From 6b6411e93ac7a8974a9b011bbd77d11349615c47 Mon Sep 17 00:00:00 2001
From: RD WebDesign
Date: Tue, 21 Oct 2025 19:01:14 -0300
Subject: [PATCH 1/2] Disable log flush inside containers
Signed-off-by: RD WebDesign
---
 src/api/action.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/src/api/action.c b/src/api/action.c
index 704369921..00fa16087 100644
--- a/src/api/action.c
+++ b/src/api/action.c
@@ -137,6 +137,30 @@ int api_action_restartDNS(struct ftl_conn *api)
 return send_json_success(api);
 }
+// This function checks if a given PID is running inside a docker container
+static bool is_in_docker(const pid_t pid)
+{
+ char filename[sizeof("/proc/%u/cgroup") + sizeof(int)*3];
+ snprintf(filename, sizeof(filename), "/proc/%d/cgroup", pid);
+
+ FILE *f = fopen(filename, "r");
+ if(f == NULL)
+ return false;
+
+ char buffer[128];
+ while(fgets(buffer, sizeof(buffer), f) != NULL)
+ {
+ if(strstr(buffer, "/docker") != NULL)
+ {
+ fclose(f);
+ return true;
+ }
+ }
+ fclose(f);
+
+ return false;
+}
+
 int api_action_flush_logs(struct ftl_conn *api)
 {
 if(!config.webserver.api.allow_destructive.v.b)
@@ -145,6 +169,14 @@ int api_action_flush_logs(struct ftl_conn *api)
 "Flushing the logs is not allowed",
 "Check setting webserver.api.allow_destructive");
+ // Disable flush_logs endpoint inside containers because the operation needs
+ // FTL restart and this is not possible inside containers
+ if(is_in_docker(getpid()))
+ return send_json_error(api, 403,
+ "forbidden",
+ "Flushing the logs is not possible in containers",
+ "Not enough permissions inside docker containers");
+ log_info("Received API request to flush the logs"); // Flush the logs
From 40f538ba30e57ab51dbdf1f4fadaad04a42913ce Mon Sep 17 00:00:00 2001
From: RD WebDesign
Date: Tue, 21 Oct 2025 19:09:05 -0300
Subject: [PATCH 2/2] Include error 403 for flush_logs endpoint
Signed-off-by: RD WebDesign
---
 src/api/docs/content/specs/action.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
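Review bot: `is_in_docker()` in the first src/api/action.c hunk fails open: it returns false both when `/proc/<pid>/cgroup` cannot be opened and when no line contains `/docker`. On hosts using cgroup v2 with a private cgroup namespace that file typically reads just `0::/`, and other runtimes such as Podman or containerd generally do not put `docker` in the path, so the guard that depends on this function will not fire in many containers. The function should say so in its header comment, e.g. `// Best-effort heuristic: true only if a cgroup path contains "/docker"; false on any error or other container layout`. A line longer than the 128-byte `buffer` is read in pieces, so a match straddling the boundary is missed as well. Testing for the capability the flush actually needs would be more reliable than detecting the environment, but that logic is outside this hunk.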
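Review bot: The container refusal added to `api_action_flush_logs` (second src/api/action.c hunk) returns before `log_info("Received API request to flush the logs")`, so a rejected request to flush the logs leaves no entry in the FTL log. Log deletion is worth auditing even when it is refused; I would brace the `if` and put `log_info("Rejected API request to flush the logs: running inside a container");` ahead of the `return send_json_error(...)`. The hint text `Not enough permissions inside docker containers` also describes a permission problem, while the comment above gives the reason as FTL not being restartable in containers; aligning the two would help whoever triages the response. The function body starts and continues outside the hunk.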
diff --git a/src/api/docs/content/specs/action.yaml b/src/api/docs/content/specs/action.yaml
index 893a42cfe..7d2188b7d 100644
--- a/src/api/docs/content/specs/action.yaml
+++ b/src/api/docs/content/specs/action.yaml
@@ -115,6 +115,13 @@ components:
 allOf:
 - $ref: 'common.yaml#/components/errors/unauthorized'
 - $ref: 'common.yaml#/components/schemas/took'
+ '403':
+ description: Forbidden
+ content:
+ application/json:
+ schema:
+ allOf:
+ - $ref: 'action.yaml#/components/errors/forbidden'
 flush_arp:
 post:
 summary: Flush the network table