rootless podman run --network=none from inside a container due to default_sysctls ping_group_range #13194
Labels: kind/bug, locked - please file new issue/PR
Description
Inside a container /proc/sys/net/ipv4/ping_group_range may not exist. The default_sysctls include net.ipv4.ping_group_range=0 0. If rootless podman is run inside a container, accessing this file may fail. I discovered this when trying to run a rootless podman run --network=none ... inside a Kubernetes container.

Steps to reproduce the issue:
To reproduce the issue, run the following command, which fails with Error: OCI runtime error: open /proc/sys/net/ipv4/ping_group_range: Read-only file system:

A workaround is editing ~/.config/containers/containers.conf inside the container to not include net.ipv4.ping_group_range:

Describe the results you received:
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:

Output of podman info --debug:

Package info (e.g. output of rpm -q podman or apt list podman):

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Rootless podman running inside a containerized environment without /proc/sys/net/ipv4/ping_group_range

This is mostly a duplicate of #8482, but for --network=none this time. 0d70df1 fixed this only for --network=host. Adding a check for network=none in specgen/generate/security.go may fix this?

/kind bug
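An added illustration, not podman's own code and not the fix referenced in the issue: a Go sketch of the sysctl filtering the reporter proposes for specgen/generate/security.go (skip net.* default sysctls for --network=none as is already done for --network=host), extended with a writability probe for the nested rootless case where /proc/sys is read-only or the file is absent. The names FilterSysctls, ParseSysctl, ProcPath and FileWritable, the injected writable probe, and the mode strings "host"/"none" are assumptions of this example; the sample default_sysctls entry is constructed from the value quoted in the issue.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sysctl is one parsed default_sysctls entry ("key=value") from containers.conf.
type Sysctl struct {
	Key   string
	Value string
}

// ParseSysctl splits a containers.conf-style "key=value" entry.
// The value may itself contain spaces (e.g. "0 0" for ping_group_range).
func ParseSysctl(entry string) (Sysctl, error) {
	parts := strings.SplitN(entry, "=", 2)
	if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" {
		return Sysctl{}, fmt.Errorf("malformed sysctl entry %q (want key=value)", entry)
	}
	return Sysctl{Key: strings.TrimSpace(parts[0]), Value: strings.TrimSpace(parts[1])}, nil
}

// ProcPath maps a sysctl key to the file the OCI runtime would open,
// e.g. net.ipv4.ping_group_range -> /proc/sys/net/ipv4/ping_group_range.
func ProcPath(key string) string {
	return filepath.Join("/proc/sys", strings.ReplaceAll(key, ".", "/"))
}

// FileWritable probes whether a /proc/sys file can be opened for writing.
// On a read-only /proc/sys the open fails with EROFS, the same
// "Read-only file system" error the issue reports; a missing file fails too.
func FileWritable(path string) bool {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return false
	}
	f.Close()
	return true
}

// FilterSysctls decides which default sysctls to hand to the runtime.
// netMode is the --network mode ("host", "none", "bridge", ...).
// writable is the probe applied to each /proc/sys path; it is injected so the
// logic can be exercised offline, and nil disables the probe.
// It returns the entries to apply and a human-readable reason for each skip.
func FilterSysctls(entries []string, netMode string, writable func(string) bool) ([]Sysctl, []string, error) {
	var keep []Sysctl
	var skipped []string
	for _, e := range entries {
		sc, err := ParseSysctl(e)
		if err != nil {
			return nil, nil, err
		}
		// Skip net.* sysctls for --network=host (they would land in the host's
		// namespace) and, as the issue proposes, for --network=none as well.
		if strings.HasPrefix(sc.Key, "net.") && (netMode == "host" || netMode == "none") {
			skipped = append(skipped, fmt.Sprintf("%s: skipped for --network=%s", sc.Key, netMode))
			continue
		}
		// Nested rootless case: /proc/sys may be read-only or the file absent.
		if writable != nil && !writable(ProcPath(sc.Key)) {
			skipped = append(skipped, fmt.Sprintf("%s: %s is not writable", sc.Key, ProcPath(sc.Key)))
			continue
		}
		keep = append(keep, sc)
	}
	return keep, skipped, nil
}

func main() {
	// Constructed sample mirroring the default quoted in the issue.
	defaults := []string{"net.ipv4.ping_group_range=0 0"}
	mode := "none"
	if len(os.Args) > 1 {
		mode = os.Args[1] // e.g. ./sysctlfilter bridge
	}
	keep, skipped, err := FilterSysctls(defaults, mode, FileWritable)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	for _, s := range keep {
		fmt.Printf("apply %s=%s\n", s.Key, s.Value)
	}
	for _, r := range skipped {
		fmt.Println("skip", r)
	}
}
```

Run with no argument to see the --network=none path skip the net.* entry without touching /proc/sys at all; run with `bridge` inside a container whose /proc/sys is read-only to see the probe skip it instead of letting the runtime fail at container start.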