[BUG] Not Correct working under other user as Root #207
Comments
|
Privileged ping was only required on windows. It will only be set on windows from now on. To use the docker container as a non-root user do the following: chown -R 1000:1000 ./dataIf you start a fresh instance, create the mountpoint first: mkdir dataand then add |
|
I've temporarily reverted the change as it caused issues on other hosts that I tried later on. I need to work on a more reliable implementation. |
|
This is now available with 4.0.7. |
|
I'm still having this issue when running this container with rootless podman. To get WoL packets to send out, you have to run the container with --network=host. I can even define the user inside the container to be non-root and everything appears to work except ping. I can ping from upsnap if I use slirp4netns as the container networking (default) instead of defining --network=host, but then of course it's not possible to get WoL packets to send out properly. Even though the user I'm running the container as has cap_net_raw, it doesn't translate over properly when the container is ran with --network=host. Is it possible to get a container image to test that has the changes in this commit: cce6823 ? I'm a bit lost as to how to build it myself after looking over the dockerfile. Did one of the previous releases maybe have it? I would be interested to see if these changes work with my setup. Everything works fine if I run the container itself as root, but I don't want to do that for what I think are obvious reasons. |
|
I dont have any podman experience. Maybe you need cap_net_admin as well? git clone https://github.com/seriousm4x/UpSnap.git
cd UpSnap
git checkout cce6823f256b4a0822b8add0fad90750498a84f6And then use the |
|
Thanks for explaining that, it builds great with podman. I ended up just using the master branch and removing the below line, only change really needed from what I can see. pinger.SetPrivileged(true)Ping works great now, as does everything else I'd like to use it for. |
|
Sorry to bug you again on this @seriousm4x, but I have one more question regarding this issue. Could we get a config option (maybe env var?) for whether or not to use privileged ping? I think it would be fine to still default to having it on/included in the dockerfile, but if we could overwrite it that would be great. My use case is I always prefer having my docker containers use: security_opt:
- no-new-privileges:truebut unfortunately it doesn't work here: I'm pretty sure its because with and therefore it isn't able to run. That denial is silent enough so I don't think its a big deal to leave it there. I feel like adding an option would be nice so we could explicitly choose to not use privileged pings if it works on our system without needing the escalation. Thanks for the great project! |
|
I've added |
|
That's amazing! Thank you so much. It works perfectly. |
Programm is not Correct working under nozr Root users
I know this is known. But it was better when you found a Solution, a other lib to Ping to example
because all other is working wihtout root rights, only ping does nothing
To Reproduce
Steps to reproduce the behavior:
Change Complete rights to a other user
to example chown -R upsnap:upsnap -R /opt/upsnap
And Restart upsnap with new Rights
Logs
pUpSnapGitea upSnap[2207]: [ERROR] 2023/09/10 18:32:15 ping.go:23: listen ip4:icmp : socket: operation not permitted
Sep 10 18:32:15 pUpSnapGitea upSnap[2207]: [ERROR] 2023/09/10 18:32:15 ping.go:23: listen ip4:icmp : socket: operation not permitted
Sep 10 18:32:15 pUpSnapGitea upSnap[2207]: [ERROR] 2023/09/10 18:32:15 ping.go:23: listen ip4:icmp : socket: operation not permitted
Sep 10 18:32:15 pUpSnapGitea upSnap[2207]: [ERROR] 2023/09/10 18:32:15 ping.go:23: listen ip4:icmp : socket: operation not permitted
Host OS (and version)
LXC Debian 12
Host Architecture
amd64
Brower (if relevant)
e.g. Firefox 109.0.1
The text was updated successfully, but these errors were encountered: