[Devel] [PATCH RH7] enable ipproto_icmp inside containers

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jun 23 05:19:56 PDT 2016



On 06/23/2016 03:08 PM, Vasily Averin wrote:
> iputils-ping 20150815 fails inside containers
> because socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
> is restricted by vz_security_protocol_check()
>
> The patch enables creation of such sockets inside containers.
> By default sys_socket still fails
> because default setting of sysctl net.ipv4.ping_group_range,
> however it's enough for iputils-ping 20150815.
> its fallback handles this situation
> and successfully creates RAW socket.
>
> According to ptikhomirov@ this sysctl will be enabled inside containers soon,
> and in future it will be saved/restored by criu.

It is enabled in MS kernel v3.13+, see:
commit fd2d5356d902 ("ipv4: Allow unprivileged users to use per net sysctls")

>
> https://bugs.openvz.org/browse/OVZ-6744
>
> Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
>

patch is empty?

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
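
The socket behaviour discussed in this thread, as an added example that is not part of the original messages or of the patch: it checks a gid against a net.ipv4.ping_group_range value and then tries the ICMP datagram socket with a fallback to a RAW socket. The function names ping_group_allows() and open_ping_socket() are hypothetical, and the "1 0" string is the stock kernel default, used here as constructed sample input.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical helper: return 1 if gid lies inside a "low high"
 * ping_group_range value, 0 if not, -1 if the value cannot be parsed.
 * The default "1 0" is an empty range (low > high), so no gid matches. */
int ping_group_allows(const char *range, unsigned long gid)
{
    unsigned long low, high;

    if (sscanf(range, "%lu %lu", &low, &high) != 2)
        return -1;
    return gid >= low && gid <= high;
}

/* Hypothetical helper: try the ICMP datagram socket first, then fall back
 * to a raw socket (which needs CAP_NET_RAW). On success *kind is set to
 * SOCK_DGRAM or SOCK_RAW and the descriptor is returned; -1 on failure. */
int open_ping_socket(int *kind)
{
    int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP);

    if (fd >= 0) { *kind = SOCK_DGRAM; return fd; }
    fprintf(stderr, "SOCK_DGRAM/IPPROTO_ICMP failed, errno %d\n", errno);
    fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) *kind = SOCK_RAW;
    return fd;
}

int main(void)
{
    char buf[64] = "1 0"; /* constructed default if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    int kind = 0, fd;

    if (f) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
    printf("ping_group_range allows egid %lu: %d\n",
           (unsigned long)getegid(), ping_group_allows(buf, getegid()));
    fd = open_ping_socket(&kind);
    if (fd < 0) { perror("socket"); return 1; }
    printf("got %s socket\n", kind == SOCK_DGRAM ? "SOCK_DGRAM" : "SOCK_RAW");
    close(fd);
    return 0;
}
```

The helper checks a single gid only, so call it once per group of interest.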

