mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
Revert "Revert "sysctl: Enable ping(8) inside rootless Podman containers""
This reverts commit be74f51605
.
Let's add this again. With the new sysctl "-" thing we can make this
work.
This commit is contained in:
parent
e08be64937
commit
0338934f4b
9
NEWS
9
NEWS
@ -2,6 +2,15 @@ systemd System and Service Manager
|
|||||||
|
|
||||||
CHANGES WITH 243 in spe:
|
CHANGES WITH 243 in spe:
|
||||||
|
|
||||||
|
* This release enables unprivileged programs (i.e. requiring neither
|
||||||
|
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
|
||||||
|
by turning on the net.ipv4.ping_group_range sysctl of the Linux
|
||||||
|
kernel for the whole UNIX group range, i.e. all processes. This
|
||||||
|
change should be reasonably safe, as the kernel support for it was
|
||||||
|
specifically implemented to allow safe access to ICMP Echo for
|
||||||
|
processes lacking any privileges. If this is not desirable, it can be
|
||||||
|
disabled again by setting the parameter to "1 0".
|
||||||
|
|
||||||
* Previously, filters defined with SystemCallFilter= would have the
|
* Previously, filters defined with SystemCallFilter= would have the
|
||||||
effect that an calling an offending system call would terminate the
|
effect that an calling an offending system call would terminate the
|
||||||
calling thread. This behaviour never made much sense, since killing
|
calling thread. This behaviour never made much sense, since killing
|
||||||
|
@ -30,6 +30,14 @@ net.ipv4.conf.all.accept_source_route = 0
|
|||||||
# Promote secondary addresses when the primary address is removed
|
# Promote secondary addresses when the primary address is removed
|
||||||
net.ipv4.conf.all.promote_secondaries = 1
|
net.ipv4.conf.all.promote_secondaries = 1
|
||||||
|
|
||||||
|
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
|
||||||
|
# The upper limit is set to 2^31-1. Values greater than that get rejected by
|
||||||
|
# the kernel because of this definition in linux/include/net/ping.h:
|
||||||
|
# #define GID_T_MAX (((gid_t)~0U) >> 1)
|
||||||
|
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
|
||||||
|
# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
|
||||||
|
net.ipv4.ping_group_range = 0 2147483647
|
||||||
|
|
||||||
# Fair Queue CoDel packet scheduler to fight bufferbloat
|
# Fair Queue CoDel packet scheduler to fight bufferbloat
|
||||||
net.core.default_qdisc = fq_codel
|
net.core.default_qdisc = fq_codel
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user