PING icmp open socket: Operation not permitted in vserver

Solution 1:

TL;DR version: reinstall iputils-ping

I have seen online where it has been suggested to use

chmod u+s $( which ping );

However, this will permit the user to change the preload and flood, which could result in a user being able to denial-of-service either your local machine, another machine, or your network.

I tried what @nabil-bourenane suggested, reinstalling iputils-ping, which resolved the issue for me and doesn't have the SUID bit set.

username@server:~$ ls -l $( which ping );
-rwxr-xr-x 1 root root 44104 Nov  8  2014 /bin/ping

If the SUID bit is set, it will look like:

username@server:~$ ls -l $( which ping );
-rwsr-xr-x 1 root root 44104 Nov  8  2014 /bin/ping

Solution 2:

The solution is to set Linux system capabilities to allow raw sockets on the host machine.

Since this is a very v-server specific problem, the solution is to create a single-lined file named /etc/vservers/VMNAME/bcapabilities:

NET_RAW

and reboot the VM.


Solution 3:

Sorry, I can't comment. This problem hit me after I extracted an archive of a working system over a minimal installation.

All of the above answers work, but the one proposed by @Nabil Bourenane and @Linx is preferred for security. To answer @rexkogitans's comment, here I quote from iputils-ping.postinst (/var/lib/dpkg/info/...):

if command -v setcap > /dev/null; then
    if setcap cap_net_raw+ep /bin/ping; then
        chmod u-s /bin/ping
    else
        echo "Setcap failed on /bin/ping, falling back to setuid" >&2
        chmod u+s /bin/ping
    fi
else
    echo "Setcap is not installed, falling back to setuid" >&2
    chmod u+s /bin/ping
fi

which basically says: when configuring iputils-ping, first try setcap, then, if that fails, use chmod u+s. That's why reinstalling iputils-ping works.
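
A diagnostic sketch that ties the three answers together, added here as an example and not part of any answer or of iputils: it checks whether CAP_NET_RAW is in the bounding set at all (the vserver bcapabilities case) and then whether ping is privileged by the setuid bit or by a file capability. The function names are hypothetical; CAP_NET_RAW is capability number 13.

```shell
#!/bin/sh
# Added example: how does ping get its raw-socket privilege on this system?
# Function names are hypothetical. CAP_NET_RAW is capability number 13.

# bnd_has_net_raw HEX: succeed if bit 13 is set in a CapBnd mask as printed
# in /proc/<pid>/status. Empty or non-hex input fails with status 2.
bnd_has_net_raw() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> 13) & 1 )) -eq 1 ]
}

# classify_ping MODE GETCAP_TEXT: pure classifier over the `ls -l` mode
# string and whatever `getcap` printed for the binary. setuid is reported
# first because it grants full root, not just raw sockets.
classify_ping() {
    case "$1" in
        ???[sS]*) echo setuid; return ;;
    esac
    case "$2" in
        *cap_net_raw*) echo cap_net_raw ;;
        *) echo unprivileged ;;
    esac
}

# diagnose [PATH]: gather the live values and print a verdict.
diagnose() {
    bin=${1:-$(command -v ping)}
    [ -n "$bin" ] || { echo "ping not found"; return 2; }
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status 2>/dev/null)
    if ! bnd_has_net_raw "$bnd"; then
        # Neither setuid nor setcap helps if the guest lacks the capability.
        echo "CAP_NET_RAW not in bounding set: check NET_RAW in bcapabilities"
        return 1
    fi
    mode=$(ls -lL "$bin" | cut -c1-10)
    caps=$(command -v getcap >/dev/null 2>&1 && getcap "$bin" 2>/dev/null) || caps=""
    echo "$bin: $(classify_ping "$mode" "$caps")"
}

# Usage after sourcing this file:  diagnose   (or: diagnose /bin/ping)
```

A result of `cap_net_raw` matches what the postinst script aims for; `setuid` means the fallback path was taken or someone ran `chmod u+s` by hand.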