Lack of Network Capabilities (NET_RAW)
tempario
PROOP

11 days ago

Hello all,

I'm facing an issue on a Docker image in which I cannot ping external or internal IPs. I would like to know if you guys, by default, grant the NET_RAW capability to the container or pod's security context.

It seems to be missing, which prevents creating the raw sockets required for ping.

```
# ping 1.1.1.1
bash: /usr/bin/ping: Operation not permitted
```

12 Replies

brody
EMPLOYEE

11 days ago

Containers are not started with that capability.


tempario
PROOP

11 days ago

Is it a modification that I can handle at my side?


brody
EMPLOYEE

11 days ago

No, it's a limitation we hold.

You can always do a software defined ping, I know there are few libraries that provide this functionality.


phin
EMPLOYEE

11 days ago

The new version of iputils ping uses ICMP datagram sockets, so it should work even without the net_raw capability.
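
The datagram-ICMP approach phin describes (the mechanism newer iputils ping relies on), as an added example that is not from this thread or from Railway: a minimal Python echo request over `SOCK_DGRAM`/`IPPROTO_ICMP`, which needs no CAP_NET_RAW but does require the process GID to fall inside the kernel's `net.ipv4.ping_group_range` sysctl. The function names and the constructed payload are my own.

```python
import os
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(kind: int, ident: int, seq: int, payload: bytes = b"railway-ping") -> bytes:
    """Echo request (8) or reply (0): type, code, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def parse_echo_reply(packet: bytes):
    """(ident, seq, payload) for a valid echo reply, else None; no IP header on datagram sockets."""
    if len(packet) < 8:
        return None
    kind, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if kind != ICMP_ECHO_REPLY or code != 0 or icmp_checksum(packet) != 0:
        return None
    return ident, seq, packet[8:]


def unprivileged_ping(host: str, timeout: float = 1.0, seq: int = 1):
    """One echo round trip over SOCK_DGRAM/IPPROTO_ICMP (no CAP_NET_RAW needed).
    Returns RTT in seconds, or None on timeout or if the GID is outside ping_group_range."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except PermissionError:
        return None
    with sock:
        sock.settimeout(timeout)
        ident = os.getpid() & 0xFFFF  # the kernel replaces this with the socket's local port
        sent_at = time.monotonic()
        sock.sendto(build_icmp_echo(ICMP_ECHO_REQUEST, ident, seq), (host, 0))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
        parsed = parse_echo_reply(data)
        return time.monotonic() - sent_at if parsed and parsed[1] == seq else None
```

If `unprivileged_ping("1.1.1.1")` returns None immediately rather than after the timeout, check `cat /proc/sys/net/ipv4/ping_group_range` inside the container.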


phin
EMPLOYEE

11 days ago

On aptitude it's iputils-ping.


tempario
PROOP

11 days ago

Thanks @Brody, gonna figure out and wait to tackle it, considering it is a 3rd party image we are deploying at Railway.


tempario
PROOP

11 days ago

Thanks @Phineas, gonna research that too, thanks for the tip.


phin
EMPLOYEE

11 days ago

Np. If you're building from a deb/ubuntu base image, you should just be able to add `apt install iputils-ping` to the Dockerfile.


tempario
PROOP

11 days ago

Thanks again


phin
EMPLOYEE

11 days ago

(or `RAILPACK_DEPLOY_APT_PACKAGES=iputils-ping` if you're using railpack)


tempario
PROOP

11 days ago

Gonna try


tempario
PROOP

11 days ago

Let you all know later today

