Bug 2037807 - Unprivileged users can't send ICMP echo requests
Summary: Unprivileged users can't send ICMP echo requests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: systemd
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jan Macku
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Duplicates: 2040385 2043500 2043614 2043929 2048905 2048990 2049413
Depends On:
Blocks: 2030107 2051329
Reported: 2022-01-06 15:32 UTC by Jan Macku
Modified: 2022-05-10 16:46 UTC (History)

Fixed In Version: systemd-239-57.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 15:25:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | redhat-plumbers systemd-rhel8 pull 246 | 0 | None | Merged | (#2037807) sysctl: Allow unprivileged users to send ICMP echo requests | 2022-05-04 08:57:31 UTC |
| Github | redhat-plumbers systemd-rhel8 pull 256 | 0 | None | Merged | (#2037807) Allow unprivileged users to send ICMP echo requests | 2022-05-04 08:57:33 UTC |
| Red Hat Issue Tracker | RHELPLAN-106986 | 0 | None | None | None | 2022-01-06 15:39:35 UTC |
| Red Hat Product Errata | RHBA-2022:2069 | 0 | None | None | None | 2022-05-10 15:26:32 UTC |

Comment 1 Plumber Bot 2022-01-07 09:10:25 UTC
fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/246

Comment 3 Jan Macku 2022-01-13 15:55:21 UTC
*** Bug 2040385 has been marked as a duplicate of this bug. ***

Comment 9 Josh Boyer 2022-01-18 22:05:36 UTC
For those interested in this issue on CentOS Stream 8, the build is still under test and not eligible due to an unrelated internal infrastructure issue.  We're working to resolve that soon.

Comment 10 smooney 2022-01-19 23:56:37 UTC
Looking at the CentOS build in Koji, it failed on one test case:


```
155/298 test-procfs-util                          FAIL             0.32s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=200 SYSTEMD_KBD_MODEL_MAP=/builddir/build/BUILD/systemd-239/src/locale/kbd-model-map SYSTEMD_LANGUAGE_FALLBACK_MAP=/builddir/build/BUILD/systemd-239/src/locale/language-fallback-map PATH=/builddir/build/BUILD/systemd-239/x86_64-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin /builddir/build/BUILD/systemd-239/x86_64-redhat-linux-gnu/test-procfs-util
――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――
stderr:
Current system CPU time: 5month 4w 4h 23min 16.380000s
Current memory usage: 34.6G
Current number of tasks: 681
kernel.pid_max: 40960
kernel.threads-max: 1030309
Limit of tasks: 40959
Reducing limit by one to 40958…
procfs_tasks_set_limit: Permission denied
Assertion 'r >= 0 ? w == v - 1 : w == v' failed at ../src/test/test-procfs-util.c:59, function main(). Aborting.
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
```

https://koji.mbox.centos.org/koji/taskinfo?taskID=334490 

Is that the infra issue you were referring to?

Comment 11 Brian Stinson 2022-01-20 03:16:22 UTC
(In reply to smooney from comment #10)


This is a different issue we're running into on the CentOS Stream builders. We're investigating.

Comment 13 Johnny Hughes 2022-01-20 22:18:02 UTC
OK .. Brian Stinson recommended and I tested:

Removing the dash in the line: 

-net.ipv4.ping_group_range = 0 2147483647

in /usr/lib/sysctl.d/50-default.conf

fixes the issue.

Comment 14 Frantisek Sumsal 2022-01-21 09:49:25 UTC
I see:

```
  Running scriptlet: systemd-239-55.el8.x86_64                            21/21 
Couldn't write '0 2147483647' to '-net/ipv4/ping_group_range', ignoring: No such file or directory

```

```
# sysctl -p 50-default.conf 
kernel.sysrq = 16
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.promote_secondaries = 1
sysctl: cannot stat /proc/sys/-net/ipv4/ping_group_range: No such file or directory
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
```

Looks like we need at least https://github.com/systemd/systemd/pull/13191/commits/dec02d6e1993d420a0a94c7fec294605df55e88e as well from the original PR (https://github.com/systemd/systemd/pull/13191/commits)

Comment 15 Frantisek Sumsal 2022-01-21 11:48:06 UTC
*** Bug 2043500 has been marked as a duplicate of this bug. ***

Comment 16 Johnny Hughes 2022-01-21 13:31:23 UTC
(In reply to Frantisek Sumsal from comment #14)
> I see:
> 
> ```
>   Running scriptlet: systemd-239-55.el8.x86_64                           
> 21/21 
> Couldn't write '0 2147483647' to '-net/ipv4/ping_group_range', ignoring: No
> such file or directory
> 
> ```
> 
> ```
> # sysctl -p 50-default.conf 
> kernel.sysrq = 16
> kernel.core_uses_pid = 1
> kernel.kptr_restrict = 1
> net.ipv4.conf.all.rp_filter = 1
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv4.conf.all.promote_secondaries = 1
> sysctl: cannot stat /proc/sys/-net/ipv4/ping_group_range: No such file or
> directory
> net.core.default_qdisc = fq_codel
> fs.protected_hardlinks = 1
> fs.protected_symlinks = 1
> ```
> 
> Looks like we need at least
> https://github.com/systemd/systemd/pull/13191/commits/
> dec02d6e1993d420a0a94c7fec294605df55e88e as well from the original PR
> (https://github.com/systemd/systemd/pull/13191/commits)

Removing the - (minus sign) in the /usr/lib/sysctl.d/50-default.conf after installing systemd-239-55.el8.x86_64 works for me in 2 installs.

So changing:

-net.ipv4.ping_group_range = 0 2147483647

to

net.ipv4.ping_group_range = 0 2147483647

  

Is the minus sign a typo?

Comment 17 Frantisek Sumsal 2022-01-21 13:34:06 UTC
(In reply to Johnny Hughes from comment #16)
> (In reply to Frantisek Sumsal from comment #14)
> > I see:
> > 
> > ```
> >   Running scriptlet: systemd-239-55.el8.x86_64                           
> > 21/21 
> > Couldn't write '0 2147483647' to '-net/ipv4/ping_group_range', ignoring: No
> > such file or directory
> > 
> > ```
> > 
> > ```
> > # sysctl -p 50-default.conf 
> > kernel.sysrq = 16
> > kernel.core_uses_pid = 1
> > kernel.kptr_restrict = 1
> > net.ipv4.conf.all.rp_filter = 1
> > net.ipv4.conf.all.accept_source_route = 0
> > net.ipv4.conf.all.promote_secondaries = 1
> > sysctl: cannot stat /proc/sys/-net/ipv4/ping_group_range: No such file or
> > directory
> > net.core.default_qdisc = fq_codel
> > fs.protected_hardlinks = 1
> > fs.protected_symlinks = 1
> > ```
> > 
> > Looks like we need at least
> > https://github.com/systemd/systemd/pull/13191/commits/
> > dec02d6e1993d420a0a94c7fec294605df55e88e as well from the original PR
> > (https://github.com/systemd/systemd/pull/13191/commits)
> 
> removing the - (minus sign) in the /usr/lib/sysctl.d/50-default.conf after
> installing systemd-239-55.el8.x86_64 works for me in 2 installs.
> 
> So changing:
> 
> -net.ipv4.ping_group_range = 0 2147483647
> 
> to
> 
> net.ipv4.ping_group_range = 0 2147483647
> 
>   
> 
> Is the minus sign a typo?

As I mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2043500#c1 - no, the minus sign is intentional, to ignore errors (particularly in certain container solutions). Unfortunately, it turned out we were missing a couple of patches for this feature to work as advertised. This is being resolved in https://github.com/redhat-plumbers/systemd-rhel8/pull/256.
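
The failure discussed in comments 14 to 17, as an added example that is not part of the bug thread and not systemd or procps code: a parser without `-` prefix support resolves the line to the non-existent `/proc/sys/-net/ipv4/ping_group_range`, while a prefix-aware one strips the dash and records that write errors are to be ignored. The function names, the `AWARE` switch and the sample fragment are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not systemd source). SAMPLE is constructed from the lines
# quoted in this bug.
SAMPLE='# constructed sample of a sysctl.d fragment
kernel.kptr_restrict = 1
-net.ipv4.ping_group_range = 0 2147483647'

# resolve_key KEY AWARE: print "<proc path> <ignore-errors flag>".
# AWARE=0 models a parser without "-" prefix support, AWARE=1 one with it.
# Simplification: every "." becomes "/" (no handling of dotted interface names).
resolve_key() {
    key=$1; ignore=0
    if [ "$2" = 1 ]; then
        case $key in
            -*) key=${key#-}; ignore=1 ;;
        esac
    fi
    printf '/proc/sys/%s %s\n' "$(printf '%s' "$key" | tr . /)" "$ignore"
}

# parse_fragment AWARE: read a fragment on stdin, skip blanks and comments,
# and print one "<proc path> <ignore flag> <value>" line per setting.
parse_fragment() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        printf '%s %s\n' "$(resolve_key "$key" "$1")" "$value"
    done
}

# gid_in_ping_range "LOW HIGH" GID: succeed if GID may open ICMP echo sockets.
# The kernel default "1 0" is an empty range, so no group matches.
gid_in_ping_range() {
    set -- $1 "$2"
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

printf '%s\n' "$SAMPLE" | parse_fragment 0   # no prefix support: literal "-net/..." path
printf '%s\n' "$SAMPLE" | parse_fragment 1   # prefix-aware: real path, ignore flag set
```

On a live host, passing the contents of `/proc/sys/net/ipv4/ping_group_range` and a user's GID to `gid_in_ping_range` confirms whether the packaged default actually took effect.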

Comment 18 Brian Stinson 2022-01-21 16:16:19 UTC
*** Bug 2043614 has been marked as a duplicate of this bug. ***

Comment 19 Josh Boyer 2022-01-22 17:09:49 UTC
*** Bug 2043929 has been marked as a duplicate of this bug. ***

Comment 20 David Tardon 2022-02-01 09:58:59 UTC
*** Bug 2048905 has been marked as a duplicate of this bug. ***

Comment 21 David Tardon 2022-02-01 11:14:08 UTC
*** Bug 2048990 has been marked as a duplicate of this bug. ***

Comment 22 Frantisek Sumsal 2022-02-02 08:40:56 UTC
*** Bug 2049413 has been marked as a duplicate of this bug. ***

Comment 23 Roni Kishner 2022-02-03 09:38:23 UTC
This issue is affecting RHEL 6.10 and RHEL 7 releases as well, please verify the fix when it is successfully merged on those releases as well.

Comment 24 Roni Kishner 2022-02-03 11:51:02 UTC
(In reply to Roni Kishner from comment #23)
> This issue is affecting RHEL 6.10 and RHEL 7 releases as well, please verify
> the fix when it is successfully merged on those releases as well.

Please ignore, I was looking at another issue. Sorry for the confusion.

Comment 26 Frantisek Sumsal 2022-02-07 08:00:09 UTC
*** Bug 2051329 has been marked as a duplicate of this bug. ***

Comment 27 Plumber Bot 2022-02-07 14:20:38 UTC
fix merged to github master branch -> https://github.com/redhat-plumbers/systemd-rhel8/pull/256

Comment 29 Igor Raits 2022-02-11 09:28:50 UTC
Is there any ETA when this build will appear in the CentOS Stream 8?

Comment 30 Brian Stinson 2022-02-11 14:31:38 UTC
There's no ETA for inclusion in Stream 8, but the process is working. This got pushed today:

https://git.centos.org/rpms/systemd/c/da2bf9e4d033db98743f33c925f39a0686c6628a?branch=c8s

Comment 31 Johnny Hughes 2022-02-11 15:42:38 UTC
It was just released to git.centos.org this morning. I am building it now, should go out in the next CentOS Stream 8 compose, sometime this afternoon.

Comment 32 Johnny Hughes 2022-02-11 23:50:17 UTC
The latest systemd for CentOS Stream 8 is now released (systemd-239-58.el8).  I have verified that non-privileged users can now use ICMP tools by default.

Comment 34 Roni Kishner 2022-02-16 12:20:56 UTC
Hey, @fsumsal do you have any estimation on verifying this bug? This is a setback for our team.

Comment 36 errata-xmlrpc 2022-05-10 15:25:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (systemd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2069

