William Lieurance's Tech Blog

telegraf in docker wants CAP_NET_RAW


Operation not permitted is the only error message that shows up

A thing I ran into when upgrading my telegraf installation to the newest version is that on startup, the container would immediately exit with the only message Operation not permitted in the log. After doing some analysis of what changed in between my versions, and what the /entrypoint.sh script was up to, I found that it now needs NET_RAW in order to start.

The solution was to add this capability when running telegraf under podman. It likely will be needed with docker also.

--cap-add NET_RAW

The idea there is that telegraf does some ICMP echo-request/echo-reply pinging sometimes, and newer versions of docker (reasonably) require explicit permission to be able to do that.
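To confirm whether the capability actually reached the process (for example by running this inside the container, or against the telegraf PID from the host), here is an added shell example that decodes the CapEff field of /proc/<pid>/status. It is not code from the post or from the telegraf project, and the sample masks are constructed.

```sh
#!/bin/sh
# Added example (not from the post or the telegraf project): check whether a
# Linux capability mask, in the hex form /proc/<pid>/status prints
# ("CapEff: 00000000a80425fb"), contains CAP_NET_RAW. CAP_NET_RAW is
# capability number 13 in linux/capability.h, i.e. bit 13 of the mask.

CAP_NET_RAW=13

# cap_in_mask MASK CAPNUM -> exit 0 if bit CAPNUM is set in the hex MASK.
# Works one hex digit at a time so 64-bit masks never hit shell integer limits.
cap_in_mask() {
    cim_mask=$1
    cim_nib=$(( $2 / 4 ))   # hex digit holding the bit, counted from the right
    cim_bit=$(( $2 % 4 ))   # bit within that hex digit
    case $cim_mask in 0x*|0X*) cim_mask=${cim_mask#??} ;; esac
    cim_i=0
    while [ "$cim_i" -lt "$cim_nib" ]; do      # drop digits below the target
        cim_mask=${cim_mask%?}; cim_i=$((cim_i + 1))
    done
    [ -n "$cim_mask" ] || return 1            # mask shorter than the bit asked for
    cim_digit=${cim_mask#"${cim_mask%?}"}     # last remaining hex digit
    [ $(( (0x$cim_digit >> cim_bit) & 1 )) -eq 1 ]
}

# proc_cap_field PID FIELD -> print the hex mask of FIELD (CapEff, CapBnd, ...)
proc_cap_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# has_net_raw PID -> exit 0 if PID's effective set contains CAP_NET_RAW
has_net_raw() {
    cap_in_mask "$(proc_cap_field "$1" CapEff)" "$CAP_NET_RAW"
}

# Constructed sample masks: the second is the first with bit 13 cleared.
WITH_NET_RAW=00000000a80425fb
WITHOUT_NET_RAW=00000000a80405fb

if [ -r /proc/self/status ]; then
    if has_net_raw self; then
        echo "CAP_NET_RAW is in this process's effective set"
    else
        echo "CAP_NET_RAW is missing from this process's effective set"
    fi
fi
```

Run it as `sh` inside the container, or call `has_net_raw <pid>` against the telegraf process from the host, to see whether --cap-add NET_RAW took effect.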

Interestingly, PR 550 added the need for NET_RAW, and there have been a couple of PRs to improve it. PR 552 set the flag on the executable that describes the need for NET_RAW, and PR 562 gives a more compelling error message if the flag-setting fails.

Most interesting to me, under podman the flag can be set correctly but the error shows up when the executable gets run. Apparently that's slightly different than what moby-docker throws the error on? I haven't tried to test that.