Bug
Resolution: Not a Bug
rhel-9.4.z
rhel-sst-container-tools
What were you trying to do that didn't work?
Use ping command on the UBI9 image, as a non-root user.
What is the impact of this issue to you?
I can work around it by setting the capability on the ping executable via:
setcap cap_net_raw+p /usr/bin/ping
Please provide the package NVR for which the bug is seen:
Probably iputils package, systemd package? No idea.
How reproducible is this bug?:
Always
Steps to reproduce
- Run the container (tested on Fedora 40 and RHEL9 as host systems):
podman run --cap-add CAP_NET_RAW -it --rm registry.access.redhat.com/ubi9/ubi
(I know that I need to run CAP_NET_RAW for the ping command to work ^.)
- In the container:
    # useradd jboss
    # dnf install iputils
    # ping localhost   # as root - works:
    PING localhost(localhost (::1)) 56 data bytes
    64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.052 ms
    ...
    # su jboss
    $ ping localhost -v   # as the jboss user
    ping: socket: Operation not permitted
    ping: socket: Operation not permitted
    $ echo $?
    2
Interestingly, if I create a container image based on UBI9 with the "jboss" user already created, and run it with podman run --user jboss ..., the ping command works. It only doesn't work when becoming the jboss user via the su command.
Expected results
The ping command works for a non-root user out of the box.
Actual results
The ping command throws an error for a non-root user:
    $ ping localhost -v
    ping: socket: Operation not permitted
    ping: socket: Operation not permitted
    $ echo $?
    2
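An added diagnostic, not part of the original report: it lists which capability sets of a process contain CAP_NET_RAW and applies the execve() rule from capabilities(7) to show what a file capability such as `cap_net_raw+p` contributes for a non-root user. The status excerpts and masks are constructed samples, and the function names are hypothetical.

```shell
CAP_NET_RAW_BIT=13   # CAP_NET_RAW in linux/capability.h

# net_raw_sets: read /proc/<pid>/status text on stdin and print the names of
# the capability sets (Inh/Prm/Eff/Bnd/Amb) that contain CAP_NET_RAW.
net_raw_sets() {
    local key mask out=""
    while read -r key mask; do
        case "$key" in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if [ $(( (0x$mask >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]; then
                    out="$out ${key%:}"
                fi ;;
        esac
    done
    echo "${out# }"
}

# exec_permitted P_INH P_BND P_AMB F_INH F_PRM: permitted set (hex) after
# execve() by a non-root process, per capabilities(7):
#   P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb)
# P'(amb) is cleared when the executed file itself carries capabilities.
exec_permitted() {
    local amb=$(( 0x$3 ))
    if [ $(( 0x$4 | 0x$5 )) -ne 0 ]; then amb=0; fi
    printf '%x\n' $(( (0x$1 & 0x$4) | (0x$5 & 0x$2) | amb ))
}

# Constructed sample: a root shell holding CAP_NET_RAW.
ROOT_STATUS='CapInh: 0000000000000000
CapPrm: 00000000800425fb
CapEff: 00000000800425fb
CapBnd: 00000000800425fb
CapAmb: 0000000000000000'

# Constructed sample: after su to a non-root user. The kernel clears the
# permitted, effective and ambient sets on the UID change; bounding is kept.
SU_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000800425fb
CapAmb: 0000000000000000'

echo "root shell:        $(printf '%s\n' "$ROOT_STATUS" | net_raw_sets)"
echo "after su:          $(printf '%s\n' "$SU_STATUS" | net_raw_sets)"
echo "exec, no file cap: $(exec_permitted 0 00000000800425fb 0 0 0)"
echo "exec, file +p:     $(exec_permitted 0 00000000800425fb 0 0 2000)"
```

To inspect a live shell instead of the samples, run `net_raw_sets < /proc/$$/status` once as root and once after `su`.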