(Submitted to FESCo https://pagure.io/fesco/issue/2204) |
m (Add trackers) |
||
(One intermediate revision by the same user not shown) | |||
Line 52: | Line 52: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1740809 #1740809] | ||
* Release notes tracker: | * Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/376 #376] | ||
== Detailed Description == | == Detailed Description == | ||
Line 187: | Line 187: | ||
--> | --> | ||
[[Category: | [[Category:ChangeAcceptedF31]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> |
Latest revision as of 16:28, 13 August 2019
Enable net.ipv4.ping_group_range in the kernel
Summary
Enable the Linux kernel's net.ipv4.ping_group_range
parameter to cover all groups.
Owner
- Name: Debarshi Ray, Zbigniew Jędrzejewski-Szmek
- Email: debarshir@redhat.com, zbyszek@in.waw.pl
Current status
- Targeted release: Fedora 31
- Last updated: 2019-08-13
- Tracker bug: #1740809
- Release notes tracker: #376
Detailed Description
Enable the Linux kernel's net.ipv4.ping_group_range
parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN
and CAP_NET_RAW
file capabilities.
Benefit to Fedora
This makes ping
work inside rootless Podman containers. Currently it doesn't.
When the Linux kernel's net.ipv4.ping_group_range
parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the CAP_NET_ADMIN
and CAP_NET_RAW
file capabilities. This works by using ICMP Echo sockets instead of the more generic, and easier to abuse, raw sockets. For Fedora, this means that the file capabilities can be removed from the ping
binary.
This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox. At present, ping
doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up.
Scope
- Proposal owners: Enable
net.ipv4.ping_group_range
by adding it to one of the files shipped by the sytemd RPM in/usr/lib/sysctl.d
or by creating a new file shipped by the podman or toolbox RPMs. Here is an upstream pull request against systemd.
- Other developers: Once this change is in place, the file capabilities should be removed from the
ping
binary because they would no longer be necessary. However, it's not a requirement for implementing this change.
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Systems with a previous version of Fedora won't need manual intervention. They will inherit this change when updated.
How To Test
On a Fedora system containing this change, the following commands should work:
$ podman run -it --rm registry.fedoraproject.org/fedora:latest ... # dnf -y install iputils ... # ping fedoraproject.org ...
User Experience
Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use ping
. Earlier, they weren't able to.
Dependencies
N/A (not needed for this Change)
Contingency Plan
- Contingency mechanism: If
net.ipv4.ping_group_range
isn't enabled then status quo will be maintained. No explicit action needs to be taken. Note that theping
binary should not be touched until this change is complete. Only then should be the file capabilities removed. - Contingency deadline: N/A (not needed for this Change)
- Blocks release? No
- Blocks product? No
Documentation
There's no upstream documentation. There's some discussion on this systemd pull request.