From Fedora Project Wiki
Revision as of 15:11, 23 July 2019


Enable net.ipv4.ping_group_range in the kernel

Summary

Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups.

Owner

Current status

  • Targeted release: Fedora 31
  • Last updated: 2019-07-23
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.

Benefit to Fedora

This makes ping work inside rootless Podman containers. Currently it doesn't.

When the Linux kernel's net.ipv4.ping_group_range parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities. This works by using ICMP Echo sockets instead of the more generic, and easier to abuse, raw sockets. For Fedora, this means that the file capabilities can be removed from the ping binary.

This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox. At present, ping doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up.

Scope

  • Proposal owners: Enable net.ipv4.ping_group_range by adding it to one of the files shipped by the systemd RPM in /usr/lib/sysctl.d or by creating a new file shipped by the podman or toolbox RPMs. Here is an upstream pull request against systemd.
  • Other developers: Depending on which exact RPM will ship the sysctl snippet, the relevant package or upstream maintainer would need to review and merge the code changes.
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Systems with a previous version of Fedora won't need manual intervention. They will inherit this change when updated.

How To Test

On a Fedora system containing this change, the following commands should work:

$ podman run -it --rm registry.fedoraproject.org/fedora:latest
...
# dnf -y install iputils
...
# ping fedoraproject.org
...
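A host-side check to go with the container test above, written as an added example that is not part of this Change or of the packages it names: it parses the sysctl value, mirrors the kernel's GID-range check described under Benefit to Fedora, and reports which errno a plain ICMP Echo socket() fails with while the range is still closed. The procfs path and the "all groups" value are assumptions of the example.

```python
"""Host-side probe for net.ipv4.ping_group_range (added example, not part of the Change).
Assumptions: the sysctl is read from its procfs path, and the GID check mirrors the
kernel's ping_init_sock(): effective GID or any supplementary GID inside [low, high]."""
import errno
import os
import socket

SYSCTL_PATH = "/proc/sys/net/ipv4/ping_group_range"
ALL_GROUPS = "0 2147483647"  # low..high covering every possible GID


def parse_ping_group_range(text):
    """Parse the sysctl value "<low> <high>" into (low, high) ints.
    The kernel default is "1 0": low > high is an empty range, so nobody may
    open an ICMP Echo socket without CAP_NET_RAW or a setuid ping."""
    low, high = text.split()
    return int(low), int(high)


def gid_allowed(range_text, egid, supplementary=()):
    """True if the effective GID or any supplementary GID lies in [low, high]."""
    low, high = parse_ping_group_range(range_text)
    return any(low <= gid <= high for gid in (egid, *supplementary))


def probe_icmp_echo_socket(family=socket.AF_INET):
    """Open an ICMP Echo socket (SOCK_DGRAM, IPPROTO_ICMP/ICMPV6) as the current
    user. Returns None on success, otherwise the errno name the kernel refused
    with; EACCES is the signature of a caller whose GIDs are outside the range."""
    proto = socket.IPPROTO_ICMP if family == socket.AF_INET else socket.IPPROTO_ICMPV6
    try:
        sock = socket.socket(family, socket.SOCK_DGRAM, proto)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return None


if __name__ == "__main__":
    with open(SYSCTL_PATH) as fh:
        current = fh.read()
    in_range = gid_allowed(current, os.getegid(), os.getgroups())
    print("ping_group_range:", " ".join(current.split()))
    print("caller GID in range:", in_range)
    print("ICMP Echo socket:", probe_icmp_echo_socket() or "ok, no setuid/CAP_NET_RAW needed")
    if not in_range:
        print(f"sysctl.d drop-in line to enable: net.ipv4.ping_group_range = {ALL_GROUPS}")
```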

User Experience

Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use ping. Earlier, they weren't able to.

Dependencies

N/A (not needed for this Change)

Contingency Plan

  • Contingency mechanism: If net.ipv4.ping_group_range isn't enabled, the status quo is maintained. No explicit action needs to be taken.
  • Contingency deadline: N/A (not needed for this Change)
  • Blocks release? No
  • Blocks product? No

Documentation

There's no upstream documentation. There's some discussion on this systemd pull request.

Release Notes