Tags: docker, ubuntu, dockerfile, ubuntu-22.04, icmp

Disable the ping in ubuntu docker container


I am trying to stop my docker container (running ubuntu 22.04) from replying to ping. Currently, I am trying these two methods:

  1. sysctl -w net.ipv4.icmp_echo_ignore_all=1. I am only able to run this command from inside the container, and only if I include the --privileged parameter does it work: docker run -it --privileged --name container_name image_name. This does the job, but the change is not persistent, meaning if I save the changes to another image with docker commit running_container_name image_to_be_created_name and start that image again with docker run, the value of icmp_echo_ignore_all will be 0.
  2. Add the line net.ipv4.icmp_echo_ignore_all = 1 to the /etc/sysctl.conf file, then run sysctl -p, to which I get this error: "sysctl: cannot stat /proc/sys/net/ipv4/icmp_echo_ignore_all : No such file or directory". When I try to change the value of icmp_echo_ignore_all (which exists, contrary to what the error says) to 1, manually or by running echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all, I get this error: "bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Read-only file system"

I added the command from no. 1 to the Dockerfile, but it has no effect.

Are there any other ways to disable the ping, preferably so that the change is persistent? Are there any commands that I can add to the Dockerfile that will do this?

If it helps, I am running this container in AWS ECS using a Fargate launch type.


Solution

  • Answering my own question here:

    To disable ping for a container that is using the Fargate launch type, when creating the task definition, choose Create task definition with JSON and include this in your task definition JSON:

    "systemControls": [
        {
            "namespace": "net.ipv4.icmp_echo_ignore_all",
            "value": "1"
        }
    ]
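The systemControls block above lives inside each entry of containerDefinitions, and it is easy to forget on one container when a task has several. The following is an added example (not code from the post or from AWS) that audits a task-definition JSON for the setting and patches it in idempotently; the SAMPLE_TASKDEF document is constructed for illustration and is not a real task definition.

```python
import json
from copy import deepcopy

# The sysctl the answer above sets; ECS spells it out as a "namespace" key.
SYSCTL = "net.ipv4.icmp_echo_ignore_all"

# Constructed sample ECS task definition (not a real one): the first container has
# no systemControls at all, the second has the key but with the wrong value.
SAMPLE_TASKDEF = {
    "family": "example-service",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [
        {"name": "app", "image": "ubuntu:22.04"},
        {"name": "sidecar", "image": "ubuntu:22.04",
         "systemControls": [{"namespace": SYSCTL, "value": "0"}]},
    ],
}


def containers_missing_icmp_ignore(taskdef):
    """Return the names of containers whose systemControls do not set the sysctl to "1"."""
    missing = []
    for container in taskdef.get("containerDefinitions", []):
        controls = container.get("systemControls", [])
        ok = any(c.get("namespace") == SYSCTL and c.get("value") == "1" for c in controls)
        if not ok:
            missing.append(container["name"])
    return missing


def ensure_icmp_ignore(taskdef):
    """Return a copy of taskdef with the sysctl set to "1" on every container.

    Existing entries for the sysctl are updated in place rather than duplicated,
    so running this twice yields the same document.
    """
    patched = deepcopy(taskdef)
    for container in patched.get("containerDefinitions", []):
        controls = container.setdefault("systemControls", [])
        for control in controls:
            if control.get("namespace") == SYSCTL:
                control["value"] = "1"
                break
        else:  # no entry for this sysctl yet: add one
            controls.append({"namespace": SYSCTL, "value": "1"})
    return patched


if __name__ == "__main__":
    print("missing before:", containers_missing_icmp_ignore(SAMPLE_TASKDEF))
    fixed = ensure_icmp_ignore(SAMPLE_TASKDEF)
    print("missing after:", containers_missing_icmp_ignore(fixed))
    print(json.dumps(fixed, indent=2))
```

For plain Docker outside ECS, the same sysctl can be set at container start without --privileged by using docker run --sysctl net.ipv4.icmp_echo_ignore_all=1; it still has to be given on every run, since sysctl values are not stored in the image.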