teknoraver / rpms / systemd

Forked from rpms/systemd 4 months ago
Clone

Blame SOURCES/0699-Revert-Revert-sysctl-Enable-ping-8-inside-rootless-P.patch

17aa40
From 54faef034bb2062ed8afa72e2c1be40ef7cc41c5 Mon Sep 17 00:00:00 2001
17aa40
From: Lennart Poettering <lennart@poettering.net>
17aa40
Date: Fri, 26 Jul 2019 09:25:09 +0200
17aa40
Subject: [PATCH] Revert "Revert "sysctl: Enable ping(8) inside rootless Podman
17aa40
 containers""
17aa40
17aa40
This reverts commit be74f51605b4c7cb74fec3a50cd13b67598a8ac1.
17aa40
17aa40
Let's add this again. With the new sysctl "-" thing we can make this
17aa40
work.
17aa40
17aa40
Resolves: #2037807
17aa40
17aa40
(cherry picked from commit 0338934f4bcda6a96a5342449ae96b003de3378d)
17aa40
---
17aa40
 sysctl.d/50-default.conf | 8 ++++++++
17aa40
 1 file changed, 8 insertions(+)
17aa40
17aa40
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
17aa40
index e0afc9c702..21ae1df13d 100644
17aa40
--- a/sysctl.d/50-default.conf
17aa40
+++ b/sysctl.d/50-default.conf
17aa40
@@ -33,6 +33,14 @@ net.ipv4.conf.all.accept_source_route = 0
17aa40
 # Promote secondary addresses when the primary address is removed
17aa40
 net.ipv4.conf.all.promote_secondaries = 1
17aa40
 
17aa40
+# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
17aa40
+# The upper limit is set to 2^31-1. Values greater than that get rejected by
17aa40
+# the kernel because of this definition in linux/include/net/ping.h:
17aa40
+#   #define GID_T_MAX (((gid_t)~0U) >> 1)
17aa40
+# That's not so bad because values between 2^31 and 2^32-1 are reserved on
17aa40
+# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
17aa40
+net.ipv4.ping_group_range = 0 2147483647
17aa40
+
17aa40
 # Fair Queue CoDel packet scheduler to fight bufferbloat
17aa40
 net.core.default_qdisc = fq_codel
17aa40