[BUG] maltrail in docker stops after some time, container keeps running

[simonszu]

Describe the bug
I have an issue where i start the maltrail container, and maltrail starts up fine. But after some time, it is apparently stopping for unknown reasons (problem 1), but the container is still up and running, since apparently maltrail is not its main process, so the container engine has no was to see that the container is faulty (problem 2).

How To Reproduce
Steps to reproduce the behavior:

1. Start maltrail docker container
2. Wait some time
3. Maltrail WebUI is not reachable any more, the container is still running

Expected behavior
Either:

• maltrail does not simply stop without explanation
  Or:
• if maltrail stops, the whole container stops and can be recognized as crashed by the container engine

Logs

[o] 'https://zeustracker.abuse.ch/blocklist.php?download=compromised'
 [o] '(custom)'
 [o] '(static)'
 [o] 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1'
 [o] 'https://github.com/JR0driguezB/malware_configs'
 [o] 'https://urlhaus.abuse.ch/downloads/text/'
 [o] 'http://tracker.viriback.com/dump.php'
 [o] 'https://zeustracker.abuse.ch/monitor.php?filter=all'
 [o] 'https://zeustracker.abuse.ch/blocklist.php?download=compromised'
 [o] '(custom)'
 [o] '(static)'
[i] post-processing trails (this might take a while)...
[i] update finished
[i] trails stored to '/root/.maltrail/trails.csv'
[?] in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')
[i] opening interface 'any'
[i] setting capture filter 'ip or ip6'
[^] running...
[i] cleaning up...

[*] ending @ 01:02:01 /2025-07-17/

The [i] cleaning up... is the only log message emitted by maltrail regarding the stop event. I have no idea why it stops.

Environment:

• Device: Linux on a mini PC
• OS: Debian Bookworm Linux
• Type of Maltrail installation: docker
• Problematic Maltrail component: server, web-interface
• Maltrail version: latest Docker image (wbsouza/maltrail:latest) as of today

[stamparm]

wbsouza/maltrail is not official docker image. please use instructions from https://github.com/stamparm/maltrail/?tab=readme-ov-file#quick-start

[MikhailKasimov]

@simonszu Try to run official Maltrail in Docker -- yesterday it got various improvements, see: #19323

[simonszu]

OK, thanks, i'll try that. Just out of curiosity, is there a reason why you don't build an publish a complete image on release? Downloading and building myself is no big deal, but i am a lazy person, thats why i searched for most-recent-as-possible images on Docker hub.
If needed, i'll create a PR with some Github Actions to automatically build and publish a Docker image on release.

[MikhailKasimov]

Hello!

Just out of curiosity, is there a reason why you don't build an publish a complete image on release?

Docker wasn't in focus yet -- there were just too episodic questions about Maltrail in Docker due all this time. Hence, onone even touched this question. And looks like just the last week brings the most visible activity about Maltrail in Docker, I mean improvements from @ki9us in #19323 (thank you words are flying to him).

If needed, i'll create a PR with some Github Actions to automatically build and publish a Docker image on release.

If doable, that would be good and would be thankful for that.

[ki9us]

the container is still up and running, since apparently maltrail is not its main process

@simonszu I changed the Dockerfile and documentation so you can use [COMMAND]/command: to specify either server or sensor as CMD. See if this fixes it for you. (If you're running both sensor and server, run both containers).

[MikhailKasimov]

https://github.com/stamparm/maltrail/actions/runs/16597385029/workflow

[MikhailKasimov]

Looks like everything works OK:

Thank you! :)

[simonszu]

Cool. However, i still have to update the documentation so that it refers to the github built package ;)