sysctl: Enable ping(8) inside rootless Podman containers

This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because
those aren't effective inside rootless Podman containers.

It's quite useful when using OSTree based operating systems like Fedora
Silverblue, where development environments are often set up using
rootless Podman containers with helpers like Toolbox [1]. Not having
a basic network utility like ping(8) work inside the development
environment can be inconvenient.

See:
https://lwn.net/Articles/422330/
http://man7.org/linux/man-pages/man7/icmp.7.html
https://github.com/containers/libpod/issues/1550

The upper limit of the range of group identifiers is set to 2147483647,
which is 2^31-1. Values greater than that get rejected by the kernel
because of this definition in linux/include/net/ping.h:
  #define GID_T_MAX (((gid_t)~0U) >> 1)

That's not so bad because values between 2^31 and 2^32-1 are reserved
on systemd-based systems anyway [2].

[1] https://github.com/debarshiray/toolbox
[2] https://systemd.io/UIDS-GIDS.html#summary

diff --git a/NEWS b/NEWS
index ced3b5c04458f6f0e665fddf42c930815f9dc4be..eecf26c5116e67e6835fe966b30c422433ba714c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,12 @@ systemd System and Service Manager
 
 CHANGES WITH 243 in spe:
 
+        * Enable unprivileged programs, neither setuid nor having file
+          capabilities, to send ICMP Echo requests by turning on the
+          net.ipv4.ping_group_range parameter of the Linux kernel for all
+          groups. If this is not desirable, then it can be disabled by setting
+          the parameter to "1 0".
+
         * Previously, filters defined with SystemCallFilter= would have the
           effect that an calling an offending system call would terminate the
           calling thread. This behaviour never made much sense, since killing

diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index 27084f62424bf2cf3407c7a1a6bcc6bed2aa15b9..f0b4f610f850a27af52544ff1d4cbdc368a90836 100644 (file)
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -30,6 +30,14 @@ net.ipv4.conf.all.accept_source_route = 0
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.all.promote_secondaries = 1
 
+# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+# The upper limit is set to 2^31-1. Values greater than that get rejected by
+# the kernel because of this definition in linux/include/net/ping.h:
+#   #define GID_T_MAX (((gid_t)~0U) >> 1)
+# That's not so bad because values between 2^31 and 2^32-1 are reserved on
+# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
+net.ipv4.ping_group_range = 0 2147483647
+
 # Fair Queue CoDel packet scheduler to fight bufferbloat
 net.core.default_qdisc = fq_codel