NixOS / nixpkgs


ping: socket: Operation not permitted in proxmox lxc container #319071

Open gabevenberg opened 3 weeks ago

gabevenberg commented 3 weeks ago

Describe the bug

When building an LXC template with modules/virtualization/proxmox-lxc.nix and config.system.build.tarball, the ping binary does not work as a non-root user, giving:

ping 1.1.1.1
ping: socktype: SOCK_RAW
ping: socket: Operation not permitted
ping: => missing cap_net_raw+p capability or setuid?

Steps To Reproduce

Steps to reproduce the behavior:

  1. clone my config repo: https://github.com/gabevenberg/nix-config
  2. remove the nix-secrets input (private repo).
  3. run `nix build .#proxmox`
  4. take the resulting tarball and upload to proxmox as an lxc template
  5. create a container based on the template
  6. ssh in (without nix-secrets repo, password is 'nixos') and attempt to run ping.

Expected behavior

The ping binary successfully pings something.

Additional context

The Home Manager systemd service also fails, but that might be a separate bug, reported here

Notify maintainers

@illustris

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.131-1-pve, NixOS, 24.05 (Uakari), 24.05.20240421.6143fc5`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.2`
 - nixpkgs: `/nix/store/cc0ribc27c349w1v2anrby7z8kigy5pq-source`


illustris commented 3 weeks ago

On NixOS 22.11:

$ ls -lah /run/wrappers/bin/ping
-r-x--x--x 1 root root 17K Mar 13 09:34 /run/wrappers/bin/ping

On NixOS 24.05:

$ ls -lah /run/wrappers/bin/ping
ls: cannot access '/run/wrappers/bin/ping': No such file or directory

Seems to have been broken by https://github.com/NixOS/nixpkgs/pull/253764

I'll spend some time over the weekend to see what the best way to solve this issue is.
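The error in the report says what the wrapper is supposed to provide: ping opens a raw socket, so the unprivileged copy needs cap_net_raw in its permitted set, which on NixOS comes from a file-capability wrapper under /run/wrappers/bin rather than from a setuid bit. The following NixOS module fragment is an added example, not code from this issue or from nixpkgs; it declares that wrapper explicitly through the standard security.wrappers option so the template carries it regardless of what the proxmox-lxc module contributes. It assumes the container kernel permits setting file capabilities during activation (required for any capability wrapper, setuid or not).

```nix
# Added example: declare the ping capability wrapper explicitly.
# Not part of the issue or of nixpkgs; include from configuration.nix
# (or imports = [ ./ping-wrapper.nix ];) and rebuild the tarball.
{ pkgs, ... }:

{
  # security.wrappers is the NixOS mechanism that materialises
  # /run/wrappers/bin/<name> at boot with the requested privileges.
  security.wrappers.ping = {
    # The wrapper file is root-owned; ordinary users only execute it.
    owner = "root";
    group = "root";

    # Least privilege: grant only cap_net_raw, in the permitted set
    # (+p), so the process may raise it for the raw ICMP socket.
    # No setuid = true here, so the binary never runs as uid 0.
    capabilities = "cap_net_raw+p";

    # The real iputils ping that the wrapper execs.
    source = "${pkgs.iputils.out}/bin/ping";
  };
}
```

After rebuilding and booting the container, `ls -l /run/wrappers/bin/ping` should show the wrapper again and `getcap /run/wrappers/bin/ping` should list cap_net_raw; if it is still absent, the wrappers activation step itself is not running in the LXC image and the problem is upstream of this option.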