ES-Nix / podman-rootless

Example of using nix + flakes to have podman rootless working
MIT License

Rootless network #10

Open PedroRegisPOAR opened 2 years ago

PedroRegisPOAR commented 2 years ago
podman run -it --rm busybox /bin/sh -c 'ping -c 5 google.com'
mwoodpatrick commented 1 year ago

I'm running on Arch Linux WSL-2, id shows:

uid=1000(mwoodpatrick) gid=1000(mwoodpatrick)

I am able to ping localhost and dns.google.com without issue.

cat /proc/sys/net/ipv4/ping_group_range

shows

0 2000000

but when I run:

podman run -it --rm busybox /bin/sh -c 'ping -c 5 google.com'

I get:

PING google.com (142.251.46.206): 56 data bytes
ping: permission denied (are you root?)

What do I need to do to get this to work?

PedroRegisPOAR commented 1 week ago

Totally missed your comment here @mwoodpatrick, sorry for that, I'm not so used to tracking GitHub notifications.

The problem is that it is missing the capability CAP_NET_RAW.

podman run busybox sh -c 'ping -c 3 1.1.1.1'

Outputs:

PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: permission denied (are you root?)

So it was broken for me too. Probably this was just saved as a way to trigger this error.

Adding the required capability:

podman run --cap-add CAP_NET_RAW busybox sh -c 'ping -c 3 1.1.1.1'

Outputs:

PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=255 time=62.911 ms
64 bytes from 1.1.1.1: seq=1 ttl=255 time=66.129 ms
64 bytes from 1.1.1.1: seq=2 ttl=255 time=64.300 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 62.911/64.446/66.129 ms

Note: changed it from google.com to 1.1.1.1 because it "works" the same even without internet; I mean the initial permission denied error is reproducible even if the internet is turned off.
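An added example, not part of the issue thread or of the ES-Nix/podman-rootless project, that makes the two conditions behind the error above explicit. A ping that opens a raw socket needs CAP_NET_RAW in the container's user namespace; a ping that falls back to an ICMP datagram socket (iputils and recent busybox do) instead needs the caller's gid to fall inside net.ipv4.ping_group_range of the container's network namespace. That sysctl is per network namespace: a fresh netns starts at "1 0" (no group allowed), so the host value shown earlier in the thread (0 2000000) does not reach the process inside the container; on the host it is what the rootless network helper (slirp4netns or pasta) needs to forward ICMP as your unprivileged user. The script decodes the CapEff mask from /proc/<pid>/status, models which socket type ping can get, and lists the commands to check and fix a real container. The status excerpts and masks are constructed samples; the `--sysctl` alternative at the end is this example's suggestion, not the issue author's fix, and assumes a container with its own network namespace (podman's default for rootless).

```shell
#!/bin/sh
# Added example, not code from the ES-Nix/podman-rootless project or from the
# issue participants. It models the check a ping that tries a raw socket first
# and then falls back to an ICMP datagram socket runs into: the raw socket needs
# CAP_NET_RAW in the container's user namespace, the datagram socket needs the
# caller's gid to fall inside net.ipv4.ping_group_range of the container's
# network namespace. It also decodes the CapEff mask from /proc/<pid>/status.
# All sample data below is constructed, not captured from the issue's machines.

CAP_NET_RAW_BIT=13   # bit number of CAP_NET_RAW in <linux/capability.h>

# has_cap BIT HEXMASK: exit 0 if capability BIT is set in HEXMASK, the value
# printed after "CapEff:" in /proc/<pid>/status.
has_cap() {
    [ "$(( (0x$2 >> $1) & 1 ))" -eq 1 ]
}

# cap_eff_from_status: read /proc/<pid>/status text on stdin, print the CapEff
# mask. For the running shell: cap_eff_from_status < /proc/self/status
cap_eff_from_status() {
    sed -n 's/^CapEff:[[:space:]]*//p'
}

# gid_in_ping_range GID "LO HI": exit 0 if LO <= GID <= HI, the test the kernel
# applies before it allows a SOCK_DGRAM/IPPROTO_ICMP socket. A fresh network
# namespace starts with "1 0", which matches no group at all; the host's range
# is not inherited by the container.
gid_in_ping_range() {
    gid=$1
    set -- $2
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# ping_socket_mode CAPEFF GID "LO HI": print "raw", "dgram" or "denied" (the
# "permission denied (are you root?)" outcome seen in the issue).
ping_socket_mode() {
    if has_cap "$CAP_NET_RAW_BIT" "$1"; then
        echo raw
    elif gid_in_ping_range "$2" "$3"; then
        echo dgram
    else
        echo denied
    fi
}

# Constructed /proc/<pid>/status excerpts for root inside a rootless container:
# the first with a capability set that lacks CAP_NET_RAW (bit 13 clear), the
# second after --cap-add CAP_NET_RAW (bit 13 set, 0x2000 added to the mask).
STATUS_NO_NET_RAW='Name: sh
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: 00000000800405fb'
STATUS_WITH_NET_RAW='Name: sh
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: 00000000800425fb'

demo() {
    no_raw=$(printf '%s\n' "$STATUS_NO_NET_RAW" | cap_eff_from_status)
    with_raw=$(printf '%s\n' "$STATUS_WITH_NET_RAW" | cap_eff_from_status)
    echo "no CAP_NET_RAW, range '1 0', gid 0: $(ping_socket_mode "$no_raw" 0 '1 0')"
    echo "CAP_NET_RAW added, range '1 0', gid 0: $(ping_socket_mode "$with_raw" 0 '1 0')"
    echo "no CAP_NET_RAW, range '0 2147483647', gid 0: $(ping_socket_mode "$no_raw" 0 '0 2147483647')"
}

# What to run against a real container (commands only, not part of the model):
#   podman run --rm busybox sh -c 'grep CapEff /proc/self/status; cat /proc/sys/net/ipv4/ping_group_range'
# Fix 1, as in the issue: grant the capability. Note that CAP_NET_RAW also lets
# anything in the container sniff and spoof packets on its network.
#   podman run --rm --cap-add CAP_NET_RAW busybox ping -c 3 1.1.1.1
# Fix 2 (this example's suggestion, assumes a private network namespace): widen
# the range inside the container's netns only, so ping can open an ICMP datagram
# socket without any raw-socket privilege.
#   podman run --rm --sysctl net.ipv4.ping_group_range="0 2147483647" busybox ping -c 3 1.1.1.1
demo
```

Run the `grep CapEff` / `cat ping_group_range` line first: if the mask has bit 13 clear and the range is "1 0", ping cannot get either socket type, which is the "permission denied (are you root?)" state in this thread. Between the two fixes, the sysctl is the least-privilege one, since it only enables unprivileged ICMP echo rather than the full raw-socket capability.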