Can't ping (permission denied)

I have an issue with my docker installation. For some security reasons I configured my "daemon.json" so that the namespace is switched to another user (userns-remap). Now I have the problem that if I run a container (with switched user context, USER containeruser) and try to ping another one in the same container network, I get the following error:

$ ping 172.16.0.3
PING 172.16.0.3 (172.16.0.3): 56 data bytes
ping: permission denied (are you root?)

I already tried several things with AppArmor, assigning more capabilities, and so on, but nothing helped to resolve the issue.

The running image is an Alpine Linux image without any modifications.

Do you have a solution for my problem?


Solution 1:

TL;DR:

apk add iputils

Explanation

Alpine is based on BusyBox, which implements the usual Linux commands in a single binary. If you look at the /bin directory of your base Alpine image, you will see that the ping command (like others) is a symbolic link to /bin/busybox.

To be run as a normal user, ping needs the setuid bit set. You could be tempted to set the setuid bit on the symbolic link (i.e. chmod u+s /bin/ping). But that would actually set it on the busybox binary, hence on all other commands registered as a symbolic link, which would be a security breach.

Fortunately, there is an iputils package in Alpine which contains an alternative version of ping. If you install it, it will replace the symbolic link with a plain binary holding the necessary permissions to be executed by everyone. Simply add the command above in a RUN line in your Dockerfile.
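The following script is an added example and is not part of the answer above, nor code from the Alpine or Docker projects. It rebuilds the layout the explanation describes (ping as a symlink to a multi-call busybox binary next to a standalone setuid ping) inside a temporary directory, so you can see offline why chmod u+s on the symlink is the wrong fix. Every path in it is a constructed fixture, not the real /bin of an image; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original answer. A fake bin/ directory is
# constructed under mktemp so the checks run anywhere without touching a
# real image. Function and file names are this example's own.

# classify_ping PATH: report how a ping executable is installed.
#   symlink-to-busybox : shared multi-call binary; chmod u+s here would leak
#                        the setuid bit to every applet (the risk described)
#   suid-binary        : standalone binary with the setuid bit set
#   plain-binary       : standalone but not setuid; an unprivileged user
#                        cannot open the raw socket and gets "permission denied"
classify_ping() {
    p="$1"
    if [ -L "$p" ]; then
        target=$(readlink -f "$p")
        if [ "$(basename "$target")" = "busybox" ]; then
            echo "symlink-to-busybox"
        else
            echo "symlink-to-$(basename "$target")"
        fi
    elif [ -u "$p" ]; then
        echo "suid-binary"
    else
        echo "plain-binary"
    fi
}

# make_fixture: build the constructed bin/ layout and print its root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf '#!/bin/sh\necho fake busybox\n' > "$root/bin/busybox"
    chmod 0755 "$root/bin/busybox"
    ln -s busybox "$root/bin/ping"                      # Alpine-style applet link
    printf '#!/bin/sh\necho fake iputils ping\n' > "$root/bin/ping-iputils"
    chmod 4755 "$root/bin/ping-iputils"                 # standalone setuid binary
    echo "$root"
}

# suid_leaks_through_symlink ROOT: apply the tempting fix (chmod u+s on the
# ping symlink) and report whether the bit landed on busybox itself.
# chmod follows symlinks on Linux, so this prints "yes" on the fixture.
suid_leaks_through_symlink() {
    root="$1"
    chmod u+s "$root/bin/ping"
    if [ -u "$root/bin/busybox" ]; then
        echo "yes"
    else
        echo "no"
    fi
}

# demo: run the checks on the fixture and print the findings.
demo() {
    root=$(make_fixture)
    echo "ping:         $(classify_ping "$root/bin/ping")"
    echo "ping-iputils: $(classify_ping "$root/bin/ping-iputils")"
    echo "busybox before chmod u+s on symlink: $(classify_ping "$root/bin/busybox")"
    echo "setuid leaked to busybox: $(suid_leaks_through_symlink "$root")"
    echo "busybox after:  $(classify_ping "$root/bin/busybox")"
    rm -rf "$root"
}

demo
```

Inside a real container, `classify_ping /bin/ping` (or simply `ls -l /bin/ping`) tells you whether your image still has the symlink; after the apk install you expect a standalone binary. One caveat: the function only inspects the setuid bit, so a ping binary that has instead been granted CAP_NET_RAW through file capabilities (visible with `getcap`) shows up as "plain-binary" even though it works for unprivileged users.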

Solution 2:

Although it doesn't answer the OP's question, it may be helpful for people searching for the error in the title.

You can run the following command to enter a shell as the root user of a docker container.

docker exec -u 0 -it <container-name> <shell>

Depending on the shell present in the image, <shell> can be any of zsh, bash, sh, ash, etc. You can find out by trial and error.

This is especially helpful if you don't have the Dockerfile to modify (e.g. when fetching a docker image directly from a registry).