ping integration not working on rootless Podman container connected to bridge network
The problem
I'm trying to set up the ping integration on a rootless Podman container connected to a bridge network, but I'm not able to make it work because of permissions.
My environment is Debian 12 with Podman:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
$ podman version
Client: Podman Engine
Version: 4.3.1
API Version: 4.3.1
Go Version: go1.19.8
Built: Thu Jan 1 01:00:00 1970
OS/Arch: linux/amd64
I have added net.ipv4.ping_group_range = 0 2147483647 to /etc/sysctl.conf, and in the container configuration I have --cap-add=CAP_NET_RAW.
If I use the terminal inside the Home Assistant container, I'm able to use the ping command.
1666b8cf739b:~$ ping -c 4 192.168.1.120
PING 192.168.1.120 (192.168.1.120): 56 data bytes
64 bytes from 192.168.1.120: seq=0 ttl=254 time=0.685 ms
64 bytes from 192.168.1.120: seq=1 ttl=254 time=0.853 ms
64 bytes from 192.168.1.120: seq=2 ttl=254 time=0.793 ms
64 bytes from 192.168.1.120: seq=3 ttl=254 time=0.882 ms
--- 192.168.1.120 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.685/0.803/0.882 ms
I was also digging through the code and found the function where that error is thrown, https://github.com/home-assistant/core/blob/3ba8a8224365b65d8e6fdcf900925ad18f375e95/homeassistant/components/ping/__init__.py#L39, but if I try to use it with Python inside the container it seems to be working.
1666b8cf739b:~$ python3
Python 3.11.6 (main, Oct 22 2023, 19:35:22) [GCC 12.2.1 20220924] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import logging
>>>
>>> from icmplib import SocketPermissionError, ping as icmp_ping
>>>
>>> _LOGGER = logging.getLogger(__name__)
>>>
>>> def _can_use_icmp_lib_with_privilege() -> None | bool:
...     """Verify we can create a raw socket."""
...     try:
...         icmp_ping("127.0.0.1", count=0, timeout=0, privileged=True)
...     except SocketPermissionError:
...         try:
...             icmp_ping("127.0.0.1", count=0, timeout=0, privileged=False)
...         except SocketPermissionError:
...             _LOGGER.debug(
...                 "Cannot use icmplib because privileges are insufficient to create the"
...                 " socket"
...             )
...             return None
...         _LOGGER.debug("Using icmplib in privileged=False mode")
...         return False
...     _LOGGER.debug("Using icmplib in privileged=True mode")
...     return True
...
>>> _can_use_icmp_lib_with_privilege()
True
Even though I can use ping inside the container, Home Assistant seems unable to use it and logs the errors attached below.
The user used to execute all of the above inside the container and the user that Home Assistant is using also seem to be the same.
1666b8cf739b:~$ id
uid=901(901) gid=901(901)
1666b8cf739b:~$ ps
PID USER TIME COMMAND
1 901 0:00 /package/admin/s6/command/s6-svscan -d4 -- /run/service
13 901 0:00 s6-supervise s6-linux-init-shutdownd
16 901 0:00 /package/admin/s6-linux-init/command/s6-linux-init-shutdownd -c /run/s6/basedir -g 3000 -C -B
22 901 0:00 s6-supervise s6rc-fdholder
23 901 0:00 s6-supervise s6rc-oneshot-runner
31 901 0:00 /package/admin/s6/command/s6-ipcserverd -1 -- /package/admin/s6/command/s6-ipcserver-access -v0 -E -l0 -i data/rules -- /package/admin/s6/command/s6-sudod -t 30000 -- /package/admin/s6-rc/com
62 901 0:00 s6-supervise home-assistant
66 901 0:04 python3 -m homeassistant --config /config
208 901 0:00 bash
210 901 0:00 ps
What version of Home Assistant Core has the issue?
core-2023.11.1
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant Container
Integration causing the issue
ping
Link to integration documentation on our website
https://www.home-assistant.io/integrations/ping
Diagnostics information
No response
Example YAML snippet
binary_sensor:
  - platform: ping
    name: "PC"
    host: 192.168.1.120
    scan_interval: 60 # 1 minute
Anything in the logs that might be useful for us?
2023-11-05 11:48:01.962 DEBUG (SyncWorker_0) [homeassistant.components.ping] Cannot use icmplib because privileges are insufficient to create the socket
2023-11-05 11:49:01.987 DEBUG (MainThread) [homeassistant.components.ping.helpers] Output of command: `ping -n -q -c 5 -W1 192.168.1.120`, return code: 1:
b'PING 192.168.1.120 (192.168.1.120): 56 data bytes\n'
2023-11-05 11:49:01.987 DEBUG (MainThread) [homeassistant.components.ping.helpers] Error of command: `ping -n -q -c 5 -W1 192.168.1.120`, return code: 1:
b'ping: permission denied (are you root?)\n'
2023-11-05 11:50:01.987 DEBUG (MainThread) [homeassistant.components.ping.helpers] Output of command: `ping -n -q -c 5 -W1 192.168.1.120`, return code: 1:
b'PING 192.168.1.120 (192.168.1.120): 56 data bytes\n'
2023-11-05 11:50:01.987 DEBUG (MainThread) [homeassistant.components.ping.helpers] Error of command: `ping -n -q -c 5 -W1 192.168.1.120`, return code: 1:
b'ping: permission denied (are you root?)\n'
Additional information
No response
Hey there @jpbede, mind taking a look at this issue as it has been labeled with an integration (ping) you are listed as a code owner for? Thanks!
Code owner commands
Code owners of ping can trigger bot actions by commenting:
@home-assistant close - Closes the issue.
@home-assistant rename Awesome new title - Renames the issue.
@home-assistant reopen - Reopen the issue.
@home-assistant unassign ping - Removes the current integration label and assignees on the issue, add the integration domain after the command.
(message by CodeOwnersMention)
This seems more or less a permissions issue with the Docker container. I've tried to reproduce this in my development environment (which is running as a non-root user). The integration works as expected there (I disabled the use of icmplib to fall back to the ping subprocess).
2023-11-06 07:36:15.952 DEBUG (MainThread) [homeassistant.components.ping.helpers] Output of command: `ping -n -q -c 5 -W1 1.1.1.1`, return code: 0:
b'PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n5 packets transmitted, 5 packets received, 0.0% packet loss\nround-trip min/avg/max/stddev = 9.579/9.793/9.923/0.126 ms\n'
In your log, ping also complains about the missing permission. The integration starts ping in a subprocess if it does not have the permission to create a raw socket.
Why ping is working in plain bash, I don't know; I'm not that familiar with Podman, unfortunately. Maybe you get different permissions than the HA process within the container.
I'm also thinking that it could be something about permissions, but I'm not familiar with how that is handled in the Home Assistant image or whether it could be something related to s6-overlay.
I was also trying other configurations and if I change to --network host and remove --cap-add=CAP_NET_RAW it works.
2023-11-06 20:47:22.960 DEBUG (SyncWorker_2) [homeassistant.components.ping] Using icmplib in privileged=False mode
2023-11-06 20:48:23.359 DEBUG (MainThread) [homeassistant.components.ping.helpers] ping address: 192.168.1.120
2023-11-06 20:49:23.360 DEBUG (MainThread) [homeassistant.components.ping.helpers] ping address: 192.168.1.120
Maybe it has something to do with how Podman handles rootless networks, but that does not explain how it works from bash and not from Home Assistant while on a rootless network.
Try to set up https://www.home-assistant.io/integrations/shell_command/ and check if you can start ping from there. If this doesn't work either, it has something to do with Podman and the container image.
I just tried that and it doesn't work, permissions error again.
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.
Still a problem in 2024.2.0:
2024-02-09 18:33:14.531 DEBUG (MainThread) [homeassistant.components.ping.helpers] Output of command: `ping -n -q -c 2 -W1 stargate.arkane-systems.lan`, return code: 1:
b'PING stargate.arkane-systems.lan (172.16.0.254): 56 data bytes\n'
2024-02-09 18:33:14.531 DEBUG (MainThread) [homeassistant.components.ping.helpers] Error of command: `ping -n -q -c 2 -W1 stargate.arkane-systems.lan`, return code: 1:
b'ping: permission denied (are you root?)\n'
2024-02-09 18:33:14.531 DEBUG (MainThread) [homeassistant.components.ping.coordinator] Finished fetching Ping stargate.arkane-systems.lan data in 0.057 seconds (success: True)
It can be worked around by running the HA container as root, but obviously this isn't desirable. Granting it privileged status and/or NET_RAW or NET_ADMIN capabilities doesn't suffice.
Another workaround (the one I used) is to use the host network (I don't remember if this is needed since I also wanted wake on lan to work and that only works with host network) and then set the sysctl configuration net.ipv4.ping_group_range=0 2147483647 so all users are allowed to execute the ping command.
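Added example, not part of the thread or of Home Assistant's code: a small diagnostic that gathers what the kernel consults when a process opens an ICMP socket, so the Home Assistant process (PID 66 in the `ps` output above) can be compared with an interactive shell. `net.ipv4.ping_group_range` is kept per network namespace, so the file read here is the value in effect inside the container, which is not necessarily the one set in the host's /etc/sysctl.conf. The function names and `SAMPLE_STATUS` are constructed for illustration.

```python
import socket
import sys

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in linux/capability.h

def status_field(status_text, name):
    """Return the whitespace-split values of one /proc/<pid>/status field."""
    for line in status_text.splitlines():
        if line.startswith(name + ":"):
            return line.split()[1:]
    raise ValueError(f"{name} not found")

def has_cap_net_raw(status_text):
    """True if the effective capability set (CapEff) contains CAP_NET_RAW."""
    cap_eff = int(status_field(status_text, "CapEff")[0], 16)
    return bool(cap_eff & (1 << CAP_NET_RAW))

def ping_range_allows(range_text, status_text):
    """True if the effective or a supplementary GID is inside ping_group_range."""
    low, high = (int(v) for v in range_text.split())
    # Gid field order: real, effective, saved, filesystem.
    gids = {int(status_field(status_text, "Gid")[1])}
    gids.update(int(g) for g in status_field(status_text, "Groups"))
    return any(low <= g <= high for g in gids)

def probe_socket(sock_type):
    """Try to open an ICMP socket of the given type in the current process."""
    try:
        socket.socket(socket.AF_INET, sock_type, socket.IPPROTO_ICMP).close()
        return "ok"
    except PermissionError:
        return "denied"

def diagnose(pid="self"):
    """Collect the facts that decide whether `pid` may ping in this namespace."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open("/proc/sys/net/ipv4/ping_group_range") as f:
        rng = f.read()
    return {
        "cap_net_raw_effective": has_cap_net_raw(status),
        "ping_group_range": rng.split(),
        "gid_in_range": ping_range_allows(rng, status),
        "raw_socket": probe_socket(socket.SOCK_RAW),      # current process only
        "dgram_socket": probe_socket(socket.SOCK_DGRAM),  # current process only
    }

# Constructed sample: gid 901 with an empty effective capability set.
SAMPLE_STATUS = "Name:\tpython3\nGid:\t901\t901\t901\t901\nGroups:\t901\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

Run it inside the container once with no argument and once with the Home Assistant PID; a range of `1 0` means no group is allowed to open unprivileged ICMP sockets in that namespace.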