google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0
15.81k stars 1.3k forks

Support "ping" CMD inside gVisor #224

Closed: ThunderYe closed this 4 years ago

ThunderYe commented 5 years ago

Issue Status:
I found I can't execute the "ping" command inside gVisor in host network mode. When I run "ping", the sentry returns the error "ping: icmp open socket: Address family not supported by protocol". I had a look into the sentry code and found that gVisor is missing support for some family/protocol combinations, such as "socket(PF_INET, SOCK_RAW, IPPROTO_ICMP)".

Scenario: we often use "ping www.google.com" to check whether the container can connect to the world; if this feature is missing, we'll have to modify a lot of connectivity-check code.

iangudger commented 5 years ago

Ping requires networking features that we don't feel comfortable exposing in host mode. The netstack mode supports ping.

kevinGC commented 5 years ago

To clarify:

Allowing SOCK_RAW in host networking mode would thus let sandboxed applications interact directly with low level (link layer) code in the host networking stack. This bypasses a multitude of security checks. So like Ian said, we don't feel comfortable with this, and would recommend using netstack mode.
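The failure in the original report and the explanation above both come down to one question: which socket(2) family/type/protocol combinations does the sandbox expose, and what does the errno say about why one is refused? The following is an added example, written for this page and not code from the gVisor project, that probes this from inside a container. It distinguishes "the kernel or sentry does not implement this socket type" (EAFNOSUPPORT, EPROTONOSUPPORT, ESOCKTNOSUPPORT) from "implemented but this process lacks the privilege" (EPERM/EACCES, e.g. no CAP_NET_RAW), and it also tries the Linux unprivileged ICMP datagram socket (SOCK_DGRAM + IPPROTO_ICMP, gated by net.ipv4.ping_group_range), which is how a non-setuid ping sends echo requests. Whether the sentry exposes that socket type in host mode is not stated on this page; the probe reports what it actually finds. The function names and the three-way capability code are this example's own conventions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* What a failed socket(2) call tells us about the sandbox (example's own enum). */
enum probe_result {
    PROBE_OK,          /* socket created */
    PROBE_NO_PRIV,     /* implemented, but this process may not open it */
    PROBE_UNSUPPORTED, /* the kernel (or gVisor's sentry) does not implement it */
    PROBE_OTHER        /* some unrelated failure (ENFILE, ENOMEM, ...) */
};

/* Map the errno returned by socket(2) to a probe_result. */
enum probe_result classify_socket_errno(int err)
{
    switch (err) {
    case 0:
        return PROBE_OK;
    case EPERM:
    case EACCES:
        /* e.g. SOCK_RAW without CAP_NET_RAW, or a gid outside ping_group_range */
        return PROBE_NO_PRIV;
    case EAFNOSUPPORT:     /* "Address family not supported by protocol" */
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
    case EINVAL:
        return PROBE_UNSUPPORTED;
    default:
        return PROBE_OTHER;
    }
}

/* Try socket(domain, type, protocol) once. Returns 0 on success, else errno.
 * The descriptor is closed immediately; nothing is ever sent. */
int probe_socket(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Which mechanism could a ping implementation use here?
 * 2 = raw ICMP socket, 1 = unprivileged ICMP datagram socket, 0 = neither. */
int icmp_echo_capability(void)
{
    if (probe_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) == 0)
        return 2;
    if (probe_socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) == 0)
        return 1;
    return 0;
}

static void report(const char *label, int domain, int type, int protocol)
{
    int err = probe_socket(domain, type, protocol);
    static const char *names[] = { "ok", "no-privilege", "unsupported", "other" };
    printf("%-28s -> %s%s%s\n", label, names[classify_socket_errno(err)],
           err ? ": " : "", err ? strerror(err) : "");
}

int main(void)
{
    /* Baseline first: if even TCP fails, the sandbox has no IPv4 at all. */
    report("AF_INET SOCK_STREAM", AF_INET, SOCK_STREAM, 0);
    report("AF_INET SOCK_RAW ICMP", AF_INET, SOCK_RAW, IPPROTO_ICMP);
    report("AF_INET SOCK_DGRAM ICMP", AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    report("AF_INET6 SOCK_RAW ICMPV6", AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
    printf("icmp echo capability: %d\n", icmp_echo_capability());
    return 0;
}
```

Run it once as root and once as an unprivileged user inside the sandbox: the raw-socket line changing from "no-privilege" to "unsupported" is the signature of the sentry refusing the socket type outright, as in the report, rather than Linux enforcing CAP_NET_RAW. A connectivity check that only needs "can I reach the outside" can then fall back to a TCP connect to port 443 or the ICMP datagram socket when the probe says raw sockets are absent.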

fvoznika commented 5 years ago

While we strongly recommend netstack for security reasons, raw sockets using host networking could be enabled via a flag to runsc. The admin can decide the tradeoff between more secure and more compatible, and enable the flag if it makes sense. The important thing is that runsc is secure by default, while at the same time being flexible to the different use cases people might have.

@ThunderYe, we would obviously prefer everyone to use netstack. Is there anything that prevents you from using netstack?

kevinGC commented 4 years ago

Closing this for lack of activity. @ThunderYe feel free to re-open if you have any questions.