Closed agalue closed 6 years ago
@agalue @indigo423 I would have let the user select if the minion runs as "root" or "minion" using the env vars. What do you think?
@agalue By the way, what tuning / options did you use to allow it to work correctly as user = minion? I have tried "net.ipv4.ping_group_range=0 429496729" plus running the container in privileged mode, but I am still not able to use ICMP.
Hi @syepes, thanks a lot for your input.
I'm planning to update the README to provide better instructions about how to use the container to allow it to execute ICMP requests.
Certainly the docker machine should have the appropriate value for net.ipv4.ping_group_range, but that doesn't guarantee it will be passed to the container. In order for this to happen, you should use the `--sysctl` directive when executing `docker run`; for example:

```sh
docker run --sysctl "net.ipv4.ping_group_range=0 429496729" --rm --name minion -it \
  -e MINION_LOCATION=Apex \
  -e OPENNMS_BROKER_URL=tcp://192.168.205.1:61616 \
  -e OPENNMS_HTTP_URL=http://192.168.205.1:8980/opennms \
  opennms/minion:bleeding -f
```
That way, you should be able to execute pings. I tested it and it works.
In terms of running as root, you can use the `--user` directive, and in this case, you won't need the `--sysctl` directive; for example:
```sh
docker run --user 0 --rm --name minion -it \
  -e MINION_LOCATION=Apex \
  -e OPENNMS_BROKER_URL=tcp://192.168.205.1:61616 \
  -e OPENNMS_HTTP_URL=http://192.168.205.1:8980/opennms \
  opennms/minion:bleeding -f
```
Makes sense?
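As an added example (not code from this thread or from the opennms/minion project), a small POSIX shell check that reads `net.ipv4.ping_group_range` as seen inside the container's own namespace (which is what `--sysctl` sets; the host value is irrelevant) and reports whether a given uid/gid gets ICMP through raw sockets (uid 0, the `--user 0` case), through unprivileged ICMP sockets (gid inside the range), or not at all. The function names and the sample uid/gid values are assumptions.

```shell
#!/bin/sh
# Added example: classify ICMP capability for a uid/gid pair from the
# value of net.ipv4.ping_group_range. Not part of opennms/minion.

# gid_in_ping_range GID "LOW HIGH": succeeds when LOW <= GID <= HIGH.
# The kernel default "1 0" is an empty range, i.e. no group is allowed.
gid_in_ping_range() {
  gid="$1"
  low="${2%% *}"
  high="${2##* }"
  [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# icmp_mode UID GID "LOW HIGH": prints one of
#   root         -> uid 0 can open raw sockets regardless of the range
#   unprivileged -> GID is inside the range (what --sysctl enables)
#   denied       -> neither; pings from that user will fail
icmp_mode() {
  uid="$1"; gid="$2"; range="$3"
  if [ "$uid" -eq 0 ]; then
    echo root
  elif gid_in_ping_range "$gid" "$range"; then
    echo unprivileged
  else
    echo denied
  fi
}

main() {
  # Constructed sample: the range used in the thread vs. the kernel default.
  for range in "0 429496729" "1 0"; do
    echo "range='$range' uid=1000 gid=1000: $(icmp_mode 1000 1000 "$range")"
  done
  # Live check for the current process, if /proc is mounted. Run this
  # inside the container to see the namespace value, not the host's.
  if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
    live=$(cat /proc/sys/net/ipv4/ping_group_range)
    echo "this namespace ('$live'): $(icmp_mode "$(id -u)" "$(id -g)" "$live")"
  fi
}
main
```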
@agalue Thanks man, I was setting these options on the host, not the container :-)
You're very welcome. And, that's exactly why adding those details to the README will be useful. I'll work on that soon.
Minion will run as root by default but it was designed to run as non-root, assuming the kernel is recent enough to allow the execution of ICMP requests for unprivileged users.
To run docker, you also need a recent kernel version, so it is entirely possible to run Minion as non-root. This might require adding some kernel tuning on the docker machine, though, according to Minion's documentation (please let me know if a note on the README.md is required).
This small change makes sure to use the default minion user as the owner of the process to run minion as non-root.