Make wording steer people in the direction of unprivileged sockets

Update some comments and mention that dont_fragment needs raw sockets. Signed-off-by: David Leadbeater <[email protected]>
prometheus · Jun 16, 2020 · 3e6a316 · 3e6a316
1 parent a821076
commit 3e6a316
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/CONFIGURATION.md b/CONFIGURATION.md
@@ -217,7 +217,8 @@ validate_additional_rrs:
 # The source IP address.
 [ source_ip_address: <string> ]
 
-# Set the DF-bit in the IP-header. Only works with ip4 and on *nix systems.
+# Set the DF-bit in the IP-header. Only works with ip4, on *nix systems and
+# requires raw sockets (i.e. root or CAP_NET_RAW on Linux).
 [ dont_fragment: <boolean> | default = false ]
 
 # The size of the payload.

diff --git a/README.md b/README.md
@@ -94,13 +94,14 @@ scrape_configs:
 The ICMP probe requires elevated privileges to function:
 
 * *Windows*: Administrator privileges are required.
-* *Linux*: either the root user, the `CAP_NET_RAW` capability or a user with a
-  group within net.ipv4.ping_group_range is required.
-  * The capability can be set by executing `setcap cap_net_raw+ep blackbox_exporter`
+* *Linux*: either a user with a group within `net.ipv4.ping_group_range`, the
+  `CAP_NET_RAW` capability or the root user is required.
   * Your distribution may configure `net.ipv4.ping_group_range` by default in
     `/etc/sysctl.conf` or similar. If not you can set
     `net.ipv4.ping_group_range = 0  2147483647` to allow any user the ability
     to use ping.
+  * Alternatively the capability can be set by executing `setcap cap_net_raw+ep
+    blackbox_exporter`
 * *BSD*: root user is required.
 * *OS X*: No additional privileges are needed.
 

diff --git a/prober/icmp.go b/prober/icmp.go
@@ -141,6 +141,8 @@ func ProbeICMP(ctx context.Context, target string, module config.Module, registr
 		}
 
 		var icmpConn *icmp.PacketConn
+		// If the user has set the don't fragment option we cannot use unprivileged
+		// sockets as it is not possible to set IP header level options.
 		if tryUnprivileged && !module.ICMP.DontFragment {
 			icmpConn, err = icmp.ListenPacket("udp4", srcIP.String())
 			if err != nil {
@@ -211,8 +213,8 @@ func ProbeICMP(ctx context.Context, target string, module config.Module, registr
 		return
 	}
 
-	// Reply should be the same except for the message type and ID if the kernel
-	// used its own.
+	// Reply should be the same except for the message type and ID if
+	// unprivileged sockets were used and the kernel used its own.
 	wm.Type = replyType
 	// Unprivileged cannot set IDs on Linux.
 	idUnknown := unprivileged && runtime.GOOS == "linux"
@@ -226,7 +228,8 @@ func ProbeICMP(ctx context.Context, target string, module config.Module, registr
 	}
 
 	if idUnknown {
-		// If the ID is unknown we also cannot know the checksum in userspace.
+		// If the ID is unknown (due to unprivileged sockets) we also cannot know
+		// the checksum in userspace.
 		wb[2] = 0
 		wb[3] = 0
 	}