ICMP echo reply for every IP from VM
Description
From colima VM almost every IP responds to ICMP echo (ping). The only exception is IPs from 192.168.5.0/24, where only 192.168.5.1 and 192.168.5.2 reply.
$ ping 5.6.7.8 -c1
PING 5.6.7.8 (5.6.7.8) 56(84) bytes of data.
64 bytes from 5.6.7.8: icmp_seq=1 ttl=64 time=1.62 ms
--- 5.6.7.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.619/1.619/1.619/0.000 ms
Version
colima version 0.7.4
git commit: c2595d464d81a29ebf2e1cf41786c1f05295980c
runtime: docker
arch: aarch64
client: v26.0.2
server: v27.1.1
limactl version 0.23.1
qemu-img version 9.0.2
Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers
Operating System
- [ ] macOS Intel <= 13 (Ventura)
- [ ] macOS Intel >= 14 (Sonoma)
- [ ] Apple Silicon <= 13 (Ventura)
- [X] Apple Silicon >= 14 (Sonoma)
- [ ] Linux
Output of colima status
INFO[0000] colima is running using QEMU
INFO[0000] arch: aarch64
INFO[0000] runtime: docker
INFO[0000] mountType: sshfs
INFO[0000] socket: unix:///Users/anton/.colima/default/docker.sock
Reproduction Steps
- colima ssh
- apt update && apt install iputils-ping
- ping 5.6.7.8
Expected behaviour
Should not see ICMP replies
Additional context
No response
I am also seeing this. I'm running:
Apple Silicon M2
Sonoma 14.5
Colima versions 0.7.5 and 0.8.1
using a fresh colima profile (colima start --memory 32 --cpu 6 --arch aarch64 --vm-type=vz --vz-rosetta pingtest) and (colima start --memory 32 --cpu 6 --disk 128 pingtest).
Same problem for me. Also verified via custom go-code using ICMP directly.
Still, native ping has the same behaviour:
$ ➜ docker run -it golang:1.20-alpine /bin/sh
/go # ping 5.6.7.8
PING 5.6.7.8 (5.6.7.8): 56 data bytes
64 bytes from 5.6.7.8: seq=0 ttl=63 time=0.738 ms
64 bytes from 5.6.7.8: seq=1 ttl=63 time=0.819 ms
--- 5.6.7.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.738/0.778/0.819 ms
/go # ping 10.1.2.3
PING 10.1.2.3 (10.1.2.3): 56 data bytes
64 bytes from 10.1.2.3: seq=0 ttl=63 time=0.695 ms
64 bytes from 10.1.2.3: seq=1 ttl=63 time=0.807 ms
64 bytes from 10.1.2.3: seq=2 ttl=63 time=0.796 ms
64 bytes from 10.1.2.3: seq=3 ttl=63 time=0.712 ms
64 bytes from 10.1.2.3: seq=4 ttl=63 time=0.618 ms
--- 10.1.2.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.618/0.725/0.807 ms
I'm a little bit clueless how to debug that further... First guess would be iptables within the VM, but also couldn't see a specific reason for this...
$ ➜ colima ssh
user@colima:/Users/user$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Has anyone found a workaround for this?
Ok, I guess it's still unsolved in lima, see https://github.com/lima-vm/lima/issues/193
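The ping output quoted in the thread shows ttl=64 inside the VM and ttl=63 inside a container. The following is an added example, not code from the issue or from colima/lima: it estimates from the printed TTL how many hops away each reply was generated, and gives a verdict for a ping to an address that should stay silent. The function names, the sample data and the assumption that senders start from a TTL of 64, 128 or 255 are all part of the example, not the thread.

```shell
#!/bin/sh
# Added example (not from the issue thread). Assumption: reply senders start
# from a TTL of 64, 128 or 255, so "initial - received" approximates hop count.

# reply_hops: ping output (iputils or BusyBox) on stdin ->
# one "<source> ttl=<n> hops=<h>" line per echo reply.
reply_hops() {
  awk '/ bytes from / {
    src = $4; sub(/:$/, "", src); found = 0
    for (i = 5; i <= NF; i++)
      if ($i ~ /^ttl=[0-9]+$/) { ttl = substr($i, 5) + 0; found = 1 }
    if (!found) next
    init = (ttl <= 64) ? 64 : ((ttl <= 128) ? 128 : 255)
    printf "%s ttl=%d hops=%d\n", src, ttl, init - ttl
  }'
}

# canary_verdict [max_hops]: verdict for a ping to an address that should not answer.
canary_verdict() {
  reply_hops | awk -v max_hops="${1:-1}" '
    { n++; split($3, kv, "="); if (kv[2] + 0 <= max_hops) near++ }
    END {
      if (n == 0) print "silent"
      else if (near == n) print "answered-nearby"
      else print "answered-remote"
    }'
}

# Constructed samples, shaped like the ping output quoted in the thread.
sample_vm() {
  cat <<'EOF'
PING 5.6.7.8 (5.6.7.8) 56(84) bytes of data.
64 bytes from 5.6.7.8: icmp_seq=1 ttl=64 time=1.62 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
EOF
}
sample_container() {
  cat <<'EOF'
PING 5.6.7.8 (5.6.7.8): 56 data bytes
64 bytes from 5.6.7.8: seq=0 ttl=63 time=0.738 ms
64 bytes from 5.6.7.8: seq=1 ttl=63 time=0.819 ms
2 packets transmitted, 2 packets received, 0% packet loss
EOF
}

sample_vm | reply_hops
sample_container | canary_verdict
# Live use inside the VM (192.0.2.1 is TEST-NET-1, reserved for documentation):
#   ping -c 3 192.0.2.1 | canary_verdict
```

A verdict of "answered-nearby" means every reply was generated within one hop of the caller, so ICMP echo cannot be used as a reachability or liveness check from that environment.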