Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- Security Level: Default (Default Security Scheme)
- Horizon 2020 - April 1st
Description
When running as non-root, additional permissions are required to use a socket to send and receive ICMP messages. With kernel 3.x and later the sysctl `net.ipv4.ping_group_range` is available, which gives non-root users just the permission to send and receive ICMP messages. In Docker we can pass sysctls in the docker-compose.yml (10001 is our Minion id):
sysctls:
  - net.ipv4.ping_group_range=0 10001
When running in Kubernetes < 1.18, net.ipv4.ping_group_range has to be whitelisted and set in the deployment like this:
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ping_group_range
        value: "0 10001"
In environments where we have no possibility to whitelist net.ipv4.ping_group_range, the only remaining option to get ICMP messages processed is to give the CAP_NET_RAW capability to the JVM process in the Minion.
Conditions under which we have to use CAP_NET_RAW:
- Running on managed Kubernetes < 1.18 where we have no control over the whitelist
- Running on Linux kernels which don't have net.ipv4.ping_group_range support
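As an added example (not part of this issue or the Minion code base), a small pre-flight check that a container entrypoint could run to confirm which of the two mechanisms above is in effect for the current process: whether its gid falls inside net.ipv4.ping_group_range, and otherwise whether it holds CAP_NET_RAW. The /proc paths and the CAP_NET_RAW bit index are standard Linux; gid 10001 is the value used in this issue.

```python
"""Pre-flight check: can this (non-root) process send ICMP without CAP_NET_RAW?

Added example, not part of the issue or of OpenNMS. It tests the two conditions
the issue describes: gid inside net.ipv4.ping_group_range (unprivileged ICMP
datagram sockets) and, failing that, CAP_NET_RAW in the effective capability set.
"""
import os
import socket

PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"
CAP_NET_RAW_BIT = 13  # index of CAP_NET_RAW in the CapEff bitmask (linux/capability.h)


def gid_in_ping_group_range(gid: int, range_value: str) -> bool:
    """True if gid lies within the "<low> <high>" sysctl value.

    The kernel default is "1 0" (low > high), i.e. no group may open
    unprivileged ICMP sockets; "0 10001" as used in the issue covers gid 10001.
    """
    low, high = (int(part) for part in range_value.split())
    return low <= gid <= high


def has_cap_net_raw(proc_status: str) -> bool:
    """Parse the CapEff line of /proc/<pid>/status and test the CAP_NET_RAW bit."""
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool(mask & (1 << CAP_NET_RAW_BIT))
    return False  # no CapEff line: treat as "no capability"


def can_open_icmp_socket() -> bool:
    """Try an unprivileged ICMP datagram socket; this succeeds only when one of
    our group ids is inside ping_group_range (a SOCK_RAW socket would instead
    require CAP_NET_RAW)."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP).close()
        return True
    except OSError:  # EACCES when the gid is outside the range
        return False


if __name__ == "__main__":
    with open(PING_GROUP_RANGE) as fh:
        range_value = fh.read().strip()
    with open("/proc/self/status") as fh:
        status = fh.read()
    gid = os.getgid()
    print(f"gid={gid} ping_group_range={range_value!r} "
          f"in_range={gid_in_ping_group_range(gid, range_value)} "
          f"cap_net_raw={has_cap_net_raw(status)} "
          f"icmp_dgram_socket={can_open_icmp_socket()}")
```

Run it as the Minion user inside the container: `in_range=True` (or `cap_net_raw=True`) together with `icmp_dgram_socket=True` means ICMP will work without running as root.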