From 971974173b43583a3293c97ef5e850470671faa5 Mon Sep 17 00:00:00 2001
From: maybe-sybr <58414429+maybe-sybr@users.noreply.github.com>
Date: Mon, 9 Nov 2020 09:00:40 +1100
Subject: [PATCH] fix: Set `ping_group_range` to `0 0` by default

This sysctl is an inclusive range and since the intention is to only allow ping for root, setting it to `0 0` is adequate. This change ensures that if a container is run from a user namespace where GID 1 isn't mapped, we won't get an EINVAL back when attempting to write this sysctl value which would then cause an OCI runtime error.

Fixes #345
---
 common/pkg/config/containers.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/pkg/config/containers.conf b/common/pkg/config/containers.conf
index 343863e59f..e8519b2519 100644
--- a/common/pkg/config/containers.conf
+++ b/common/pkg/config/containers.conf
@@ -76,10 +76,10 @@ default_capabilities = [
 # A list of sysctls to be set in containers by default,
 # specified as "name=value",
-# for example:"net.ipv4.ping_group_range = 0 1".
+# for example:"net.ipv4.ping_group_range = 0 0".
 #
 default_sysctls = [
- "net.ipv4.ping_group_range=0 1",
+ "net.ipv4.ping_group_range=0 0",
 ]
 # A list of ulimits to be set in containers by default, specified as