Ping with unprivileged user in LXC container / Linux capabilities

Same here while trying to get telegraf working using the native ping plugin.
After setcap, the user telegraf inside the container is able to execute ping (legacy, screen scrape).
This workaround does not work for telegraf's native ping implementation, even after also applying setcap to the telegraf binary.

Firewall is empty, default ACCEPT

Code:
root@pve ~ # pct config 103
arch: amd64
cores: 2
hostname: flux
memory: 1024
net0: name=eth0,bridge=vmbr0,hwaddr=A2:6D:6B:8E:B2:1D,ip=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-103-disk-0,size=8G
swap: 4096
unprivileged: 1

PVE version 6.3-2
Container template version debian-10-standart_10.5-1_amd64.tar.gz + apt upgrade
 
As some people say, root inside a container could be considered "safe" as it's already running in user context on the host.
Sadly, that is the best answer to this on the internet.

So in my case of telegraf in a container, run it as root and it is able to ping.
 
Not sure if this is the place, but this is still happening with Proxmox 7.2 and the latest Debian 11 Bullseye template provided by Proxmox (debian-11-standard-_11.3-1_amd64.tar.zst).

Configuration of the LXC:

Code:
~$ sudo pct config 200
arch: amd64
cores: 4
features: nesting=1
hostname: myhostname
memory: 4096
nameserver: 192.168.0.253 192.168.0.254
net0: name=eth0,bridge=vmbr4002,firewall=1,hwaddr=1A:38:9D:9D:65:18,ip=192.168.0.200/24,type=veth,mtu=1400
onboot: 1
ostype: debian
rootfs: zfspool:subvol-200-disk-0,size=8G
searchdomain: domain.com
swap: 512
unprivileged: 1

Info of PVE:

Code:
sudo pveversion -v  
proxmox-ve: 7.2-1 (running kernel: 5.15.35-3-pve)
pve-manager: 7.2-5 (running version: 7.2-5/12f1e639)
pve-kernel-5.15: 7.2-5
pve-kernel-helper: 7.2-5
pve-kernel-5.13: 7.1-9
pve-kernel-5.15.35-3-pve: 5.15.35-6
pve-kernel-5.15.35-2-pve: 5.15.35-5
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-2
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-2
libpve-storage-perl: 7.2-5
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.3-1
proxmox-backup-file-restore: 2.2.3-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-10
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1

ping:

Code:
~$ ls -lh /bin/ping
-rwxr-xr-x 1 root root 76K Feb  2  2021 /bin/ping
 
Proxmox 7.2 installed December 8 2021,
unprivileged CT debian-11-standard_11.3-1_amd64.tar.zst deployed and upgraded on August 2 2022,
telegraf with the native ping plugin was working.
August 7 Proxmox was upgraded and the server was rebooted (Proxmox 7.2-7).

Today the telegraf ping plugin doesn't work after upgrading and installing some packages in the CT.

List of upgraded packages:
libtirpc-common:amd64 (1.3.1-1, 1.3.1-1+deb11u1),
tzdata:amd64 (2021a-1+deb11u4, 2021a-1+deb11u5),
grafana:amd64 (9.0.6, 9.1.1),
telegraf:amd64 (1.23.3-1, 1.23.4-1),
libgnutls30:amd64 (3.7.1-5+deb11u1, 3.7.1-5+deb11u2),
libtirpc3:amd64 (1.3.1-1, 1.3.1-1+deb11u1),
zlib1g:amd64 (1:1.2.11.dfsg-2+deb11u1, 1:1.2.11.dfsg-2+deb11u2).

List of installed packages:
libnginx-mod-http-image-filter:amd64 (1.18.0-6.1+deb11u2, automatic),
nginx:amd64 (1.18.0-6.1+deb11u2),
nginx-common:amd64 (1.18.0-6.1+deb11u2, automatic),
libdeflate0:amd64 (1.7-1, automatic),
libnginx-mod-stream-geoip:amd64 (1.18.0-6.1+deb11u2, automatic),
libtiff5:amd64 (4.2.0-1+deb11u1, automatic),
libxau6:amd64 (1:1.0.9-1, automatic),
libxcb1:amd64 (1.14-3, automatic),
libnginx-mod-http-geoip:amd64 (1.18.0-6.1+deb11u2, automatic),
nginx-core:amd64 (1.18.0-6.1+deb11u2, automatic),
libxpm4:amd64 (1:3.5.12-1, automatic),
libnginx-mod-http-xslt-filter:amd64 (1.18.0-6.1+deb11u2, automatic),
libx11-data:amd64 (2:1.7.2-1, automatic),
libjpeg62-turbo:amd64 (1:2.0.6-4, automatic),
libgeoip1:amd64 (1.6.12-7, automatic),
geoip-database:amd64 (20191224-3, automatic),
libnginx-mod-mail:amd64 (1.18.0-6.1+deb11u2, automatic),
libwebp6:amd64 (0.6.1-2.1, automatic),
libxslt1.1:amd64 (1.1.34-4+deb11u1, automatic),
libjbig0:amd64 (2.1-3.1+b2, automatic),
libnginx-mod-stream:amd64 (1.18.0-6.1+deb11u2, automatic),
libgd3:amd64 (2.3.0-2, automatic),
libx11-6:amd64 (2:1.7.2-1, automatic),
libxdmcp6:amd64 (1:1.1.2-3, automatic).

/usr/bin/ping is not working either.

Ping in an analogous CT on Proxmox 7.2-4 is working fine, but I'm not sure this CT was deployed from debian-11-standard_11.3-1_amd64.tar.zst.


Update.
New CT from debian-11-standard_11.3-1_amd64.tar.zst on Proxmox 7.2-4 and 7.2-7: ping not working with an unprivileged user.
 
Just another bump here that it still doesn't work.
Proxmox 7.2
Debian 11 container from Proxmox template.

Tried to install a Nagios server for monitoring inside the container. It creates a separate user "nagios". This particular user cannot run the ping command from inside the container, as mentioned by many ppl already. And Nagios without being able to ping is ... :x
 
Hello! Same here:

PVE: 7.3-3
Template: debian-11-standard_11.3-1_amd64.tar.zst

pct config:

Code:
arch: amd64
cores: 2
description: 192.168.241.93%0A
features: fuse=1,nesting=1
hostname: ct-dns-lab
memory: 1000
net0: name=eth0,bridge=vmbr4082,firewall=1,hwaddr=42:B6:F6:FB:07:BC,type=veth
ostype: debian
rootfs: local-zfs:subvol-107-disk-0,size=128G
swap: 1000
unprivileged: 1

Issue:

Code:
kan5300@ct-dns-lab ~> id
uid=1003(kan5300) gid=1003(kan5300) groups=1003(kan5300)
kan5300@ct-dns-lab ~> ping 1.1.1.1
ping: socket: Operation not permitted
kan5300@ct-dns-lab ~ [2]> sudo ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=61 time=3.09 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=61 time=3.02 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.016/3.053/3.091/0.037 ms
kan5300@ct-dns-lab ~> whereis ping
ping: /usr/bin/ping /usr/share/man/man8/ping.8.gz
kan5300@ct-dns-lab ~> ls -al /usr/bin/ping
-rwxr-xr-x 1 root root 77432 фев  2  2021 /usr/bin/ping*
 
I'm encountering this from a standard user inside an unprivileged Ubuntu 22.04.3 container on PVE 8.04.

`setcap cap_net_raw+p /bin/ping` does indeed cause it to work.
 
On Proxmox VE 5.1, inside an LXC container, I cannot ping as an unprivileged user. It gives me the following error:

Code:
$ ping google.ch
ping: socket: Operation not permitted

On the host node itself I can ping as both an unprivileged user and root, but inside an LXC container only as root.

The following fixes it and gives all unprivileged users the required privileges to open the socket:

Code:
$ sudo setcap cap_net_raw+p /bin/ping

Here's my question:
Would that be the right solution without exposing too many privileges?
How come this has suddenly changed? I remember ping was always available to all system users, at least in the pre-LXC 2.1 days.
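The question of whether `setcap cap_net_raw+p /bin/ping` is the right-sized fix comes down to which kernel check lets an unprivileged process open ping's socket at all. The script below is an added example, not code from this thread, from Proxmox or from iputils; it models the three paths (an effective CAP_NET_RAW in the process, a gid inside `net.ipv4.ping_group_range`, or a file capability on the binary that the bounding set still permits) and reports which one applies. All inputs are constructed samples (the status masks, the empty and fixed `getcap` output, gid 1003 and the kernel-default range `1 0`) so it runs offline; the capability bit number 13 for CAP_NET_RAW comes from `<linux/capability.h>`.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox. It models the three checks
# that decide whether an unprivileged user may open the socket ping needs:
#   1. the process already holds CAP_NET_RAW in its effective set (root in the CT),
#   2. the user's gid falls inside net.ipv4.ping_group_range, which permits an
#      unprivileged ICMP echo datagram socket with no capability at all, or
#   3. the ping binary carries a cap_net_raw file capability and that capability
#      is still inside the process bounding set, so exec can raise it.
# All inputs below are constructed samples so the script runs offline; the real
# sources are /proc/self/status, `getcap /bin/ping` and
# /proc/sys/net/ipv4/ping_group_range.

CAP_NET_RAW=13   # bit number from <linux/capability.h>

# cap_bit_set HEXMASK CAPNUM: succeed if that bit is set in a /proc status mask.
cap_bit_set() {
    local mask="$1" capnum="$2"
    [ $(( (0x$mask >> capnum) & 1 )) -eq 1 ]
}

# status_field STATUS_TEXT FIELD: print the value of e.g. "CapBnd" from status text.
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# file_has_cap GETCAP_OUTPUT CAPNAME: succeed if getcap lists that capability.
# Covers both "/bin/ping = cap_net_raw+p" (older libcap) and
# "/bin/ping cap_net_raw=p" (newer libcap); getcap prints nothing when unset.
file_has_cap() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# gid_in_ping_range GID "LO HI": succeed if GID lies inside ping_group_range.
# The kernel default "1 0" is an empty range, so nobody qualifies.
gid_in_ping_range() {
    set -- "$1" $2   # split "LO HI" into $2 and $3
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# can_unprivileged_ping STATUS_TEXT GETCAP_OUTPUT GID "LO HI": print the reason
# and succeed if ping is expected to work for that user, fail otherwise.
can_unprivileged_ping() {
    local status="$1" getcap_out="$2" gid="$3" range="$4" eff bnd
    eff=$(status_field "$status" CapEff)
    bnd=$(status_field "$status" CapBnd)
    if cap_bit_set "$eff" "$CAP_NET_RAW"; then
        echo "ok: process already holds CAP_NET_RAW (e.g. root inside the container)"
        return 0
    fi
    if gid_in_ping_range "$gid" "$range"; then
        echo "ok: gid $gid is inside ping_group_range, ICMP echo socket allowed without caps"
        return 0
    fi
    if file_has_cap "$getcap_out" cap_net_raw; then
        if cap_bit_set "$bnd" "$CAP_NET_RAW"; then
            echo "ok: ping carries cap_net_raw and the bounding set still allows it"
            return 0
        fi
        echo "fail: file capability present but CAP_NET_RAW is outside the bounding set"
        return 1
    fi
    echo "fail: no CAP_NET_RAW, empty ping_group_range, no file capability on ping"
    return 1
}

# Constructed samples: an unprivileged user's shell inside the CT (no effective
# caps, full bounding set within the user namespace), getcap output before and
# after the thread's `setcap cap_net_raw+p /bin/ping`, and the default range.
SAMPLE_STATUS_USER='Name:   sh
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'
SAMPLE_GETCAP_NONE=''
SAMPLE_GETCAP_FIXED='/bin/ping cap_net_raw=p'
SAMPLE_RANGE_DEFAULT='1 0'
SAMPLE_GID=1003

echo "before setcap:"
can_unprivileged_ping "$SAMPLE_STATUS_USER" "$SAMPLE_GETCAP_NONE" "$SAMPLE_GID" "$SAMPLE_RANGE_DEFAULT" || true
echo "after setcap:"
can_unprivileged_ping "$SAMPLE_STATUS_USER" "$SAMPLE_GETCAP_FIXED" "$SAMPLE_GID" "$SAMPLE_RANGE_DEFAULT" || true
echo "via ping_group_range instead of a file capability:"
can_unprivileged_ping "$SAMPLE_STATUS_USER" "$SAMPLE_GETCAP_NONE" "$SAMPLE_GID" "0 2147483647" || true
```

To run the same checks against a real container rather than the samples, feed `can_unprivileged_ping` the output of `cat /proc/self/status`, `getcap /bin/ping`, `id -g` and `cat /proc/sys/net/ipv4/ping_group_range` from the unprivileged user's shell. The design point is the difference in grant size: the thread's `cap_net_raw+p` lets every user who executes that one binary open raw sockets of any protocol (confined to ping's code), while a gid inside `ping_group_range` only unlocks ICMP echo datagram sockets and needs no capability on any file, which is the narrower of the two where the kernel and container setup allow it.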
Just wanted to say thank you, this solved my issue with my lxc not being able to ping other containers in another node.
 
Yeah, the good old ping. I wonder why the Proxmox guys don't address it. But hey, maybe ping is an old-fashioned thing, we should all be using web 5.0 javapplets?
;)
 

I have come up with these two solutions for my plays/provision.yml Ansible playbook, which provisions LXCs in the Proxmox cluster:
  1. Reinstall all packages containing the setcap command: `apt-get --reinstall install iproute2 iputils-ping libcap2-bin`.
  2. Fix permissions of the affected binary: `setcap cap_net_raw+p /bin/ping`.