@h3mmy h3mmy commented Oct 18, 2025

Summary

#697 (comment)
Based around fix attempted in #748 since the experimental tagged image worked for pings in non-privileged containers. Apparently it broke for users in root containers, so this PR includes a check for root privilege, albeit a naive one.

As of v5.26.0, ICMP checks still do not work for my (non-root) deployment regardless of whether I add CAP_NET_RAW.

Checking individual capabilities will require adding "kernel.org/pub/linux/libs/security/libcap/cap" as a dependency. I'm not sure if you want to add more dependencies for a small check, so I can use some naive logic to check if the app is running as root like checking the EUID == 0

Since SetPrivileged needs to be set to false for non-privileged processes running on linux or darwin, I figured this is a reasonable check unless you are wanting a more precise check with the extra dependency.

Checklist

  • Tested and/or added tests to validate that the changes work as intended, if applicable.
  • Updated documentation in README.md, if applicable.

@github-actions github-actions bot added the bug Something isn't working label Oct 18, 2025

h3mmy commented Oct 18, 2025

I can work on adding unit tests once an approach is finalized. I always feel weird making reviews without tests.


h3mmy commented Oct 19, 2025

I played around with precisely checking for CAP_NET_RAW and CAP_NET_ADMIN but a consequence of relying on "kernel.org/pub/linux/libs/security/libcap/cap" is that CGO_ENABLED would need to be set to 1 instead of 0. I hesitate to bring in a new dependency that will change the build process that way.

I would expect folks running as root without having the uid set to 0 is not super common. In order to be thorough, I decided to check for cap_net_raw by simply testing if opening a raw socket throws a permission error. Let me know if you like or dislike it and I can re-adjust.


h3mmy commented Oct 19, 2025

After some testing of the syscall method, it came to light that it won't compile on Windows due to the different flags, so I discarded that route and fell back to the initial implementation.
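
One way to test for CAP_NET_RAW without the libcap dependency or a raw-socket syscall, as an added example that is not code from this PR or from Gatus: parse the CapEff bitmask in /proc/self/status. The function names are hypothetical; bit numbers 12 and 13 are CAP_NET_ADMIN and CAP_NET_RAW in linux/capability.h, and the file is assumed absent on non-Linux hosts, where the check falls back to unprivileged.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from linux/capability.h.
const (
	capNetAdmin = 12
	capNetRaw   = 13
)

// effectiveCaps extracts the CapEff bitmask from the text of /proc/<pid>/status.
func effectiveCaps(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// hasCap reports whether capability bit n is set in mask.
func hasCap(mask uint64, n uint) bool { return mask&(uint64(1)<<n) != 0 }

// canUseRawICMP (hypothetical helper) is true only when CAP_NET_RAW is in the
// effective set. A root process whose runtime dropped the capability yields
// false even though its EUID is 0; any parse failure also yields false.
func canUseRawICMP(status string) bool {
	mask, err := effectiveCaps(status)
	return err == nil && hasCap(mask, capNetRaw)
}

func main() {
	data, err := os.ReadFile("/proc/self/status") // read fails off Linux
	if err != nil {
		fmt.Println("cannot read capabilities, treating as unprivileged:", err)
		return
	}
	fmt.Println("CAP_NET_RAW effective:", canUseRawICMP(string(data)))
}
```
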


h3mmy commented Oct 19, 2025

I built my own image for testing purposes. Confirmed it works.

repository: ghcr.io/h3mmy/gatus
tag: testing@sha256:87f8e8ea0073d69dd6eecacecf93c55699f2ee9e2e062e547ce4b10b536743d1
