
node-red-node-ping doesn't work in FFC

Open knolleary opened this issue 8 months ago • 6 comments

Added node-red-node-ping to a flow, configured to ping www.google.com, www.flowfuse.com, 8.8.8.8 and a few others. They all result in a false response - meaning ping timed out.

Not sure if this is a firewall type issue from inside the FFC environment, but we should understand it and either fix it, or document it.

knolleary avatar Apr 17 '25 17:04 knolleary

This looks like an Alpine container problem; running ping in the container also fails as follows:

$ ping 8.8.8.8
ping: socktype: SOCK_RAW
ping: socket: Operation not permitted
ping: => missing cap_net_raw+p capability or setuid?

This should be something we can fix in the Dockerfile, but it might need to be in Node-RED

I will test the base NR container in the morning

hardillb avatar Apr 17 '25 20:04 hardillb

OK, normal Node-RED container in just docker works fine, so this is a kube thing not allowing it.

@ppawlowski might need to include some flags in the deployment for the Node-RED instances to allow ping?

Probably related to the securityContext

https://github.com/FlowFuse/driver-k8s/blob/6ee4f05f67a5a04def25a3427942e60a1f06135e/templates.js#L57

hardillb avatar Apr 17 '25 20:04 hardillb

Probably related to the securityContext

That is correct, ping command requires NET_RAW capability and allowPrivilegeEscalation security context set to true.

ppawlowski avatar Apr 18 '25 06:04 ppawlowski

Since I am not a fan of setting allowPrivilegeEscalation to true, I found another solution for this particular problem. Allowing specific groups to send ICMP packets seems to be a valid solution:

securityContext:
    sysctls:
        - name: net.ipv4.ping_group_range
          value: "1000 1000"

The securityContext entry above allows the group with ID 1000 (node-red in our case) to run ping.

This solution also requires kubernetes driver modification, but it is safer than allowing privilege escalation.

ppawlowski avatar Apr 24 '25 12:04 ppawlowski
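The two ways the thread describes for giving a Node-RED pod ping access, the sysctl group range versus NET_RAW plus allowPrivilegeEscalation, can be audited from a pod spec. This is an added example in JavaScript, not FlowFuse or driver-k8s code; the pod specs are constructed samples and the field names follow the Kubernetes PodSpec schema.

```javascript
// Added example (not FlowFuse code): audit a Kubernetes pod spec for how it
// grants ICMP (ping) ability, preferring net.ipv4.ping_group_range over
// NET_RAW / allowPrivilegeEscalation. The pod specs below are constructed.

// Parse a ping_group_range value such as "1000 1000" into [low, high].
// The kernel default "1 0" (low > high) disables unprivileged ping entirely.
function parsePingGroupRange(value) {
  const m = /^\s*(\d+)\s+(\d+)\s*$/.exec(String(value));
  if (!m) return null;
  const low = Number(m[1]);
  const high = Number(m[2]);
  return low <= high ? [low, high] : null;
}

// Returns { pingViaGroupRange, risks }: whether any container's GID falls
// inside the allowed ping group range, and which containers rely on the
// riskier escalation-based settings instead.
function auditPingAccess(podSpec) {
  const podSc = podSpec.securityContext || {};
  const sysctls = podSc.sysctls || [];
  const entry = sysctls.find((s) => s.name === 'net.ipv4.ping_group_range');
  const range = entry ? parsePingGroupRange(entry.value) : null;
  const risks = [];
  let pingViaGroupRange = false;
  for (const c of podSpec.containers || []) {
    const sc = c.securityContext || {};
    const gid = sc.runAsGroup ?? podSc.runAsGroup; // container setting wins
    if (range && gid !== undefined && gid >= range[0] && gid <= range[1]) {
      pingViaGroupRange = true;
    }
    const caps = (sc.capabilities && sc.capabilities.add) || [];
    if (caps.includes('NET_RAW')) risks.push(`${c.name}: adds NET_RAW capability`);
    if (sc.allowPrivilegeEscalation === true) risks.push(`${c.name}: allowPrivilegeEscalation=true`);
  }
  return { pingViaGroupRange, risks };
}

// Constructed sample: the safer configuration from the thread (GID 1000).
const safePod = {
  securityContext: { runAsGroup: 1000, sysctls: [{ name: 'net.ipv4.ping_group_range', value: '1000 1000' }] },
  containers: [{ name: 'node-red', securityContext: { allowPrivilegeEscalation: false } }],
};
// Constructed sample: the escalation-based alternative the thread rejects.
const riskyPod = {
  containers: [{ name: 'node-red', securityContext: { allowPrivilegeEscalation: true, capabilities: { add: ['NET_RAW'] } } }],
};

console.log(auditPingAccess(safePod), auditPingAccess(riskyPod));
```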

The Kubernetes driver allows modifying the pod security context via options, so no code change is needed. I will test the sysctl approach on the pre-staging environment.

ppawlowski avatar Apr 24 '25 13:04 ppawlowski

The Kubernetes driver allows modifying the pod security context via options, so no code change is needed. I will test the sysctl approach on the pre-staging environment.

I can confirm that the approach with the sysctl modification works as expected on the pre-staging environment. Unfortunately, although our Kubernetes driver supports modifying the Node-RED pods' security context, our Helm chart is missing this feature. I've created a pull request which adds such functionality to the Helm chart. Once merged and released, we can update the values for FFC deployments. Once deployed, every new Node-RED pod will have the ability to send ICMP packets.

ppawlowski avatar Apr 24 '25 17:04 ppawlowski

Proper pod configuration has been applied to the production environment. From now on, each new Node-RED pod can use ping.

ppawlowski avatar Apr 30 '25 10:04 ppawlowski