Bug 2037807

Summary: Unprivileged users can't send ICMP echo requests
Product: Red Hat Enterprise Linux 8
Reporter: Jan Macku <jamacku>
Component: systemd
Assignee: Jan Macku <jamacku>
Status: CLOSED ERRATA
QA Contact: Frantisek Sumsal <fsumsal>
Severity: high
Docs Contact:
Priority: unspecified
Version: ---
CC: alex.iribarren, apevec, bernd.wahlen, bstinson, carl, eminguez, fsumsal, h1k6zn2m, igor.raits, jcall, jhughes, jwboyer, leonfauster, mark, mharri, ngompa13, pasik, pasteur, paulds, pzatko, riehecky, rkishner, shige, smooney, steve.traylen, sverrel, systemd-maint-list, wshi, xavier, xiliang
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: systemd-239-57.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-10 15:25:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2030107, 2051329

Comment 1 Plumber Bot 2022-01-07 09:10:25 UTC
fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/246

Comment 3 Jan Macku 2022-01-13 15:55:21 UTC
*** Bug 2040385 has been marked as a duplicate of this bug. ***

Comment 9 Josh Boyer 2022-01-18 22:05:36 UTC
For those interested in this issue on CentOS Stream 8, the build is still under test and not eligible due to an unrelated internal infrastructure issue.  We're working to resolve that soon.

Comment 10 smooney 2022-01-19 23:56:37 UTC
Looking at the CentOS build in Koji, it failed on one test case:

155/298 test-procfs-util                          FAIL             0.32s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=200 SYSTEMD_KBD_MODEL_MAP=/builddir/build/BUILD/systemd-239/src/locale/kbd-model-map SYSTEMD_LANGUAGE_FALLBACK_MAP=/builddir/build/BUILD/systemd-239/src/locale/language-fallback-map PATH=/builddir/build/BUILD/systemd-239/x86_64-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin /builddir/build/BUILD/systemd-239/x86_64-redhat-linux-gnu/test-procfs-util
――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
stderr:
Current system CPU time: 5month 4w 4h 23min 16.380000s
Current memory usage: 34.6G
Current number of tasks: 681
kernel.pid_max: 40960
kernel.threads-max: 1030309
Limit of tasks: 40959
Reducing limit by one to 40958…
procfs_tasks_set_limit: Permission denied
Assertion 'r >= 0 ? w == v - 1 : w == v' failed at ../src/test/test-procfs-util.c:59, function main(). Aborting.
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――

https://koji.mbox.centos.org/koji/taskinfo?taskID=334490 

Is that the infra issue you were referring to?

Comment 11 Brian Stinson 2022-01-20 03:16:22 UTC
(In reply to smooney from comment #10)

This is a different issue we're running into on the CentOS Stream builders. We're investigating.

Comment 13 Johnny Hughes 2022-01-20 22:18:02 UTC
OK .. Brian Stinson recommended and I tested:

Removing the dash in the line: 

-net.ipv4.ping_group_range = 0 2147483647

in /usr/lib/sysctl.d/50-default.conf

fixes the issue.

Comment 14 Frantisek Sumsal 2022-01-21 09:49:25 UTC
I see:

```
  Running scriptlet: systemd-239-55.el8.x86_64                            21/21 
Couldn't write '0 2147483647' to '-net/ipv4/ping_group_range', ignoring: No such file or directory

```

```
# sysctl -p 50-default.conf 
kernel.sysrq = 16
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.promote_secondaries = 1
sysctl: cannot stat /proc/sys/-net/ipv4/ping_group_range: No such file or directory
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
```

Looks like we need at least https://github.com/systemd/systemd/pull/13191/commits/dec02d6e1993d420a0a94c7fec294605df55e88e as well from the original PR (https://github.com/systemd/systemd/pull/13191/commits)

Comment 15 Frantisek Sumsal 2022-01-21 11:48:06 UTC
*** Bug 2043500 has been marked as a duplicate of this bug. ***

Comment 16 Johnny Hughes 2022-01-21 13:31:23 UTC
(In reply to Frantisek Sumsal from comment #14)
> I see:
> 
> ```
>   Running scriptlet: systemd-239-55.el8.x86_64                           
> 21/21 
> Couldn't write '0 2147483647' to '-net/ipv4/ping_group_range', ignoring: No
> such file or directory
> 
> ```
> 
> ```
> # sysctl -p 50-default.conf 
> kernel.sysrq = 16
> kernel.core_uses_pid = 1
> kernel.kptr_restrict = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv4.conf.all.promote_secondaries = 1
> sysctl: cannot stat /proc/sys/-net/ipv4/ping_group_range: No such file or
> directory
> net.core.default_qdisc = fq_codel
> fs.protected_hardlinks = 1
> fs.protected_symlinks = 1
> ```
> 
> Looks like we need at least
> https://github.com/systemd/systemd/pull/13191/commits/
> dec02d6e1993d420a0a94c7fec294605df55e88e as well from the original PR
> (https://github.com/systemd/systemd/pull/13191/commits)

removing the - (minus sign) in the /usr/lib/sysctl.d/50-default.conf after installing systemd-239-55.el8.x86_64 works for me in 2 installs.

So changing:

-net.ipv4.ping_group_range = 0 2147483647

to

net.ipv4.ping_group_range = 0 2147483647
Is the minus sign a typo?

Comment 17 Frantisek Sumsal 2022-01-21 13:34:06 UTC
(In reply to Johnny Hughes from comment #16)
> (In reply to Frantisek Sumsal from comment #14)
> > I see:
> > 
> > ```
> >   Running scriptlet: systemd-239-55.el8.x86_64                           
> > 21/21 
> > Couldn't write '0 2147483647' to '-net/ipv4/ping_group_range', ignoring: No
> > such file or directory
> > 
> > ```
> > 
> > ```
> > # sysctl -p 50-default.conf 
> > kernel.sysrq = 16
> > kernel.core_uses_pid = 1
> > kernel.kptr_restrict = 1
> > net.ipv4.conf.all.rp_filter = 1
> > net.ipv4.conf.all.accept_source_route = 0
> > net.ipv4.conf.all.promote_secondaries = 1
> > sysctl: cannot stat /proc/sys/-net/ipv4/ping_group_range: No such file or
> > directory
> > net.core.default_qdisc = fq_codel
> > fs.protected_hardlinks = 1
> > fs.protected_symlinks = 1
> > ```
> > 
> > Looks like we need at least
> > https://github.com/systemd/systemd/pull/13191/commits/
> > dec02d6e1993d420a0a94c7fec294605df55e88e as well from the original PR
> > (https://github.com/systemd/systemd/pull/13191/commits)
> 
> removing the - (minus sign) in the /usr/lib/sysctl.d/50-default.conf after
> installing systemd-239-55.el8.x86_64 works for me in 2 installs.
> 
> So changing:
> 
> -net.ipv4.ping_group_range = 0 2147483647
> 
> to
> 
> net.ipv4.ping_group_range = 0 2147483647
> 
>   
> 
> Is the minus sign a typo?

As I mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2043500#c1 - no, the minus sign is intentional, to ignore errors (particularly in certain container solutions). Unfortunately, it turned out we were missing a couple of patches for this feature to work as advertised. This is being resolved in https://github.com/redhat-plumbers/systemd-rhel8/pull/256.
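
The `-` prefix convention that the previous comment describes (and that the `sysctl -p` failure in comment 14 shows being mishandled), together with the runtime check a user would run to confirm the fix, as an added shell example. This is not code from this bug report, from systemd, or from any RHEL package. It assumes a Linux `/proc/sys` layout; the optional ROOT argument of `apply_sysctl_line` is an assumption added here so the logic can be exercised against a scratch directory, and the dot-to-slash key conversion is a simplification of the full sysctl.d(5) key rules.

```shell
#!/bin/sh
# Added example, not code from this bug report, systemd or any RHEL package.
# Models the sysctl.d(5) rule discussed in the thread: a key written as
# "-net.ipv4.ping_group_range" means "apply it, but ignore write errors";
# the leading "-" is a flag, not part of the /proc/sys path.  The broken
# build passed the "-" through, producing "-net/ipv4/ping_group_range".

# parse_sysctl_line LINE  ->  prints "IGNORE|KEY|VALUE"; returns 1 for
# blank or comment lines.  IGNORE is 1 when the key carried a "-" prefix.
parse_sysctl_line() {
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$line" in
        ''|'#'*|';'*) return 1 ;;
    esac
    key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
    value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
    ignore=0
    case "$key" in
        -*) ignore=1; key=${key#-} ;;
    esac
    printf '%s|%s|%s\n' "$ignore" "$key" "$value"
}

# apply_sysctl_line LINE [ROOT]
# Writes VALUE to ROOT/<key with dots turned into slashes>.  ROOT defaults
# to /proc/sys; passing a scratch directory is an assumption added here so
# the logic can be exercised offline.  Dot-to-slash conversion simplifies
# the sysctl.d(5) key rules (which also accept "/" inside keys).
apply_sysctl_line() {
    parsed=$(parse_sysctl_line "$1") || return 0     # nothing to apply
    root=${2:-/proc/sys}
    ignore=${parsed%%|*}
    rest=${parsed#*|}
    key=${rest%%|*}
    value=${rest#*|}
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ -w "$path" ] && printf '%s\n' "$value" > "$path" 2>/dev/null; then
        return 0
    fi
    if [ "$ignore" = 1 ]; then
        echo "Couldn't write '$value' to '$path', ignoring" >&2
        return 0
    fi
    echo "Couldn't write '$value' to '$path'" >&2
    return 1
}

# ping_gid_allowed RANGE GID
# RANGE is the "lo hi" pair from net.ipv4.ping_group_range (the kernel
# prints it tab-separated).  The kernel default "1 0" is an empty range,
# which is why no unprivileged group can open an ICMP echo socket until
# the range is widened, e.g. to "0 2147483647" as 50-default.conf does.
ping_gid_allowed() {
    gid=$2
    set -- $(printf '%s\n' "$1" | awk '{print $1, $2}')
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# check_ping_group_range: the runtime check behind "unprivileged users can
# ping" on a live Linux host.  Returns 0 if the caller's primary GID is in
# range, 1 if not, 2 if the sysctl is not readable (non-Linux, hidden /proc).
check_ping_group_range() {
    f=/proc/sys/net/ipv4/ping_group_range
    [ -r "$f" ] || { echo "$f not readable; cannot check" >&2; return 2; }
    range=$(cat "$f")
    gid=$(id -g)
    if ping_gid_allowed "$range" "$gid"; then
        echo "gid $gid is within ping_group_range [$range]: ICMP echo sockets allowed without privileges"
    else
        echo "gid $gid is outside ping_group_range [$range]: ping can only work through a raw socket (CAP_NET_RAW)"
        return 1
    fi
}

# Demo on constructed lines; the first is the line from 50-default.conf.
for l in '-net.ipv4.ping_group_range = 0 2147483647' 'kernel.sysrq = 16' '# comment'; do
    parse_sysctl_line "$l" || echo "(skipped: $l)"
done
check_ping_group_range || :
```

Running `check_ping_group_range` on a host with the affected build reports the caller's GID as outside the range, because the `-`-prefixed line was silently skipped and the kernel default "1 0" stayed in place; on a build with the fix (or after the manual workaround of dropping the `-`) the same check reports the GID inside "0 2147483647".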

Comment 18 Brian Stinson 2022-01-21 16:16:19 UTC
*** Bug 2043614 has been marked as a duplicate of this bug. ***

Comment 19 Josh Boyer 2022-01-22 17:09:49 UTC
*** Bug 2043929 has been marked as a duplicate of this bug. ***

Comment 20 David Tardon 2022-02-01 09:58:59 UTC
*** Bug 2048905 has been marked as a duplicate of this bug. ***

Comment 21 David Tardon 2022-02-01 11:14:08 UTC
*** Bug 2048990 has been marked as a duplicate of this bug. ***

Comment 22 Frantisek Sumsal 2022-02-02 08:40:56 UTC
*** Bug 2049413 has been marked as a duplicate of this bug. ***

Comment 23 Roni Kishner 2022-02-03 09:38:23 UTC
This issue is affecting RHEL 6.10 and RHEL 7 releases as well; please verify the fix when it is successfully merged on those releases as well.

Comment 24 Roni Kishner 2022-02-03 11:51:02 UTC
(In reply to Roni Kishner from comment #23)
> This issue is affecting RHEL 6.10 and RHEL 7 releases as well; please verify
> the fix when it is successfully merged on those releases as well.

Please ignore; I was looking at another issue. Sorry for the confusion.

Comment 26 Frantisek Sumsal 2022-02-07 08:00:09 UTC
*** Bug 2051329 has been marked as a duplicate of this bug. ***

Comment 27 Plumber Bot 2022-02-07 14:20:38 UTC
fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/256

Comment 29 Igor Raits 2022-02-11 09:28:50 UTC
Is there any ETA when this build will appear in the CentOS Stream 8?

Comment 30 Brian Stinson 2022-02-11 14:31:38 UTC
There's no ETA for inclusion in Stream 8, but the process is working. This got pushed today:

https://git.centos.org/rpms/systemd/c/da2bf9e4d033db98743f33c925f39a0686c6628a?branch=c8s

Comment 31 Johnny Hughes 2022-02-11 15:42:38 UTC
It was just released to git.centos.org this morning. I am building it now, should go out in the next CentOS Stream 8 compose, sometime this afternoon.

Comment 32 Johnny Hughes 2022-02-11 23:50:17 UTC
The latest systemd for CentOS Stream 8 is now released (systemd-239-58.el8).  I have verified that non-privileged users can now use ICMP tools by default.

Comment 34 Roni Kishner 2022-02-16 12:20:56 UTC
Hey, @fsumsal, do you have any estimate on verifying this bug? This is a setback for our team.

Comment 36 errata-xmlrpc 2022-05-10 15:25:48 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2069