Ubuntu24 container from images upstream has no cap_net_raw on /bin/ping

With incus 6.17 from zabbly, hosted on ubuntu24, with ordinary incus launch images:ubuntu/24.04 the container’s /bin/ping does not have cap_net_raw=ep and therefore a non-root user cannot ping. When launching with --vm then the ping binary does have the capability.

I tried both with and without security.idmap.isolated. There is nothing special about the profiles of these containers or the server configuration. They are essentially the defaults.

Is anyone else experiencing this? Is it expected?

I noticed the same thing a while ago. According to this askubuntu post we have two options:

Permanent, simply install linux-sysctl-defaults inside container:

sudo apt install linux-sysctl-defaults

Temporarily use setcap inside container:

sudo setcap cap_net_raw+p /usr/bin/ping

As a side note, on the Ubuntu host there is a script at /var/lib/dpkg/info/iputils-ping.postinst that does the chmod u-s /usr/bin/ping.

So why does the exact same image run as an Incus QEMU VM have cap_net_raw on /bin/ping, but when run as an Incus LXC container, it does not?
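To compare what the container and the VM actually carry on the ping binary, the file capability can be read directly from the security.capability extended attribute. This is an added example, not code from the thread: it decodes the kernel's on-disk format and reports cap_net_raw in getcap-style flags, which shows the difference between the "=ep" seen in the VM and the "+p" set by the setcap workaround. The sample byte strings and the function names are constructed for illustration.

```python
import os
import struct

CAP_NET_RAW = 13                   # capability number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # 20-byte xattr
VFS_CAP_REVISION_3 = 0x03000000    # 24-byte xattr, adds a namespace root uid
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
SIZES = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}

def decode_file_caps(raw: bytes) -> dict:
    """Decode a security.capability xattr value (little-endian vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    if SIZES.get(revision) != len(raw):
        raise ValueError("unsupported revision or wrong length")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
    # rootid: uid of the user-namespace root the capability is valid for (v3 only)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else None
    return {"revision": revision >> 24,
            "permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "rootid": rootid}

def describe_net_raw(raw: bytes) -> str:
    """Return getcap-style flags for cap_net_raw: '', 'p', 'ep', 'eip', ..."""
    caps = decode_file_caps(raw)
    bit = 1 << CAP_NET_RAW
    has_p = bool(caps["permitted"] & bit)
    has_i = bool(caps["inheritable"] & bit)
    has_e = caps["effective"] and (has_p or has_i)  # the effective flag is file-wide
    return "".join(f for f, on in (("e", has_e), ("i", has_i), ("p", has_p)) if on)

def read_ping_caps(path: str = "/usr/bin/ping") -> str:
    """Flags on a real file; '' when the xattr (or the file) is absent."""
    try:
        return describe_net_raw(os.getxattr(path, "security.capability"))
    except OSError:
        return ""

# Constructed sample values, not captured from a real system.
NET_RAW = 1 << CAP_NET_RAW
SAMPLE_EP = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, NET_RAW, 0, 0, 0)
SAMPLE_P = struct.pack("<5I", VFS_CAP_REVISION_2, NET_RAW, 0, 0, 0)
SAMPLE_V3 = struct.pack("<6I", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE, NET_RAW, 0, 0, 0, 1000000)

if __name__ == "__main__":
    print("ping cap_net_raw flags:", read_ping_caps() or "(none)")
```

Run it in both the container and the VM; an empty result in the container means the attribute is missing from the file there rather than being present but ignored.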