check_icmp: escalate privileges via setuid

[Al2Klimov]

fixes #47 closes #49

[Al2Klimov]

Before/after

➜  docker-icinga2 git:(master) ✗ docker run --rm -it --entrypoint '' icinga/icinga2:master /usr/lib/nagios/plugins/check_icmp -H 127.0.0.1
check_icmp: Failed to obtain ICMP socket: Operation not permitted
➜  docker-icinga2 git:(master) ✗ docker run --rm -it --entrypoint '' --user 0 icinga/icinga2:master /usr/lib/nagios/plugins/check_icmp -H 127.0.0.1
OK - 127.0.0.1: rta 0.012ms, lost 0%|rta=0.012ms;200.000;500.000;0; pl=0%;40;80;; rtmax=0.039ms;;;; rtmin=0.005ms;;;;
➜  docker-icinga2 git:(master) ✗ docker run --rm -it --entrypoint '' icinga/icinga2 /usr/lib/nagios/plugins/check_icmp -H 127.0.0.1
OK - 127.0.0.1: rta 0.012ms, lost 0%|rta=0.012ms;200.000;500.000;0; pl=0%;40;80;; rtmax=0.039ms;;;; rtmin=0.004ms;;;;
➜  docker-icinga2 git:(master) ✗

[mcktr]

@Al2Klimov Thanks for fixing the issue. :+1: What wonders me is why the following works just fine:

# vim Dockerfile

FROM debian:buster-slim

ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update; apt-get install -y \
    monitoring-plugins

RUN ["adduser", "--system", "--group", "--home", "/var/lib/icinga2", "--disabled-login", "--force-badname", "--no-create-home", "--uid", "5665", "icinga"]

USER icinga

CMD ["bash"]

# sudo docker build -t testing:latest .
# sudo docker run -ti testing:latest bash
icinga@dd0819f47a5c:/$ /usr/lib/nagios/plugins/check_icmp -H 127.0.0.1
OK - 127.0.0.1: rta 0.040ms, lost 0%|rta=0.040ms;200.000;500.000;0; pl=0%;40;80;; rtmax=0.095ms;;;; rtmin=0.025ms;;;; 

Why is there a different behavior form this custom Dockerfile and the Icinga 2 container? AFAIK the Icinga 2 Dockerfile uses also debian:buster-slim as base image.

Best regards Michael

[Al2Klimov]

🤷‍♂️

[mcktr]

I did a little investigation on this problem. Instead of fixing the symptom I would prefer to actually fix the root cause.

The problem is caused by a missing package which will not be installed since --no-install-{recommends,suggests} is set. The missing package in question is libcap2-bin which is marked as recommends on the monitoring-plugins-basic package. The libcap package implements the user-space interfaces to the POSIX 1003.1e capabilities available in Linux kernels

• https://packages.debian.org/en/stretch/monitoring-plugins-basic
• https://packages.debian.org/stretch/libcap2-bin

Test

not working

# vim Dockerfile

FROM debian:buster-slim

ENV DEBIAN_FRONTEND noninteractive

RUN ["/bin/bash", "-exo", "pipefail", "-c", "apt-get update; apt-get install --no-install-{recommends,suggests} -y monitoring-plugins" ]

RUN ["adduser", "--system", "--group", "--home", "/var/lib/icinga2", "--disabled-login", "--force-badname", "--no-create-home", "--uid", "5665", "icinga"]

USER icinga

CMD ["bash"]

# sudo docker build -t testing:latest .
# sudo docker run -ti testing:latest bash
icinga@36fb45255013:/$ /usr/lib/nagios/plugins/check_icmp -H 127.0.0.1
check_icmp: Failed to obtain ICMP socket: Operation not permitted

working

# vim Dockerfile

FROM debian:buster-slim

ENV DEBIAN_FRONTEND noninteractive

RUN ["/bin/bash", "-exo", "pipefail", "-c", "apt-get update; apt-get install --no-install-{recommends,suggests} -y monitoring-plugins libcap2-bin" ]

RUN ["adduser", "--system", "--group", "--home", "/var/lib/icinga2", "--disabled-login", "--force-badname", "--no-create-home", "--uid", "5665", "icinga"]

USER icinga

CMD ["bash"]

# sudo docker build -t testing:latest .
# sudo docker run -ti testing:latest bash
icinga@9df718170d20:/$ /usr/lib/nagios/plugins/check_icmp -H 127.0.0.1
OK - 127.0.0.1: rta 0.041ms, lost 0%|rta=0.041ms;200.000;500.000;0; pl=0%;40;80;; rtmax=0.099ms;;;; rtmin=0.025ms;;;; 

Since I don't know if other check plugins rely on the libcap package and we really can't say it for the plugins out in the wild I would suggest to add the missing package to the container image.

Best regards Michael

[Al2Klimov]

Nice one! Please open a PR. (Just add this particular package.)