+++ This bug was initially created as a clone of Bug #1142311 +++ Description of problem: On a Fedora 24 host, I can use Dnf to install additional packages from 'docker run ...' or in a Docker file. If I install the 'iputils' package (and any dependencies), the basic 'ping' command does not work. However, if I use the 'busybox' image from the public Docker index, it's ping command works perfectly fine (on same Fedora 24 host). Version-Release number of selected component (if applicable): Client: Version: 1.10.3 API version: 1.22 Package version: docker-1.10.3-20.gitee81b72.fc24.x86_64 Go version: go1.6.2 Git commit: ee81b72/1.10.3 Built: OS/Arch: linux/amd64 Server: Version: 1.10.3 API version: 1.22 Package version: docker-1.10.3-20.gitee81b72.fc24.x86_64 Go version: go1.6.2 Git commit: ee81b72/1.10.3 Built: OS/Arch: linux/amd64 How reproducible: Trivial Steps to Reproduce: 1. docker run -i -t fedora:24 bash 2. (in container) dnf install -y iputils 3. (in container) ping 127.0.0.1 Actual results: bash: /usr/bin/ping: Operation not permitted Expected results: PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.141 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.044 ms Additional info: This bug is a clone of https://bugzilla.redhat.com/show_bug.cgi?id=1142311 See also: http://www.projectatomic.io/blog/2015/04/problems-with-ping-in-containers-on-atomic-hosts/ In particular, as written in the blog post, this command fixes the issue: setcap cap_net_raw,cap_net_admin+p /usr/bin/ping Here are some relevant notes from the cloned bug, though sometimes inaccurate: [...] --- Additional comment from Christoph Görn on 2015-01-28 11:28:43 EST --- Regarding the RHEL7 base image, Dan's comment lead in the right direction: the container that is running ping needs a set of capabilities enabled: net_raw and net_admin. [...] --- Additional comment from Daniel Walsh on 2015-03-10 13:25:15 EDT --- Ok after digging into this a little further the problem is that ping can be used for net_raw and net_admin, We install it with both capabilities and it fails on the net_admin since this is not allowed by policy. If it runs with just net_raw it works fine. setcap cap_net_raw+ep /usr/bin/ping # ping 4.2.2.2 PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data. 64 bytes from 4.2.2.2: icmp_seq=1 ttl=55 time=16.5 ms 64 bytes from 4.2.2.2: icmp_seq=2 ttl=55 time=15.3 ms We probably need to open a bugzilla on iputils to be able to handle this situation. --- Additional comment from Eric Paris on 2015-03-10 13:46:50 EDT --- The "File capabilities" and "Transformation of capabilities during execve()" sections of man (7) capabilities are probably illuminating. If you need to allow it both net_raw and admin in the file cap but only permit 1 or the other, you are going to have to remote the +ep portion of the filecap, but add code to put them into the effective set (and gracefully handle error).... [...] --- Additional comment from Stephen Tweedie on 2015-03-10 14:27:41 EDT --- I think we need +p, not +e, so that the caps are still permitted even though they are not immediately raised. And indeed, with setcap cap_net_raw,cap_net_admin+p, things seem to work perfectly for me, both as root and as non-root within a container: caps are raised as needed and fail gracefully when not available. [...] Also "-m <mark>" requires cap_net_admin, which is unavailable within the container, but this fails gracefully as desired: [root@29b49db23971 /]# /opt/ping/ping -m 123 -c1 10.3.1.1 PING 10.3.1.1 (10.3.1.1) 56(84) bytes of data. Warning: Failed to set mark 123 64 bytes from 10.3.1.1: icmp_seq=1 ttl=62 time=0.327 ms --- Additional comment from Eric Paris on 2015-03-10 14:33:27 EDT --- so we all now agree, the bug is in the spec file. it shouldn't include the e, only the p. %attr(0755,root,root) %caps(cap_net_raw=ep cap_net_admin=ep) %{_bindir}/ping This is likely true of the other binaries (ping6, arp, et al) but you'd need to make sure the code is doing a capset and failing gracefully for those. (we've proved it does it for ping....) [...] --- Additional comment from Eric Paris on 2015-03-11 09:11:27 EDT --- So +e should be removed from all binaries which call capset(). As there is no need for the kernel to automatically add those capabilities on execve(). The application is doing that step themselves. So if clockdiff doesn't work without +e, we'd need to check the code to see if clockdiff is using capset() correctly to add whatever it needs (cap_net_raw) into effective at runtime, instead of requiring the kernel to do it at execve() time... --- Additional comment from Daniel Walsh on 2015-03-11 11:18:16 EDT --- This is not only an SELinux issue. Docker removes capabilities net_admin from the container. Even with SELinux disabled this problem will happen. This probably blows up on an Ubunto machine also.
Not sure if this is relevant, but as of kernel 4.8.8-100.fc23.i686 I was forced to put cap_net_raw+p on a script I wrote that uses SOCK_RAW to generate ICMP packets *** RUN AS ROOT ***! This shocked me. Why should root need any extra cap bits set on a program? Any better place to discuss this?
Jan any movement on this bugzilla?
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Still a problem in f26; ping still fails with the EPERM message, and the spec file still sets %caps(cap_net_raw=ep) rather than ...=p.
iputils-20161105-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f09730aa85
Looks good, ping is working as expected in an f26 docker container and everything looks OK in an f26 VM; getcap shows the expected capabilities on /usr/bin/ping. karma left. Many thanks!
iputils-20161105-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f09730aa85
iputils-20161105-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.