Granting access to kernel capabilities and keeping the default ones

Dears,

I am running the Freeswitch application in an LXD/LXC container, but it requires some access to kernel capabilities.

1- ERROR: Failed to set SCHED_FIFO scheduler (Operation not permitted);

2- ERROR: Could not set nice level.

If I run the container in privileged security mode it works OK. But as far as I know it is unsafe to run a container in privileged mode, isn't it? Is there any way to grant access only to these kernel capabilities (sys_nice and sys_time) plus the default ones?

Regards!

I don’t think there’s any way to do that with an unprivileged container, at least short of having us do a bunch more syscall interception work to allow this.

But there may well be a switch in freeswitch to not fail miserably on those as I’d expect the same errors were you to attempt to start it as a normal unprivileged user.

I run Freeswitch inside an unprivileged LXC container (not LXD right now), and I use:

lxc.prlimit.nice = -20
lxc.prlimit.nofile = 1024:999999

To allow it to increase its nice priority inside the container. This seems to work, as I can see the freeswitch processes have a higher priority.

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                   
369 freeswit  10 -10  874m 153m 8800 S  7.0 15.0   1304:09 freeswitch                                

I’m not sure if that gets you what you want, but it has been working for me.

In LXD you should be able to get the same effect using the limits.kernel.nice setting on the instance.

That won’t get you the SCHED_FIFO bit, but should fix 2. Does freeswitch fail to start for you or is it just a warning?

@stgraber @tomp, thanks so very much!

Freeswitch fails to start.

root@debian-10:~# freeswitch -c
ERROR: Could not set nice level

root@debian-10:~# journalctl -xe
Jul 21 11:57:45 debian-10 ntpd[339]: adj_systime: Operation not permitted
Jul 21 11:57:46 debian-10 ntpd[339]: adj_systime: Operation not permitted

root@debian-10:~# freeswitch -c
ERROR: Could not set nice level

I tried to set it with this command, but it outputs the following error.

root@XXXXXX:~# lxc config set debian-10 limits.kernel.nice -20
Error: unknown shorthand flag: '2' in -20

Any suggestion? Thanks!

try quoting the -20, so that lxc doesn’t think you’re passing a flag.

lxc config set debian-10 limits.kernel.nice "-20"

@tomp, no luck:

root@xxxxxxxxx:~# lxc config set debian-10 limits.kernel.nice "-20"
Error: unknown shorthand flag: '2' in -20

Use limits.kernel.nice=-20

Tested working:

lxc launch images:ubuntu/focal c1
lxc exec c1 -- nice -n -20 whoami
nice: cannot set niceness: Permission denied
root

lxc stop c1
lxc config set c1 limits.kernel.nice=-20
lxc start c1
lxc exec c1 -- nice -n -20 whoami
root

Dear @tomp,

Yep, it worked; now freeswitch is not running due to another issue.

root@debian-10:~# service freeswitch status
● freeswitch.service - freeswitch
   Loaded: loaded (/lib/systemd/system/freeswitch.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/system/freeswitch.service.d
           └─zzz-lxc-service.conf
   Active: failed (Result: exit-code) since Wed 2021-07-21 21:01:59 UTC; 34s ago
  Process: 362 ExecStartPre=/bin/mkdir -p /var/run/freeswitch (code=exited, status=211/IOPRIO)

root@debian-10:~# journalctl -xe

Jul 21 21:02:08 debian-10 ntpd[339]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted
Jul 21 21:02:13 debian-10 ntpd[339]: local_clock: ntp_loopfilter.c line 818: ntp_adjtime: Operation not permitted

The issue seems to be related to ntp or something related to it, isn't it?

As you can see below, I set up the container as close as possible to the freeswitch service settings (systemd) regarding CPU/files/limits.

////////freeswitch.service////////
LimitCORE=infinity
LimitNOFILE=100000
LimitNPROC=60000
LimitSTACK=250000
LimitRTPRIO=infinity
LimitRTTIME=infinity
IOSchedulingClass=realtime
IOSchedulingPriority=2
CPUSchedulingPolicy=rr
//////////////////////

root@XXXXXX:~# lxc config show debian-10
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian buster amd64 (20210719_08:05)
  image.os: Debian
  image.release: buster
  image.serial: "20210719_08:05"
  image.type: squashfs
  image.variant: default
  limits.cpu: "1"
  limits.kernel.core: unlimited
  limits.kernel.nice: "-20"
  limits.kernel.nofile: "100000"
  limits.kernel.nproc: "60000"
  limits.kernel.rtprio: unlimited
  limits.kernel.rttime: unlimited
  limits.kernel.stack: "250000"
  limits.memory: 1024MB
  security.privileged: "false"
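A small helper, added here as an example and not part of the thread or of LXD itself, that derives the limits.kernel.* settings from the unit's Limit* lines (Limit<NAME> to limits.kernel.<name>, infinity to unlimited, as the two listings above show) and emits them in the key=value form that sidesteps the shorthand-flag error seen earlier with -20. The unit fragment is the one quoted in this post; the function names and the default skip of the stack limit (which this thread later found to break PostgreSQL in the container) are choices made for this example.

```python
"""Translate systemd Limit* directives into `lxc config set` commands for an unprivileged container."""
import re
import shlex

# Constructed sample input: the freeswitch.service fragment quoted in the thread.
UNIT_FRAGMENT = """\
[Service]
LimitCORE=infinity
LimitNOFILE=100000
LimitNPROC=60000
LimitSTACK=250000
LimitRTPRIO=infinity
LimitRTTIME=infinity
IOSchedulingClass=realtime
IOSchedulingPriority=2
CPUSchedulingPolicy=rr
"""

LIMIT_RE = re.compile(r"^Limit([A-Z]+)=(\S+)$")


def unit_limits_to_lxd(unit_text, skip=()):
    """Map LimitXXX=value lines to limits.kernel.xxx; other directives (scheduling classes) have no equivalent."""
    settings = {}
    for line in unit_text.splitlines():
        m = LIMIT_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name in skip:
            continue
        # systemd spells "no limit" as infinity, LXD as unlimited; handle soft:hard pairs too.
        value = ":".join("unlimited" if part == "infinity" else part for part in value.split(":"))
        settings["limits.kernel." + name] = value
    return settings


def lxc_config_commands(instance, settings):
    """One `lxc config set` per key, always as key=value so a leading '-' (e.g. nice=-20) is not read as a flag."""
    return [f"lxc config set {shlex.quote(instance)} {shlex.quote(key + '=' + value)}"
            for key, value in sorted(settings.items())]


def build_plan(instance, unit_text, nice=None, skip=("stack",)):
    """Full command list; `nice` is added separately because the unit fragment carries no Nice= line."""
    settings = unit_limits_to_lxd(unit_text, skip)
    if nice is not None:
        settings["limits.kernel.nice"] = str(nice)
    return lxc_config_commands(instance, settings)


if __name__ == "__main__":
    print("\n".join(build_plan("debian-10", UNIT_FRAGMENT, nice=-20)))
```

Apply the printed commands while the instance is stopped, then confirm inside the container with `nice -n -20 whoami` as in the earlier test.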

Can you try running this command manually:

Dear @tomp ,

Actually this is a FusionPBX install in an LXC/LXD container. I found an issue regarding PostgreSQL due to this line "lxc config set debian-10 limits.kernel.stack=250000". I removed it and it worked fine. Freeswitch needs to connect to the PostgreSQL DB as well on Fusion. Now everything seems to be running fine. I will start some stress tests. Thanks a lot, you nailed it!
