Use non-privileged ICMP socket on Linux #9

Open
squeed opened this issue Nov 8, 2018 · 7 comments

@squeed

squeed commented Nov 8, 2018

Linux (and Darwin) support non-privileged ICMP echo sockets. It would be a fun exercise to use them, rather than requiring capabilities.

SuperQ added the enhancement (New feature or request) label Nov 8, 2018
SuperQ self-assigned this Nov 8, 2018
@paulfantom
Contributor

I may be completely wrong, but isn't it already implemented in ping.go?

// SetPrivileged sets the type of ping pinger will send.
// false means pinger will send an "unprivileged" UDP ping.
// true means pinger will send a "privileged" raw ICMP ping.
// NOTE: setting to true requires that it be run with super-user privileges.
func (p *Pinger) SetPrivileged(privileged bool) {
	if privileged {
		p.network = "ip"
	} else {
		p.network = "udp"
	}
}

@SuperQ
Owner

SuperQ commented Nov 13, 2018

We have the same issue open for the blackbox_exporter. prometheus/blackbox_exporter#147

@squeed
Author

squeed commented Nov 13, 2018

@paulfantom that's a udp ping. Linux now has unprivileged icmp sockets.

@paulfantom
Contributor

Oh, yeah, I just looked closer into ping.go and you are right. So maybe it could be just changed to use unprivileged icmp mode from icmp go package since that one seems to be using what you described.

@atomlab

atomlab commented Aug 26, 2019

I have the same problem. I created the user prometheus, and see an error.

# sudo -u prometheus /usr/local/bin/smokeping_prober 192.168.12.1
INFO[0000] Starting smokeping_prober (version=0.3.0, branch=HEAD, revision=594bd985ddfac52c473dcd4d290e9a8798406a10)  source="main.go:100"
INFO[0000] Build context (go=go1.12.6, user=root@100e204324f4, date=20190625-13:48:41)  source="main.go:101"
INFO[0000] Starting prober for 192.168.12.1                source="main.go:122"
INFO[0000] Listening on :9374                            source="main.go:140"
Error listening for ICMP packets: listen ip4:icmp : socket: operation not permitted
# stat /bin/ping
  File: '/bin/ping'
  Size: 44168           Blocks: 88         IO Block: 4096   regular file
Device: 900h/2304d      Inode: 2894738     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-08-26 13:14:25.000000000 +0000
Modify: 2014-05-07 19:45:47.000000000 +0000
Change: 2019-08-26 13:14:26.240688262 +0000
 Birth: -

@amexboy

amexboy commented Sep 6, 2022

I believe this has already been resolved. I see it supports passing icmp or udp as protocol. It works for me without running docker as privileged.

@brokenjacobs

I try setting:

--sysctl net.ipv4.ping_group_range="0 2147483647" --user 1000 --cap-add CAP_NET_RAW

like the blackbox exporter uses, but no pings go out unless --privileged is used.
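
A preflight check for the unprivileged ICMP sockets discussed in this thread, as an added example that is not part of the issue or of the smokeping_prober code: it compares the process's group IDs with net.ipv4.ping_group_range, then tries a datagram ICMP socket before falling back to a raw one. The function names are hypothetical, and Linux is assumed.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// pingSocketAllowed reports whether any gid falls inside the
// net.ipv4.ping_group_range value ("low high"). The kernel default "1 0"
// is an empty range, so it permits nobody.
func pingSocketAllowed(rangeText string, gids []int) (bool, error) {
	var low, high uint32
	if _, err := fmt.Sscan(rangeText, &low, &high); err != nil {
		return false, fmt.Errorf("unexpected ping_group_range %q: %w", rangeText, err)
	}
	for _, g := range gids {
		if g >= 0 && uint32(g) >= low && uint32(g) <= high {
			return true, nil
		}
	}
	return false, nil
}

// openPingSocket prefers the unprivileged datagram ICMP socket and only
// then tries a raw socket, which needs CAP_NET_RAW or root.
func openPingSocket() (fd int, mode string, err error) {
	if fd, err = syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM, syscall.IPPROTO_ICMP); err == nil {
		return fd, "unprivileged datagram ICMP", nil
	}
	if fd, err = syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_ICMP); err == nil {
		return fd, "raw ICMP", nil
	}
	return -1, "", err
}

func main() {
	raw, _ := os.ReadFile("/proc/sys/net/ipv4/ping_group_range")
	groups, _ := os.Getgroups() // supplementary groups; the effective GID is added below
	ok, err := pingSocketAllowed(string(raw), append(groups, os.Getegid()))
	fmt.Printf("ping_group_range=%q allows this process: %v (err=%v)\n", raw, ok, err)
	if fd, mode, err := openPingSocket(); err != nil {
		fmt.Println("no ICMP socket available:", err)
	} else {
		fmt.Println("opened", mode, "socket")
		syscall.Close(fd)
	}
}
```
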
