5

Using Fedora 32, I launched a shell inside a network namespace using:

sudo ip netns add net0
sudo ip netns exec net0 sudo -u fred /usr/bin/bash

I configured the network links and firewall to enable ping. When I try to ping as non-root I get:

$ ping 8.8.8.8
ping: socket: Operation not permitted

But if I try to ping with sudo, it works. Why?

Fred Leibitz

1 Answer

7

See the related question How does ping work on Fedora without setuid and capabilities?

and the links:

https://lwn.net/Articles/422330/

https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange

For security reasons, Fedora no longer uses setuid or capabilities to allow non-root users to run ping. Instead, it uses a recent kernel feature that lets the administrator enable ping use by gid.

In a normal shell:

$ sudo sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0   2147483647

But in a fresh shell inside a network namespace:

$ sudo sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 1   0

So the mechanism that enables non-root users to use ping on Fedora is disabled by default when you create a new netns. To fix this, simply set the sysctl value inside your netns:

$ sudo sysctl net.ipv4.ping_group_range="0 2147483647"
net.ipv4.ping_group_range = 0 2147483647
$ ping 8.8.8.8
64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=20 ms
Fred Leibitz
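As an added example (not part of the original question or answer), here is a small Python script that performs the checks the answer describes from inside the namespace: it reads the per-netns net.ipv4.ping_group_range sysctl, compares it against the calling process's group ids the way the kernel does (effective gid plus supplementary groups; a range whose low bound exceeds its high bound, such as the default "1 0", admits nobody), and then tries to open the unprivileged ICMP datagram socket that iputils ping falls back to when it has neither setuid root nor CAP_NET_RAW. The function names, the /proc path used in place of the sysctl command, and the sample values in the comments are my own choices, not anything from the page.

```python
"""Check whether unprivileged ping can work in the current network namespace.

Added example, not from the original question or answer. It checks what the
answer describes: the per-netns net.ipv4.ping_group_range sysctl, whether one
of the caller's gids falls inside that range (the kernel's own test), and
whether an unprivileged ICMP datagram socket can actually be created.
"""
import errno
import os
import socket

# sysctl net.ipv4.ping_group_range as exposed under /proc; the value is
# per network namespace, so read it from inside the netns you care about.
PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"


def parse_ping_group_range(text):
    """Parse the sysctl text ("1\t0" = disabled, "0\t2147483647" = every gid)."""
    low, high = text.split()
    return int(low), int(high)


def gid_allowed(gids, range_text):
    """True if any gid lies inside [low, high].

    A range whose low bound exceeds its high bound (the kernel default "1 0")
    matches no gid at all, which is the state seen in a freshly created netns.
    """
    low, high = parse_ping_group_range(range_text)
    return any(low <= gid <= high for gid in gids)


def caller_gids():
    """Effective gid plus supplementary groups, the set the kernel consults."""
    return {os.getegid(), *os.getgroups()}


def read_ping_group_range(path=PING_GROUP_RANGE):
    """Return the raw sysctl text, or None when /proc is not available."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def probe_ping_socket(family=socket.AF_INET):
    """Try to open the ICMP datagram ("ping") socket that needs no privilege
    beyond ping_group_range. Returns (ok, errno_name)."""
    proto = socket.IPPROTO_ICMP if family == socket.AF_INET else socket.IPPROTO_ICMPV6
    try:
        sock = socket.socket(family, socket.SOCK_DGRAM, proto)
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return True, None


def diagnose():
    """Run the checks and return a list of human-readable findings."""
    findings = []
    range_text = read_ping_group_range()
    if range_text is None:
        findings.append("cannot read %s: not Linux or /proc not mounted" % PING_GROUP_RANGE)
        return findings
    findings.append("net.ipv4.ping_group_range = %s" % range_text.replace("\t", " "))
    gids = caller_gids()
    if gid_allowed(gids, range_text):
        findings.append("gids %s: inside range, ping sockets permitted" % sorted(gids))
    else:
        findings.append('gids %s: outside range; as root, run '
                        'sysctl net.ipv4.ping_group_range="0 2147483647" '
                        'inside this netns' % sorted(gids))
    ok, err = probe_ping_socket()
    findings.append("ICMP datagram socket: %s" % ("ok" if ok else "failed (%s)" % err))
    return findings


if __name__ == "__main__":
    for line in diagnose():
        print(line)
```

Run it as the unprivileged user inside the namespace (for the question's setup, `sudo ip netns exec net0 sudo -u fred python3 pingcheck.py`, where the script name is mine). Because the sysctl is per network namespace, running the same script from a host shell reports the host's value, not net0's, which is why the host and the namespace can disagree even though the same binary and user are involved.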