Skip to main content
Super User

Return to Answer

Add example for using ping in unprivileged ubuntu container
Source Link
Sascha S.
Sascha S.
  • 71
  • 4

EDIT:

When using the official ubuntu image and installeing ping on it afterwards, you also need to run setcap cap_net_raw+p /usr/bin/ping inside said container. Otherwise the permission check within the container itself (defining the execution context) will not allow you to execute ping as the required capability will not be part of the effective capabilities.

$ podman run --rm -it ubuntu:22.04
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob cf92e523b49e skipped: already exists  
Copying config 216c552ea5 done  
Writing manifest to image destination
Storing signatures
root@af1a4b5052e9:/# apt-get update && apt-get install -y iputils-ping && apt-get clean autoclean && apt-get -y autoremove
### Skipped apt output ###
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@af1a4b5052e9:/# ping -c 3 stackoverflow.com
bash: /usr/bin/ping: Operation not permitted
root@30d9c3c936fc:/# sysctl 'net.ipv4.ping_group_range'             
net.ipv4.ping_group_range = 0   0
root@af1a4b5052e9:/# setcap cap_net_raw+p /usr/bin/ping
root@af1a4b5052e9:/# ping -c 3 stackoverflow.com
PING stackoverflow.com (151.101.193.69) 56(84) bytes of data.
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=1 ttl=255 time=8.61 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=2 ttl=255 time=8.67 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=3 ttl=255 time=8.86 ms

--- stackoverflow.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 8.609/8.713/8.857/0.105 ms
root@af1a4b5052e9:/#

It is quite likely, that the other images you tried either include the right net.ipv4.ping_group_range already or have executed something like setcap cap_net_raw+p /usr/bin/ping before publishing the image.

Feel free to use getcap $(which ping) to list the capabilities other images might have set on ping.

cap_net_raw+ep means:
For the capability net_raw add (+) effective (e) and permitted (p).

I suggest having a look at https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities for a primer regarding capabilities if you are eager to learn more.

EDIT:

When using the official ubuntu image and installeing ping on it afterwards, you also need to run setcap cap_net_raw+p /usr/bin/ping inside said container. Otherwise the permission check within the container itself (defining the execution context) will not allow you to execute ping as the required capability will not be part of the effective capabilities.

$ podman run --rm -it ubuntu:22.04
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob cf92e523b49e skipped: already exists  
Copying config 216c552ea5 done  
Writing manifest to image destination
Storing signatures
root@af1a4b5052e9:/# apt-get update && apt-get install -y iputils-ping && apt-get clean autoclean && apt-get -y autoremove
### Skipped apt output ###
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@af1a4b5052e9:/# ping -c 3 stackoverflow.com
bash: /usr/bin/ping: Operation not permitted
root@30d9c3c936fc:/# sysctl 'net.ipv4.ping_group_range'             
net.ipv4.ping_group_range = 0   0
root@af1a4b5052e9:/# setcap cap_net_raw+p /usr/bin/ping
root@af1a4b5052e9:/# ping -c 3 stackoverflow.com
PING stackoverflow.com (151.101.193.69) 56(84) bytes of data.
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=1 ttl=255 time=8.61 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=2 ttl=255 time=8.67 ms
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=3 ttl=255 time=8.86 ms

--- stackoverflow.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 8.609/8.713/8.857/0.105 ms
root@af1a4b5052e9:/#

It is quite likely, that the other images you tried either include the right net.ipv4.ping_group_range already or have executed something like setcap cap_net_raw+p /usr/bin/ping before publishing the image.

Feel free to use getcap $(which ping) to list the capabilities other images might have set on ping.

cap_net_raw+ep means:
For the capability net_raw add (+) effective (e) and permitted (p).

I suggest having a look at https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities for a primer regarding capabilities if you are eager to learn more.

Source Link
Sascha S.
Sascha S.
  • 71
  • 4

As you certainly know, containers make use of certain kernel features. Most prominently this includes kernel namespaces and resource groups.

To interact with the network, you usually interact with the kernel through syscals. When you try executing syscalls, the kernel checks whether you have permission to perform these syscalls. This check considers which user you currently use (calling user), which user executes the program (executing user) and which capabilities are granted in the execution context.

As you can see in this GitHub issue (https://github.com/mviereck/dockerfile-x11docker-deepin/issues/19), ping requires the NET_RAW capability. Check https://security.stackexchange.com/a/128988 as to what this means. You might also want to read https://superuser.com/a/1702188/1737591 on a similar question. This also helps explain why it works as expected with alpine but not with the ubuntu image.

With the --privileged Flag, you basically have a shorthand for including this CAP_NET_RAW among many other permissions. You should instead be able to execute the container with the --cap-add=NET_RAW flag in order to limit the capabilities to a minimum.

I do not know where these errors might get logged but I'd check dmesg and the system's syslogs first.