https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
(Note this change proposal was originally submitted before the deadline, but was delayed due to some discussion between the change owner and change wrangler)
== Summary ==
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups.
== Owner ==
* Name: [[User:rishi|Debarshi Ray]]
* Email: debarshir@redhat.com
== Detailed Description ==
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the <code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file capabilities.
== Benefit to Fedora ==
This makes <code>ping</code> work inside rootless [https://podman.io/ Podman] containers. Currently it doesn't.
When the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the <code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file capabilities. This works by using [http://man7.org/linux/man-pages/man7/icmp.7.html ICMP Echo] sockets instead of the more generic, and easier to abuse, [http://man7.org/linux/man-pages/man7/raw.7.html raw] sockets. For Fedora, this means that the file capabilities can be removed from the <code>ping</code> binary.
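As an added example (not part of this proposal or of the systemd pull request), the following Python script parses the sysctl value, reports which of the caller's groups fall inside the range, and then tries to open the unprivileged ICMP Echo socket (<code>SOCK_DGRAM</code> + <code>IPPROTO_ICMP</code>) that <code>ping</code> relies on when the file capabilities are gone; the procfs path and the constructed payload are assumptions.

```python
import errno
import os
import socket
import struct

# Assumed procfs view of the sysctl this proposal enables.
SYSCTL_PATH = "/proc/sys/net/ipv4/ping_group_range"

def parse_ping_group_range(text):
    """Parse the sysctl value 'low high' into two gids. The kernel default
    '1 0' (low > high) is an empty range, i.e. the feature is disabled."""
    low, high = text.split()
    return int(low), int(high)

def gid_allowed(range_text, gid):
    """True if gid is inside the inclusive range (no CAP_NET_RAW needed then)."""
    low, high = parse_ping_group_range(range_text)
    return low <= gid <= high

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident, seq, payload=b"constructed"):
    """ICMP Echo Request (type 8, code 0). On a SOCK_DGRAM/IPPROTO_ICMP
    socket the kernel rewrites the identifier with the socket's local port."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def try_unprivileged_ping_socket():
    """Open the socket type ping uses once ping_group_range covers the caller.
    Returns 'ok' or the errno name (EACCES when no gid is inside the range)."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return "ok"

if __name__ == "__main__":
    current = open(SYSCTL_PATH).read()
    covered = [g for g in os.getgroups() if gid_allowed(current, g)]
    print("ping_group_range =", current.strip(), "| covered gids:", covered)
    print("ICMP Echo socket:", try_unprivileged_ping_socket())
```

With the default "1 0" the socket call fails with EACCES for an unprivileged user; after the change (range "0 2147483647") it succeeds without any capability.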
This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like [https://github.com/debarshiray/toolbox Toolbox]. At present, <code>ping</code> doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up.
== Scope ==
* Proposal owners: Enable <code>net.ipv4.ping_group_range</code> by adding it to one of the files shipped by the systemd RPM in <code>/usr/lib/sysctl.d</code>, or by creating a new file shipped by the podman or toolbox RPMs. [https://github.com/systemd/systemd/pull/13141 Here] is an upstream pull request against systemd.
* Other developers: Once this change is in place, the file capabilities should be removed from the <code>ping</code> binary because they would no longer be necessary. However, it's not a requirement for implementing this change.
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
Systems with a previous version of Fedora won't need manual intervention. They will inherit this change when updated.
== How To Test ==
On a Fedora system containing this change, the following commands should work:
<pre>
$ podman run -it --rm registry.fedoraproject.org/fedora:latest
...
# dnf -y install iputils
...
# ping fedoraproject.org
...
</pre>
== User Experience ==
Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use <code>ping</code>. Earlier, they weren't able to.
== Dependencies ==
N/A (not needed for this Change)
== Contingency Plan ==
* Contingency mechanism: If <code>net.ipv4.ping_group_range</code> isn't enabled then the status quo will be maintained. No explicit action needs to be taken. Note that the <code>ping</code> binary should not be touched until this change is complete. Only then should the file capabilities be removed.
* Contingency deadline: N/A (not needed for this Change)
* Blocks release? No
* Blocks product? No
== Documentation ==
There's no upstream documentation. There's some discussion on [https://github.com/systemd/systemd/pull/13141 this] systemd pull request.
-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
devel-announce@lists.fedoraproject.org