| author | Debarshi Ray <debarshir@gnome.org> | 2019-07-22 21:30:25 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-07-24 16:41:45 +0200 |
| commit | 90ce7627dfe824ff6e7c0ca5f96350fbcfec7118 | |
| tree | f4f7e5bd10466d2cf6764fe6dbfed67ec2e8a30c /sysctl.d | |
| parent | Merge pull request #13145 from poettering/nss-gateway-fix | |
sysctl: Enable ping(8) inside rootless Podman containers
This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because
those aren't effective inside rootless Podman containers.
It's quite useful when using OSTree based operating systems like Fedora
Silverblue, where development environments are often set up using
rootless Podman containers with helpers like Toolbox [1]. Not having
a basic network utility like ping(8) work inside the development
environment can be inconvenient.
See:
https://lwn.net/Articles/422330/
http://man7.org/linux/man-pages/man7/icmp.7.html
https://github.com/containers/libpod/issues/1550
The upper limit of the range of group identifiers is set to 2147483647,
which is 2^31-1. Values greater than that get rejected by the kernel
because of this definition in linux/include/net/ping.h:
#define GID_T_MAX (((gid_t)~0U) >> 1)
That's not so bad because values between 2^31 and 2^32-1 are reserved
on systemd-based systems anyway [2].
[1] https://github.com/debarshiray/toolbox
[2] https://systemd.io/UIDS-GIDS.html#summary
Diffstat (limited to 'sysctl.d')
-rw-r--r-- | sysctl.d/50-default.conf | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf index 27084f6242..f0b4f610f8 100644 --- a/sysctl.d/50-default.conf +++ b/sysctl.d/50-default.conf @@ -30,6 +30,14 @@ net.ipv4.conf.all.accept_source_route = 0 # Promote secondary addresses when the primary address is removed net.ipv4.conf.all.promote_secondaries = 1 +# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW +# The upper limit is set to 2^31-1. Values greater than that get rejected by +# the kernel because of this definition in linux/include/net/ping.h: +# #define GID_T_MAX (((gid_t)~0U) >> 1) +# That's not so bad because values between 2^31 and 2^32-1 are reserved on +# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary +net.ipv4.ping_group_range = 0 2147483647 + # Fair Queue CoDel packet scheduler to fight bufferbloat net.core.default_qdisc = fq_codel |
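Review bot: the new comment block and the subject line frame this as a fix for rootless Podman containers, but the setting lands in systemd's default 50-default.conf and therefore applies on every host that ships it: `net.ipv4.ping_group_range = 0 2147483647` lets a process in any group (GIDs 0 through 2^31-1) open unprivileged ICMP Echo sockets, container or not. The comment should state that scope explicitly, e.g. "Allow all groups to create ICMP Echo sockets (SOCK_DGRAM/IPPROTO_ICMP) so ping(8) works without CAP_NET_RAW, including inside rootless containers", so that an administrator reviewing the shipped defaults understands it is host-wide and knows to narrow the range in a drop-in that sorts after 50-default.conf (for example under /etc/sysctl.d/) if ping should stay limited to specific groups. A smaller point on the same hunk: the five comment lines about GID_T_MAX repeat the commit message almost verbatim; a one-line pointer to linux/include/net/ping.h and the UIDS-GIDS document would keep the config file readable while the full rationale stays in the commit.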