
I am trying to stop my Docker container (running Ubuntu 22.04) from replying to ping. Currently, I am trying these two methods:

  1. sysctl -w net.ipv4.icmp_echo_ignore_all=1. I am only able to run this command from inside the container, and only if I include the --privileged parameter, for it to work: docker run -it --privileged --name container_name image_name. This does the job, but the change is not persistent, meaning that if I save the changes to another image with docker commit running_container_name image_to_be_created_name and start that image again with docker run, the value of icmp_echo_ignore_all will be 0.
  2. Add the line net.ipv4.icmp_echo_ignore_all = 1 to the /etc/sysctl.conf file, then run sysctl -p, to which I get this error: "sysctl: cannot stat /proc/sys/net/ipv4/icmp_echo_ignore_all : No such file or directory".
     When I try to change the value of icmp_echo_ignore_all (which exists, contrary to what the error says) to 1, manually or by running echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all, I get this error: "bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Read-only file system"

I added the command from no. 1 to the Dockerfile, but it has no effect.

Are there any other ways to disable ping, preferably with the change being persistent? Are there any commands I can add to the Dockerfile that will do this?

If it helps, I am running this container in AWS ECS using the Fargate launch type.


Answers


  1. Chosen as BEST ANSWER

    Answering my own question here:

    To disable ping for a container that is using Fargate launch type, when creating the task definition, choose Create task definition with JSON and include this in your task definition json:

    "systemControls": [
        {
            "namespace": "net.ipv4.icmp_echo_ignore_all",
            "value": "1"
        }
    ]
    

  2. The sorts of changes you’re describing are kernel settings; there’s no way to make them "persistent" in a container image. Running docker commit ... isn’t effective because changing a sysctl setting doesn’t change any files on disk; there’s nothing for Docker to save (and you shouldn’t be using docker commit in general; you want to use a Dockerfile to build your images so that you have a manageable, repeatable process).

    On the other hand, as long as you can ensure that your container runs with appropriate privileges (e.g., docker run --privileged), you could configure things so that the commands will be applied automatically when the container starts up.

    You could add an ENTRYPOINT script to your image; this script is run at startup and receives the value of CMD as its arguments. If you have an ENTRYPOINT script that looks like:

    #!/bin/sh
    
    # Apply the kernel setting first (needs privilege for /proc/sys to be writable) ...
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
    # ... then replace this shell with the CMD, so the application becomes PID 1
    exec "$@"
    

    And in your Dockerfile:

    ENTRYPOINT ["/docker-entrypoint.sh"]
    CMD ["my-application"]
    

    Then whenever you start the container (docker run --privileged mycontainer), it will run the sysctl command before running your application.

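Putting the two answers together, as an added example that is not part of either answer or of Docker/ECS: an entrypoint script that verifies the sysctl instead of assuming it took effect. On Fargate the value is applied by systemControls before the container starts; with plain Docker the equivalent is docker run --sysctl net.ipv4.icmp_echo_ignore_all=1, which sets this namespaced sysctl without --privileged. The script reads /proc/sys directly (so it does not depend on the sysctl binary from procps being installed), writes only if the value is wrong, and refuses to start the application if ping would still be answered. The PROC_ROOT variable and the function names are assumptions made here for illustration and testing, not a Docker or ECS convention; the main flow runs only when the script is installed as docker-entrypoint.sh.

```shell
#!/bin/sh
# Added example (not from the original answers): verify-then-exec entrypoint.
# PROC_ROOT is an assumed override hook so the functions can be pointed at a
# fake /proc/sys tree when testing; in a real container leave it unset.
set -eu
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# sysctl_path net.ipv4.icmp_echo_ignore_all
#   -> $PROC_ROOT/net/ipv4/icmp_echo_ignore_all
sysctl_path() {
  printf '%s/%s' "$PROC_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print the current value of a sysctl; non-zero exit if the key does not exist.
read_sysctl() {
  cat "$(sysctl_path "$1")" 2>/dev/null
}

# ensure_sysctl NAME VALUE
#   0  value already correct, or written successfully and read back
#   1  key exists but could not be changed (read-only /proc/sys, no privilege)
#   2  key does not exist in this kernel/namespace
ensure_sysctl() {
  current=$(read_sysctl "$1") || return 2
  [ "$current" = "$2" ] && return 0
  # Write directly to /proc/sys; this is what 'sysctl -w' does under the hood
  # and it fails exactly like the question's echo did in an unprivileged container.
  if printf '%s' "$2" > "$(sysctl_path "$1")" 2>/dev/null; then
    [ "$(read_sysctl "$1")" = "$2" ] && return 0
  fi
  return 1
}

main() {
  # Fail closed: do not start the application if ping would still be answered.
  if ! ensure_sysctl net.ipv4.icmp_echo_ignore_all 1; then
    echo "entrypoint: net.ipv4.icmp_echo_ignore_all is not 1 and could not be set" >&2
    echo "entrypoint: start with 'docker run --sysctl net.ipv4.icmp_echo_ignore_all=1' or ECS systemControls" >&2
    exit 1
  fi
  exec "$@"
}

# Run the entrypoint flow only when installed under the expected name, so the
# functions above can be sourced and tested without side effects.
case "${0##*/}" in
  docker-entrypoint.sh) main "$@" ;;
esac
```

Install it with the same two Dockerfile lines the second answer shows (ENTRYPOINT ["/docker-entrypoint.sh"] and CMD ["my-application"]). Because the runtime, not the script, is expected to set the value, the container needs neither --privileged nor a writable /proc/sys; the script only catches the case where the task definition or run command forgot the setting.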