OS: Ubuntu 24.04
Incus version: 6.18
Container image: Ubuntu 22.04
Network: system software bridge to external network w/ static IP
I only recently noticed that ping doesn’t return results when run as an ordinary user in an Incus container. Digging into this a bit, I learned that ping requires a raw socket capability (cap_net_raw=ep) and that ping in the container doesn’t have this capability. This is hardly a pressing matter, but I’m curious to know what the security implications are of giving ping access to raw network sockets.
No real security implications. There are actually sysctls to allow it widely to all unprivileged users (limited to echo packets).
The main issue with it in images is around getting the capability to stick all the way from package installation, to image generation, to image unpacking and finally container creation.
We don’t actively try to strip it and we also have specific logic to shift those correctly on creation, but something likely dropped it somewhere between image generation and image unpack.
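An added diagnostic script (not from the thread or from the Incus project) that distinguishes the two mechanisms mentioned above: the cap_net_raw file capability on the ping binary versus the net.ipv4.ping_group_range sysctl that grants echo-only ICMP sockets to a GID range. The parsing functions take their inputs as strings so the logic can be exercised offline; the --live mode assumes getcap (libcap2-bin) and sysctl are installed.

```shell
#!/bin/sh
# Added example: why can't an unprivileged user ping inside this container?
# Two independent mechanisms allow a non-root ping:
#   1. the file capability cap_net_raw on the binary (raw sockets, any ICMP);
#   2. net.ipv4.ping_group_range: GIDs in "low high" may open IPPROTO_ICMP
#      datagram sockets, which carry echo request/reply only (no raw socket).
# The kernel default "1 0" (low > high) disables mechanism 2 entirely.

# ping_binary_has_net_raw GETCAP_OUTPUT -> 0 if cap_net_raw is in the effective set.
# Accepts both "/usr/bin/ping cap_net_raw=ep" and the older "= cap_net_raw+ep" form;
# "+p" alone (permitted but not effective) does not count.
ping_binary_has_net_raw() {
    printf '%s\n' "$1" | grep -Eq 'cap_net_raw[a-z_,]*[=+][eip]*e'
}

# gid_in_ping_group_range GID "LOW HIGH" -> 0 if GID lies inside the range.
gid_in_ping_group_range() {
    gid=$1
    set -- $2          # split "low high" into $1 and $2 (function-local positionals)
    low=$1; high=$2
    [ "$low" -le "$high" ] && [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# diagnose GETCAP_OUTPUT "LOW HIGH" GID -> prints which mechanism lets GID ping:
#   file-capability | ping-group-range | none
diagnose() {
    if ping_binary_has_net_raw "$1"; then
        echo "file-capability"     # cap_net_raw=ep: raw sockets for every caller
    elif gid_in_ping_group_range "$3" "$2"; then
        echo "ping-group-range"    # echo-only datagram sockets for this GID
    else
        echo "none"                # ping fails with a permission error for this user
    fi
}

# Live check on the current host or container: ./ping-caps.sh --live
if [ "${1:-}" = "--live" ]; then
    bin=$(command -v ping || true)
    caps=$(getcap "$bin" 2>/dev/null || true)
    range=$(sysctl -n net.ipv4.ping_group_range 2>/dev/null || echo "1 0")
    printf 'ping=%s caps=[%s] range=[%s] gid=%s -> %s\n' \
        "$bin" "$caps" "$range" "$(id -g)" "$(diagnose "$caps" "$range" "$(id -g)")"
fi
```

In the situation described in the question (capability lost during image unpack, default sysctl) the live check reports "none"; comparing the caps field on the host, in the image, and in the running container shows at which stage the capability was dropped.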