Skip to content
Buy Now

Docker

6 min read Updated April 18, 2026 Sn1per Pro 2026
Documentation/Docker

Sn1per Professional 2026 can run inside a Docker container on any Docker-capable host. The recommended workflow starts a Kali base container and runs your license’s activation.sh inside it — the same installer used on bare metal.

Why --privileged is required

Sn1per Pro runs a broad offensive toolchain: nmap (raw sockets, SYN / OS-fingerprint), masscan, hping3, nuclei (Go JIT), the Metasploit Framework, and more. On bare metal the installer ships a systemd drop-in at /etc/systemd/system/apache2.service.d/sniper-override.conf that disables Kali’s Apache hardening — Protect*=false, Restrict*=false, MemoryDenyWriteExecute=false, empty SystemCallFilter= — because those restrictions block the scan tools.

Inside Docker, --privileged is the equivalent switch. It grants the container:

  • The full Linux capability set (NET_ADMIN, NET_RAW, SYS_ADMIN, SYS_PTRACE, …)
  • An unrestricted seccomp profile (nuclei JIT’s mprotect(PROT_EXEC|PROT_WRITE), keyctl, unusual ptrace variants)
  • No AppArmor docker-default restrictions (mount, writes to /sys, raw device access)
  • Access to host devices

This is appropriate for an offensive-security tool but worth flagging in your deployment plan.

If you must run with narrower privileges (known-limited feature set), the closest safe alternative is:

docker run -dit --name sn1per-pro -p 1337:1337 
  --cap-add=NET_ADMIN --cap-add=NET_RAW --cap-add=SYS_PTRACE --cap-add=SYS_ADMIN 
  --security-opt seccomp=unconfined --security-opt apparmor=unconfined 
  kalilinux/kali-rolling

Expect some advanced tooling (certain Metasploit post modules, a subset of nuclei templates) to still fail. File a support ticket with the exact error if you hit one.

# 1. Start a Kali base container with port 1337 published and elevated privileges
docker run -dit --name sn1per-pro -p 1337:1337 --privileged kalilinux/kali-rolling

# 2. Open a shell in the container
docker exec -it sn1per-pro bash

# 3. Install curl + sudo (kali-rolling:latest is minimal), then run the activation URL
apt update && apt install -y curl sudo
curl https://sn1persecurity.com/pro/10.0/<your-license-hash>/activation.sh | bash

The installer runs exactly as it would on bare metal — installs Apache / PHP / PostgreSQL / Metasploit / nuclei / the scan engine, configures digest auth, and generates the admin password. Takes 10–20 minutes.

After installation completes, the Pro UI is available on your Docker host at https://localhost:1337. Retrieve the admin password:

docker exec sn1per-pro cat /usr/share/sniper/pro/data/.admin-password

Port mapping

By default the installer binds Apache to port 1337 inside the container. Map it to any free port on the host:

# Host 1337 -> container 1337 (recommended, matches license-email docs)
-p 1337:1337

# Host 1338 -> container 1337 (if the host already runs something on 1337)
-p 1338:1337

# Bind to a specific interface only
-p 127.0.0.1:1337:1337

Volume mounts

Persisting scan data across container rebuilds is strongly recommended. Useful mounts:

Scan loot (required for persistence)

-v sn1per-loot:/usr/share/sniper/loot

Workspaces, scan history, screenshots, and findings all live under this tree. Without a volume mount, all scan data is destroyed when the container is removed.

Scan engine config overrides

-v /host/path/sniper.conf:/usr/share/sniper/sniper.conf

Mount your own sniper.conf to customize AI / RAG / Burp / notification settings without editing inside the container.

Admin password visibility

-v sn1per-config:/usr/share/sniper/pro/data

Lets you read the generated admin password from the host:

docker volume inspect sn1per-config | grep Mountpoint
# then: sudo cat <that-path>/.admin-password

docker compose

A minimal compose service for Sn1per Pro with persistent volumes:

services:
  sn1per-pro:
    image: kalilinux/kali-rolling:latest
    container_name: sn1per-pro
    privileged: true
    ports:
      - "1337:1337"
    volumes:
      - sn1per-loot:/usr/share/sniper/loot
      - sn1per-config:/usr/share/sniper/pro/data
    restart: unless-stopped
    # First-run activation is a manual step — see below.
    command: ["sleep", "infinity"]
    healthcheck:
      test: ["CMD-SHELL", "curl -k -f --silent --max-time 5 -o /dev/null https://127.0.0.1:1337/ || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 120s

volumes:
  sn1per-loot:
  sn1per-config:

First-run activation (one-time per container creation):

docker compose up -d sn1per-pro
docker compose exec sn1per-pro bash -c 
  'apt update && apt install -y curl sudo && curl https://sn1persecurity.com/pro/10.0/<your-license-hash>/activation.sh | bash'

From then on docker compose up -d / down / restart / stop / start work normally and the installed stack persists inside the container + volumes.

Container management

# Lifecycle
docker stop sn1per-pro
docker start sn1per-pro
docker restart sn1per-pro
docker rm    sn1per-pro           # remove (stop first)

# Introspection
docker logs sn1per-pro            # Apache + install logs
docker exec -it sn1per-pro bash   # interactive shell
docker exec sn1per-pro systemctl status apache2

# Retrieve admin password
docker exec sn1per-pro cat /usr/share/sniper/pro/data/.admin-password

# Run a scan from the host
docker exec sn1per-pro sniper -t target.com -m normal

# Copy loot out to the host
docker cp sn1per-pro:/usr/share/sniper/loot ./sn1per-loot-backup

License activation notes

The activation URL binds your license to the container’s machine ID on first install. When you rebuild the image or recreate the container, the machine ID changes and you must de-register the old instance first (see Installation → De-registration) before activating on the new container.

If you plan to recreate the container often (CI, ephemeral testing), email [email protected] to discuss long-running license arrangements.

Troubleshooting

Container exits immediately after docker run

The base kalilinux/kali-rolling image’s default entrypoint is bash, which exits when not attached to a TTY. Use -dit (detached + interactive + TTY) as shown above, or explicitly run sleep infinity as the command.

Activation fails with connection refused

Make sure the container can reach the public internet:

docker exec sn1per-pro curl -v https://sn1persecurity.com

Check your host’s Docker network settings and any egress firewalls.

curl: not found when running the activation script

Install it first: apt update && apt install -y curl sudo. kalilinux/kali-rolling:latest is intentionally minimal.

Port 1337 already in use on the host

ss -lntp | grep 1337       # find the holder
docker run ... -p 1338:1337 ...   # or publish to a different host port

Nmap SYN scan hangs or returns only closed ports

--privileged is not set (or was silently dropped by your orchestrator). Verify:

docker inspect sn1per-pro --format '{{.HostConfig.Privileged}}'
# expect: true

Apache says “AH00558: Could not reliably determine the server’s fully qualified domain name”

Harmless. Cosmetic warning only.

Container disk usage grows unexpectedly

Scan loot under /usr/share/sniper/loot/ is the main consumer. Either use a host bind mount (so the data is outside the container) or periodically clean old workspaces via the Pro web UI’s Delete Workspace action.

More help

See Installation → Troubleshooting for non-Docker-specific issues, or email [email protected] with:

  • Your license key
  • The output of docker inspect sn1per-pro
  • The last 200 lines of docker logs sn1per-pro

Something missing, unclear, or out-of-date?

Email the team