On 06/23/2016 03:26 PM, Vasily Averin wrote:
iputils-ping 20150815 fails inside containers
because socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)
is restricted by vz_security_protocol_check().
The patch enables creation of such sockets inside containers.
By default sys_socket still fails
because of the default setting of sysctl net.ipv4.ping_group_range;
however, it's enough for iputils-ping 20150815:
its fallback handles this situation
and successfully creates a RAW socket.
In mainline it is enabled in MS kernel v3.13+, see:
commit fd2d5356d902 ("ipv4: Allow unprivileged users to use per net sysctls")
In future we're going to backport this patch and add its save/restore into criu.
https://bugs.openvz.org/browse/OVZ-6744
Signed-off-by: Vasily Averin <[email protected]>
Acked-by: Pavel Tikhomirov <[email protected]>
diff-vz7-enable-ipproto_icmp-inside-containers
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 53fa12d..ef521cf 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -222,6 +222,7 @@ int vz_security_protocol_check(struct net *net, int
protocol)
switch (protocol) {
case IPPROTO_IP:
+ case IPPROTO_ICMP:
case IPPROTO_TCP:
case IPPROTO_UDP:
case IPPROTO_RAW:
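Review bot: the new `case IPPROTO_ICMP:` makes vz_security_protocol_check() pass every PF_INET socket carrying protocol IPPROTO_ICMP unconditionally, since the switch is keyed on `protocol` alone, so the only thing left gating unprivileged ICMP datagram sockets inside a container is net.ipv4.ping_group_range, whose per-net handling the commit message says is still to be backported. Add a short comment next to the new case stating that this check deliberately defers to ping_group_range rather than enforcing a policy of its own, so nobody later reads this switch as the complete decision; the commit message would also benefit from naming the socket type this is meant for (SOCK_DGRAM), since nothing in the check distinguishes it from the RAW path that ping falls back to.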
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
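The fallback the commit message describes, as an added example written for this page (it is not iputils' code nor the Virtuozzo kernel's): probe for the unprivileged ICMP datagram socket first, fall back to the raw ICMP socket that needs CAP_NET_RAW, and report which path worked and why the other was refused. The struct and function names (`ping_sock`, `open_ping_socket`, `ping_group_allowed`) are the example's own. The second helper evaluates a gid against the text form of net.ipv4.ping_group_range, whose kernel default "1 0" is an empty range, which is why the message says the datagram attempt still fails by default.

```c
/* Added example for this page: probe the two ways ping(8) can obtain an
 * ICMP socket, in the order iputils tries them.  Not iputils' or the
 * kernel's own code; names below are this example's assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

enum ping_sock_kind { PING_SOCK_NONE = 0, PING_SOCK_DGRAM = 1, PING_SOCK_RAW = 2 };

struct ping_sock {
    enum ping_sock_kind kind;
    int fd;          /* -1 when kind == PING_SOCK_NONE */
    int dgram_errno; /* errno from the SOCK_DGRAM attempt, 0 if it succeeded */
    int raw_errno;   /* errno from the SOCK_RAW attempt, 0 if not tried or it succeeded */
};

/* Mirror of the fallback in the commit message: socket(PF_INET, SOCK_DGRAM,
 * IPPROTO_ICMP) is allowed only if the caller's group lies inside
 * net.ipv4.ping_group_range; if that is refused, fall back to
 * socket(PF_INET, SOCK_RAW, IPPROTO_ICMP), which requires CAP_NET_RAW. */
struct ping_sock open_ping_socket(void)
{
    struct ping_sock s = { PING_SOCK_NONE, -1, 0, 0 };

    s.fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (s.fd >= 0) {
        s.kind = PING_SOCK_DGRAM;
        return s;
    }
    s.dgram_errno = errno;

    s.fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s.fd >= 0) {
        s.kind = PING_SOCK_RAW;
        return s;
    }
    s.raw_errno = errno;
    return s;
}

/* Parse the text form of net.ipv4.ping_group_range ("<low>\t<high>", as read
 * from /proc/sys/net/ipv4/ping_group_range) and report whether a gid may
 * create ICMP datagram sockets.  The kernel default "1\t0" is an empty range,
 * so no group qualifies until an administrator widens it. */
int ping_group_allowed(const char *range, unsigned long gid)
{
    unsigned long low, high;
    if (sscanf(range, "%lu %lu", &low, &high) != 2)
        return 0;
    return low <= high && gid >= low && gid <= high;
}

int main(void)
{
    struct ping_sock s = open_ping_socket();
    switch (s.kind) {
    case PING_SOCK_DGRAM:
        puts("got ICMP datagram socket (ping_group_range admits this gid)");
        break;
    case PING_SOCK_RAW:
        printf("datagram socket refused (%s); fell back to raw socket\n",
               strerror(s.dgram_errno));
        break;
    default:
        printf("no ICMP socket: dgram=%s raw=%s\n",
               strerror(s.dgram_errno), strerror(s.raw_errno));
        break;
    }
    if (s.fd >= 0)
        close(s.fd);
    return s.kind == PING_SOCK_NONE ? 1 : 0;
}
```

Run it as an unprivileged user inside and outside a container: on a kernel that rejects the protocol outright the datagram attempt fails before ping_group_range is even consulted, whereas with the patch applied the failure reason becomes the sysctl, and widening the range (for example to "0 2147483647") makes the first path succeed without CAP_NET_RAW.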