RHEL / CentOS Linux 7 Enable Ping Access In Docker Container

Last updated May 3, 2015

I’m using a RHEL 7.1-4 container on a RHEL/CentOS Linux 7.x server. However, I’m unable to ping an external site/IP address using the ping command. I’m getting the following error on screen:

ping: Operation not permitted

How do I fix this problem?

Since version 2.2, the Linux kernel divides the privileges traditionally associated with the superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. For example, the CAP_NET_ADMIN capability permits various network-related operations such as:

  1. Interface configuration
  2. Administration of IP firewall, masquerading, and accounting
  3. Modifying routing tables
  4. Binding to any address for transparent proxying
  5. Setting type-of-service (TOS)
  6. Clearing driver statistics
  7. Setting promiscuous mode
  8. Enabling multicasting

The CAP_NET_RAW capability permits operations such as:

  1. Using RAW and PACKET sockets
  2. Binding to any address for transparent proxying

Docker fix ping: Operation not permitted error

On the host, start the container with the CAP_NET_RAW and CAP_NET_ADMIN capabilities added. The syntax is:

docker run --cap-add net_raw --cap-add net_admin --rm -t -i rhel7 /bin/sh

OR

docker run --cap-add net_raw --cap-add net_admin --rm -t -i registry.access.redhat.com/rhel7 /bin/bash
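The capability description above and the --cap-add fix both come down to one question: does the container's bounding set contain the capabilities the ping binary is flagged with? The following Python script is an added example (not code from the original post) that decodes the CapBnd/CapEff hex masks the kernel reports in /proc/<pid>/status and checks them against CAP_NET_RAW and CAP_NET_ADMIN. The sample status lines are constructed for the demonstration, and the function names are my own; inside a container you would feed it the real /proc/self/status.

```python
# Added example (not part of the original post): decode the capability
# bitmasks from /proc/<pid>/status and check whether a container's
# bounding set covers what the RHEL 7 ping binary asks for
# (cap_net_raw and cap_net_admin, the file capabilities set by the
# iputils spec file). The status text below is constructed sample data;
# read /proc/self/status inside a container to check a live one.

# Capability names in bit order, from linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# What the page's ping binary needs. A binary whose file capabilities
# carry the effective flag cannot be executed unless every such
# capability survives the AND with the bounding set, so a missing one
# turns into "Operation not permitted" at exec time.
PING_NEEDS = {"net_raw", "net_admin"}


def decode_caps(hexmask):
    """Turn a mask such as '00000000a80425fb' into a set of capability
    names. Bit n of the mask is capability number n."""
    value = int(hexmask, 16)
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if value & (1 << bit):
            names.add(name)
    # Report bits beyond the names we know by number so nothing is hidden.
    for bit in range(len(CAP_NAMES), value.bit_length()):
        if value & (1 << bit):
            names.add("cap_%d" % bit)
    return names


def parse_status(text):
    """Extract every Cap* line from /proc/<pid>/status text into a dict of
    set name (CapBnd, CapEff, ...) -> set of capability names."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, mask = line.partition(":")
            caps[key.strip()] = decode_caps(mask.strip())
    return caps


def missing_for_ping(status_text):
    """Return the capabilities ping needs that the bounding set lacks.
    An empty set means the binary can be executed in this container."""
    caps = parse_status(status_text)
    return PING_NEEDS - caps.get("CapBnd", set())


# Constructed samples: a shell in a container started without --cap-add
# (the mask corresponds to Docker's default set of 14 capabilities) and one
# started with --cap-add net_raw --cap-add net_admin as in the fix above.
DEFAULT_STATUS = "Name:\tsh\nCapBnd:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
FIXED_STATUS = "Name:\tsh\nCapBnd:\t00000000a80435fb\nCapEff:\t00000000a80435fb\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("with --cap-add", FIXED_STATUS)):
        print(label, "bounding set:", sorted(parse_status(text)["CapBnd"]))
        print(label, "ping blocked by missing:", sorted(missing_for_ping(text)) or "nothing")
```

Run inside a container, `grep Cap /proc/self/status` shows the same masks, and `capsh --decode=<mask>` on the host decodes them without this script. The point of checking the bounding set rather than just retrying ping is least privilege: the default set already contains CAP_NET_RAW, so it is CAP_NET_ADMIN, the broader of the two, that the RHEL 7 binary's file capabilities force you to grant.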

Attach to docker console

The following command lets you enter a running container called wwwserver:

docker exec -it [container-id] bash
docker exec -it wwwserver bash

Test ping command

Install the ping command inside wwwserver:

[root@wwwserver ~]# yum install -y iputils

Run the ping command:

[root@wwwserver ~]# ping -c4 google.com
PING google.com (216.58.219.206) 56(84) bytes of data.
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=1 ttl=55 time=42.2 ms
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=2 ttl=55 time=42.2 ms
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=3 ttl=55 time=42.1 ms
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=4 ttl=55 time=42.1 ms

--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 42.160/42.194/42.217/0.146 ms

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

4 comments

  1. Why would you EVER need to do this? Can’t you simply use ping from the host to check sites? PLEASE, PLEASE, PLEASE keep the container images small and simple!

  2. Agreed! But that is the state of play today. Young devs running infrastructure as if it were an app where bad decisions can be glossed over and security and controls are hindrances that exist for “no good reason”.

  3. This is https://bugzilla.redhat.com/show_bug.cgi?id=1142311 and a fix is queued up for an upcoming release (soon!)

    The root cause is that certain capabilities were set in the iputils spec file many years ago.
    The iputils spec file was doing this:

    %attr(0755,root,root) %caps(cap_net_raw=ep cap_net_admin=ep) %{_bindir}/ping

    We no longer see a need for that, so we’ve changed it, and we’re waiting for the release cycle to come around now.

    We also did a full audit of all other spec files to identify any other packages that we might need to look at. We didn’t find any others.

    In the interim:
    https://twitter.com/jeremyeder/status/580368484556767233

    Hope that helps.
