[SOLVED] Ping problem from apache2 in LXC container

yarii

Renowned Member
Mar 24, 2014
145
8
83
Apparmor default profile doesn't allow to ping hosts from apache2.

If Your create ping.php with contents:

<?php
///$result = shell_exec('su -pc "ping -c3 172.20.2.42" 2>&1');
$result = shell_exec('sudo -u www-data ping -c3 172.20.2.4 2>&1');

print "<pre>$result</pre>";
?>

ping: socket: Operation not permitted

I've got Debian Buster from proxmox repository template.

How to change that behaviour?
All the networking software is using ICMP ping to check if host is alive.
 
works here. please post your:
  1. pveversion -v
  2. pct config ID
 
# pveversion -v
proxmox-ve: 6.1-2 (running kernel: 5.3.18-2-pve)
pve-manager: 6.1-8 (running version: 6.1-8/806edfe1)
pve-kernel-helper: 6.1-8
pve-kernel-5.3: 6.1-6
pve-kernel-5.3.18-3-pve: 5.3.18-3
pve-kernel-5.3.18-2-pve: 5.3.18-2
ceph-fuse: 12.2.11+dfsg1-2.1+b1
corosync: 3.0.3-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.15-pve1
libpve-access-control: 6.0-6
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.0-17
libpve-guest-common-perl: 3.0-5
libpve-http-server-perl: 3.0-5
libpve-storage-perl: 6.1-5
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 3.2.1-1
lxcfs: 4.0.1-pve1
novnc-pve: 1.1.0-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.1-3
pve-cluster: 6.1-4
pve-container: 3.0-23
pve-docs: 6.1-6
pve-edk2-firmware: 2.20200229-1
pve-firewall: 4.0-10
pve-firmware: 3.0-7
pve-ha-manager: 3.0-9
pve-i18n: 2.0-4
pve-qemu-kvm: 4.1.1-4
pve-xtermjs: 4.3.0-1
qemu-server: 6.1-7
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.3-pve1




# pct config 601
arch: amd64
cpuunits: 512
hostname: cacti
memory: 8192
nameserver: 46.151.191.151 46.151.191.5 8.8.8.8
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.100.0.254,hwaddr=2A:D0:E7:F3:0C:3E,ip=10.100.0.108/24,type=veth
net1: name=eth1,bridge=vmbr0,firewall=1,hwaddr=F6:5A:53:71:7B:8E,ip=10.200.0.249/16,tag=997,type=veth
onboot: 1
ostype: debian
rootfs: zfs1-vps1:subvol-601-disk-0,size=10G
searchdomain: interduo.pl
swap: 0
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: c 4:64 rwm
lxc.cgroup.devices.allow: c 188:0 rwm
 
And inside your CT, you cannot use ping as root, e.g.:

> ping -c3 www.google.com

your script tries to run the ping command as www-data which is not allowed by default.
 
I can ping as root:

# ping -c3 www.google.com
PING www.google.com (172.217.20.164) 56(84) bytes of data.
64 bytes from waw02s07-in-f164.1e100.net (172.217.20.164): icmp_seq=1 ttl=58 time=4.34 ms
64 bytes from waw02s07-in-f164.1e100.net (172.217.20.164): icmp_seq=2 ttl=58 time=4.35 ms
^C


I tried to:
1. chmod 777 /bin/ping.
2. chmod +s /bin/ping.
3. chown www-data /bin/ping
4. get iputils-ping from debian 11.
5. changing the lxc.apparmor.profile: unconfined

It didn't helped.
 
Last edited:
root@cacti:~# ls -la /bin/ping
-rwsr-xr-x 1 www-data root 73496 sty 31 00:11 /bin/ping

root@cacti:~# sudo -u www-data /bin/ping www.google.com
/bin/ping: socket: Operacja niedozwolona
 
works here. in any case, its not a Proxmox VE/LXC issue, its a permission issue inside the CT.
 
AMAHO, this is not an Apache problem, as the problem happens with any non privilegied user, not only with www-data.
So it's an OS problem, and I think it comes from PVE LXC templates configuration. I put this post à propos.
The setuid is not the best way to solve it. With capabilities, one can give minimal needed rights with:
Bash:
setcap cap_net_raw+ep `which ping`
or, simply and more elegant, reinstall iputils-ping package.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!