OpenNMS / NMS-12635

Restore CAP_NET_RAW capabilities in Minion when running as non-root


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 26.0.0
    • Component/s: None
    • Security Level: Default (Default Security Scheme)
    • Labels: None
    • Sprint: Horizon 2020 - April 1st

      Description

      When running as non-root, additional permissions are required to use a socket to send and receive ICMP messages. Linux kernels 3.x and later provide the sysctl `net.ipv4.ping_group_range`, which grants non-root users in the listed group range just the permission to send and receive ICMP messages. In Docker we can pass sysctls into the docker-compose.yml (10001 is our Minion id):

      sysctls:
        - net.ipv4.ping_group_range=0 10001

      Running in Kubernetes < 1.18, net.ipv4.ping_group_range has to be whitelisted before it can be set in the deployment like this:

      spec:
        securityContext:
          sysctls:
            - name: net.ipv4.ping_group_range
              value: "0 10001"

      In environments where we have no possibility to whitelist net.ipv4.ping_group_range, the only remaining option to get ICMP messages processed is to give the CAP_NET_RAW capability to the JVM process in the Minion.

      Conditions under which we have to use CAP_NET_RAW:

      • Running on managed Kubernetes < 1.18 where we have no control over the whitelist
      • Running on Linux kernels that have no net.ipv4.ping_group_range support
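A small check script, added here as an example (it is not part of the issue or of the Minion code), that works out which of the two mechanisms above would let a non-root process use ICMP. The checks take the sysctl value, a group id and the CapEff mask from /proc/<pid>/status as arguments so they can be exercised on constructed values; the `--live` switch reads the real values on Linux.

```shell
#!/bin/sh
# Added example, not code from the OpenNMS issue or the Minion project.
# Works out which mechanism from the issue lets a non-root process use ICMP:
# the net.ipv4.ping_group_range sysctl, or CAP_NET_RAW in the effective set.
# Inputs are arguments so the checks run on constructed values; "--live"
# reads the real values from /proc on Linux.

CAP_NET_RAW_BIT=13   # CAP_NET_RAW is capability number 13 on Linux

# $1: ping_group_range value "low high" (e.g. "0 10001"; the kernel default
#     "1 0" is an empty range), $2: numeric group id. 0 if $2 is in range.
gid_in_ping_group_range() {
    low=${1%% *}
    high=${1##* }
    if [ "$low" -le "$2" ] && [ "$2" -le "$high" ]; then return 0; fi
    return 1
}

# $1: hex CapEff mask as printed in /proc/<pid>/status. 0 if CAP_NET_RAW is set.
capeff_has_net_raw() {
    if [ $(( 0x$1 & (1 << CAP_NET_RAW_BIT) )) -ne 0 ]; then return 0; fi
    return 1
}

# $1: ping_group_range value, $2: gid, $3: CapEff mask. Prints the mechanism
# that grants ICMP (the sysctl first, as it is the least privilege) and
# returns 0; prints "none" and returns 1 when neither applies.
icmp_mechanism() {
    if gid_in_ping_group_range "$1" "$2"; then echo ping_group_range; return 0; fi
    if capeff_has_net_raw "$3"; then echo cap_net_raw; return 0; fi
    echo none
    return 1
}

# Live check of the current process. A missing sysctl file means a kernel
# without ping socket support, one of the CAP_NET_RAW conditions in the issue.
check_current_process() {
    if [ ! -r /proc/sys/net/ipv4/ping_group_range ]; then
        echo "no net.ipv4.ping_group_range support"
        return 2
    fi
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    icmp_mechanism "$range" "$(id -g)" "$capeff"
}

if [ "${1:-}" = "--live" ]; then
    check_current_process
fi
```

Run with `--live` inside the Minion container as the Minion user to see which of the listed conditions applies to that environment.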

            People

            Assignee: Ronny Trommer
            Reporter: Ronny Trommer
            Votes: 0
            Watchers: 1
