fix(client): Use libcap to fix icmp not working in containers as non-root #1056

Merged: 3 commits merged on Apr 1, 2025

Conversation

@thequailman (Contributor) commented Apr 1, 2025

Summary

Fixes #697

This PR modifies the Gatus binary in the container to have the CAP_NET_RAW capability. Gatus can now perform ICMP monitoring without running as a privileged or root container.

Checklist

  • Tested and/or added tests to validate that the changes work as intended, if applicable.
  • Updated documentation in README.md, if applicable.

@TwiN TwiN changed the title Fix ping monitors not working in containers as non-root fix(client): Use libcap to fix icmp not working in containers as non-root Apr 1, 2025
@TwiN TwiN added area/client Related to client bug Something isn't working labels Apr 1, 2025
@TwiN TwiN merged commit 8a62eb0 into TwiN:master Apr 1, 2025
2 checks passed
@TwiN TwiN added the area/networking Related to networking label Apr 1, 2025
@TwiN (Owner) commented Apr 2, 2025

Looks like this is causing an issue: #1057

I may have to revert this if we can't find a fix

@thequailman (Contributor, Author) commented Apr 2, 2025

I think there are three options here:

  • Require CAP_NET_RAW since gatus doesn't fully work without it as non-root (Go ping requires it). Folks may not be using ping, but the capability doesn't really decrease security that much.
  • Have two gatus container image tags, one with the cap added, one without
  • Make the setcap step conditional at runtime by adding a shell and cap tooling to the container and have an entrypoint script that conditionally performs setcap. This will increase the size of the container and the attack surface, IMO.
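The trade-off discussed above rests on two kernel mechanisms: a raw ICMP socket needs CAP_NET_RAW in the effective capability set, while an ICMP datagram socket works without it when the caller's GID falls inside net.ipv4.ping_group_range (the sysctl from the linked issue; the kernel default "1 0" is an empty range). The POSIX sh helper below is an added example, not code from this PR or the Gatus project; it reads both values from /proc and reports which condition, if any, allows unprivileged ICMP, which is a quick way to tell whether a container needs the capability or only the sysctl.

```shell
#!/bin/sh
# Added example (not Gatus code): diagnose why unprivileged ICMP works or fails.
# Unprivileged ICMP is possible in either of two cases:
#   1. the process holds CAP_NET_RAW (bit 13 of CapEff in /proc/self/status), or
#   2. one of the process' GIDs is inside net.ipv4.ping_group_range
#      (the kernel default "1 0" is an empty range, i.e. disabled).

# has_cap_net_raw CAPEFF_HEX -> exit 0 if bit 13 (CAP_NET_RAW) is set.
has_cap_net_raw() {
    caps=$1
    low=${caps#"${caps%????}"}        # last four hex digits carry bits 0-15
    [ $(( (0x$low >> 13) & 1 )) -eq 1 ]
}

# gid_in_ping_range GID "LO HI" -> exit 0 if LO <= GID <= HI.
gid_in_ping_range() {
    gid=$1
    set -- $2                         # split "LO HI" (space or tab separated)
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# icmp_diagnosis CAPEFF_HEX GID "LO HI" -> prints the reason; returns 0 when
# unprivileged ICMP should work, 1 otherwise. Pure function, so it can be
# exercised with constructed inputs; icmp_check feeds it the live values.
icmp_diagnosis() {
    if has_cap_net_raw "$1"; then
        echo "ok: CAP_NET_RAW is in the effective set (raw ICMP sockets allowed)"
        return 0
    fi
    if gid_in_ping_range "$2" "$3"; then
        echo "ok: gid $2 is inside ping_group_range '$3' (ICMP datagram sockets allowed)"
        return 0
    fi
    echo "fail: no CAP_NET_RAW and gid $2 is outside ping_group_range '$3'"
    return 1
}

# icmp_check -> run the diagnosis for the current process on this host.
icmp_check() {
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    icmp_diagnosis "$capeff" "$(id -g)" "$range"
}
```

Running `icmp_check` inside the container as the non-root user shows whether the setcap step (case 1) or the sysctl from the linked issue (case 2) is what makes ICMP work there.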

@thequailman (Contributor, Author) commented Apr 2, 2025

@TwiN (Owner) commented Apr 3, 2025

The chaotic inside of me just makes me feel like having those using podman deal with it, mostly because podman users are a minority.

@TwiN (Owner) commented Apr 3, 2025

Based on what I'm seeing on containerd/containerd#10434, it seems like CAP_NET_RAW being enabled by default may be changed in the future.

I wonder if the current default behavior is why Gatus worked just fine for me on Kubernetes even before this change?

Labels: area/client (Related to client), area/networking (Related to networking), bug (Something isn't working)

Linked issue

Successfully merging this pull request may close these issues.

ICMP not working on Kubernetes even if sysctl -w net.ipv4.ping_group_range="0 2147483647"
2 participants