This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because those aren't effective inside rootless Podman containers. It's quite useful when using OSTree based operating systems like Fedora Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox [1]. Not having a basic network utility like ping(8) work inside the development environment can be inconvenient. See: https://lwn.net/Articles/422330/ http://man7.org/linux/man-pages/man7/icmp.7.html https://github.com/containers/libpod/issues/1550 The upper limit of the range of group identifiers is set to 2147483647, which is 2^31-1. Values greater than that get rejected by the kernel because of this definition in linux/include/net/ping.h: #define GID_T_MAX (((gid_t)~0U) >> 1) That's not so bad because values between 2^31 and 2^32-1 are reserved on systemd-based systems anyway [2]. [1] https://github.com/debarshiray/toolbox [2] https://systemd.io/UIDS-GIDS.html#summary
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# See sysctl.d(5) and core(5) for documentation.

# To override settings in this file, create a local file in /etc
# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
# there.
#
# Format: one "key = value" assignment per line, "#" starts a full-line
# comment. All values are applied by systemd-sysctl at boot; later files
# (sorted by name) override earlier ones key by key.

# System Request functionality of the kernel (SYNC)
#
# kernel.sysrq is a bitmask. 16 enables only the "sync" key (flush
# buffered data to disk); every other SysRq function, including the
# ones that dump memory, change log levels or reboot, stays disabled.
# Use kernel.sysrq = 1 to allow all keys.
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list
# of values and keys.
kernel.sysrq = 16

# Append the PID to the core filename
# (core.<pid> instead of a single "core" that later dumps overwrite;
# a kernel.core_pattern containing %p, as set by systemd-coredump,
# takes precedence over this)
kernel.core_uses_pid = 1

# Reverse-path filtering of the source address (loose mode, RFC 3704)
#
# Incoming packets are dropped when their source address is not
# reachable via any interface at all. Loose mode (2) rather than strict
# (1) so that multi-homed hosts and asymmetric routing keep working.
# The effective per-interface value is the maximum of "all" and the
# interface's own setting, so this is a floor that per-interface
# settings cannot lower.
net.ipv4.conf.all.rp_filter = 2

# Do not accept source routing
#
# Packets carrying the IPv4 strict/loose source route option are
# rejected. The "all" value is ANDed with the per-interface value, so
# 0 here disables source routing on every interface.
net.ipv4.conf.all.accept_source_route = 0

# Promote secondary addresses when the primary address is removed
# (instead of deleting all secondaries together with the primary)
net.ipv4.conf.all.promote_secondaries = 1

# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
#
# Processes whose group ID falls inside this range may open ICMP Echo
# sockets (SOCK_DGRAM, IPPROTO_ICMP, see icmp(7)). Such sockets only
# allow echo requests and do not grant raw-socket access, which is why
# the range can be opened to all groups. The kernel default ("1 0") is
# an empty range, i.e. disabled.
# The upper limit is set to 2^31-1. Values greater than that get rejected by
# the kernel because of this definition in linux/include/net/ping.h:
# #define GID_T_MAX (((gid_t)~0U) >> 1)
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
net.ipv4.ping_group_range = 0 2147483647

# Fair Queue CoDel packet scheduler to fight bufferbloat
# (default queueing discipline for interfaces created after this is set)
net.core.default_qdisc = fq_codel

# Enable hard and soft link protection
#
# protected_hardlinks: a hard link may only be created to a file the
# caller owns or has read and write access to. Blocks hardlink-based
# attacks on privileged programs that write to user-controlled paths.
# protected_symlinks: symlinks in world-writable sticky directories
# (e.g. /tmp) are only followed when the link owner matches the
# follower or the directory owner. Mitigates /tmp symlink races.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Enable regular file and FIFO protection
#
# With value 1, O_CREAT opens of an already existing regular file or
# FIFO in a world-writable sticky directory are refused unless the
# file is owned by the opener or by the directory owner. Value 2 would
# extend this to group-writable sticky directories.
fs.protected_regular = 1
fs.protected_fifos = 1