sysctl: Enable ping(8) inside rootless Podman containers

debarshiray · poettering · commit 90ce7627dfe8 · 2019-07-24T16:41:45.000+02:00
This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because those aren't effective inside rootless Podman containers. It's quite useful when using OSTree based operating systems like Fedora Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox [1]. Not having a basic network utility like ping(8) work inside the development environment can be inconvenient. See: https://lwn.net/Articles/422330/ http://man7.org/linux/man-pages/man7/icmp.7.html containers/podman#1550 The upper limit of the range of group identifiers is set to 2147483647, which is 2^31-1. Values greater than that get rejected by the kernel because of this definition in linux/include/net/ping.h: #define GID_T_MAX (((gid_t)~0U) >> 1) That's not so bad because values between 2^31 and 2^32-1 are reserved on systemd-based systems anyway [2]. [1] https://github.com/debarshiray/toolbox [2] https://systemd.io/UIDS-GIDS.html#summary
diff --git a/NEWS b/NEWS
@@ -2,6 +2,12 @@ systemd System and Service Manager
 
 CHANGES WITH 243 in spe:
 
+        * Enable unprivileged programs, neither setuid nor having file
+          capabilities, to send ICMP Echo requests by turning on the
+          net.ipv4.ping_group_range parameter of the Linux kernel for all
+          groups. If this is not desirable, then it can be disabled by setting
+          the parameter to "1 0".
+
         * Previously, filters defined with SystemCallFilter= would have the
           effect that an calling an offending system call would terminate the
           calling thread. This behaviour never made much sense, since killing
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
@@ -30,6 +30,14 @@ net.ipv4.conf.all.accept_source_route = 0
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.all.promote_secondaries = 1
 
+# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+# The upper limit is set to 2^31-1. Values greater than that get rejected by
+# the kernel because of this definition in linux/include/net/ping.h:
+#   #define GID_T_MAX (((gid_t)~0U) >> 1)
+# That's not so bad because values between 2^31 and 2^32-1 are reserved on
+# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
+net.ipv4.ping_group_range = 0 2147483647
+
 # Fair Queue CoDel packet scheduler to fight bufferbloat
 net.core.default_qdisc = fq_codel
 
