Hativ
just joined
Topic Author
Posts: 4
Joined: Thu Apr 06, 2023 11:25 am

Zabbix Proxy Container: Ping permission issues

Wed Jul 26, 2023 11:37 am

Hello,

we are trying to run a Zabbix Proxy in a container (zabbix/zabbix-proxy-sqlite3:6.0-alpine-latest) on a MikroTik CCR2004-1G-12S+2XS.

For simple icmpping checks we get the following error:
/usr/sbin/fping: can't create socket (must run as root?)

I tried to set the ping group range in the container:
sysctl -w "net.ipv4.ping_group_range=0 2000"
Then the error is gone, but Zabbix still reports the monitored device as down.

The device is up, if I ping it as root:
bash-5.1# fping 192.168.0.28 -s
192.168.0.28 is alive

       1 targets
       1 alive
       0 unreachable
       0 unknown addresses

       0 timeouts (waiting for response)
       1 ICMP Echos sent
       1 ICMP Echo Replies received
       0 other ICMP received

 0.546 ms (min round trip time)
 0.546 ms (avg round trip time)
 0.546 ms (max round trip time)
        0.001 sec (elapsed real time)

But when executing fping as zabbix user (or any other user than root), then the device is reported as down:
bash-5.1# sudo -u zabbix fping 192.168.0.28 -s
192.168.0.28 is unreachable

       1 targets
       0 alive
       1 unreachable
       0 unknown addresses

       4 timeouts (waiting for response)
       4 ICMP Echos sent
       0 ICMP Echo Replies received
       0 other ICMP received

 0.000 ms (min round trip time)
 0.000 ms (avg round trip time)
 0.000 ms (max round trip time)
        4.067 sec (elapsed real time)

I think the container needs more rights, e.g. Privilege Escalation or NET_RAW capability. Can this be set somehow within RouterOS?

Any other ideas?
 
semaja2
newbie
Posts: 39
Joined: Wed Sep 08, 2021 3:50 pm

Re: Zabbix Proxy Container: Ping permission issues

Fri Aug 11, 2023 4:18 am

I came here for the same reason. I thought I had a fix by switching to the ol image, but it seems whatever MikroTik is doing to the container is not always 100%.

I thought the containers were built incorrectly, and made one where the setcap/sysctl settings were corrected, but once it loads on the MikroTik they are removed.

However, I am unable to find any documentation about MikroTik's implementation removing capabilities from the binaries? `getcap -r / 2>/dev/null` returns 0 results when running on the MikroTik.

Linux Host
# getcap -r / 2>/dev/null
/usr/bin/fping cap_net_raw=ep
MikroTik CHR
admin@RT01 > /container/shell 0
root@proxy-crp:/# getcap -r / 2>/dev/null
root@proxy-crp:/#
As a workaround I have to run the entire container as root, which then resolves fping, but this is a horrible security problem.
 
Hativ
just joined
Topic Author
Posts: 4
Joined: Thu Apr 06, 2023 11:25 am

Re: Zabbix Proxy Container: Ping permission issues

Sun Aug 20, 2023 12:55 pm

> As a workaround I have to run the entire container as root, which then resolves fping, but this is a horrible security problem.

How can you run the container as root?
 
semaja2
newbie
Posts: 39
Joined: Wed Sep 08, 2021 3:50 pm

Re: Zabbix Proxy Container: Ping permission issues

Wed Sep 06, 2023 3:50 pm

Basically, create a new container image that simply switches to user 0. Feel free to use my image, but it may break in the future and also poses various security threats should Zabbix be exploited.

https://hub.docker.com/semaja2/zabbix-proxy-sqlite3/
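
Added example, not written by either poster: a shell check that reports, for the current user inside the container, the state of the mechanisms this thread mentions for unprivileged ICMP (`net.ipv4.ping_group_range`, the `cap_net_raw` file capability on fping, and the process capability sets), as a narrower starting point than running everything as user 0. The script name `icmp_check.sh` is hypothetical, the fping path is the one from the first post, and the script makes no claim about what RouterOS itself does to the container.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run it as the unprivileged user, e.g.
#   sudo -u zabbix sh icmp_check.sh /usr/sbin/fping

# Exit 0 if CAP_NET_RAW (capability number 13) is set in a hex mask as
# printed on the CapEff/CapBnd lines of /proc/<pid>/status.
cap_has_net_raw() {
    [ $(( (0x${1:-0} >> 13) & 1 )) -eq 1 ]
}

# Exit 0 if gid $1 lies inside the ping_group_range "$2 $3".
# The kernel default "1 0" is an empty range: no group may open ICMP sockets.
gid_in_ping_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

diagnose() {
    bin=${1:-/usr/sbin/fping}
    range_file=/proc/sys/net/ipv4/ping_group_range
    lo=1 hi=0
    if [ -r "$range_file" ]; then read -r lo hi < "$range_file"; fi
    dgram=no
    for g in $(id -G); do
        if gid_in_ping_range "$g" "$lo" "$hi"; then dgram=yes; fi
    done
    echo "ping_group_range=$lo $hi -> ICMP datagram socket allowed: $dgram"

    for field in CapEff CapBnd; do
        mask=$(awk -v f="$field:" '$1 == f {print $2}' "/proc/$$/status" 2>/dev/null)
        if cap_has_net_raw "$mask"; then state=present; else state=absent; fi
        echo "$field=${mask:-unknown} -> CAP_NET_RAW $state"
    done

    # A cap_net_raw file capability only helps if the bit is also in CapBnd.
    if command -v getcap >/dev/null 2>&1; then
        echo "file caps on $bin: $(getcap "$bin" 2>/dev/null || true)"
    else
        echo "getcap not installed; cannot read file capabilities on $bin"
    fi
}

diagnose "$@"
```

Comparing the output on the Linux host and inside the RouterOS container shows which of the three differs between the two environments.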
