Rootless network #10

Open
PedroRegisPOAR opened this issue Sep 8, 2021 · 2 comments


PedroRegisPOAR commented Sep 8, 2021

@mwoodpatrick

I'm running on Arch Linux WSL-2, id shows:

uid=1000(mwoodpatrick) gid=1000(mwoodpatrick)

I am able to ping localhost, dns.google.com without issue.

cat /proc/sys/net/ipv4/ping_group_range

shows

0 2000000

but when I run:

podman run -it --rm busybox /bin/sh -c 'ping -c 5 google.com'

I get:

PING google.com (142.251.46.206): 56 data bytes
ping: permission denied (are you root?)

What do I need to do to get this to work?

@PedroRegisPOAR
Contributor Author

Totally missed your comment here @mwoodpatrick, sorry for that, not so used to tracking GitHub notifications.

The problem is that it misses the capability CAP_NET_RAW.

podman run busybox sh -c 'ping -c 3 1.1.1.1'

Outputs:

PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: permission denied (are you root?)

So it was broken for me too. Probably this was just saved as a way to trigger this error.

Adding the required capability:

podman run --cap-add CAP_NET_RAW busybox sh -c 'ping -c 3 1.1.1.1'

Outputs:

PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=255 time=62.911 ms
64 bytes from 1.1.1.1: seq=1 ttl=255 time=66.129 ms
64 bytes from 1.1.1.1: seq=2 ttl=255 time=64.300 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 62.911/64.446/66.129 ms

Note: change it from google.com to 1.1.1.1 because it "works" the same even without internet; I mean the initial permission denied error is replicable even if the internet is turned off.
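A way to check both things this thread looks at, the `ping_group_range` value and the `CAP_NET_RAW` capability, for the process that actually runs ping (an added example, not part of the original issue or the project; the function names and sample masks are constructed for illustration):

```shell
#!/bin/sh
# Added example (not from the issue): why does ping say "permission denied"?
# Read the inputs inside the container, since that is where ping runs.

CAP_NET_RAW_BIT=13  # CAP_NET_RAW is capability 13 in <linux/capability.h>

# has_cap HEXMASK BIT: succeeds if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# gid_in_ping_range GID "LOW HIGH": succeeds if GID may open unprivileged
# ICMP echo sockets (SOCK_DGRAM). The kernel default "1 0" matches no group.
gid_in_ping_range() {
    set -- "$1" $2          # intentional word splitting of "LOW HIGH"
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# diagnose CAPEFF GID RANGE: prints one verdict.
diagnose() {
    if has_cap "$1" "$CAP_NET_RAW_BIT"; then
        echo raw-socket-ok       # ping can open SOCK_RAW
    elif gid_in_ping_range "$2" "$3"; then
        echo dgram-icmp-only     # only a ping that uses SOCK_DGRAM ICMP works
    else
        echo denied              # neither path is open
    fi
}

# diagnose_self: same verdict for the current process.
diagnose_self() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    diagnose "$capeff" "$(id -g)" "$(cat /proc/sys/net/ipv4/ping_group_range)"
}

if [ "${1:-}" = "--self" ]; then
    diagnose_self
else
    # Constructed sample masks: bit 10 only, then bit 13 (CAP_NET_RAW) only.
    diagnose 0000000000000400 1000 "1 0"        # denied
    diagnose 0000000000002000 1000 "1 0"        # raw-socket-ok
    diagnose 0000000000000400 1000 "0 2000000"  # dgram-icmp-only
fi
```

Run it with `--self` from the container's shell to evaluate the live values instead of the constructed samples.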
