This makes ping(8) work without CAP_NET_ADMIN and CAP_NET_RAW because those aren't effective inside rootless Podman containers.
It's quite useful when using OSTree based operating systems like Fedora Silverblue, where development environments are often set up using rootless Podman containers with helpers like Toolbox . Not having a basic network utility like ping(8) work inside the development environment can be inconvenient.
See: https://lwn.net/Articles/422330/ http://man7.org/linux/man-pages/man7/icmp.7.html https://github.com/containers/libpod/issues/1550
The upper limit of the range of group identifiers is set to 2147483647, which is 2^31-1. Values greater than that get rejected by the kernel because of this definition in linux/include/net/ping.h: #define GID_T_MAX (((gid_t)~0U) >> 1)
That's not so bad because values between 2^31 and 2^32-1 are reserved on systemd-based systems anyway .
 https://github.com/debarshiray/toolbox  https://systemd.io/UIDS-GIDS.html#summary
90ce7627df sysctl: Enable ping(8) inside rootless Podman containers
NEWS | 6 ++++++
sysctl.d/50-default.conf | 8 ++++++++
2 files changed, 14 insertions(+)