[SOLVED] Non-root user in container has no ability to ping

MGR42 · 2025-11-25 21:51:01

I've installed Arch in a container twice now and launching it through machinectl makes it so I can't ping. I can start it through systemd-nspawn -bD just fine and sysctl shows the range of allowed UIDs is this:

net.ipv4.ping_group_range = 0   2147483647

but booting through machinectl makes it this:

net.ipv4.ping_group_range = 65534       65534

Am I making some really newbie mistake and need to configure something relevant to machinectl?

Last edited by MGR42 (2025-11-25 22:17:28)

MGR42 · 2025-11-25 21:54:45

To specify I'm using machinectl for the container. I want to use machinectl instead of nspawn since it provides good features to manage the container. All I did to set up Arch was to run

sudo pacstrap -K -c /var/lib/machines/Arch base nano sudo

and run nspawn without using the boot option to create a user in the wheel group. And machinectl does boot it I think.

NuSkool · 2025-11-25 22:08:51

https://wiki.archlinux.org/title/System … wn_options

MGR42 · 2025-11-25 22:18:16

In the systemd service that's launched the command that actually launches the container is this:

20713 systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=Arch

I found my issue. Thanks NuSkool

Last edited by MGR42 (2025-11-25 22:19:13)

MGR42 · 2025-11-25 22:32:06

My fix was to make a .nspawn file in /etc/systemd/nspawn/ with my container's name and I put in

[Network]
Private=0
VirtualEthernet=0

and I can ping now.

NuSkool · 2025-11-25 22:49:04

Welcome MGR42

I'll add a bit of info in case others may find it useful...

I have an nspawn container I want to start upon boot, and I use network manager on host.
In my case I simply removed `--network-veth` from the systemd service that launches the container '/etc/systemd/system/machines.target.wants/systemd-nspawn@<container-name>.service'.

According to the wiki, and if I'm understanding the following correctly, enabling/starting the host 'systemd-networkd' service would be an option to removing `--network-veth`, and would not interfere with the existing 'network manager' setup.

However I've not tested this, and am not clear if 'without interfering with the existing network setup' is for any network management, or exclusively for using a systemd network setup.

Quote: https://wiki.archlinux.org/title/System … networking

Tip
Simply starting systemd-networkd on the host will provide the described container network auto-configuration without interfering with the existing network setup, as the existing interface(s) will remain unmanaged by systemd-networkd until configured otherwise. As such, it is perfectly compatible with a managed network setup e.g. with NetworkManager, and starting systemd-networkd is really all that is needed to get Internet connectivity inside the containers (as well as to be able to reach them from the host) without disturbing anything on the host.

ie: Having more than one network manager running is was known to cause issues AFAIK.

Quote: https://wiki.archlinux.org/title/Networ … orkManager

Note
Each network interface should be managed by only one DHCP client or network manager, so it is advised to run only one DHCP client or network manager on the system . Find a list of the currently running services with systemctl --type=service and then stop or reconfigure those that conflict.
If systemd-resolved is not started, an error message will start flooding your logs. See #Unit dbus-org.freedesktop.resolve1.service not found for more info.

Last edited by NuSkool (2025-11-25 23:29:03)

Arch Linux

#1 2025-11-25 21:51:01

[SOLVED] Non-root user in container has no ability to ping

#2 2025-11-25 21:54:45

Re: [SOLVED] Non-root user in container has no ability to ping

#3 2025-11-25 22:08:51

Re: [SOLVED] Non-root user in container has no ability to ping

#4 2025-11-25 22:18:16

Re: [SOLVED] Non-root user in container has no ability to ping

#5 2025-11-25 22:32:06

Re: [SOLVED] Non-root user in container has no ability to ping

#6 2025-11-25 22:49:04

Re: [SOLVED] Non-root user in container has no ability to ping

Board footer