RHEL / CentOS Linux 7 Enable Ping Access In Docker Container

I’m using a RHEL 7.1-4 container on a RHEL/CentOS Linux 7.x server. However, I’m unable to ping an external site/IP address using the ping command. I’m getting the following error on screen:


ping: Operation not permitted

How do I fix this problem?

Since Linux kernel v2.2, the privileges traditionally associated with the superuser are divided into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. For example, the CAP_NET_ADMIN capability permits various network-related operations, such as:

  1. Interface configuration
  2. Administration of IP firewall, masquerading, and accounting
  3. Modifying routing tables
  4. Binding to any address for transparent proxying
  5. Setting type-of-service (TOS)
  6. Clearing driver statistics
  7. Setting promiscuous mode
  8. Enabling multicasting

The CAP_NET_RAW capability permits operations such as:

  1. Using RAW and PACKET sockets
  2. Binding to any address for transparent proxying

Docker: fix the "ping: Operation not permitted" error

On the host server, start the container with the CAP_NET_RAW and CAP_NET_ADMIN capabilities added. The syntax is:

docker run --cap-add net_raw --cap-add net_admin --rm -t -i rhel7 /bin/sh

OR

docker run --cap-add net_raw --cap-add net_admin --rm -t -i registry.access.redhat.com/rhel7 /bin/bash
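Before widening a container with a broad capability such as net_admin, it is worth confirming what the container's processes already hold. The following script is an added example, not code from the original article: it reads the CapBnd line of /proc/<pid>/status and reports whether CAP_NET_ADMIN and CAP_NET_RAW are present; the sample status excerpt and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: decide from a process's
# capability masks (the CapEff/CapBnd lines of /proc/<pid>/status) whether
# CAP_NET_ADMIN and CAP_NET_RAW, the two capabilities the article adds,
# are present. Bit numbers are the kernel's values from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT: exit 0 when bit BIT is set in the hex mask, 1 otherwise
has_cap() {
    [ "$(( 0x$1 >> $2 & 1 ))" -eq 1 ]
}

# read_cap_mask FIELD: print the hex value of e.g. CapBnd from a status file on stdin
read_cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# report HEXMASK: name the missing capabilities; exit 0 only if both are present
report() {
    mask=$1
    missing=""
    has_cap "$mask" "$CAP_NET_ADMIN" || missing="$missing cap_net_admin"
    has_cap "$mask" "$CAP_NET_RAW"   || missing="$missing cap_net_raw"
    if [ -z "$missing" ]; then
        echo "mask $mask: cap_net_admin and cap_net_raw present"
        return 0
    fi
    echo "mask $mask: missing$missing (ping would fail with 'Operation not permitted')"
    return 1
}

# Constructed sample status excerpt (not captured from a real host). The value
# 00000000a80425fb is the bounding set Docker gives a container started without
# --cap-add: CAP_NET_RAW (bit 13) is in it, CAP_NET_ADMIN (bit 12) is not.
SAMPLE_STATUS='Name:   bash
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

sample_mask=$(printf '%s\n' "$SAMPLE_STATUS" | read_cap_mask CapBnd)
report "$sample_mask" || :

# On a Linux host or inside a container, check the calling shell's own bounding set.
if [ -r /proc/self/status ]; then
    report "$(read_cap_mask CapBnd < /proc/self/status)" || :
fi
```

Run it inside the container (for example via docker exec) to see whether the restart with --cap-add is actually needed.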

Attach to docker console

The following command allows you to enter a running container called wwwserver. Note that docker exec does not change a container’s capabilities; they must be granted when the container is started with docker run.

docker exec -it [container-id] bash
docker exec -it wwwserver bash

Test ping command

Install ping command in wwwserver:

[root@wwwserver]# yum install -y iputils

Run the ping command:

[root@wwwserver]# ping -c4 google.com
PING google.com (216.58.219.206) 56(84) bytes of data.
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=1 ttl=55 time=42.2 ms
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=2 ttl=55 time=42.2 ms
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=3 ttl=55 time=42.1 ms
64 bytes from lga25s40-in-f14.1e100.net (216.58.219.206): icmp_seq=4 ttl=55 time=42.1 ms

--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 42.160/42.194/42.217/0.146 ms

4 comments
  • clemenko May 3, 2015 @ 23:05

    Why would you EVER need to do this? Can’t you simply use ping from the host to check sites? PLEASE, PLEASE, PLEASE keep the container images small and simple!

  • Illya May 7, 2015 @ 7:49

    Agreed! But that is the state of play today. Young devs running infrastructure as if it were an app where bad decisions can be glossed over and security and controls are hindrances that exist for “no good reason”.

  • Jeremy Eder Jun 4, 2015 @ 16:22

    This is https://bugzilla.redhat.com/show_bug.cgi?id=1142311 and a fix is queued up for an upcoming release (soon!)

    The root cause is that certain capabilities were set in the iputils spec file many years ago.
    iputils spec file was doing this:
    %attr(0755,root,root) %caps(cap_net_raw=ep cap_net_admin=ep) %{_bindir}/ping

    We no longer see a need for that, so we’ve changed it, and we’re waiting for the release cycle to come around now.

    We also did a full audit of all other spec files to identify any other packages that we might need to look at. We didn’t find any others.

    In the interim:
    https://twitter.com/jeremyeder/status/580368484556767233

    Hope that helps.

    • Jeremy Eder Jun 24, 2015 @ 16:04

      Fix has been shipped.
