Skip to content

Rootless preempt-rt mode (Work in Progress) #918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
dwrobel wants to merge 6 commits into
base: master
Choose a base branch
from
Draft

Rootless preempt-rt mode (Work in Progress) #918

dwrobel wants to merge 6 commits into from

Conversation

@dwrobel
Copy link
Contributor

@dwrobel dwrobel commented Aug 4, 2020
edited
Loading

Allows to run linuxcnc in preempt-rt mode without root (setuid bit).

Benefits:

  • allows to always run using SCHED_FIFO policy (on both rt and non-rt kernels),
  • CI flow can use and tests exactly the same code flow as will be used on the production,
  • latency-test (on modern hardware) should return much more reliable results on non-rt kernel,
  • will help packaging linuxcnc in Fedora (see: setuid removal) and maybe other distros where setuid binaries are not welcome.

How to run it:

  • In order to run it in place, just set the following capabilities:
$ sudo setcap cap_ipc_lock,cap_net_admin,cap_sys_rawio,cap_sys_nice+ep  bin/rtapi_app
  • If you're going to use parallel port, just add yourself to the appropriate group (as you would do for accessing printer).

TODO list:

  • add something like make setcap target to set capabilities on rtapi_app,
  • decide how to clean up the API: like rtapi_is_realtime(),
  • add an option to not invoke iptables in hm2_eth.c (it's much easier and more reliable to configure the rules using firewalld/NetworkManager e.g. on Fedora >=32 firewalld switched from iptables to nftables backend),
  • test with pci cards (currently tested with parport and ethernet based mesa card),
  • very likely other things were missed - would appreciate to get a feedback.

dwrobel added 6 commits August 4, 2020 20:42
@dwrobel
Use TEMP_FAILURE_RETRY() to handle EINTR properly
49fea88 
Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
@dwrobel
Remove unused thread_lock
9ca6c26 
Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
@dwrobel
Unify FIFO_SCHED between root and non-root user
339d84f 
The code tries to unify the codebase of using FIFO_SCHED
between root and non-root as being a root is not a prerequisite
to set FIFO_SCHED scheduler policy (see capabilities(7)).

Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
@dwrobel
Always report realtime from rtapi_is_realtime()
789445d 
Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
@dwrobel
Disable using iptables (work in progress)
c1ea763 
Temporarily disable executing iptables.

Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
@dwrobel
Run tests in verbose mode and with timeout (github)
502b84d 
Also print out both linuxcnc_debug.txt and linuxcnc_print.txt
in case of failure.

Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
@dwrobel dwrobel marked this pull request as draft August 4, 2020 19:58
@dwrobel dwrobel mentioned this pull request Aug 4, 2020
Closed
@jepler
Copy link
Contributor

jepler commented Aug 4, 2020

Things to make sure of as you work on this:

  • Top priority: Identify parts of this which can be separated into pull requests which can be incorporated one by one, so that you have to carry less "outstanding work" as the process continues and you can monitor community acceptance of the coding choices you're making instead of getting the real feedback at the end.
    For instance, these immediately strike me as separate PRs that can be evaluated on their own merits:
    • re-working how hm2_eth does firewalls
    • re-working how harden_rt can work without root but with capabilities (if you can keep as-root and as-capabilities intact, or as a configure-time flag)
  • It must remain possible to run LinuxCNC in a pure simulator mode with no elevated privileges required to build it, run the tests, run UIs in simulator mode, etc.
  • It must work on whatever range of platforms we will commit to supporting in our main development branch
  • It must be furnished with the debian packaging work completed as well. I am not familiar with how capabilities are represented in debian packages, so you may have to educate yourself.
  • It must not regress on preventing non-rtapi_app processes from sending packets on the ethernet interface while LinuxCNC is running.

I don't know what's the point of protecting a system against a setuid binary but allowing a binary with cap_sys_rawio, but linux security decisions are a land of contrasts.

@andypugh
Copy link
Collaborator

andypugh commented Mar 30, 2022

It's been quite a while, but this might still be a good idea. Any comments?

@petterreinholdtsen
Copy link
Collaborator

petterreinholdtsen commented Aug 25, 2022

It sound like a great idea to reduce the privileges needed to run linuxcnc. Any hope to get this patch out of draft / work in progress mode?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dwrobel @jepler @andypugh @petterreinholdtsen