[ZBX-22833] Zabbix Server Docker : sh: /usr/sbin/fping: Operation not permitted Created: 2023 May 22 Updated: 2025 Jan 13 Resolved: 2024 Jan 23 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Documentation (D) |
Affects Version/s: | None |
Fix Version/s: | 6.0.26rc1, 6.4.11rc1, 7.0.0beta1, 7.0 (plan) |
Type: | Documentation task | Priority: | Major |
Reporter: | Luca Carangelo | Assignee: | Martins Valkovskis |
Resolution: | Fixed | Votes: | 4 |
Labels: | Container, Permissions, Podman, fping | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Sprint: | S2401-1 | ||||||||
Story Points: | 1 |
Description |
Steps to reproduce:

1) Install via podman:

```
podman pod create --name zabbix -p 8080:8080 -p 10051:10051

podman run --name mysql-server -t \
  -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" \
  -e MYSQL_PASSWORD="pippo" -e MYSQL_ROOT_PASSWORD="pippo" \
  --restart=always --pod=zabbix -d docker.io/library/mysql:8.0 \
  --character-set-server=utf8 --collation-server=utf8_bin \
  --default-authentication-plugin=mysql_native_password

podman run --name zabbix-server-mysql -t \
  -e DB_SERVER_HOST="127.0.0.1" -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" \
  -e MYSQL_PASSWORD="pippo" -e MYSQL_ROOT_PASSWORD="pippo" \
  -e ZBX_JAVAGATEWAY="127.0.0.1" \
  --restart=always --pod=zabbix -d zabbix/zabbix-server-mysql:alpine-6.4-latest

podman run --name zabbix-web-mysql -t \
  -e ZBX_SERVER_HOST="127.0.0.1" -e DB_SERVER_HOST="127.0.0.1" \
  -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" \
  -e MYSQL_PASSWORD="pippo" -e MYSQL_ROOT_PASSWORD="pippo" \
  --restart=always --pod=zabbix -d zabbix/zabbix-web-nginx-mysql:alpine-6.4-latest

podman run --name zabbix-agent -e ZBX_SERVER_HOST="127.0.0.1,localhost" \
  --restart=always --pod=zabbix -d zabbix/zabbix-agent
```

2) Create a host to monitor via the Data Collection -> Host menu.

3) Give an IP to the monitored host and use the ICMP ping template for monitoring.

Result: Looking at the latest data for the monitored object, I receive an error:

```
sh: /usr/sbin/fping: Operation not permitted
```

If I log on to the zabbix-server-mysql container I cannot sudo in order to change the permissions.
Can you please fix it? What is the password for the zabbix user on the container in order to "sudo" some commands?
Regards Luca |
Comments |
Comment by Edgar Akhmetshin [ 2023 May 24 ] |
Hello. Is the user used for the container included in the net.ipv4.ping_group_range range? Are you using rootless mode? Which host operating system and podman version are used? Regards, |
Comment by Luca Carangelo [ 2023 May 24 ] |
Almalinux 9.2 VM with podman version 4.4.1; rootless mode. I executed `sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"`; restart podman; restart pod. But the problem is still present. Opening a bash shell on container : |
Comment by Luca Carangelo [ 2023 May 25 ] |
I've deployed again the zabbix-server-mysql using the ubuntu base os: podman run --user root --name zabbix-server-mysql -t \
In this case both (ping and fping) were returning the same problem :
At this point I executed the following commands:

```
setcap cap_net_raw+p /usr/bin/ping
setcap cap_net_raw+p /usr/bin/fping
```

After these steps I am now able to execute both commands, but now ping is working and fping doesn't....
|
Comment by Luca Carangelo [ 2023 May 26 ] |
Hi, I did the same installation using "Almalinux release 8.8 with podman version 4.4.1; rootless mode" instead of "Almalinux 9.2 VM with podman version 4.4.1; rootless mode" and the problem ISN'T present. Everything works as expected. This means that it should be investigated on hosts based on Almalinux 9 (maybe also RHEL 9; I'll check this case too and let you know). |
Comment by Hiroshi Shirosaki [ 2023 Aug 29 ] |
I have the same issue on Rocky Linux 9.2.

```
# podman run --user=0 -ti docker.io/zabbix/zabbix-server-mysql:alpine-6.0-latest bash
bash-5.1# fping 127.0.0.1
bash: /usr/sbin/fping: Operation not permitted
bash-5.1# chown root:zabbix /usr/sbin/fping
bash-5.1# fping 127.0.0.1
127.0.0.1 is alive
```
|
Comment by Hiroshi Shirosaki [ 2023 Aug 29 ] |
I found just `chown root /usr/sbin/fping` works. |
Comment by Joe Madden [ 2023 Sep 08 ] |
Hi All,
This issue exists on the ubuntu container too
Is there any known work around or fixes for it yet? |
Comment by Robin Roevens [ 2023 Oct 27 ] |
I can confirm fping not working in container zabbix-server-mysql:alpine-6.4-latest on host system OpenSuse Leap Micro 5.5 running in root-mode:

```
zabbix:~ # cat /etc/os-release
NAME="openSUSE Leap Micro"
VERSION="5.5"
ID="opensuse-leap-micro"
ID_LIKE="suse opensuse opensuse-leap suse-microos"
VERSION_ID="5.5"
PRETTY_NAME="openSUSE Leap Micro 5.5"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap-micro:5.5"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:LeapMicro"
LOGO="distributor-logo-LeapMicro"
zabbix:~ # whoami
root
zabbix:~ # podman ps -a
CONTAINER ID  IMAGE                                                      COMMAND               CREATED       STATUS       PORTS                     NAMES
4dbdd3cffc43  localhost/podman-pause:4.4.4-1680004800                                          21 hours ago  Up 21 hours                            6730bd2ed8b3-infra
6c38fe3329c2  registry.opensuse.org/opensuse/mariadb:11.0                mariadbd              21 hours ago  Up 21 hours                            zabbixdb
23a79d4491b6  docker.io/zabbix/zabbix-web-nginx-mysql:alpine-6.4-latest                        21 hours ago  Up 21 hours  0.0.0.0:80->8080/tcp      zabbix-web
9deaab7570bd  docker.io/zabbix/zabbix-server-mysql:alpine-6.4-latest     /usr/sbin/zabbix_...  21 hours ago  Up 21 hours  0.0.0.0:10051->10051/tcp  zabbix-server
```

fping not working by default.
But suddenly working after performing a chown root /usr/sbin/fping :

```
zabbix:~ # podman exec -it zabbix-server /bin/bash
zabbix:/var/lib/zabbix$ whoami
zabbix
zabbix:/var/lib/zabbix$ ls -lia /usr/sbin/fping
26182 -rwxr-xr-x 1 root root 43808 Jun 1 23:48 /usr/sbin/fping
zabbix:/var/lib/zabbix$ /usr/sbin/fping 192.168.0.1
bash: /usr/sbin/fping: Operation not permitted
zabbix:/var/lib/zabbix$ exit
zabbix:~ # podman exec --user=0 -it zabbix-server /bin/bash
zabbix:/var/lib/zabbix# whoami
root
zabbix:/var/lib/zabbix$ ls -lia /usr/sbin/fping
26182 -rwxr-xr-x 1 root root 43808 Jun 1 23:48 /usr/sbin/fping
zabbix:/var/lib/zabbix# chown root /usr/sbin/fping
zabbix:/var/lib/zabbix# ls -lia /usr/sbin/fping
26182 -rwxr-xr-x 1 root root 43808 Jun 1 23:48 /usr/sbin/fping
zabbix:/var/lib/zabbix# exit
zabbix:~ # podman exec -it zabbix-server /bin/bash
zabbix:/var/lib/zabbix$ whoami
zabbix
zabbix:/var/lib/zabbix$ fping 192.168.0.1
192.168.0.1 is alive
```
|
Comment by Uwe W [ 2023 Dec 07 ] |
I have had the same issue for a long time. Podman version 4.7.2. The workaround with "chown root /usr/sbin/fping" even fails with an operation not permitted. Must be solved, otherwise zabbix cannot be used under podman and we have to go back to check_mk. |
Comment by Neal Harrington [ 2023 Dec 08 ] |
@Uwe I have it working with podman 3.4.4 on Ubuntu 22.04 LTS and docker.io/zabbix/zabbix-proxy-mysql:alpine-6.0-latest. The trick is that the default user inside the container can not chown the file - but root inside the container can. Run this as the podman user on the host (changing "zabbix-proxy-mysql" if your container has a different name):
|
Comment by Alexey Pustovalov [ 2023 Dec 14 ] |
Did you try?

```
podman run --cap-add=net_raw --name zabbix-server-mysql -t \
  -e DB_SERVER_HOST="127.0.0.1" -e MYSQL_DATABASE="zabbix" -e MYSQL_USER="zabbix" \
  -e MYSQL_PASSWORD="pippo" -e MYSQL_ROOT_PASSWORD="pippo" \
  -e ZBX_JAVAGATEWAY="127.0.0.1" \
  --restart=always --pod=zabbix -d zabbix/zabbix-server-mysql:alpine-6.4-latest
```

Just add "--cap-add=net_raw". PS: if you receive messages about lost packets / network is not reachable:

```
sudo sysctl -w "net.ipv4.ping_group_range=0 1995"
```

where "zabbix" gid is 1995. |
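An added example, not part of the original thread or of Zabbix's own tooling: a POSIX shell check for the two settings raised in the comment above, `--cap-add=net_raw` and `net.ipv4.ping_group_range`, meant to be run inside the container. The function names are hypothetical and the masks used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added example: triage helper for "fping: Operation not permitted" in a container.
# General Linux behaviour (not a statement about the Zabbix image): execve() of a
# file carrying cap_net_raw+ep returns EPERM when CAP_NET_RAW is missing from the
# process bounding set, and chown strips file capabilities from the file.

CAP_NET_RAW_BIT=13   # CAP_NET_RAW is capability number 13

# Return 0 if a hex mask in /proc/<pid>/status format includes CAP_NET_RAW.
mask_has_net_raw() {
    [ $(( (0x$1 >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# Return 0 if gid $1 lies inside a "low high" ping_group_range value $2.
gid_in_ping_range() {
    gid=$1
    set -- $2            # split "low high" on whitespace (sysctl uses a tab)
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# diagnose <CapBnd hex> <gid> <ping_group_range>
# Reports which of the two ICMP socket paths is open to the process.
diagnose() {
    raw=no
    dgram=no
    mask_has_net_raw "$1" && raw=yes          # SOCK_RAW needs CAP_NET_RAW
    gid_in_ping_range "$2" "$3" && dgram=yes  # SOCK_DGRAM ICMP needs the gid in range
    echo "raw_socket=$raw icmp_dgram=$dgram"
}

# Live check, only where the kernel interfaces are readable.
# Simplification: only the primary gid is tested; supplementary groups also count.
if [ -r /proc/self/status ] && [ -r /proc/sys/net/ipv4/ping_group_range ]; then
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    if [ -n "$bnd" ]; then
        diagnose "$bnd" "$(id -g)" "$(cat /proc/sys/net/ipv4/ping_group_range)"
    fi
fi
```
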
Comment by Martins Valkovskis [ 2024 Jan 16 ] |
Solutions to this issue are described in Zabbix documentation. See "Known issues" for versions 5.0, 6.0, 6.4, and 7.0. |