From 7d665904fc3300ed8a1e70f551800793c873777d Mon Sep 17 00:00:00 2001
From: Sebastian Spaink <3441183+sspaink@users.noreply.github.com>
Date: Tue, 30 Mar 2021 13:08:54 -0500
Subject: [PATCH] inputs.ping: Always SetPrivileged(true) in native mode (#9072)

* Always SetPrivileged(true)
* Improve error message
---
 plugins/inputs/ping/README.md | 13 +++----------
 plugins/inputs/ping/ping.go | 14 +++++++++-----
 2 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/plugins/inputs/ping/README.md b/plugins/inputs/ping/README.md
index 7293a17081a71..82c0d58480b2a 100644
--- a/plugins/inputs/ping/README.md
+++ b/plugins/inputs/ping/README.md
@@ -102,7 +102,7 @@ $ systemctl edit telegraf
 #### Linux Permissions

 When using `method = "native"`, Telegraf will attempt to use privileged raw
-ICMP sockets. On most systems, doing so requires `CAP_NET_RAW` capabilities.
+ICMP sockets. On most systems, doing so requires `CAP_NET_RAW` capabilities or for Telegraf to be run as root.

 With systemd:
 ```sh
@@ -127,16 +127,9 @@ setting capabilities.

 [man 7 capabilities]: http://man7.org/linux/man-pages/man7/capabilities.7.html

-On Linux the default behaviour is to restrict creation of ping sockets for everybody. Execute the below command to enable creation of ping sockets for all possible user groups. The integers provided to ping_group_range defines the range of user groups that are permited to create ping sockets, were 2147483647 (the max of a signed int 2^31) is the max group identifier (GID).
+#### Other OS Permissions

-```sh
-$ sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"
-```
-
-Reference [`man 7 icmp`][man 7 icmp] for more information about ICMP echo
-sockets and the `ping_group_range` setting.
-
-[man 7 icmp]: http://man7.org/linux/man-pages/man7/icmp.7.html
+When using `method = "native"`, you will need permissions similar to the executable ping program for your OS.

 ### Metrics

diff --git a/plugins/inputs/ping/ping.go b/plugins/inputs/ping/ping.go
index 6249677eab6e2..c8d768c64a385 100644
--- a/plugins/inputs/ping/ping.go
+++ b/plugins/inputs/ping/ping.go
@@ -166,10 +166,7 @@ func (p *Ping) nativePing(destination string) (*pingStats, error) {
 return nil, fmt.Errorf("failed to create new pinger: %w", err)
 }

- // Required for windows. Despite the method name, this should work without the need to elevate privileges and has been tested on Windows 10
- if runtime.GOOS == "windows" {
- pinger.SetPrivileged(true)
- }
+ pinger.SetPrivileged(true)

 if p.IPv6 {
 pinger.SetNetwork("ip6")
@@ -193,7 +190,14 @@ func (p *Ping) nativePing(destination string) (*pingStats, error) {
 pinger.Count = p.Count
 err = pinger.Run()
 if err != nil {
- return nil, fmt.Errorf("failed to run pinger: %w", err)
+ if strings.Contains(err.Error(), "operation not permitted") {
+ if runtime.GOOS == "linux" {
+ return nil, fmt.Errorf("permission changes required, enable CAP_NET_RAW capabilities (refer to the ping plugin's README.md for more info)")
+ }
+
+ return nil, fmt.Errorf("permission changes required, refer to the ping plugin's README.md for more info")
+ }
+ return nil, fmt.Errorf("%w", err)
 }

 ps.Statistics = *pinger.Statistics()
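Review bot: The now-unconditional `pinger.SetPrivileged(true)` in the first hunk carries no comment, while the removed lines at least explained the Windows case. Per the README change in this same patch, native mode on Linux now needs `CAP_NET_RAW` or root, and the documented unprivileged `ping_group_range` route is gone, so the privilege required by the whole Telegraf process goes up and any other plugin in that process inherits it. I would record that trade-off at the call site, for example `// Always use raw ICMP sockets; on Linux this needs CAP_NET_RAW or root (see README).`, and state why the unprivileged path was dropped if there was a reliability reason. nativePing begins and ends outside this hunk, so whether a fallback exists elsewhere cannot be seen here.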
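Review bot: Both permission branches in the second hunk's `err != nil` block build a new error without `%w`, so the error returned by `pinger.Run()` disappears from the message and from the chain, and the closing `fmt.Errorf("%w", err)` drops the "failed to run pinger" context the old line had. The branch is also chosen by `strings.Contains(err.Error(), "operation not permitted")`, which depends on platform error text; `errors.Is(err, os.ErrPermission)` would be sturdier, assuming the pinger library keeps the syscall error in the chain (not visible here, so confirm or keep the substring test as a fallback). The rewrite below needs `errors` and `os` imported; the import block and the rest of nativePing are outside the hunk.

```go
	err = pinger.Run()
	if err != nil {
		if errors.Is(err, os.ErrPermission) {
			if runtime.GOOS == "linux" {
				return nil, fmt.Errorf("permission changes required, enable CAP_NET_RAW capabilities (refer to the ping plugin's README.md for more info): %w", err)
			}

			return nil, fmt.Errorf("permission changes required, refer to the ping plugin's README.md for more info: %w", err)
		}
		return nil, fmt.Errorf("failed to run pinger: %w", err)
	}
```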