Zabbix Proxy Container: Ping permission issues

Hello,

We are trying to run a Zabbix Proxy in a container (zabbix/zabbix-proxy-sqlite3:6.0-alpine-latest) on a MikroTik CCR2004-1G-12S+2XS.

For simple icmpping checks we get the following error:

/usr/sbin/fping: can't create socket (must run as root?)

I tried to set the ping group range in the container:

sysctl -w "net.ipv4.ping_group_range=0 2000"

Then the error is gone, but Zabbix still reports the monitored device as down.

The device is up, if I ping it as root:

bash-5.1# fping 192.168.0.28 -s
192.168.0.28 is alive

       1 targets
       1 alive
       0 unreachable
       0 unknown addresses

       0 timeouts (waiting for response)
       1 ICMP Echos sent
       1 ICMP Echo Replies received
       0 other ICMP received

 0.546 ms (min round trip time)
 0.546 ms (avg round trip time)
 0.546 ms (max round trip time)
        0.001 sec (elapsed real time)

But when executing fping as the zabbix user (or any user other than root), the device is reported as down:

bash-5.1# sudo -u zabbix fping 192.168.0.28 -s
192.168.0.28 is unreachable

       1 targets
       0 alive
       1 unreachable
       0 unknown addresses

       4 timeouts (waiting for response)
       4 ICMP Echos sent
       0 ICMP Echo Replies received
       0 other ICMP received

 0.000 ms (min round trip time)
 0.000 ms (avg round trip time)
 0.000 ms (max round trip time)
        4.067 sec (elapsed real time)

I think the container needs more rights, e.g. Privilege Escalation or NET_RAW capability. Can this be set somehow within RouterOS?

Any other ideas?

I came here for the same reason. I thought I had a fix by switching to the ol image, but it seems whatever MikroTik is doing to the container is not always 100%.

I thought the containers were built incorrectly, and made one where the setcap/sysctl settings were corrected, but once it loads on the MikroTik they are removed.

However, I am unable to find any documentation about MikroTik's implementation removing capabilities from the binaries. getcap -r / 2>/dev/null returns 0 results when running on the MikroTik.

Linux Host

getcap -r / 2>/dev/null

/usr/bin/fping cap_net_raw=ep

MikroTik CHR

admin@RT01 > /container/shell 0
root@proxy-crp:/# getcap -r / 2>/dev/null
root@proxy-crp:/#

As a workaround I have to run the entire container as root, which then resolves fping, but this is a horrible security problem.

How can you run the container as root?

Basically create a new container image that simply switches to user 0. Feel free to use my image, but it may break in the future and also poses various security threats should Zabbix be exploited.

https://hub.docker.com/semaja2/zabbix-proxy-sqlite3/

It's a permission issue,

chmod u+s /usr/bin/fping

fixes it for the Ubuntu version.
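
The three mechanisms discussed in this thread (a cap_net_raw file capability, the setuid bit, and net.ipv4.ping_group_range) can be checked together from inside the container. The script below is an added example, not code from any poster, Zabbix or MikroTik; its function names and the `run` argument are this sketch's own, and it assumes a Linux /proc and a POSIX shell.

```shell
#!/bin/sh
# Added example. Run inside the container as the zabbix user:
#   sh thisfile.sh run /usr/sbin/fping

CAP_NET_RAW_BIT=13   # CAP_NET_RAW is capability number 13 in linux/capability.h

# has_cap_net_raw HEXMASK: true if bit 13 is set in a /proc/<pid>/status mask.
has_cap_net_raw() {
    [ $(( (0x$1 >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# gid_in_ping_range "MIN MAX" GID: true if GID lies inside ping_group_range.
# The kernel default "1 0" is an empty range (no group allowed).
gid_in_ping_range() {
    set -- $1 "$2"      # split "MIN MAX" on space or tab; GID becomes $3
    [ "$1" -le "$3" ] && [ "$3" -le "$2" ]
}

# file_grant PATH: prints how the binary itself would obtain raw-socket rights:
# "filecap" (cap_net_raw set with setcap), "setuid", or "none".
file_grant() {
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$1" 2>/dev/null | grep -q cap_net_raw; then
        echo filecap
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo none
    fi
}

# report PATH: summarise all three checks for the current user.
report() {
    capbnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    echo "user $(id -un), groups: $(id -G)"
    echo "grant on $1: $(file_grant "$1")"
    # File capabilities and setuid root can only yield what the bounding set allows.
    if has_cap_net_raw "$capbnd"; then echo "CAP_NET_RAW in bounding set: yes"
    else echo "CAP_NET_RAW in bounding set: no"; fi
    covered=no
    for g in $(id -G); do
        if gid_in_ping_range "$range" "$g"; then covered=yes; fi
    done
    echo "ping_group_range [$range] covers this user: $covered"
}

if [ "${1:-}" = "run" ]; then report "${2:-/usr/sbin/fping}"; fi
```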