Zeek container startup is slow when using HDD and non-default UID/GID

[H-Dynamite]

Describe the bug

I have customized some zeek plugins and placed them under /Malcolm/zeek/custom. Every time I modify the monitored network card, I need to restart the zeek live container using the docker compose stop zeek-live and docker compose up -d zeek-live commands.

But after restarting the zeek live container, it has been unhealthy for a long time. After entering the container, check the process ps -ef, I found that the process chown -R zeek:zeek /opt/zeek has been running continuously, stuck for almost 20 minutes.

My purpose is to modify the packet capture port. The configuration of the packet capture port is written when the container is first created. Currently, I can only regenerate 'zeek-live' through this method to make it effective.

To Reproduce
Steps to reproduce the behavior:

1. I'm not sure if it has anything to do with my custom Zeek component
2. Modify the PCAP_IFACE variable in pcap-capture.env
3. docker compose stop zeek live
4. docker compose up - d zeek live

Expected behavior
After modifying the packet capture port, zeek live should be able to start quickly

**Screenshots and/or Logs **
If applicable, attach screenshots or container logs (e.g., the relevant bits of ./scripts/logs) to help explain your problem.

Malcolm Version:

• Version 25.02.0

How are you running Malcolm?

• ISO installed (on VM or dedicated hardware)
• via Docker on Linux
• via Docker on Microsoft Windows
• via Docker on macOS
• via Kubernetes (please provide platform details: e.g., on-prem K3s, Amazon AWS EKS, Microsoft Azure AKS, etc.)
• other (please describe)

Additional context
Add any other context about the problem here.

[H-Dynamite]

I have repeatedly used command inspection and found that chown runs slowly. It seems that this chown logic is executed every time a container is created. Is there any way to optimize it, or is there another way to avoid this

[mmguero]

So what you've discovered is that as part of Malcolm's containers' startup, certain files/directories need to be chowned to be owned by the non-root user that the Zeek processes will be run as.

If it so happens that the UID/GID on the host (specified in process.env) match the defaults the Zeek container was built with (which is 1000/1000) then it won't have to do the chown and will be much faster. Unfortunately, if the UID/GID on the host to which Malcolm will be mapped is something else (e.g., 1001/1001) then there's really not a way to avoid the chown.

Normally it's not that slow though, I run Malcolm on a machine that uses different UID/GID (1001/1001) and it doesn't take nearly that long. However, I am using pretty fast storage for the storage device Linux is using for the container overlays (NVMe or fast SSD). What kind of storage is on the system we're talking about? Is it a rotational drive or something?

The only way I could see to avoid the chown completely would be to rebuild the Zeek container (e.g., ./scripts/build.sh zeek) and change the default UID/GID to be the ones you'll be running as.

[H-Dynamite]

I am using a mechanical hard drive, and it is indeed very slow. Is there any way to optimize it? When creating Docker images, can we allocate permissions in advance to avoid having to reassign permissions every time we create them

[mmguero]

The way to set those permissions up in advance is to build the Zeek image with the default UID/GID set to what it's going to be at runtime. So, essentially:

1. If you're not already working from a Malcolm repository working copy (assuming you're using the latest Malcolm release):
   • git clone -b v25.08.0 https://github.com/cisagov/Malcolm
2. Identify the UID/GID you'll be running Malcolm as on the system (id -u and id -g) and edit ./Dockerfiles/zeek.Dockerfile and put those values in there for DEFAULT_UID and DEFAULT_GID. Those are also the values that would have been put into ./config/process.env when you ran configure
3. Build the zeek container: ./scripts/build.sh zeek (this will take probably 30+ minutes)
4. When you run docker images now you should see your new zeek container, which should match the image: value for the zeek and zeek-live containers in your docker-compose.yml.
5. Now, when Malcolm runs, it will not need to do the length chown on your rotational drive, as the UID/GID used when the container was build assigning the initial permissions will match those in process.env.