11 days ago
Hello all,
I'm facing an issue with a Docker image in which I cannot ping external or internal IPs. I would like to know if you guys, by default, grant the NET_RAW capability to the container or pod's security context.
It seems it is missing, which prevents creating the raw sockets required for ping.
```
# ping 1.1.1.1
bash: /usr/bin/ping: Operation not permitted
```
12 Replies
11 days ago
Containers are not started with that capability
11 days ago
No, it's a limitation we hold.
You can always do a software-defined ping; I know there are a few libraries that provide this functionality.
11 days ago
The new version of iputils ping uses ICMP datagram sockets so it should work even without the net_raw capability
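A diagnostic for the two socket paths mentioned in this thread, added here as an example and not posted by anyone in the thread. It assumes a Linux container with `/proc` mounted; the function names and the sample values are constructed for illustration. It reads the current process's effective capability mask for CAP_NET_RAW (bit 13) and checks the `net.ipv4.ping_group_range` sysctl, which the kernel uses to decide which group IDs may open ICMP datagram sockets.

```python
import os
import socket

CAP_NET_RAW = 13  # bit index, from linux/capability.h

# Constructed samples: a capability mask with bit 13 cleared, and the
# kernel default range "1 0" (empty range, no group allowed).
SAMPLE_STATUS = "Name:\tbash\nCapEff:\t00000000a80405fb\n"
SAMPLE_RANGE = "1\t0\n"


def has_net_raw(status_text):
    """True if CapEff in /proc/<pid>/status text includes CAP_NET_RAW."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_NET_RAW) & 1)
    raise ValueError("no CapEff line found")


def gid_allowed(range_text, gids):
    """True if any gid lies inside ping_group_range (inclusive bounds)."""
    low, high = (int(x) for x in range_text.split())
    return any(low <= g <= high for g in gids)


def diagnose(status_text, range_text, gids):
    """Return which ICMP socket type this process should be able to open."""
    if has_net_raw(status_text):
        return "raw"    # classic ping over SOCK_RAW works
    if gid_allowed(range_text, gids):
        return "dgram"  # unprivileged ping over SOCK_DGRAM works
    return "none"       # neither path is available


def try_socket(sock_type):
    """Attempt to open an ICMP socket of the given type; report success."""
    try:
        socket.socket(socket.AF_INET, sock_type, socket.IPPROTO_ICMP).close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    status = open("/proc/self/status").read()
    rng = open("/proc/sys/net/ipv4/ping_group_range").read()
    gids = {os.getegid(), *os.getgroups()}
    print("predicted:", diagnose(status, rng, gids))
    print("SOCK_RAW opens:", try_socket(socket.SOCK_RAW))
    print("SOCK_DGRAM opens:", try_socket(socket.SOCK_DGRAM))
```

A result of `dgram` means a ping build that uses ICMP datagram sockets can run without NET_RAW; `none` means the sysctl range also excludes the process's groups.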
11 days ago
On aptitude it's iputils-ping
Thanks @Brody, gonna figure out a way to tackle it, considering it is a 3rd-party image we are deploying at Railway.
11 days ago
Np. If you're building from deb/ubuntu base image, you should just be able to add `apt install iputils-ping` to the Dockerfile.
11 days ago
(or RAILPACK_DEPLOY_APT_PACKAGES=iputils-ping) if you're using railpack