
I have an issue with my docker installation. For security reasons I configured my "daemon.json" so that the namespace is switched to another user (userns-remap). Now I have the problem that if I run a container (with a switched user context, USER containeruser) and try to ping another one in the same container network, I get the following error:

$ ping 172.16.0.3
PING 172.16.0.3 (172.16.0.3): 56 data bytes
ping: permission denied (are you root?)

I already tried several things with AppArmor, assigning more capabilities and so on. But nothing helped to resolve that issue.

The running image is an alpine linux without any modifications.

Do you have a solution for my problem?

Phil

2 Answers

TL;DR

apk add iputils

Explanation

Alpine is based on busybox, which implements the usual Linux commands in a single binary. If you look at the /bin directory on your base alpine image, you will see that the ping command (like others) is a symbolic link to /bin/busybox.

To be run as a normal user, ping needs the suid bit set. You could be tempted to set the suid bit on the symbolic link (i.e. chmod u+s /bin/ping). But that would actually set it on the busybox binary, hence on all other commands registered as a symbolic link, which would be a security breach.

Fortunately, there is an iputils package in alpine which contains an alternative version of ping. If you install it, it will replace the symbolic link with a plain binary holding the necessary permissions to be executed by everyone. Simply add the above command in a RUN line in your Dockerfile.

Zeitounator
  • Just one thing to mention here is that the user namespaces aren't the issue, it's when you use `USER` in the `Dockerfile` As OP is already using User namespaces, it should be safe to run as `root` inside the container (as it's not "real" root) – Rory McCune Jan 31 '20 at 22:22
  • OP used `USER containeruser` in his Dockerfile. If he launches the container with default settings (i.e. without using `-u` on the docker command line) he will not be able to run `ping` out of the box. If I have to choose, I'd rather install iputils than suid busybox in the container. – Zeitounator Jan 31 '20 at 22:45
  • OP mentioned user namespaces as part of the Q. I was just clarifying that the user namespaces don't affect this, as the container will still get CAP_NET_RAW from Docker. With user namespaces, although the user is `root` in the container, they're not actually `uid 0` on the host, so in reality there's not really any more risk to running as root in the container than running as a non-root user at that point. – Rory McCune Jan 31 '20 at 22:59
  • Thank you for that. The iputils package solved that issue to send an icmp message to ipv4 as well as ipv6 addresses. Now here is my next problem: `[Fri Jan 31 23:49:33.878974 2020] [proxy:error] [pid 6:tid 140048130087712] (13)Permission denied: AH00957: FCGI: attempt to connect to [fd00:cafe:d1ce::2]:9090 (fd00:cafe:d1ce::2) failed [Fri Jan 31 23:49:33.879029 2020] [proxy_fcgi:error] [pid 6:tid 140048130087712] [client fd00:cafe:d1ce::1:58820] AH01079: failed to make connection to backend: fd00:cafe:d1ce::2` Which binary is or which permissions are required to solve that issue? – Phil Jan 31 '20 at 23:52
  • Next problem should be asked in next question. If this solved your actual issue (i.e. using ping), you should accept the answer so others know there is a solution. – Zeitounator Feb 01 '20 at 00:01
  • @Zeitounator Thank you. I opened a new question: https://serverfault.com/questions/1001325/docker-13-permission-denied-ah00957-fcgi-attempt-to-connect – Phil Feb 01 '20 at 00:17
  • docker exec -u root mycontainer ping 10.1.1.1 – Cristian Florescu Dec 12 '20 at 09:58
  • @myset OP wants to ping with a non root user... – Zeitounator Dec 12 '20 at 12:29
  • This solved my problem with running "ping" in a docker healthcheck. Healthcheck runs as the prescribed container "user" and there is no configuration to run healthchecks as root. – Dave Aug 28 '21 at 23:54
  • Unfortunately, this only gives me `ping: my_hostname: Try again` after 1-2s wait. What could be the reason? – Cadoiz Sep 20 '21 at 15:08
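The following script is an added example, not part of the answer or comments above. It reproduces the answer's security point on a constructed directory layout in a temp dir (nothing on the real system or in a container is touched): a fake Alpine-style /bin with one busybox file and applet symlinks. Because chmod and the POSIX `test -u` operator both follow symlinks, `chmod u+s ping` lands on busybox itself and every applet becomes setuid, whereas a plain ping binary (what `apk add iputils` installs) carries the bit alone. Function names such as make_fake_bin and the applet list are the example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original answer. Simulates an Alpine-style /bin
# in a temporary directory so nothing on the real system is modified.
set -eu

# Construct a fake /bin: one "busybox" file plus applet symlinks pointing at it
# (a constructed layout; the real image has many more applets).
make_fake_bin() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "applet: $0"\n' > "$dir/busybox"
    chmod 0755 "$dir/busybox"
    for applet in ping ls cat sh; do
        ln -s busybox "$dir/$applet"
    done
    printf '%s\n' "$dir"
}

# Print every entry whose *resolved* file carries the setuid bit. POSIX
# `test -u` follows symlinks, so an applet link counts if busybox is setuid.
list_suid_entries() {
    for f in "$1"/*; do
        if [ -u "$f" ]; then
            printf '%s -> %s\n' "$(basename "$f")" "$(readlink -f "$f")"
        fi
    done
}

# chmod on a symlink follows the link, so "chmod u+s ping" sets the bit on
# busybox and thereby on every applet. Prints the number of setuid entries.
count_suid_after_chmod_ping() {
    dir=$(make_fake_bin)
    chmod u+s "$dir/ping"
    n=$(list_suid_entries "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    printf '%s\n' "$n"   # 5: busybox, cat, ls, ping, sh
}

# With ping replaced by a plain binary (what apk add iputils does), the setuid
# bit stays on that one file. Prints the number of setuid entries.
count_suid_after_chmod_plain_ping() {
    dir=$(make_fake_bin)
    rm "$dir/ping"
    printf '#!/bin/sh\necho ping\n' > "$dir/ping"
    chmod 4755 "$dir/ping"
    n=$(list_suid_entries "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    printf '%s\n' "$n"   # 1: only ping
}

echo "setuid entries after 'chmod u+s ping' on the busybox symlink: $(count_suid_after_chmod_ping)"
echo "setuid entries after 'chmod 4755 ping' on a plain binary:     $(count_suid_after_chmod_plain_ping)"
```

To check the same thing inside a real container, `ls -l /bin/ping /bin/busybox` shows whether ping is still a symlink and whether the `s` bit sits on busybox; after `apk add iputils`, ping should be a regular file and busybox should stay `rwxr-xr-x`.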

Although it doesn't answer OP's question, it may be helpful for people searching for the error in the title.

You can run the following command to enter a shell as the root user of a docker container.

docker exec -u 0 -it <container-name> <shell>

Depending upon the shell present in the image, the shell can be any of zsh, bash, sh, ash, etc. You can find out by trial and error.

This is especially helpful if you don't have the dockerfile to modify (e.g. when fetching the docker image directly from a registry).

Krishna
  • `-u root` is perfectly fine. Note that this can be an option to `docker run` as well. And for your record, the above command on an unmodified alpine image (as asked by OP) would give the error `starting container process caused: exec: "bash": executable file not found in $PATH: unknown` since bash is not installed by default. – Zeitounator Jan 10 '22 at 11:59