allow unprivileged users to use ping in application containers

Signed-off-by: Gwendolyn <[email protected]>

Author: gwenya

internal/server/instance/drivers/driver_lxc.go

@@ -2336,6 +2336,28 @@ func (d *lxc) startCommon() (string, []func() error, error) {
 			return "", nil, err
 		}
 
+		maxGid := int64(4294967295)
+
+		if !d.IsPrivileged() {
+			maxGid = 0
+			idMap, err := d.CurrentIdmap()
+			if err != nil {
+				return "", nil, err
+			}
+
+			for _, entry := range idMap.Entries {
+				if entry.NSID+entry.MapRange-1 > maxGid {
+					maxGid = entry.NSID + entry.MapRange - 1
+				}
+			}
+		}
+
+		err = lxcSetConfigItem(cc, "lxc.sysctl.net.ipv4.ping_group_range", fmt.Sprintf("0 %d", maxGid))
+
+		if err != nil {
+			return "", nil, err
+		}
+
 		// Get all mounts so far.
 		lxcMounts := []string{"/dev", "/proc", "/sys", "/sys/fs/cgroup"}
 		for _, mount := range cc.ConfigItem("lxc.mount.entry") {