linuxserver / docker-smokeping

GNU General Public License v3.0

Fping Probe not functioning as non-root #99

Closed rtgibbons closed 4 years ago

rtgibbons commented 4 years ago

linuxserver.io

If you are new to Docker or this application our issue tracker is ONLY used for reporting bugs or requesting features. Please use our discord server for general support.


Expected Behavior

Fping runs as user abc

Current Behavior

Fping errors with can't create socket.

```
# su -c "/usr/sbin/fping 127.0.0.1" -s /bin/sh abc
/usr/sbin/fping: can't create socket (must run as root?)
```

Steps to Reproduce

  1. Deploy new docker
  2. Execute shell in docker and run smokeping as abc and see u in response for RRD or run Fping
    1. su -c "/usr/sbin/fping 127.0.0.1" -s /bin/sh abc
    2. su -c '/usr/bin/perl /usr/bin/smokeping --config=/etc/smokeping/config --nodaemon --debug' -s /bin/sh abc

Environment

OS: CentOS / Rancher
CPU architecture: x86_64
How docker service was installed: Latest Rancher

Command used to create docker container (run/create/compose/screenshot)

Rancher GUI deploy via linuxserver/workload and default ENV

Docker logs

```
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.42.3.228. Set the 'ServerName' directive globally to suppress this message
### assuming you are using an fping copy reporting in milliseconds
Smokeping version 2.007003 successfully launched.
Not entering multiprocess mode for just a single probe.
FPing: probing 25 targets with step 60 s and offset 6 s.
```
github-actions[bot] commented 4 years ago

Thanks for opening your first issue here! Be sure to follow the issue template!

rtgibbons commented 4 years ago

Digging into it some; this appears to be security / kernel settings within Kubernetes.

Adding

```yaml
sysctls:
- name: net.ipv4.ping_group_range
  value: "0 1000"
```

I'm able to now get

```
root@smokeping-5dfc89dbc4-w8wfh:/# su -c "/usr/sbin/fping 127.0.0.1" -s /bin/sh abc
127.0.0.1 is unreachable
```

ping now works, which was producing a similar error above, so now just digging into the next fun bit. You can close this if you want, but I'm going to keep tracking what I find here for the next person to stumble on this. Maybe useful for building more documentation.

aptalca commented 4 years ago

Thanks for digging into it. Please update this issue with your findings as I'm sure others will stumble upon it later.

rtgibbons commented 4 years ago

Finally looked at this again.

The container security context needed

```yaml
allowPrivilegeEscalation: true
```

which was set to false by default within my Kubernetes build. Enabling / disabling Pod Security Policies didn't make a difference before or after this was set; no capabilities were required to be added either.

Pulling up documentation led to https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

In case link is removed in the future

Privilege Escalation

These options control the allowPrivilegeEscalation container option. This bool directly controls whether the no_new_privs flag gets set on the container process. This flag will prevent setuid binaries from changing the effective user ID, and prevent files from enabling extra capabilities (e.g. it will prevent the use of the ping tool). This behavior is required to effectively enforce MustRunAsNonRoot.

AllowPrivilegeEscalation - Gates whether or not a user is allowed to set the security context of a container to allowPrivilegeEscalation=true. This defaults to allowed so as to not break setuid binaries. Setting it to false ensures that no child process of a container can gain more privileges than its parent.

DefaultAllowPrivilegeEscalation - Sets the default for the allowPrivilegeEscalation option. The default behavior without this is to allow privilege escalation so as to not break setuid binaries. If that behavior is not desired, this field can be used to default to disallow, while still permitting pods to request allowPrivilegeEscalation explicitly.

So to recap

Add the below to spec > template > spec > securityContext. This allows a non-root user to run ping, which is safer than granting the NET_RAW capability.

```yaml
sysctls:
- name: net.ipv4.ping_group_range
  value: "0 1000"
```

Add the below to spec > template > spec > containers > securityContext. This allows a container to run setuid binaries.

```yaml
allowPrivilegeEscalation: true
```

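
The two kernel-side knobs this thread settles on (the `net.ipv4.ping_group_range` sysctl from the earlier comment and the `no_new_privs` flag that `allowPrivilegeEscalation: false` sets) can both be read from inside the container. The script below is an added diagnostic, not part of the docker-smokeping project or of anyone's comment here; the function names, the verdict strings and the default `id -g` lookup are assumptions of the example. It reports whether the current GID falls inside the ping group range, whether `NoNewPrivs` is set on the calling process, and which of the two fixes from the recap would apply.

```shell
#!/bin/sh
# Added example (not project code): classify why an unprivileged fping/ping
# fails inside a container, using the two knobs discussed in the thread.
#   - net.ipv4.ping_group_range: GIDs allowed to open unprivileged ICMP
#     sockets; the kernel default "1 0" is an empty range (nobody).
#   - NoNewPrivs in /proc/<pid>/status: set when a pod runs with
#     allowPrivilegeEscalation=false, so setuid bits and file capabilities
#     can no longer raise the privileges of a child process.

# gid_in_ping_range "LOW HIGH" GID -> exit 0 if GID lies within the range
gid_in_ping_range() {
    range="$1"
    gid="$2"
    low=$(printf '%s\n' "$range" | awk '{print $1}')
    high=$(printf '%s\n' "$range" | awk '{print $2}')
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# no_new_privs_set STATUS_TEXT -> exit 0 if the text contains "NoNewPrivs: 1"
# (STATUS_TEXT is the content of /proc/<pid>/status, or a constructed sample)
no_new_privs_set() {
    printf '%s\n' "$1" | grep -q '^NoNewPrivs:[[:space:]]*1'
}

# fping_verdict "LOW HIGH" GID NNP -> prints one verdict token (NNP is 0 or 1)
#   unprivileged-icmp-allowed   : the sysctl fix is in place for this GID
#   privilege-escalation-blocked: setuid/file caps cannot help while NNP=1,
#                                 i.e. allowPrivilegeEscalation must be true
#   needs-setuid-or-cap-net-raw : NNP is clear, so a setuid or capability-
#                                 bearing fping binary could still work
fping_verdict() {
    if gid_in_ping_range "$1" "$2"; then
        echo "unprivileged-icmp-allowed"
    elif [ "$3" -eq 1 ]; then
        echo "privilege-escalation-blocked"
    else
        echo "needs-setuid-or-cap-net-raw"
    fi
}

# diagnose [GID] -> read the live kernel/process state and print a verdict;
# defaults to the caller's primary GID (abc is gid 1000 in the logs above)
diagnose() {
    gid="${1:-$(id -g)}"
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")
    status=$(cat /proc/self/status 2>/dev/null)
    if no_new_privs_set "$status"; then nnp=1; else nnp=0; fi
    echo "ping_group_range=\"$range\" gid=$gid NoNewPrivs=$nnp"
    fping_verdict "$range" "$gid" "$nnp"
}

diagnose "$@"
```

Run it as the service user (`su -c "sh diagnose.sh" -s /bin/sh abc`) or pass the GID explicitly (`sh diagnose.sh 1000`). A verdict of `unprivileged-icmp-allowed` means the sysctl fix alone covers ICMP; `privilege-escalation-blocked` is the state the original poster hit once the sysctl was set but `allowPrivilegeEscalation` was still false.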
pjpmccarthy52 commented 11 months ago

Hi all, adding this line to my config in podman allowed fping to work in my smokeping container: `--cap-add net_raw`