Core ICMP stopped working after upgrade from 31.0.8 -> 31.0.9 (docker/k8s)

Description

I upgraded to 31.0.9 today from a 31.0.8 install running on Linode Kubernetes Engine.

core was unable to ping - logs showed:

2023-06-14 20:08:35,388 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,388 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,388 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,389 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,389 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,389 ERROR [Main] o.o.n.i.j.Jni6Pinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,389 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,390 ERROR [Main] o.o.n.i.j.JniPinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,390 ERROR [Main] o.o.n.i.j.Jni6Pinger: Permission error received while attempting to open ICMP socket. See https://docs.opennms.com/ for information on configuring ICMP for non-root.
2023-06-14 20:08:35,391 WARN [Main] o.o.n.i.j.JnaIcmpMessenger: Unable to initialize JNA ICMP messenger

After prompting in chat, I was able to get things working again by updating my k8s yaml to add the ‘safe’ sysctl net.ipv4.ping_group_range:

spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ping_group_range
        value: "10001 10001"

I was surprised to have to do this for a patch release since 31.0.8 worked without that setting.

Environment

Linode Kubernetes Environment (running k8s 1.25)

Acceptance / Success Criteria

None

Activity

Veena Kannan October 10, 2023 at 1:52 PM

chiuen (Qun) July 12, 2023 at 6:26 PM

For the NET_RAW scenario, we evaluated the risk as the following:

CVSS: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS Score: 4.7 x likelihood low 0.5 = 2.4 low

 

For the sysctls scenario, we evaluated the risk as the following:

CVSS: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS Score: 2.5 x likelihood low 0.5 = 1.3 low

Either case has low risk with low margin of difference.
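
The two scenarios compared above map to two kinds of Linux ICMP socket: a datagram ICMP socket, which the kernel permits when one of the process's GIDs falls inside net.ipv4.ping_group_range, and a raw ICMP socket, which needs the NET_RAW capability. The following diagnostic is an added example, not part of the ticket or of OpenNMS; run inside the container, it shows which path is open to the current user. The function names are hypothetical.

```python
import errno
import os
import socket

# Linux exposes the sysctl here; the value is "<low gid> <high gid>", default "1 0".
PING_RANGE_PATH = "/proc/sys/net/ipv4/ping_group_range"

def parse_ping_group_range(text):
    """Return (low, high) parsed from the sysctl value, e.g. '10001 10001'."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected two GIDs, got {text!r}")
    return int(parts[0]), int(parts[1])

def gids_allowed(text, gids):
    """True if any GID is inside the inclusive range; low > high allows nobody."""
    low, high = parse_ping_group_range(text)
    return any(low <= gid <= high for gid in gids)

def probe(sock_type):
    """Try to open an IPv4 ICMP socket; return 'ok' or the errno name on failure."""
    try:
        sock = socket.socket(socket.AF_INET, sock_type, socket.IPPROTO_ICMP)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return "ok"

def report():
    """Summarise which ICMP socket path this process can use."""
    gids = sorted({os.getegid(), *os.getgroups()})
    try:
        with open(PING_RANGE_PATH) as fh:
            raw = fh.read().strip()
        in_range = gids_allowed(raw, gids)
    except (OSError, ValueError):
        raw, in_range = None, None  # not Linux, or /proc not readable
    return {
        "gids": gids,
        "ping_group_range": raw,
        "gid_in_range": in_range,
        "dgram_icmp": probe(socket.SOCK_DGRAM),  # governed by the sysctl
        "raw_icmp": probe(socket.SOCK_RAW),      # needs CAP_NET_RAW
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the pod spec from the description applied, a process running with GID 10001 should report `gid_in_range: True` and `dgram_icmp: ok` while `raw_icmp` still fails, which confirms the container works without NET_RAW.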

chiuen (Qun) July 11, 2023 at 8:06 PM

I have marked it up for security’s team meeting to discuss tomorrow. Thanks!

Veena Kannan July 11, 2023 at 7:58 PM

Could you please take a look at this and provide input?

Jeff Gehlbach June 21, 2023 at 6:57 PM

would you mind weighing in on the risk profile of reintroducing NET_RAW please?

Fixed

Details

Created June 14, 2023 at 9:03 PM
Updated October 10, 2023 at 2:53 PM
Resolved October 10, 2023 at 1:52 PM
