@42wim
Created October 31, 2014 23:07
ping not working in a rhel7 / centos7 docker container

Symptom

# ping
/bin/ping: Operation not permitted

Cause

# getcap /bin/ping /bin/ping6
/bin/ping = cap_net_admin,cap_net_raw+ep
/bin/ping6 = cap_net_admin,cap_net_raw+ep

Solution

# setcap cap_net_raw+ep /bin/ping6 cap_net_raw+ep /bin/ping

caveat: ping -m won't work, but you probably don't need it.

Other solutions

  • run the container with --privileged (the only option if you're on a RHEL6/7 or CentOS 6/7 host, since no docker >= 1.2 has been released in EPEL)
  • run the container with --cap-add=NET_ADMIN (works in 1.2)

Neither is really recommended, because of the other security issues you expose by giving CAP_NET_ADMIN to the whole container.

Why?

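It seems ping has the option -m to mark packets, which needs the CAP_NET_ADMIN capability to function, so the packaged binary carries cap_net_admin in its file capabilities. A default container does not have CAP_NET_ADMIN in its capability bounding set, and because the effective (e) flag is set on the file, the kernel refuses to execute a binary whose permitted file capabilities cannot all be granted. That refusal is the "Operation not permitted" error.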
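
An added example (not part of the original gist) that compares the capabilities on a getcap line with a CapBnd mask from /proc/<pid>/status and reports which ones the container cannot grant. The function names cap_bit and missing_caps are hypothetical, and the bounding-set mask is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the gist. Function names are hypothetical.

# Bit numbers from <linux/capability.h>; only network capabilities are mapped.
cap_bit() {
    case "$1" in
        cap_net_bind_service) echo 10 ;;
        cap_net_broadcast)    echo 11 ;;
        cap_net_admin)        echo 12 ;;
        cap_net_raw)          echo 13 ;;
        *) return 1 ;;
    esac
}

# missing_caps GETCAP_LINE CAPBND_HEX
# Prints the capabilities on a "path = caps+flags" getcap line whose bit is
# clear in the bounding-set mask. With the +ep flags shown on this page, any
# missing capability makes execve() fail with EPERM.
missing_caps() {
    caps=${1#*= }       # drop the "/bin/ping = " prefix
    caps=${caps%%+*}    # drop the "+ep" flags
    missing=""
    old_ifs=$IFS
    IFS=,
    for c in $caps; do
        bit=$(cap_bit "$c") || { missing="$missing $c(unmapped)"; continue; }
        [ $(( (0x$2 >> $bit) & 1 )) -eq 1 ] || missing="$missing $c"
    done
    IFS=$old_ifs
    echo "${missing# }"
}

# Constructed sample input: the getcap line from this page and a CapBnd mask
# that has cap_net_raw (bit 13) set and cap_net_admin (bit 12) clear.
sample_line='/bin/ping = cap_net_admin,cap_net_raw+ep'
sample_bnd='00000000a80425fb'
# Live values would come from:
#   getcap /bin/ping
#   awk '/^CapBnd/ {print $2}' /proc/self/status
m=$(missing_caps "$sample_line" "$sample_bnd")
if [ -n "$m" ]; then
    echo "not in bounding set: $m"
else
    echo "all file capabilities can be granted"
fi
```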
