From Fedora Project Wiki
(Create page to enable net.ipv4.ping_group_range sysctl setting)
 
m (Add trackers)
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
<!-- Self Contained or System Wide Change Proposal?
<!-- Self Contained or System Wide Change Proposal?
Use this guide to determine to which category your proposed change belongs to.
Use this guide to determine to which category your proposed change belongs to.
Line 21: Line 19:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Change Proposal Name <!-- The name of your change proposal --> =
= Enable net.ipv4.ping_group_range in the kernel =


== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release.  
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release.  
Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". -->
Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". -->
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups.


== Owner ==
== Owner ==
Line 32: Line 31:
This should link to your home wiki page so we know who you are.  
This should link to your home wiki page so we know who you are.  
-->
-->
* Name: [[User:FASAcountName| Your Name]]
* Name: [[User:rishi|Debarshi Ray]], [[User:zbyszek|Zbigniew Jędrzejewski-Szmek]]
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: <your email address so we can contact you, invite you to meetings, etc. Please provide your Bugzilla email address if it is different from your email in FAS>
* Email: debarshir@redhat.com, zbyszek@in.waw.pl
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 44: Line 43:


== Current status ==
== Current status ==
* Targeted release: [[Releases/<number> | Fedora <number> ]]  
* Targeted release: [[Releases/31 | Fedora 31 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 53: Line 52:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1740809 #1740809]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/376 #376]


== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the <code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file capabilities.


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
<!-- What is the benefit to the distribution?  Will the software we generate be improved? How will the process of creating Fedora releases be improved?
    
    
Line 89: Line 87:
     https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack)
     https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack)
-->
-->
This makes <code>ping</code> work inside rootless [https://podman.io/ Podman] containers. Currently it doesn't.
When the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the <code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file capabilities. This works by using [http://man7.org/linux/man-pages/man7/icmp.7.html ICMP Echo] sockets instead of the more generic, and easier to abuse, [http://man7.org/linux/man-pages/man7/raw.7.html raw] sockets. For Fedora, this means that the file capabilities can be removed from the <code>ping</code> binary.
This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like [https://github.com/debarshiray/toolbox Toolbox]. At present, <code>ping</code> doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up.


== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners: Enable <code>net.ipv4.ping_group_range</code> by adding it to one of the files shipped by the sytemd RPM in <code>/usr/lib/sysctl.d</code> or by creating a new file shipped by the podman or toolbox RPMs. [https://github.com/systemd/systemd/pull/13141 Here] is an upstream pull request against systemd.
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: Once this change is in place, the file capabilities should be removed from the <code>ping</code> binary because they would no longer be necessary. However, it's not a requirement for implementing this change.<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->


* Policies and guidelines: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Policies and guidelines: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->


Line 111: Line 115:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
Systems with a previous version of Fedora won't need manual intervention. They will inherit this change when updated.


== How To Test ==
== How To Test ==
Line 129: Line 133:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
 
On a Fedora system containing this change, the following commands should work:
<pre>
$ podman run -it --rm registry.fedoraproject.org/fedora:latest
...
# dnf -y install iputils
...
# ping fedoraproject.org
...
</pre>


== User Experience ==
== User Experience ==
Line 142: Line 155:
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
  - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system.
-->
-->
Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use <code>ping</code>. Earlier, they weren't able to.


== Dependencies ==
== Dependencies ==
Line 147: Line 162:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)  
N/A (not needed for this Change)


== Contingency Plan ==
== Contingency Plan ==


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism: If <code>net.ipv4.ping_group_range</code> isn't enabled then status quo will be maintained. No explicit action needs to be taken. Note that the <code>ping</code> binary should not be touched until this change is complete. Only then should be the file capabilities removed.<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks product? product <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
* Blocks product? No <!-- Applicable for Changes that blocks specific product release/Fedora.next -->


== Documentation ==
== Documentation ==
Line 163: Line 178:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
N/A (not a System Wide Change)
There's no upstream documentation. There's some discussion on [https://github.com/systemd/systemd/pull/13141 this] systemd pull request.


== Release Notes ==
== Release Notes ==
Line 172: Line 187:
-->
-->


[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF31]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Latest revision as of 16:28, 13 August 2019


Enable net.ipv4.ping_group_range in the kernel

Summary

Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups.

Owner

Current status

Detailed Description

Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.

Benefit to Fedora

This makes ping work inside rootless Podman containers. Currently it doesn't.

When the Linux kernel's net.ipv4.ping_group_range parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities. This works by using ICMP Echo sockets instead of the more generic, and easier to abuse, raw sockets. For Fedora, this means that the file capabilities can be removed from the ping binary.

This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox. At present, ping doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up.

Scope

  • Proposal owners: Enable net.ipv4.ping_group_range by adding it to one of the files shipped by the sytemd RPM in /usr/lib/sysctl.d or by creating a new file shipped by the podman or toolbox RPMs. Here is an upstream pull request against systemd.
  • Other developers: Once this change is in place, the file capabilities should be removed from the ping binary because they would no longer be necessary. However, it's not a requirement for implementing this change.
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Systems with a previous version of Fedora won't need manual intervention. They will inherit this change when updated.

How To Test

On a Fedora system containing this change, the following commands should work:

$ podman run -it --rm registry.fedoraproject.org/fedora:latest
...
# dnf -y install iputils
...
# ping fedoraproject.org
...

User Experience

Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use ping. Earlier, they weren't able to.

Dependencies

N/A (not needed for this Change)

Contingency Plan

  • Contingency mechanism: If net.ipv4.ping_group_range isn't enabled then status quo will be maintained. No explicit action needs to be taken. Note that the ping binary should not be touched until this change is complete. Only then should be the file capabilities removed.
  • Contingency deadline: N/A (not needed for this Change)
  • Blocks release? No
  • Blocks product? No

Documentation

There's no upstream documentation. There's some discussion on this systemd pull request.

Release Notes