Fping Probe not functioning as non-root
rtgibbons opened this issue · 5 comments
Expected Behavior
Fping runs as user abc
Current Behavior
Fping errors with can't create socket.
# su -c "/usr/sbin/fping 127.0.0.1" -s /bin/sh abc
/usr/sbin/fping: can't create socket (must run as root?)
Steps to Reproduce
- Deploy new docker
- Execute shell in docker and run smokeping as abc and see the error in the RRD output, or run fping directly:
su -c "/usr/sbin/fping 127.0.0.1" -s /bin/sh abc
su -c '/usr/bin/perl /usr/bin/smokeping --config=/etc/smokeping/config --nodaemon --debug' -s /bin/sh abc
Environment
OS: CentOS / Rancher
CPU architecture: x86_64
How docker service was installed:
Latest Rancher
Command used to create docker container (run/create/compose/screenshot)
Rancher GUI deploy via linuxserver/workload and default ENV
Docker logs
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.42.3.228. Set the 'ServerName' directive globally to suppress this message
### assuming you are using an fping copy reporting in milliseconds
Smokeping version 2.007003 successfully launched.
Not entering multiprocess mode for just a single probe.
FPing: probing 25 targets with step 60 s and offset 6 s.
Thanks for opening your first issue here! Be sure to follow the issue template!
Digging into it some; this appears to be security / kernel settings within Kubernetes.
Adding
sysctls:
- name: net.ipv4.ping_group_range
value: "0 1000"
I'm able to now get
root@smokeping-5dfc89dbc4-w8wfh:/# su -c "/usr/sbin/fping 127.0.0.1" -s /bin/sh abc
127.0.0.1 is unreachable
ping now works, which was producing a similar error above; so now just digging into the next fun bit. You can close this if you want, but I'm going to keep tracking what I find here for the next person to stumble on this. Maybe useful for building more documentation.
Thanks for digging into it. Please update this issue with your findings as I'm sure others will stumble upon it later.
Finally looked at this again.
The container security context needed
allowPrivilegeEscalation: true
which was set to false by default within my Kubernetes build. Enabling / disabling Pod Security Policies didn't make a difference before or after this was set; no capabilities were required to be added either.
Pulling up documentation led to https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
In case link is removed in the future
Privilege Escalation
These options control the allowPrivilegeEscalation container option. This bool directly controls whether the no_new_privs flag gets set on the container process. This flag will prevent setuid binaries from changing the effective user ID, and prevent files from enabling extra capabilities (e.g. it will prevent the use of the ping tool). This behavior is required to effectively enforce MustRunAsNonRoot.
- AllowPrivilegeEscalation - Gates whether or not a user is allowed to set the security context of a container to allowPrivilegeEscalation=true. This defaults to allowed so as to not break setuid binaries. Setting it to false ensures that no child process of a container can gain more privileges than its parent.
- DefaultAllowPrivilegeEscalation - Sets the default for the allowPrivilegeEscalation option. The default behavior without this is to allow privilege escalation so as to not break setuid binaries. If that behavior is not desired, this field can be used to default to disallow, while still permitting pods to request allowPrivilegeEscalation explicitly.
So to recap
Add the below to spec > template > spec > securityContext. This allows a non-root user to run ping, which is safer than giving the container the NET_RAW capability:
sysctls:
- name: net.ipv4.ping_group_range
value: "0 1000"
Add the below to spec > template > spec > containers > securityContext. This allows the container to run setuid binaries:
allowPrivilegeEscalation: true
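As an added diagnostic, not code from this issue thread or from the linuxserver/smokeping image, the POSIX shell function below checks, from inside a container, the three conditions this thread turned up: whether the caller's gid falls inside net.ipv4.ping_group_range (unprivileged ICMP datagram sockets, which is what the sysctl fix enables), and otherwise whether fping could still gain CAP_NET_RAW at exec through its setuid bit or a cap_net_raw file capability, which the no_new_privs flag set by allowPrivilegeEscalation: false blocks. The file paths and gid are parameters so the logic can be exercised against constructed files; the icmp_diag_live wrapper and the /usr/sbin/fping default path are assumptions taken from the su command quoted in the issue.

```shell
#!/bin/sh
# Added diagnostic for the fping-as-non-root problem discussed in this issue.
# Not part of the issue thread or of the linuxserver/smokeping image.
#
# icmp_diag RANGE_FILE STATUS_FILE GID BINARY
#   RANGE_FILE   file holding the contents of /proc/sys/net/ipv4/ping_group_range ("lo hi")
#   STATUS_FILE  file holding the contents of /proc/self/status (read for NoNewPrivs:)
#   GID          numeric gid the probe runs as (abc is gid 1000 in the logs above)
#   BINARY       path of the fping binary, checked for setuid / file capabilities
# Prints one verdict and returns 0 when unprivileged ICMP will work, 1 otherwise:
#   DGRAM_OK                    gid is inside ping_group_range; no privilege needed
#   SETUID_OK                   fping gains privilege at exec and nothing blocks it
#   NO_NEW_PRIVS_BLOCKS_SETUID  fping is setuid/capability-bearing but no_new_privs
#                               (allowPrivilegeEscalation: false) stops the gain
#   NEED_CAP_OR_RANGE           neither path is open; add the sysctl or CAP_NET_RAW
icmp_diag() {
    range_file=$1; status_file=$2; gid=$3; binary=$4

    # Path 1: unprivileged ICMP datagram sockets. The kernel permits them only
    # when the caller's gid lies in [lo, hi]; the default "1 0" is an empty range.
    read -r lo hi < "$range_file"
    if [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
        echo DGRAM_OK
        return 0
    fi

    # Path 2: a raw socket, which needs CAP_NET_RAW. A setuid-root fping, or one
    # carrying a cap_net_raw file capability, would acquire it at exec unless the
    # process has no_new_privs set, which disables both mechanisms.
    gains_priv=0
    if [ -u "$binary" ]; then
        gains_priv=1
    elif command -v getcap >/dev/null 2>&1 && getcap "$binary" 2>/dev/null | grep -q cap_net_raw; then
        gains_priv=1
    fi
    nnp=$(sed -n 's/^NoNewPrivs:[[:space:]]*//p' "$status_file")

    if [ "$gains_priv" -eq 1 ]; then
        if [ "$nnp" = 1 ]; then
            echo NO_NEW_PRIVS_BLOCKS_SETUID
            return 1
        fi
        echo SETUID_OK
        return 0
    fi
    echo NEED_CAP_OR_RANGE
    return 1
}

# Convenience wrapper for running inside the container as the probe user.
# Assumes fping lives at /usr/sbin/fping, as in the su command from the issue.
icmp_diag_live() {
    icmp_diag /proc/sys/net/ipv4/ping_group_range /proc/self/status "$(id -g)" "${1:-/usr/sbin/fping}"
}

case ${1:-} in
    live) icmp_diag_live "${2:-/usr/sbin/fping}" ;;
esac
```

Run it inside the container as the probe user, e.g. su -s /bin/sh abc -c 'sh diag.sh live', to see which fix applies: DGRAM_OK means the ping_group_range sysctl alone is enough, NO_NEW_PRIVS_BLOCKS_SETUID means allowPrivilegeEscalation: false is what is in the way, and NEED_CAP_OR_RANGE is the situation the podman comment below resolves with --cap-add net_raw.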
Hi all, adding this line to my config in podman allowed fping to work in my smokeping container:
--cap-add net_raw