# cap_net_raw+p capability to allow ping with non-root user


distant slate

I have a Debian Trixie-based container where I need to ping as a non-root user. Running the image with Docker Desktop works:

$ docker run --rm -it myimage:latest ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.032 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1061ms
rtt min/avg/max/mdev = 0.032/0.042/0.052/0.010 ms

However, running the same image in Dagger produces a different result:

$ dagger shell --no-mod -c 'container | from "myimage:latest" | with-exec "ping,127.0.0.1"'
▶ connect 0.5s
✔ loading type definitions 0.2s

$ container: Container! 0.0s CACHED
$ .from(address: "myimage:latest"): Container! 0.3s CACHED
▼ .withExec(args: ["ping", "127.0.0.1"]): Container! 0.1s ERROR
┃ ping: socktype: SOCK_RAW
┃ ping: socket: Operation not permitted
┃ ping: => missing cap_net_raw+p capability or setuid?
! process "ping 127.0.0.1" did not complete successfully: exit code: 2
...

This SO post suggests installing the linux-sysctl-defaults package, but this doesn't work since the config file only applies on reboot in non-containerised installations. Running sudo setcap cap_net_raw+p /usr/bin/ping does the trick; however, I'm curious whether there are better ways to make this work in Dagger, especially since ping just works with regular Docker runs.

sudden bramble

interesting... is this on a mac @distant slate? can't seem to be able to repro in linux.


would you mind checking if pinging from the engine containers work?


you can try with this docker exec $(docker ps --filter name="dagger-engine-*" -q) ping 127.0.0.1

distant slate
In reply to sudden bramble: "interesting... is this on a mac @distant slate? can't seem to be able to..."

👋 Yes this is on a Mac with Docker Desktop. Running v0.19.2, this minimal Dagger Shell command reproduces the issue:

$ dagger shell --no-mod --progress=plain -c 'container | from "debian:trixie" | with-exec "apt,update" | with-exec "apt,install,-y,iputils-ping" | with-user 1000 | with-exec "ping,-c4,127.0.0.1"'
...

14  : Container.withExec(args: ["ping", "-c4", "127.0.0.1"]): Container!
14  : [0.1s] | ping: socktype: SOCK_RAW
14  : [0.1s] | ping: socket: Operation not permitted
14  : [0.1s] | ping: => missing cap_net_raw+p capability or setuid?
14  : Container.withExec ERROR [0.1s]

15  : with-exec
15  : with-exec ERROR [0.3s]
15  : ! input: container.from.withExec.withExec.withUser.withExec.id process "ping -c4 127.0.0.1" did not complete successfully: exit code: 2

Error: input: container.from.withExec.withExec.withUser.withExec.id process "ping -c4 127.0.0.1" did not complete successfully: exit code: 2

As suggested by the above linked SO post, running ping as root user works:

$ dagger shell --no-mod --progress=plain -c 'container | from "debian:trixie" | with-exec "apt,update" | with-exec "apt,install,-y,iputils-ping" | with-exec "ping,-c4,127.0.0.1"'
...

13  : Container.withExec(args: ["ping", "-c4", "127.0.0.1"]): Container!
13  : Container.withExec DONE [0.0s]
13  : [0.1s] | PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
13  : [0.1s] | 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.016 ms
13  : [1.1s] | 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.064 ms
13  : [2.1s] | 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.098 ms
13  : [3.2s] | 64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.081 ms
13  : [3.2s] |
13  : [3.2s] | --- 127.0.0.1 ping statistics ---
13  : [3.2s] | 4 packets transmitted, 4 received, 0% packet loss, time 3089ms
13  : [3.2s] | rtt min/avg/max/mdev = 0.016/0.064/0.098/0.030 ms

Container@xxh3:351c797e5150fd0a

you can try with this docker exec $(docker ps --filter name="dagger-engine-*" -q) ping 127.0.0.1

Yes, this works:

$ docker exec $(docker ps --filter name="dagger-engine-*" -q) ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.043 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.124 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.157 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.139 ms

can't seem to be able to repro in linux.

Just tried the above command on Ubuntu 24.04 (6.8.0-85-generic kernel) and got the same error.

distant slate

Just my local Macbook and local bare-metal workstation. I also get the same error on our K8s cluster running Talos on bare-metal AMD64 machines.

sudden bramble

ok gotcha. I was able to repro now. Seems like it's related to the ping command in Debian. I was trying with Alpine and I wasn't able to repro.

distant slate

Yes, this is related to a change in Debian Trixie. Earlier versions (e.g. Bookworm) did not show this issue. However, their recommendation to install linux-sysctl-defaults does not work for Dagger.

distant slate

For debugging I tried the following to get the current value of net.ipv4.ping_group_range:

$ dagger shell --progress=plain -c 'container | from "debian:trixie" | with-exec "apt,update" | with-exec "apt,install,-y,procps,grep,linux-sysctl-defaults" | with-exec "sh,-c,sysctl -a | grep ping_group_range"'
...

17  : Container.withExec(args: ["sh", "-c", "sysctl -a | grep ping_group_range"]): Container!
17  : Container.withExec DONE [0.1s]
17  : [0.1s] | net.ipv4.ping_group_range = 1    0

This would explain why ping does not work (installing linux-sysctl-defaults should set this to net.ipv4.ping_group_range = 0 2147483647, however this is not applied when running inside Dagger; on regular installations this would require a reboot).
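A small check for the diagnosis above, added here as an example and not part of the thread: the kernel only lets a process open an unprivileged ICMP datagram socket when its group id falls inside the inclusive range net.ipv4.ping_group_range, and a range whose low bound exceeds its high bound (the "1 0" seen in the container) admits nobody, which is why Trixie's ping falls back to SOCK_RAW and fails without cap_net_raw. The function names and the sample ranges are my own.

```shell
#!/bin/sh
# ping_group_allowed "<low> <high>" <gid>
#   exit 0 if a process with primary gid <gid> may use unprivileged ping
#   under the given ping_group_range value, exit 1 otherwise.
# Note: the kernel also accepts any supplementary group inside the range;
# this helper checks a single gid for clarity.
ping_group_allowed() {
    low=$(printf '%s' "$1" | awk '{print $1}')
    high=$(printf '%s' "$1" | awk '{print $2}')
    gid=$2
    # An inverted range such as "1 0" (Debian Trixie default) is empty.
    [ "$low" -le "$high" ] || return 1
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# Read the live value straight from /proc (no procps needed, as in the
# minimal container above) and report for the current user's gid.
check_current() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || {
        echo "ping_group_range not readable"
        return 2
    }
    if ping_group_allowed "$range" "$(id -g)"; then
        echo "gid $(id -g) may use unprivileged ping (range: $range)"
    else
        echo "gid $(id -g) may NOT use unprivileged ping (range: $range);"
        echo "ping will need cap_net_raw or setuid on this host"
        return 1
    fi
}
```

Run check_current inside the container (for example via with-exec "sh,-c,...") to confirm which side of the check a given user lands on before reaching for setcap.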

sudden bramble
In reply to distant slate: "For debugging I tried the following to get the current value of net.ipv4.ping_g..."

yep, this seems correct. I was looking at the Docker code and they seem to be doing this explicitly:
https://github.com/moby/moby/blob/79c6247281ea7424c04933726a759002dae027a7/daemon/oci_linux.go#L758-L769

in order for this to work we should copy that logic into Dagger



any chance you could open an issue?

distant slate