Fixed
Details
Assignee: Ronny Trommer
Reporter: Ronny Trommer
Sprint: None
Fix versions
Priority: Major
Created April 2, 2020 at 1:06 PM
Updated April 3, 2020 at 1:20 PM
Resolved April 3, 2020 at 1:20 PM
When running as non-root, additional permissions are required to be able to use a socket to send and receive ICMP messages. In Kernel 3.+, the system control `net.ipv4.ping_group_range` was introduced, which allows giving non-root users just the permission to send and receive ICMP messages. In Docker we can pass sysctls into the docker-compose.yml (10001 is our Minion id):
Running in Kubernetes < 1.18, it would be required to whitelist `net.ipv4.ping_group_range` and set it in the deployment like this:
In case we run in environments where we don't have the possibility to whitelist `net.ipv4.ping_group_range`, the only option to get ICMP messages processed is to give the CAP_NET_RAW capability to the JVM process in the Minion.
Conditions under which we have to use CAP_NET_RAW:
- Running on managed Kubernetes < 1.18 where we don't have control to whitelist
- Running on Linux Kernels which don't have `net.ipv4.ping_group_range` support
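
A preflight check for the two mechanisms described above, as an added example that is not part of the original issue or the OpenNMS code base. It reports whether the current process can send ICMP through `net.ipv4.ping_group_range` or only through CAP_NET_RAW. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide which mechanism (if any) lets a non-root process
# send ICMP. Function names are hypothetical, not OpenNMS tooling.

# gid_in_ping_range "<low> <high>" <gid>
# Succeeds when gid lies inside the inclusive range. The kernel default
# "1 0" is an empty range, so no group may open ICMP datagram sockets.
gid_in_ping_range() {
    set -- $1 "$2"                 # split "low high"; gid becomes $3
    [ "$#" -eq 3 ] || return 2     # empty or malformed range
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# has_cap_net_raw <CapEff hex from /proc/<pid>/status>
# CAP_NET_RAW is capability number 13, so test bit 13 of the mask.
has_cap_net_raw() {
    [ $(( (0x$1 >> 13) & 1 )) -eq 1 ]
}

# icmp_mode "<range or empty>" "<gid list>" <CapEff hex>
# Prefers the narrow sysctl over the broader capability.
icmp_mode() {
    for gid in $2; do
        if gid_in_ping_range "$1" "$gid"; then
            echo "ping_group_range"
            return 0
        fi
    done
    if has_cap_net_raw "$3"; then
        echo "CAP_NET_RAW"
    else
        echo "none"
    fi
}

# Live check: a missing sysctl file means the kernel has no
# ping_group_range support, leaving CAP_NET_RAW as the only option.
range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || true)
capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
gids=$(id -G)
echo "ICMP mechanism for gids [$gids]: $(icmp_mode "$range" "$gids" "${capeff:-0}")"
```

Run it inside the container as the Minion user; a result of `none` means ICMP sockets will fail until one of the two mechanisms is configured.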