Open Stack

Hello,

Late yesterday, I noticed many Kayobe CI jobs started failing with
"ping: socket: Operation not permitted".
I investigated the issue with clarkb on #openstack-infra, with help
from #centos-devel as well (on Libera).

This happens on the latest CentOS Stream 8 images and is caused by
iputils 20180629-8.el8 removing capabilities on the ping binary [1].
This should have been shipped with a sysctl configuration allowing any
group to access unprivileged ICMP echo sockets [2], but this is not in
the systemd package yet. As a result, using ping without root
privileges fails.

TripleO is also impacted. They have fixed it in their CI jobs [3]. It
is possible other projects are affected.

There are multiple places within Kayobe and Kolla where we would need
to set this sysctl to fix our CI, including backports to all supported
branches. I was wondering if infra could instead customise their
stream image or apply the sysctl in one of the common roles from
zuul/zuul-jobs that are run at the beginning of each job? Many thanks.

Best wishes,
Pierre Riteau (priteau)

[1] https://git.centos.org/rpms/iputils/c/efa64b5e05ccb2c1332304ad493acc874b61e13a?branch=c8s
[2] https://github.com/redhat-plumbers/systemd-rhel8/pull/246
[3] https://review.opendev.org/c/openstack/tripleo-ci/+/824635