Walkthrough

Entrypoint switched to bash and adds dynamic SCAN_SUBNETS detection from active IPv4 interfaces (excluding loopback/container interfaces), injecting results into deployed app.conf during first-run. Tests were added/extended to verify generated SCAN_SUBNETS. Dockerfile and testing guidance were updated (ipcalc added; test guidance rewritten).

Changes

| Cohort / File(s) | Summary |
|---|---|
| First-Run Configuration: install/production-filesystem/entrypoint.d/20-first-run-config.sh | Shebang changed to /bin/bash; added get_scan_subnets() to derive SCAN_SUBNETS from active IPv4 interfaces (filtering loopback/docker/veth) and format entries; safer handling of NETALERTX_CONFIG removal; injects generated SCAN_SUBNETS into deployed app.conf via sed during first-run. |
| Container Tests: test/docker_tests/test_container_environment.py | Extended test_missing_app_conf_triggers_seed to read back mounted app.conf and assert SCAN_SUBNETS contains interface entries (not ['--localnet']); added test_first_run_dynamic_subnet to validate dynamic subnet detection on first-run. |
| Docker Build: Dockerfile.debian | Added ipcalc to apt-get install lists in both build and runtime stages to enable IP/network calculations at build and run time. |
| Testing Guidance: .gemini/skills/testing-workflow/SKILL.md | Rewrote testing guidance to make full test suite the default; removed Docker-specific exec examples in favor of container-agnostic shell commands and adjusted instructions for running tests and retrieving runtime artifacts (e.g., API token, app.conf). |

Sequence Diagram(s)

sequenceDiagram
    participant Entrypoint
    participant HostNet as "Host Network\n(interfaces)"
    participant File as "app.conf\n(mounted volume)"
    participant Service

    Entrypoint->>HostNet: enumerate active IPv4 interfaces (exclude lo/docker/veth)
    HostNet-->>Entrypoint: list of network/mask + interface
    Entrypoint->>File: deploy default app.conf (seed) if missing
    Entrypoint->>File: inject SCAN_SUBNETS entries (sed replace)
    Entrypoint->>Service: continue startup (start services)
    Service-->>Entrypoint: runtime started

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'First run auto configure scan subnets' directly and clearly describes the main change: automatic subnet configuration during first-run setup to detect and configure active networks for scanning. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

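Added example, not code from this PR or from NetAlertX: a sketch of the first-run flow the walkthrough describes, deriving SCAN_SUBNETS entries from `ip -o -4 addr show` output and injecting them into app.conf. The function names, the sample `ip` output, the interface-name allow-list and the `['--localnet']` fallback are assumptions; the PR's script uses ipcalc where this uses shell arithmetic.

```bash
#!/usr/bin/env bash
# Added example (not the project's get_scan_subnets): build SCAN_SUBNETS from
# `ip -o -4 addr show` output and inject it into app.conf defensively.

# 192.168.1.57/24 -> 192.168.1.0/24, in shell arithmetic (the PR uses ipcalc).
network_of() {
    local ip=${1%/*} prefix=${1#*/} a b c d n mask
    IFS=. read -r a b c d <<EOF
$ip
EOF
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    n=$(( n & mask ))
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 ))/$prefix"
}

# Reads `ip -o -4 addr show` lines on stdin, prints the SCAN_SUBNETS value.
build_scan_subnets() {
    local idx ifname fam cidr rest list=""
    while read -r idx ifname fam cidr rest; do
        [ "$fam" = inet ] || continue
        case $ifname in
            lo|docker*|veth*) continue ;;        # loopback and container interfaces
            ""|*[!A-Za-z0-9_.-]*) continue ;;    # names that could break the quoted list
        esac
        case $cidr in
            *[!0-9./]*|*/*/*) continue ;;        # only digits, dots and one slash
            *.*.*.*/[0-9]*) ;;
            *) continue ;;
        esac
        list="${list:+$list,}'$(network_of "$cidr") --interface=$ifname'"
    done
    if [ -n "$list" ]; then echo "[$list]"; else echo "['--localnet']"; fi
}

# Replace the SCAN_SUBNETS line; report a missing key instead of passing silently.
inject_scan_subnets() {
    local conf=$1 escaped
    grep -q '^SCAN_SUBNETS=' "$conf" || { echo "WARN: no SCAN_SUBNETS in $conf" >&2; return 1; }
    escaped=$(printf '%s' "$2" | sed 's/[\\&|]/\\&/g')   # neutralise sed specials
    sed "s|^SCAN_SUBNETS=.*|SCAN_SUBNETS=$escaped|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample input, not captured from a real host.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.57/24 brd 192.168.1.255 scope global eth0
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
5: wlan0    inet 10.20.33.7/22 brd 10.20.35.255 scope global wlan0'
printf '%s\n' "$SAMPLE_IP_OUTPUT" | build_scan_subnets
```

Because every interface it keeps becomes an arp-scan target on first run, the allow-list on interface names and the address check matter as much as the network arithmetic.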


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@install/production-filesystem/entrypoint.d/20-first-run-config.sh`:
- Around line 10-28: The Docker image is missing the ipcalc binary required by
the get_scan_subnets() function; update the runner-stage apk add invocation to
include the iputils package so ipcalc is available at container runtime,
ensuring the first-run script can call ipcalc from get_scan_subnets(); modify
the apk add line in the Dockerfile's runner stage to add iputils alongside the
existing packages and rebuild the image.

In `@test/docker_tests/test_container_environment.py`:
- Around line 966-1004: Update test_first_run_dynamic_subnet to capture the
container run result and add a timeout to the subprocess invocation: call
_run_container(...) and assign its return value to a variable (e.g.,
result_container) and assert its exit status as done in other tests; and when
invoking subprocess.run(...) to read app.conf, pass a sensible timeout argument
(e.g., timeout=30) and keep capture_output=True so the test fails fast and
provides stderr/stdout for debugging if it times out or errors.
- Around line 940-956: The subprocess.run invocation that reads the generated
config (the call assigning check_conf) needs a timeout to avoid hanging: add a
timeout parameter (e.g., timeout=30) to that subprocess.run call. Also ensure
the test fails if the container read fails by asserting check_conf.returncode ==
0 (including check_conf.stderr/stdout in the assertion message for debugging)
before using the regex; then keep the existing regex checks (re.search,
match.group(1), assertions that "interface=" is in val and val !=
"['--localnet']") to validate SCAN_SUBNETS.
🧹 Nitpick comments (2)
install/production-filesystem/entrypoint.d/20-first-run-config.sh (1)

68-72: Consider logging sed failures instead of silently ignoring them.

The ||true on line 72 suppresses any sed errors, which could mask configuration issues. If sed fails, the default SCAN_SUBNETS value remains in the config without any indication.

💡 Suggested improvement for error visibility
     # Inject into the newly deployed config
-    sed -i "s|^SCAN_SUBNETS=.*|SCAN_SUBNETS=$SCAN_LIST|" "${NETALERTX_CONFIG}/app.conf" ||true
+    if ! sed -i "s|^SCAN_SUBNETS=.*|SCAN_SUBNETS=$SCAN_LIST|" "${NETALERTX_CONFIG}/app.conf"; then
+        >&2 echo "WARN: Failed to inject SCAN_SUBNETS, using default config value."
+    fi
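Review bot: The `if ! sed -i ...` test on the added lines only fires when sed itself errors; sed exits 0 when no line matches `^SCAN_SUBNETS=`, so a config with no such line passes through unchanged and unwarned. Follow the substitution with an explicit check (for example a grep -q for the expected `SCAN_SUBNETS=` line) and emit the warning from that. Also, `$SCAN_LIST` is expanded inside the sed replacement, where `&`, `\` and the `|` delimiter are special, so escape those characters or validate the value before this line runs.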
test/docker_tests/test_container_environment.py (1)

973-973: Consider using a focused set of mount keys.

Using CONTAINER_TARGETS.keys() includes alias keys (data_db/app_db, data_config/app_config) that map to identical paths, creating redundant mount arguments. While this works, other tests use focused key sets like {"data"} which mounts the parent directory containing both subdirectories.

💡 Simplified mount selection
-    mount_args = _build_volume_args_for_keys(paths, CONTAINER_TARGETS.keys())
+    mount_args = _build_volume_args_for_keys(paths, {"data"})
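Review bot: Switching the `+` line to `{"data"}` drops every key of CONTAINER_TARGETS that is not under the data mount, not only the duplicate aliases, so confirm that the first-run path exercised by this test needs no other target mounted. If it does, pass an explicit set of the non-alias keys rather than the single parent key.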


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.gemini/skills/testing-workflow/SKILL.md:
- Line 3: Update the description string in
.gemini/skills/testing-workflow/SKILL.md by correcting the typo "astandard" to
"standard" so the sentence reads "...single, standard unit tests (fast), full
suites (slow), and handling authentication." Locate the description line
containing "Read before running tests. Detailed instructions for single,
astandard unit tests..." and replace only the misspelled word while preserving
the rest of the text.

@jokob-sk jokob-sk merged commit f91d897 into netalertx:main Feb 1, 2026
5 checks passed