Closed ThunderYe closed 4 years ago
Ping requires networking features that we don't feel comfortable exposing in host mode. The netstack mode supports ping.
To clarify:
Allowing SOCK_RAW in host networking mode would thus let sandboxed applications interact directly with low level (link layer) code in the host networking stack. This bypasses a multitude of security checks. So like Ian said, we don't feel comfortable with this, and would recommend using netstack mode.
While we strongly recommend netstack for security reasons, raw sockets using host network could be enabled via a flag to runsc. The admin can decide the tradeoff between a more secure or a more compatible mode, and enable the flag if it makes sense. The important thing is that runsc is secure by default, while at the same time being flexible to the different use cases people might have.
@ThunderYe, we would obviously prefer everyone to use netstack. Is there anything that prevents you from using netstack?
Closing this for lack of activity. @ThunderYe feel free to re-open if you have any questions.
Issue Status:
I found I can't execute the "ping" command inside gVisor in host network mode. When I run "ping", the sentry returns the error "ping: icmp open socket: Address family not supported by protocol". I had a look into the sentry code and found that gVisor is missing support for some address family and protocol combinations, such as "socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)".
Scenario: We often use "ping www.google.com" to check whether the container can connect to the world. If this feature is missing, we'll have to modify a lot of detection code.
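The error in the report comes from the socket(2) call that ping makes before it sends anything, so the quickest way to tell which case a sandbox is in is to attempt that call directly and look at errno. The probe below is an added example written for this page; it is not code from gVisor or from the issue author. It tries the raw ICMP socket named in the report (AF_INET, SOCK_RAW, IPPROTO_ICMP) and, as a fallback, the unprivileged Linux "ping socket" (AF_INET, SOCK_DGRAM, IPPROTO_ICMP), which the kernel gates with the net.ipv4.ping_group_range sysctl rather than with CAP_NET_RAW; whether a given gVisor mode accepts the SOCK_DGRAM variant is not stated on this page, so the probe reports it rather than assuming it. The mapping of errno values to verdicts in describe_probe is the example's own convention: EAFNOSUPPORT / EPROTONOSUPPORT / ESOCKTNOSUPPORT mean the network stack in use does not offer the socket at all (the host-mode behaviour described above), while EPERM / EACCES mean the stack offers it but the caller lacks the privilege, which is what an unprivileged process sees on a normal Linux host.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Attempt to open an IPv4 ICMP socket of the given type (SOCK_RAW or
 * SOCK_DGRAM). Returns 0 if the socket could be created (and closes it),
 * otherwise the errno that socket(2) set. Nothing is sent on the socket.
 */
int probe_icmp_socket(int type)
{
	int fd = socket(AF_INET, type, IPPROTO_ICMP);
	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

/*
 * Turn the result of probe_icmp_socket() into a short verdict.
 * The grouping is this example's own convention, not a kernel or gVisor API.
 */
const char *describe_probe(int err)
{
	switch (err) {
	case 0:
		return "available";
	case EAFNOSUPPORT:
	case EPROTONOSUPPORT:
	case ESOCKTNOSUPPORT:
		return "not offered by this network stack";
	case EPERM:
	case EACCES:
		return "offered, but denied by a privilege check";
	default:
		return "other error";
	}
}

/* Run both probes and print one line each, e.g. from a container health check. */
int main(void)
{
	static const struct { const char *name; int type; } probes[] = {
		{ "SOCK_RAW/IPPROTO_ICMP  (what ping asked for)", SOCK_RAW },
		{ "SOCK_DGRAM/IPPROTO_ICMP (unprivileged ping socket)", SOCK_DGRAM },
	};
	int worst = 0;

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		int err = probe_icmp_socket(probes[i].type);
		printf("%-52s %s", probes[i].name, describe_probe(err));
		if (err)
			printf(" (%s)", strerror(err));
		printf("\n");
		if (err)
			worst = 1;
	}
	return worst;
}
```

Run it as an unprivileged user on a plain Linux host and the SOCK_RAW line reports the privilege verdict (EPERM), which a container with CAP_NET_RAW or root turns into "available"; inside gVisor host mode the report above says the same call fails with EAFNOSUPPORT, which this probe reports as "not offered by this network stack". Distinguishing those two cases is what lets a connectivity script decide whether to add a capability, switch the sandbox to netstack, or fall back to a TCP/UDP reachability check instead of ICMP.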