From Fedora Project Wiki
< Changes
(Fill out the scope) |
(Fill in dependencies, contingency, etc..) |
||
| Line 24: | Line 24: | ||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. | ||
Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". --> | Note that motivation for the change should be in the Motivation section below, and this part should answer the question "What?" rather than "Why?". --> | ||
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups | Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups. | ||
== Owner == | == Owner == | ||
| Line 56: | Line 56: | ||
== Detailed Description == | == Detailed Description == | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
Enable the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the <code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file capabilities. | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
<!-- What is the benefit to the distribution? Will the software we generate be improved? How will the process of creating Fedora releases be improved? | <!-- What is the benefit to the distribution? Will the software we generate be improved? How will the process of creating Fedora releases be improved? | ||
| Line 88: | Line 87: | ||
https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack) | ||
--> | --> | ||
This makes <code>ping</code> work inside rootless [https://podman.io/ Podman] containers. Currently it doesn't. | |||
When the Linux kernel's <code>net.ipv4.ping_group_range</code> parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the <code>CAP_NET_ADMIN</code> and <code>CAP_NET_RAW</code> file capabilities. This works by using [http://man7.org/linux/man-pages/man7/icmp.7.html ICMP Echo] sockets instead of the more generic, and easier to abuse, [http://man7.org/linux/man-pages/man7/raw.7.html raw] sockets. For Fedora, this means that the file capabilities can be removed from the <code>ping</code> binary. | |||
This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like [https://github.com/debarshiray/toolbox Toolbox]. At present, <code>ping</code> doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up. | |||
== Scope == | == Scope == | ||
| Line 128: | Line 133: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
On a Fedora system containing this change, the following commands should work: | |||
<pre> | |||
$ podman run -it --rm registry.fedoraproject.org/fedora:latest | |||
... | |||
# dnf -y install iputils | |||
... | |||
# ping fedoraproject.org | |||
... | |||
</pre> | |||
== User Experience == | == User Experience == | ||
| Line 141: | Line 155: | ||
- Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | - Green has been scientifically proven to be the most relaxing color. The move to a default background color of green with green text will result in Fedora users being the most relaxed users of any operating system. | ||
--> | --> | ||
Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use <code>ping</code>. Earlier, they weren't able to. | |||
== Dependencies == | == Dependencies == | ||
| Line 146: | Line 162: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
N/A (not | N/A (not needed for this Change) | ||
== Contingency Plan == | == Contingency Plan == | ||
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | <!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | ||
* Contingency mechanism: | * Contingency mechanism: If <code>net.ipv4.ping_group_range</code> isn't enabled then status quo will be maintained. No explicit action needs to be taken. <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | <!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | ||
* Contingency deadline: N/A (not | * Contingency deadline: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | <!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? --> | ||
* Blocks release? | * Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
* Blocks product? | * Blocks product? No <!-- Applicable for Changes that blocks specific product release/Fedora.next --> | ||
== Documentation == | == Documentation == | ||
| Line 162: | Line 178: | ||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
There's no upstream documentation. There's some discussion on [https://github.com/systemd/systemd/pull/13141 this] systemd pull request. | |||
== Release Notes == | == Release Notes == | ||
Revision as of 15:09, 23 July 2019
Enable net.ipv4.ping_group_range in the kernel
Summary
Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups.
Owner
- Name: Debarshi Ray
- Email: debarshir@redhat.com
Current status
- Targeted release: Fedora 31
- Last updated: 2019-07-23
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.
Benefit to Fedora
This makes ping work inside rootless Podman containers. Currently it doesn't.
When the Linux kernel's net.ipv4.ping_group_range parameter is enabled for a group, users in that group can send ICMP Echo packets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities. This works by using ICMP Echo sockets instead of the more generic, and easier to abuse, raw sockets. For Fedora, this means that the file capabilities can be removed from the ping binary.
This is good for OSTree based Fedora variants like Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox. At present, ping doesn't work in those environments, and it's inconvenient to not be able to use such a basic network utility inside a development set-up.
Scope
- Proposal owners: Enable
net.ipv4.ping_group_rangeby adding it to one of the files shipped by the sytemd RPM in/usr/lib/sysctl.dor by creating a new file shipped by the podman or toolbox RPMs. Here is an upstream pull request against systemd.
- Other developers: Depending on which exact RPM will ship the
sysctlsnippet, the relevant package or upstream maintainer would need to review the change.
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Systems with a previous version of Fedora won't need manual intervention. They will inherit this change when updated.
How To Test
On a Fedora system containing this change, the following commands should work:
$ podman run -it --rm registry.fedoraproject.org/fedora:latest ... # dnf -y install iputils ... # ping fedoraproject.org ...
User Experience
Users of rootless Podman, including those developing on Silverblue inside Toolbox containers, would now be able to use ping. Earlier, they weren't able to.
Dependencies
N/A (not needed for this Change)
Contingency Plan
- Contingency mechanism: If
net.ipv4.ping_group_rangeisn't enabled then status quo will be maintained. No explicit action needs to be taken. - Contingency deadline: N/A (not needed for this Change)
- Blocks release? No
- Blocks product? No
Documentation
There's no upstream documentation. There's some discussion on this systemd pull request.