non-root podman not able to ping external services (limited net capability) #2488

Closed
praveenkumar opened this issue Feb 28, 2019 · 10 comments
Labels
- kind/bug (Categorizes issue or PR as related to a bug.)
- locked - please file new issue/PR (Assist humans wanting to comment on an old issue or PR with locked comments.)
- rootless

@praveenkumar (Contributor)

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Non-root podman not able to ping external services (limited net capability).

Steps to reproduce the issue:

```
$ podman run -it --rm busybox /bin/sh
Trying to pull docker.io/busybox:latest...Getting image source signatures
Copying blob 697743189b6d: 738.18 KiB / 738.18 KiB [========================] 0s
Copying config d8233ab899d4: 1.46 KiB / 1.46 KiB [==========================] 0s
Writing manifest to image destination
Storing signatures
/ # ping google.com
PING google.com (172.217.164.110): 56 data bytes
^C
--- google.com ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss  ===> not able to receive

$ sudo podman run -it --rm busybox /bin/sh
[sudo] password for prkumar: 
Trying to pull docker.io/busybox:latest...Getting image source signatures
Copying blob 697743189b6d: 738.18 KiB / 738.18 KiB [========================] 0s
Copying config d8233ab899d4: 1.46 KiB / 1.46 KiB [==========================] 0s
Writing manifest to image destination
Storing signatures
/ # ping google.com
PING google.com (216.58.192.14): 56 data bytes
64 bytes from 216.58.192.14: seq=0 ttl=54 time=7.746 ms
64 bytes from 216.58.192.14: seq=1 ttl=54 time=8.390 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss   ===> able to receive
```

**Output of `podman version`:**

```
 $ podman version
Version:       1.0.0
Go Version:    go1.11.4
Git Commit:    "49780a1cf10d572edc4e1ea3b8a8429ce391d47d"
Built:         Tue Jan 15 02:08:17 2019
OS/Arch:       linux/amd64
```

**Output of `podman info --debug`:**

```
 $ podman info --debug
debug:
  compiler: gc
  git commit: '"49780a1cf10d572edc4e1ea3b8a8429ce391d47d"'
  go version: go1.11.4
  podman version: 1.0.0
host:
  BuildahVersion: 1.6-dev
  Conmon:
    package: podman-1.0.0-1.git82e8011.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 49780a1cf10d572edc4e1ea3b8a8429ce391d47d'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 13371105280
  MemTotal: 33567719424
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16664739840
  SwapTotal: 16850612224
  arch: amd64
  cpus: 8
  hostname: localhost.localdomain
  kernel: 4.20.6-200.fc29.x86_64
  os: linux
  rootless: true
  uptime: 75h 13m 59.7s (Approximately 3.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/prkumar/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/prkumar/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
  ImageStore:
    number: 2
  RunRoot: /run/user/1000
```

**Additional environment details (AWS, VirtualBox, physical, etc.):**
Installed on Fedora 29.
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 28, 2019
@mheon (Member) commented Feb 28, 2019

Can you enable --log-level=debug for the rootless call and pastebin results? F29 should have slirp4netns installed, but it's possible it doesn't.

@giuseppe Slirp supports arbitrary traffic, right, not just TCP/UDP?

@mheon mheon added the rootless label Feb 28, 2019
@giuseppe (Member)

this is a known problem that we have documented here: https://github.com/containers/libpod/blob/master/troubleshooting.md#5-rootless-containers-cannot-ping-hosts

@giuseppe (Member)

ping for an unprivileged user works because it is a file caps binary, but we don't have that in the container. We need root to enable access to ICMP for unprivileged users.

@rhatdan (Member) commented Feb 28, 2019

Can we turn on the icmp boolean? Then it would work.

If you enable this sysctl, does it work?

```
net.ipv4.ping_group_range = 0 2147483647
```
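A worked check for the mechanism the two comments above describe. This is an added example, not code from the thread, from podman or from slirp4netns, and it assumes a Linux host with the standard `/proc/sys/net/ipv4/ping_group_range` path. The kernel lets a process that lacks CAP_NET_RAW open an ICMP datagram socket (`socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)`, the "ping socket" an unprivileged ping uses) only when its effective GID or one of its supplementary groups falls inside that sysctl's `low high` range; the default `1 0` is an empty range, so nobody qualifies, and the sysctl can only be changed by root on the host. The function names (`gid_allowed`, `probe_icmp_socket`, `diagnose`) and the constructed sample values are my own.

```python
"""Check whether the kernel permits unprivileged ICMP echo sockets for this process.

Added example (not podman/slirp4netns code). It exercises what the
net.ipv4.ping_group_range sysctl gates: without CAP_NET_RAW, a process may open
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) only if one of its group IDs lies in
the configured [low, high] range. The kernel default "1 0" is an empty range.
"""
import errno
import os
import socket

PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"  # standard Linux path
SYSCTL_KEY = "net.ipv4.ping_group_range"
SYSCTL_ALL_GROUPS = "0 2147483647"  # the value suggested in the thread: every GID


def parse_ping_group_range(text):
    """Parse the sysctl's "low high" pair into two ints (low > high means empty)."""
    low, high = text.split()
    return int(low), int(high)


def gid_allowed(text, gids):
    """True if any GID in `gids` lies within the range written in `text`.

    The kernel checks the effective GID and every supplementary group, so the
    caller passes all of them (see process_gids()).
    """
    low, high = parse_ping_group_range(text)
    return any(low <= gid <= high for gid in gids)


def process_gids():
    """Effective GID plus supplementary groups of the calling process."""
    return sorted({os.getegid(), *os.getgroups()})


def probe_icmp_socket():
    """Try to open an unprivileged ICMP datagram socket.

    Returns (True, None) on success, otherwise (False, errno_name). EACCES is
    what the kernel returns when the GID is outside ping_group_range;
    EPROTONOSUPPORT would mean the kernel has no ping-socket support at all.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return True, None


def diagnose(range_text, gids, probe_result):
    """Combine the sysctl value, the process groups and the live probe into a verdict."""
    opened, err = probe_result
    shown = range_text.strip()
    if opened:
        return "ok: unprivileged ICMP sockets permitted for gids %s" % gids
    if not gid_allowed(range_text, gids):
        return ("blocked: %s is '%s', gids %s are outside it; as root run: "
                "sysctl -w '%s=%s'" % (SYSCTL_KEY, shown, gids, SYSCTL_KEY, SYSCTL_ALL_GROUPS))
    return "blocked for another reason (%s); range '%s' does cover gids %s" % (err, shown, gids)


if __name__ == "__main__":
    with open(PING_GROUP_RANGE) as fh:
        current = fh.read()
    print(diagnose(current, process_gids(), probe_icmp_socket()))
```

Run it as the rootless user on the host, not inside the container. A `blocked:` verdict naming EACCES is the case from this issue; applying the suggested sysctl (and persisting it under `/etc/sysctl.d/` so it survives a reboot) and re-running should turn it into `ok`. A verdict of `blocked for another reason` means the range already covers your groups and the cause lies elsewhere, for example a kernel without ping-socket support.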

@rhatdan (Member) commented Feb 28, 2019

If yes, then we should document this.

@giuseppe (Member)

@rhatdan, we already have that in the troubleshooting.md file. Do you think we should add something more?

@rhatdan (Member) commented Feb 28, 2019

Should be in the man page for podman run, I would guess.

@mheon (Member) commented Feb 28, 2019

@rhatdan Should we start a podman-rootless manpage for rootless-specific things like this, the newuidmap errors, etc?

@rhatdan (Member) commented Feb 28, 2019

Well you would have to reference it from the other man pages. But I am fine with that. Just realize that the average user executing podman commands does not know that we call this rootless. So they would not know where to find the man page.

@rhatdan (Member) commented Apr 13, 2019

I think some of the information in troubleshooting.md needs to be added to the podman run/create man pages.

@baude baude closed this as completed May 29, 2019
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023
6 participants