From 1b57dab4daa2f54d40719beb70b5d6ada4445cbf Mon Sep 17 00:00:00 2001 From: Mikkel Georgsen Date: Wed, 14 Jan 2026 20:28:25 +0000 Subject: [PATCH] Add TODO.md and document ping fix for unprivileged containers - Created TODO.md with pending task to fix ping on all containers - Added setcap command to standard container setup in documentation - Added detailed explanation in CLAUDE.md for future reference - Unprivileged containers need cap_net_raw on /bin/ping Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 14 ++++++++++++++ README.md | 1 + TODO.md | 11 +++++++++++ homelab-documentation.md | 5 +++++ 4 files changed, 31 insertions(+) create mode 100644 TODO.md diff --git a/CLAUDE.md b/CLAUDE.md index 900d472..35022cb 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -112,6 +112,20 @@ ssh mikkel@10.5.0.111 # dev container ssh root@10.5.0.1 'cd /opt/npm && docker compose pull && docker compose up -d' ``` +**Enable ping in unprivileged containers:** + +Unprivileged LXC containers drop `cap_net_raw` capability, causing ping to fail with "Operation not permitted". Fix by granting the capability to the ping binary: + +```bash +# Run inside the container as root +setcap cap_net_raw+ep /bin/ping + +# Or from PVE host +ssh root@10.5.0.254 'pct exec -- setcap cap_net_raw+ep /bin/ping' +``` + +Note: Must be re-applied after `iputils-ping` package upgrades. + ## User Preferences - Python and Batch for scripting diff --git a/README.md b/README.md index 0aa741a..73e817d 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ Infrastructure documentation and management for Mikkel's homelab. - **homelab-documentation.md** - Complete infrastructure documentation - **CLAUDE.md** - Claude Code guidance and quick reference +- **TODO.md** - Pending maintenance tasks ## Management Container diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..85f2921 --- /dev/null +++ b/TODO.md 
@@ -0,0 +1,11 @@ +# Homelab TODO + +## Pending Tasks + +- [ ] **Fix ping on all unprivileged containers** - Run `setcap cap_net_raw+ep /bin/ping` on each container (requires restart or at least root access inside container) + - Containers to fix: 100 (npm), 101 (dockge), 102 (mgmt), 103 (postgresql01), 104 (redis01), 105 (sentry), 107 (pve-scripts-local), 108 (jukebox), 110 (sense), 111 (dev), 112 (dataloes), 114 (forgejo), 115 (dns), 1000 (tailscale) + - Skip: 106 (pbs) - privileged container, 113 (general) - already done + +## Completed + +- [x] Fix ping on container 113 (general) - 2025-01-14 diff --git a/homelab-documentation.md b/homelab-documentation.md index 24a5ed7..aa2bdae 100644 --- a/homelab-documentation.md +++ b/homelab-documentation.md @@ -469,6 +469,11 @@ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOQrK06zVkfY6C1ec69kEZYjf8tC98icCcBju chmod 700 /root/.ssh /home/mikkel/.ssh chmod 600 /root/.ssh/authorized_keys /home/mikkel/.ssh/authorized_keys chown -R mikkel:georgsen /home/mikkel/.ssh + +# Enable ping in unprivileged containers (required because cap_net_raw is dropped) +# Without this, ping fails with "Operation not permitted" +# Must be re-applied if iputils-ping package is upgraded +setcap cap_net_raw+ep /bin/ping ``` ---
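Review bot: In the CLAUDE.md hunk, the PVE-host variant `pct exec -- setcap cap_net_raw+ep /bin/ping` has no container ID between `pct exec` and `--`, so as written it does not name a container to run in. Add an explicit placeholder there (for example `pct exec CTID -- setcap cap_net_raw+ep /bin/ping`) and state that it must be replaced with the numeric container ID, so the line cannot be pasted unchanged.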
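Review bot: In the TODO.md hunk, the Completed entry is dated `2025-01-14` while this commit is dated 14 Jan 2026, so the year looks like a typo. Also, "(requires restart or at least root access inside container)" leaves it unclear whether a restart is needed at all; the CLAUDE.md text in this same patch only says to run the command inside the container as root, and the two descriptions should agree.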
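Review bot: In the homelab-documentation.md hunk, the comment "required because cap_net_raw is dropped" does not match the fix it documents. A file capability set with `setcap` only takes effect for capabilities that are still in the container's bounding set, so if `setcap cap_net_raw+ep /bin/ping` makes ping work, the capability is available and it is the ping binary that lacks the file capability. Reword the comment (and the matching sentence in CLAUDE.md) to say that, and add a `getcap /bin/ping` line after the `setcap` so the setup steps confirm the result, which also gives a quick check after an `iputils-ping` upgrade.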