[Heartbeat] root privileges required for ICMP #11498

Closed
fkelbert opened this issue Mar 27, 2019 · 4 comments
Labels
good first issue, Heartbeat, Team:obs-ds-hosted-services, v7.4.0

Comments

@fkelbert

It seems root privileges are required to execute the following monitor:

- type: icmp
  hosts: [ "google.co.uk", "8.8.8.8" ]
  schedule: '@every 10s'

When running without root privileges, heartbeat fails with the following message: Exiting: could not create monitor: job err failed to initiate IPv4 support

I propose to:

  • include a hint towards missing root privileges
  • extend the documentation accordingly

@andrewvc added the Team:obs-ds-hosted-services label Mar 27, 2019
@elasticmachine
Collaborator

Pinging @elastic/uptime

@andrewvc added the good first issue label Mar 27, 2019
@andrewvc
Contributor

I agree, the error message is terrible. We should work on it.

Even more ideally, we could research using capabilities instead of root access to let people run with the minimum of necessary privileges.

@leopucci
Contributor

leopucci commented Mar 29, 2019

I've added log messages and unprivileged icmp access.
failed to initiate IPv4 support. Check log details for permission configuration

You dont have root permission to run ping. You can run without root by setting cap_net_raw:
sudo setcap cap_net_raw+eip /path/to/heartbeat
Your system allows the use of unprivileged ping by setting net.ipv4.ping_group_range
sysctl -w net.ipv4.ping_group_range='<min-uid> <max-uid>' 

- Non-root execution (preferred)
Setting CAP_NET_RAW on file
Can be set by executing setcap cap_net_raw+ep /path/to/heartbeat to make raw socket available

- Unprivileged icmp access (implemented on kernel since ~2010)
Available for Linux/Mac OS darwin:
sysctl -w net.ipv4.ping_group_range="0 100"
After allowing group ids, users can use unprivileged icmp socket
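
The two options in the comment above can be checked before a monitor starts. The following is an added example, not code from Heartbeat or from the fix referenced in this issue: a Linux-only preflight that tests the effective capability mask for CAP_NET_RAW (bit 13) and whether one of the process's group ids lies inside `net.ipv4.ping_group_range`. The function names `hasCapNetRaw`, `gidAllowed` and `icmpHint` are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// hasCapNetRaw tests the CapEff mask in the text of /proc/<pid>/status.
func hasCapNetRaw(status string) bool {
	for _, line := range strings.Split(status, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "CapEff:" {
			mask, err := strconv.ParseUint(f[1], 16, 64)
			return err == nil && mask&(1<<13) != 0 // bit 13 = CAP_NET_RAW
		}
	}
	return false
}

// gidAllowed: is any gid inside the "low high" range? The default "1 0" is empty.
func gidAllowed(rng string, gids []int) bool {
	var lo, hi int
	if n, _ := fmt.Sscan(rng, &lo, &hi); n == 2 {
		for _, g := range gids {
			if g >= lo && g <= hi {
				return true
			}
		}
	}
	return false
}

// icmpHint (hypothetical helper) reports which of the two options applies.
func icmpHint(status, rng string, gids []int) string {
	if hasCapNetRaw(status) {
		return "ok: CAP_NET_RAW is effective, raw ICMP sockets are available"
	}
	if gidAllowed(rng, gids) {
		return "ok: a group of this process is inside net.ipv4.ping_group_range"
	}
	return "no ICMP access: set cap_net_raw on the binary or widen net.ipv4.ping_group_range"
}

func main() { // Linux only: checks the live values for the current process
	status, _ := os.ReadFile("/proc/self/status")
	rng, _ := os.ReadFile("/proc/sys/net/ipv4/ping_group_range")
	gids, _ := os.Getgroups()
	fmt.Println(icmpHint(string(status), string(rng), append(gids, os.Getegid())))
}
```

The range is matched against group ids, so a narrow range covering only the service account's group grants less than a range covering every group on the host.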

@andrewvc
Contributor

andrewvc commented Oct 8, 2019

Fixed with #13795
