This repository has been archived by the owner on Sep 7, 2023. It is now read-only.

Fix issue with ping not working within script checks #102

Merged
merged 1 commit into from Sep 10, 2018

@mkeeler mkeeler commented Sep 10, 2018

Fixes: #17

/bin/ping in Alpine is normally a symlink to /bin/busybox. On other distros /bin/ping is a setuid binary to allow ICMP sockets to work for regular users.

So there were 3 options:

1 - chmod u+s /bin/ping
2 - Install a ping binary not associated with busybox
3 - Require users to configure the host Linux to allow GID 1000 the ability to ping (sysctl net.ipv4.ping_group_range)

Number 1 would be terribly insecure as it actually makes the entire /bin/busybox binary setuid and almost every command in /bin is actually just a symlink to /bin/busybox. Number 3 puts the burden of configuration on the user and isn't a wonderful UX. Number 2 however only has the downsides of including a few extra binaries in the image. The size becomes a little larger but not by much.

Therefore the iputils package was installed which provides real ping and ping6 binaries in addition to a handful of other utilities such as traceroute.
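
The three options weighed in the description above can be checked on a built image. The following is an added example, not part of the pull request or the project's code; the function names `ping_provider`, `gid_in_ping_range` and `ping_audit` are hypothetical, and it assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not from the PR). Function names are hypothetical.

# Print how ping is provided at path $1:
#   missing | busybox | busybox-setuid | standalone | standalone-setuid
ping_provider() {
    p=$1
    [ -e "$p" ] || { echo missing; return 0; }
    target=$(readlink -f "$p")          # follow symlinks to the real file
    case $(basename "$target") in
        busybox) kind=busybox ;;        # multi-call binary shared by many applets
        *)       kind=standalone ;;
    esac
    # The setuid bit lives on the resolved file, not on the symlink.
    if [ -u "$target" ]; then echo "$kind-setuid"; else echo "$kind"; fi
}

# Succeed if gid $1 lies inside the inclusive "low high" pair $2, the
# format of net.ipv4.ping_group_range (kernel default "1 0" = no group).
gid_in_ping_range() {
    gid=$1
    set -- $2                           # split on the tab/space separator
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# Map the findings onto the options from the PR description.
# $1 = ping path, $2 = gid of the service user, $3 = ping_group_range value
ping_audit() {
    case $(ping_provider "$1") in
        busybox-setuid)
            echo "FAIL: setuid is set on the shared busybox binary" ;;
        busybox)
            if gid_in_ping_range "$2" "$3"; then
                echo "OK: busybox ping, gid $2 is inside ping_group_range"
            else
                echo "WARN: busybox ping, gid $2 is outside ping_group_range"
            fi ;;
        standalone*)
            echo "OK: ping is a standalone binary" ;;
        *)
            echo "FAIL: no ping found at $1" ;;
    esac
}

# Usage inside the container:
#   ping_audit /bin/ping 1000 "$(cat /proc/sys/net/ipv4/ping_group_range)"
```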


@banks banks left a comment


Seems reasonable given the constraints.

I'm not clear on the current rationale around changing user in our Docker init script. Seems it's not universally accepted as a good idea and causes a lot of issues (like this). But assuming we are keeping it for now, this seems like a pragmatic way to fix the paper cut of basic utils not working unexpectedly.
