ping: permission denied error (are you root?) #42

Open
paolorechia opened this issue Jul 14, 2024 · 0 comments

Running on WSL2 (Windows 10 + Ubuntu 22), the ping example of Chapter 4 yields a permission denied error:

```
daggle-envpaolo@DESKTOP-QSGRPBP:~/dev/crio/network$ sudo crictl exec -ti $B1C_ID ping 172.27.237.131
PING 172.27.237.131 (172.27.237.131): 56 data bytes
ping: permission denied (are you root?)
FATA[0000] execing command in container: command terminated with exit code 1
```

One Solution:

```yaml
---
metadata:
  name: busybox
image:
  image: docker.io/library/busybox:latest
args:
  - "/bin/sleep"
  - "36000"
linux:
  security_context:
    capabilities:
      add_capabilities:
        - CAP_NET_RAW
```

Explanation:
It actually took me over an hour to find the solution, which is why I'm sharing how I arrived at the solution, to help the next poor soul :)

  1. Busybox container image requires the `CAP_NET_RAW` capability (https://superuser.com/questions/1713520/why-does-busybox-ping-expect-root)
  2. When running the command `sudo crictl inspect $B1C_ID | jq .info.runtimeSpec.process.capabilities`, we see that `CAP_NET_RAW` is not included.
  3. In the cri-api repository, one can inspect the config definition to find out how to add capabilities (https://github.com/kubernetes/kubernetes/blob/46aa8959a0659e22c924bb52b38385d441715b2b/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto#L883)

Combining these resources we can produce the solution above.
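
Added example, not part of the original issue or of the project's code: a Python version of the check in step 2 that reads the `.info.runtimeSpec.process.capabilities` object from `crictl inspect` output, reports which capability sets contain `CAP_NET_RAW`, and confirms that the fix added only that one capability. The function names, the `granted` criterion (present in bounding, effective and permitted) and both sample documents are assumptions constructed for illustration.

```python
import json

# Capability sets defined by the OCI runtime spec under process.capabilities.
CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")


def capability_sets(inspect_json):
    """Return {set_name: set(caps)} parsed from `crictl inspect` JSON text."""
    doc = json.loads(inspect_json)
    caps = doc["info"]["runtimeSpec"]["process"].get("capabilities") or {}
    return {name: set(caps.get(name) or []) for name in CAP_SETS}


def check_capability(inspect_json, cap="CAP_NET_RAW"):
    """Report which sets hold `cap`; `granted` is this example's own criterion."""
    sets = capability_sets(inspect_json)
    present = sorted(name for name, members in sets.items() if cap in members)
    needed = ("bounding", "effective", "permitted")
    return {"present_in": present,
            "granted": all(cap in sets[name] for name in needed)}


def added_capabilities(before_json, after_json):
    """List capabilities in the new effective set that the old one lacked."""
    before = capability_sets(before_json)["effective"]
    after = capability_sets(after_json)["effective"]
    return sorted(after - before)


def _sample(caps):
    """Build a constructed, minimal stand-in for `crictl inspect` output."""
    sets = {name: list(caps) for name in ("bounding", "effective", "permitted")}
    return json.dumps({"info": {"runtimeSpec": {"process": {"capabilities": sets}}}})


# Constructed samples: a container without, then with, the added capability.
BASE = ["CAP_CHOWN", "CAP_KILL", "CAP_NET_BIND_SERVICE"]
BEFORE = _sample(BASE)
AFTER = _sample(BASE + ["CAP_NET_RAW"])

if __name__ == "__main__":
    print("before:", check_capability(BEFORE))
    print("after: ", check_capability(AFTER))
    print("added by the new config:", added_capabilities(BEFORE, AFTER))
```

To run the check against a real container, pass the text printed by `sudo crictl inspect $B1C_ID` to `check_capability` in place of the constructed samples.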
