Failed to run ping command from within docker container: "bash: /usr/bin/ping: Operation not permitted". #19

Closed
hongyi-zhao opened this issue Nov 10, 2020 · 4 comments

hongyi-zhao commented Nov 10, 2020

The container is created with this Dockerfile and started with the following command:

$ x11docker --sudouser -c --hostnet --desktop --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine startdde

But I failed to execute the ping command in the container as shown below.

werner@X10DAi:~/Desktop$ curl -I www.baidu.com 
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Tue, 10 Nov 2020 09:15:39 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

werner@X10DAi:~/Desktop$ ping www.baidu.com
bash: /usr/bin/ping: Operation not permitted
werner@X10DAi:~/Desktop$ which ping
/usr/bin/ping

Any hints for this problem?

Regards,
HY

@mviereck
Owner

ping needs capability NET_RAW that is dropped by default in docker containers.
You can allow it with --cap-add NET_RAW.

@hongyi-zhao
Author

hongyi-zhao commented Nov 10, 2020

I checked the document here and figured out the following trick:

--cap-add=ALL

or
--cap-add=IPC_LOCK --cap-add=NET_RAW

OTOH, based on the help, I see the following explanation:

$ docker run --help | grep -- --cap-add
      --cap-add list                   Add Linux capabilities

But, I still can't figure out how to add multiple explicit capabilities with one --cap-add argument. Any hints?

Regards,
HY

@mviereck
Owner

mviereck commented Nov 10, 2020

This way:

 --cap-add=IPC_LOCK --cap-add=NET_RAW

You could have just tried it out.

Edit: just saw your edit; I don't know how to specify a list instead of using single options.

@n-riesco

In my case, using a Debian image, I had to pass the flags --cap-add=NET_RAW and --newprivileges=yes for ping to work.
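
Added example, not part of the thread and not x11docker code: a shell check for the two conditions raised in the comments above, the NET_RAW capability and the no-new-privileges setting. It reads CapBnd and NoNewPrivs from a /proc/<pid>/status file; the function names, verdict strings and sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge from /proc/<pid>/status why ping may be refused.
# Capability bit numbers from <linux/capability.h>.
CAP_NET_RAW=13
CAP_IPC_LOCK=14

# has_cap HEXMASK BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field NAME FILE: print the value of the "NAME:" line of a status file.
status_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "$2"
}

# ping_verdict FILE: print one word saying whether a non-root user can expect
# a setuid or file-capability ping to obtain CAP_NET_RAW. Heuristic only:
# it looks at the bounding set and the no_new_privs flag, nothing else.
ping_verdict() {
    bnd=$(status_field CapBnd "$1")
    nnp=$(status_field NoNewPrivs "$1")
    if [ -z "$bnd" ]; then
        echo "unknown"                       # no CapBnd line found
    elif ! has_cap "$bnd" "$CAP_NET_RAW"; then
        echo "net_raw-not-in-bounding-set"   # needs --cap-add=NET_RAW
    elif [ "$nnp" = "1" ]; then
        echo "no-new-privs-set"              # exec cannot gain setuid/file caps
    else
        echo "ok"
    fi
}

# sample_status NNP HEXMASK: constructed status text for testing the functions
# without a container (not captured from a real system).
sample_status() {
    printf 'Name:\tbash\nNoNewPrivs:\t%s\nCapBnd:\t%s\n' "$1" "$2"
}

# Inspect the current process when /proc is available.
if [ -r /proc/self/status ]; then
    echo "this process: $(ping_verdict /proc/self/status)"
fi
```

Run it inside the container as the same user that gets the error. A mask of 0000000000004000 means only IPC_LOCK is present; 0000000000006000 adds NET_RAW.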
