
Default ping_group_range value causes EINVAL when written from unshared ns #345

Closed
maybe-sybr opened this issue Nov 5, 2020 · 4 comments · Fixed by #347
Comments

@maybe-sybr
Contributor

When I attempt to run podman containers from an unshared user namespace and network namespace (related to my adventures described in containers/podman#7774) I get OCI runtime errors caused by a failure to write the default ping_group_range value from containers.conf. I assume this to be because the group ID 1 probably isn't included in my subgidmap.

The default value changed from 0 1000 -> 0 1 in #319 but neither value works for me. Instead, I think we should be using 0 0 since the ping_group_range is inclusive per icmp(7). This config is vendorised in containers/podman and I think it'd need to land there to fix my issue. For the moment, it's easy for me to work around by having a per-user containers.conf like:

```toml
[containers]
default_sysctls=[]
```

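The failure described above comes from a kernel rule rather than from podman: a write to `net.ipv4.ping_group_range` is rejected with EINVAL unless both ends of the (inclusive) range are GIDs that are mapped in the writer's user namespace. The following Python is an added example, not code from containers/common or podman, that models that rule so a config value can be checked against a namespace's `gid_map` before it is written; the `gid_map` contents are constructed sample data.

```python
"""Check a ping_group_range value against a user namespace's gid_map.

Added example, not code from containers/common or podman. The kernel accepts
a write to net.ipv4.ping_group_range only when both endpoints of the
inclusive range are GIDs mapped in the writing process's user namespace;
otherwise the write fails with EINVAL. The gid_map texts below are
constructed samples in the /proc/<pid>/gid_map format
("inside_start outside_start length").
"""


def parse_gid_map(text):
    """Parse gid_map lines into (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        inside, outside, length = (int(field) for field in line.split())
        ranges.append((inside, outside, length))
    return ranges


def gid_is_mapped(gid, gid_map):
    """True if `gid` (as numbered inside the namespace) is covered by a mapping."""
    return any(inside <= gid < inside + length for inside, _, length in gid_map)


def check_ping_group_range(value, gid_map):
    """Return (ok, reason) for a 'low high' ping_group_range sysctl value.

    Both endpoints must be mapped GIDs, as the kernel requires. An inverted
    range such as the kernel default "1 0" is not an error in itself: it just
    disables unprivileged ping, but its endpoints still have to be mapped.
    """
    fields = value.split()
    if len(fields) != 2:
        return False, "expected two integers"
    low, high = (int(field) for field in fields)
    for gid in (low, high):
        if not gid_is_mapped(gid, gid_map):
            return False, f"GID {gid} is not mapped in this user namespace (EINVAL)"
    return True, "ok"


# Constructed gid_map for a rootless namespace that maps only GID 0
# (the situation in the issue: GID 1 is not in the user's subgid mapping).
SINGLE_GID_MAP = "         0       1000          1\n"

# Constructed gid_map for a namespace that also maps 65536 subordinate GIDs.
SUBGID_MAP = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)

if __name__ == "__main__":
    # The old default "0 1000", the #319 default "0 1", and the proposed "0 0".
    for value in ("0 1000", "0 1", "0 0"):
        ok, why = check_ping_group_range(value, parse_gid_map(SINGLE_GID_MAP))
        print(f"{value!r:>8} with only GID 0 mapped: {why}")
```

With only GID 0 mapped, both `0 1000` and `0 1` are reported as unmapped (the EINVAL case), while `0 0` passes, which is why the inclusive `0 0` value is sufficient to grant ping to root alone. With a subordinate GID range mapped, `0 1000` passes as well, so the difference only shows up in namespaces without subgids.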
@rhatdan
Member

rhatdan commented Nov 6, 2020

Open a PR to fix. The intention is to only allow it for root, so if your change works, then it SGTM.

maybe-sybr added a commit to maybe-sybr/common that referenced this issue Nov 8, 2020
This sysctl is an inclusive range and since the intention is to only
allow ping for root, setting it to `0 0` is adequate. This change
ensures that if a container is run from a user namespace where GID 1
isn't mapped, we won't get an EINVAL back when attempting to write this
sysctl value which would then cause an OCI runtime error.

Fixes containers#345
@maybe-sybr
Contributor Author

Please check out #347 when you have a chance, @rhatdan and co. Thanks! Obviously this will need to get vendorised across to podman but since a modified config can be provided, there's no rush on that. I doubt anyone other than me will even hit this issue :/

@rhatdan
Member

rhatdan commented Nov 9, 2020

This is now available in v0.27.0

@maybe-sybr
Contributor Author

maybe-sybr commented Nov 9, 2020 via email

M1cha pushed a commit to M1cha/common that referenced this issue Dec 20, 2022
This includes an import fix for kernel v5.19, without this it is
impossible to delete interfaces.

Fixes containers#345

Signed-off-by: Paul Holzinger <pholzing@redhat.com>