Lack of Network Capabilities (NET_RAW)
tempario
PROOP

3 months ago

Hello all,

I'm facing an issue with a Docker image in which I cannot ping external or internal IPs. I would like to know if you guys, by default, grant the NET_RAW capability to the container or pod's security context.

It seems to be missing, which prevents creating the raw sockets required for ping.

```
# ping 1.1.1.1
bash: /usr/bin/ping: Operation not permitted
```

12 Replies

3 months ago

Containers are not started with that capability


tempario
PROOP

3 months ago

Is it a modification that I can handle at my side?


3 months ago

No, it's a limitation we hold.

You can always do a software defined ping, I know there are few libraries that provide this functionality.


3 months ago

The new version of iputils ping uses ICMP datagram sockets so it should work even without the net_raw capability
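The two paths the replies describe (classic ping needing CAP_NET_RAW for a raw socket, versus newer iputils ping opening an ICMP datagram socket, which the kernel only permits for groups inside the `net.ipv4.ping_group_range` sysctl) can both be checked from inside the container before changing the image. The script below is an added example, not code from this thread or from Railway; it assumes a Linux container with `/proc` mounted, and the `CapEff` and `ping_group_range` sample values used for the pure-function checks are constructed.

```python
"""Added example: work out why `ping` gets "Operation not permitted" in a container.

An unprivileged ping can work in one of two ways:
  1. CAP_NET_RAW is in the effective capability set, so a raw socket can be
     opened (what older ping binaries rely on), or
  2. the kernel lets this process open an ICMP datagram socket
     (SOCK_DGRAM / IPPROTO_ICMP, what newer iputils ping uses), which is
     allowed only when the process's group falls inside
     net.ipv4.ping_group_range.
"""
import os
import socket

CAP_NET_RAW = 13  # bit index from linux/capability.h

# Constructed sample of a /proc/<pid>/status fragment with CAP_NET_RAW dropped
# (0x...a80425fb is the usual Docker default; clearing bit 13 gives ...a80405fb).
SAMPLE_STATUS_NO_NET_RAW = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80405fb\n"
    "CapEff:\t00000000a80405fb\n"
)


def cap_in_effective_set(cap_eff_hex: str, cap: int) -> bool:
    """True if capability bit `cap` is set in a CapEff hex string."""
    return bool(int(cap_eff_hex, 16) & (1 << cap))


def read_cap_eff(status_text: str) -> str:
    """Pull the CapEff value out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("CapEff line not found")


def gid_in_ping_group_range(range_text: str, gid: int) -> bool:
    """net.ipv4.ping_group_range is "low<TAB>high"; the kernel default
    "1 0" is an empty range, so no group may open ICMP datagram sockets."""
    low, high = (int(x) for x in range_text.split())
    return low <= gid <= high


def probe_icmp_dgram_socket() -> bool:
    """Try to open the unprivileged ICMP socket newer iputils ping uses."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError:  # PermissionError or unsupported protocol
        return False
    s.close()
    return True


def diagnose(status_path="/proc/self/status",
             range_path="/proc/sys/net/ipv4/ping_group_range") -> dict:
    """Collect live findings; a check that cannot be read is reported as None."""
    result = {"cap_net_raw": None, "in_ping_group_range": None,
              "icmp_dgram_socket": probe_icmp_dgram_socket()}
    try:
        with open(status_path) as f:
            result["cap_net_raw"] = cap_in_effective_set(read_cap_eff(f.read()), CAP_NET_RAW)
    except (OSError, ValueError):
        pass
    try:
        with open(range_path) as f:
            result["in_ping_group_range"] = gid_in_ping_group_range(f.read(), os.getgid())
    except (OSError, ValueError):
        pass
    return result


def explain(result: dict) -> str:
    """Turn the findings into the action a user of the image would take."""
    if result["cap_net_raw"]:
        return "CAP_NET_RAW present: classic raw-socket ping should work"
    if result["icmp_dgram_socket"]:
        return ("no CAP_NET_RAW, but ICMP datagram sockets are allowed: "
                "a ping built on them (recent iputils-ping) should work")
    return ("no CAP_NET_RAW and ICMP datagram sockets refused: install a ping "
            "that uses SOCK_DGRAM and make sure net.ipv4.ping_group_range "
            "covers this process's group")


if __name__ == "__main__":
    findings = diagnose()
    print(findings)
    print(explain(findings))
```

Run it inside the failing container; if it reports that the ICMP datagram socket opens, swapping in a recent `iputils-ping` is enough, while a refusal on both paths means the sysctl (which is set by the platform, not the image) is what blocks it.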


3 months ago

On aptitude it's iputils-ping


tempario
PROOP

3 months ago

Thanks @Brody, gonna figure it out and wait to tackle it, considering it is a 3rd party image we are deploying at Railway.


tempario
PROOP

3 months ago

Thanks @Phineas, gonna research that too, thanks for the tip.


3 months ago

Np. If you're building from a Debian/Ubuntu base image, you should just be able to add `apt install iputils-ping` to the Dockerfile.


tempario
PROOP

3 months ago

Thanks again


3 months ago

(or `RAILPACK_DEPLOY_APT_PACKAGES=iputils-ping`) if you're using railpack


tempario
PROOP

3 months ago

Gonna try


tempario
PROOP

3 months ago

Let you all know later today
