EDIT:
When using the official ubuntu image and installing ping on it afterwards, you also need to run setcap cap_net_raw+p /usr/bin/ping
inside said container. Otherwise the permission check within the container itself (defining the execution context) will not allow you to execute ping, as the required capability will not be part of the effective capabilities.
$ podman run --rm -it ubuntu:22.04
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob cf92e523b49e skipped: already exists
Copying config 216c552ea5 done
Writing manifest to image destination
Storing signatures
root@af1a4b5052e9:/# apt-get update && apt-get install -y iputils-ping && apt-get clean autoclean && apt-get -y autoremove
### Skipped apt output ###
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@af1a4b5052e9:/# ping -c 3 stackoverflow.com
bash: /usr/bin/ping: Operation not permitted
root@30d9c3c936fc:/# sysctl 'net.ipv4.ping_group_range'
net.ipv4.ping_group_range = 0 0
root@af1a4b5052e9:/# setcap cap_net_raw+p /usr/bin/ping
root@af1a4b5052e9:/# ping -c 3 stackoverflow.com
PING stackoverflow.com (151.101.193.69) 56(84) bytes of data.
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=1 ttl=255 time=8.61 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=2 ttl=255 time=8.67 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=3 ttl=255 time=8.86 ms
--- stackoverflow.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 8.609/8.713/8.857/0.105 ms
root@af1a4b5052e9:/#
It is quite likely that the other images you tried either include the right net.ipv4.ping_group_range already or have executed something like setcap cap_net_raw+p /usr/bin/ping before publishing the image.
Feel free to use getcap $(which ping) to list the capabilities other images might have set on ping.
cap_net_raw+ep means: for the capability net_raw, add (+) effective (e) and permitted (p).
I suggest having a look at https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities for a primer regarding capabilities if you are eager to learn more.
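An added example, not part of the answer above: it parses a getcap line in both the older "/usr/bin/ping = cap_net_raw+ep" and the newer "/usr/bin/ping cap_net_raw=ep" layout, expands the flag letters the answer describes, and reports whether the setcap step from the answer is still needed. The input lines and function names are constructed for the example.

```shell
#!/bin/sh
# Expand a getcap/setcap flag string such as "ep" into words.
cap_flags_words() {
  flags="$1"; out=""
  case "$flags" in *e*) out="$out effective";; esac
  case "$flags" in *i*) out="$out inheritable";; esac
  case "$flags" in *p*) out="$out permitted";; esac
  printf '%s\n' "${out# }"
}

# $1: one line of getcap output. Prints "<capability>: <flag words>" per
# capability; returns 1 when the line carries no capability set at all.
# Handles "path cap_a,cap_b=eip" (newer libcap) and "path = cap_a+ep" (older).
decode_getcap_line() {
  line="$1"
  set_part="${line#* }"
  if [ "$set_part" = "$line" ]; then return 1; fi   # no space: no caps listed
  set_part="${set_part#= }"                         # drop older "= " separator
  names="${set_part%%[=+]*}"                        # e.g. cap_net_admin,cap_net_raw
  flags="${set_part#*[=+]}"                         # e.g. eip
  old_ifs="$IFS"; IFS=','
  for name in $names; do
    printf '%s: %s\n' "$name" "$(cap_flags_words "$flags")"
  done
  IFS="$old_ifs"
}

# Returns 0 when cap_net_raw is in the file's permitted set, which is what
# "setcap cap_net_raw+p" establishes (ping raises it into effective itself).
has_cap_net_raw_permitted() {
  decode_getcap_line "$1" | grep -q '^cap_net_raw: .*permitted'
}

# Prints either a confirmation or the remedy given in the answer.
suggest_ping_fix() {
  path="${1%% *}"
  if has_cap_net_raw_permitted "$1"; then
    printf 'ok: %s already has cap_net_raw permitted\n' "$path"
  else
    printf 'run: setcap cap_net_raw+p %s\n' "$path"
  fi
}

# Constructed sample lines standing in for real getcap output.
suggest_ping_fix '/usr/bin/ping cap_net_raw=ep'
suggest_ping_fix '/usr/bin/ping'
```

Feed it the real output with suggest_ping_fix "$(getcap "$(which ping)")" inside the container to see whether the setcap step is still required.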