Telegraf Error Guide: '[inputs.ping] socket: operation not permitted' — Fix Native ICMP Capability
Fix Telegraf's [inputs.ping] 'socket: operation not permitted': grant CAP_NET_RAW for native ICMP, or switch to method=exec using the system ping so host checks succeed.
- #telegraf
- #metrics
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
The ping input can send ICMP echo requests directly using a raw socket (method = "native"). Opening a raw socket requires the CAP_NET_RAW capability; when the telegraf process lacks it, the plugin fails to create the socket and logs:
2026-07-12T12:00:00Z E! [inputs.ping] Error in plugin: host www.example.com: socket: operation not permitted
A related form appears when the native method cannot bind an unprivileged ICMP datagram socket because the kernel ping_group_range does not include the service group:
E! [inputs.ping] Error in plugin: host 10.0.0.20: listen ip4:icmp 0.0.0.0: socket: operation not permitted
No ping metrics (packet loss, RTT) are produced for the affected hosts until the capability or method is corrected.
Symptoms
- All
pingmetrics are missing while other inputs collect normally. journalctl -u telegrafrepeatssocket: operation not permittedfor each configured host every interval.- Running
telegraf --testas root succeeds, but the systemd service (running astelegraf) fails. - The error started after switching
methodfromexectonative, or after a Telegraf package upgrade changed the default. getcap $(command -v telegraf)shows nocap_net_rawon the binary.
Common Root Causes
- Native method without
CAP_NET_RAW— the raw ICMP socket cannot be opened by an unprivileged user, so the socket call is denied. - systemd unit drops capabilities — a hardened unit with
CapabilityBoundingSet=orNoNewPrivileges=yesprevents Telegraf from ever holdingCAP_NET_RAW. setcaplost on upgrade — a file capability set on the binary is wiped when the package is reinstalled or upgraded.- Kernel
ping_group_rangeexcludes the group — unprivileged ICMP datagram sockets are gated bynet.ipv4.ping_group_range, which does not include thetelegrafGID. method = "exec"but systempingis missing or unprivileged — the fallback shells out toping, which itself may lack its setuid/cap_net_rawbit.- Container without net-raw — a container dropped
NET_RAWin its security context, so no process inside can open raw sockets.
Common Fix Paths
There are two supported approaches: grant the capability and keep method = "native", or switch to method = "exec" and let the system ping binary handle privileges.
Diagnostic Workflow
First confirm which method is configured and whether the binary or process holds the capability:
grep -A5 'inputs.ping' /etc/telegraf/telegraf.conf
getcap "$(command -v telegraf)"
systemctl show telegraf -p CapabilityBoundingSet -p AmbientCapabilities -p NoNewPrivileges
Run only the ping input under debug to see the exact host and socket error:
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter ping --debug
Option A — grant CAP_NET_RAW via systemd (preferred). Add a drop-in so the service starts with the ambient capability:
sudo systemctl edit telegraf
[Service]
AmbientCapabilities=CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_RAW
sudo systemctl daemon-reload && sudo systemctl restart telegraf
The native config stays simple:
[[inputs.ping]]
urls = ["www.example.com", "10.0.0.20"]
method = "native"
count = 3
ping_interval = 1.0
timeout = 2.0
Option B — use the system ping binary. Switch the method and let the setuid ping do the privileged work:
[[inputs.ping]]
urls = ["www.example.com", "10.0.0.20"]
method = "exec"
binary = "ping"
count = 3
timeout = 2.0
Option C — setcap on the binary (useful when systemd hardening is out of your control), noting it must be re-applied after upgrades:
sudo setcap cap_net_raw+ep "$(command -v telegraf)"
Example Root Cause Analysis
After a Telegraf upgrade, a synthetic-availability check that pinged public endpoints went dark, logging host www.example.com: socket: operation not permitted. The config used method = "native", which had worked for months. getcap on the old binary path had shown cap_net_raw+ep, but the upgraded package replaced the binary and the file capability was gone — package upgrades do not preserve setcap.
Rather than re-run setcap after every upgrade, the team moved the grant into a systemd drop-in with AmbientCapabilities=CAP_NET_RAW, which survives package upgrades because it lives in the unit, not on the inode. After daemon-reload and a restart, telegraf --test --input-filter ping reported RTT and packet loss again. The lesson: file capabilities are fragile across upgrades — grant CAP_NET_RAW through the service manager, or use method = "exec" so the OS ping owns the privilege.
Prevention Best Practices
- Prefer a systemd
AmbientCapabilities=CAP_NET_RAWdrop-in oversetcap, since it survives package upgrades. - If you must use
setcap, add a post-upgrade hook to re-apply it, because reinstalls wipe file capabilities. - Choose
method = "exec"when you want the systempingbinary to own ICMP privileges and keep Telegraf unprivileged. - Keep
CapabilityBoundingSetscoped to exactlyCAP_NET_RAWrather than loosening the whole unit. - In containers, add
NET_RAWto the security context explicitly if you rely on native ICMP. - Validate with
telegraf --test --input-filter pingin post-deploy checks so a lost capability is caught before availability data goes missing.
Quick Command Reference
# Check configured method and current capabilities
getcap "$(command -v telegraf)"
systemctl show telegraf -p AmbientCapabilities -p NoNewPrivileges
# Grant CAP_NET_RAW via systemd drop-in (preferred)
sudo systemctl edit telegraf # add AmbientCapabilities=CAP_NET_RAW
sudo systemctl daemon-reload && sudo systemctl restart telegraf
# Alternative: file capability on the binary (re-apply after upgrades)
sudo setcap cap_net_raw+ep "$(command -v telegraf)"
# Run only the ping input with debug
telegraf --config /etc/telegraf/telegraf.conf --test --input-filter ping --debug
Related Guides
- Telegraf docker.sock permission denied
- Telegraf tail input permission denied
- Telegraf exec input exit status 1
More fixes in the Telegraf guides.
Conclusion
[inputs.ping] socket: operation not permitted means Telegraf’s native ICMP method cannot open a raw socket because the process lacks CAP_NET_RAW. Grant the capability through a systemd AmbientCapabilities drop-in (which survives upgrades), or switch to method = "exec" and let the system ping binary handle privileges. Confirm the fix with telegraf --test --input-filter ping, and avoid setcap unless you re-apply it after every package upgrade.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.