PThread permissions problem after upgrading host to 19.10

jbcpollak · December 11, 2019, 7:05pm

Hello, I setup an Ubuntu 16.04 container on a host running Ubuntu 16.04 using the snap version of LXD 3.0.4. Everything was working great, so I upgraded the host to Ubuntu 19.10, and now I’m getting this error from my application in the container:

2019-12-11_18:59:26:02383 00:00:00:000 WARNING - PThread::_start: SCHED_FIFO - Failed to set scheduling parameters for PThreadPool

I suspect this is related to the SYS_NICE permission, but I’m not sure. I tried granting SYS_NICE via the raw.lxc setting, but that just took away other needed capabilities and it didn’t work well.

I read somewhere that the latest LXD grants all capabilities to unprivileged containers, so I tried upgrading to 3.18, but that didn’t help either.

Any advice would be appreciated.

gpatel-fr · December 11, 2019, 8:16pm

did you try

lxc config set mycontainer raw.lxc 'lxc.apparmor.profile=unconfined'

Granted if it’s a priviledged container it’s really not good from security point of view, but at least it could bring a negative information.

jbcpollak · December 11, 2019, 8:55pm

Thanks for the suggestion - I just tried it and got the same result. I am researching doing something similar with the cgroup cpu settings, based on this thread, but I don’t know how to apply the fix to lxc containers.

github.com/coreos/bugs

pthread_create priority thread returns EPERM when run as root

opened 03:31PM - 13 Jul 15 UTC

closed 04:55PM - 26 Sep 18 UTC

onedsc

kind/design priority/P1 area/usability component/kernel team/os closed/rejected

#### Summary: Setting a thread priority to anything other than zero using a sch…eduling policy of Round Robin fails with an EPERM when running as root. #### Details: After building the SDK and an image on an Ubuntu 14.04 LTS I tried to set the priority of a thread created as root and received an EPERM. I then pulled the source code below is directly from the man pages for pthread_setschedparam to investigate further and it too returns EPERM when run as root with the command line options `-ar20 -ie`. Just to make sure my SDK or image where not at fault I scp'd the program to a Rackspace machine running the Alpha release and it also failed with EPERM. To compile: `gcc -Wall pthreads_sched_test.c -lpthread -o sched_test` #### Usage: ``` Usage: ./sched_test [options] Options are: -a<policy><prio> Set scheduling policy and priority in thread attributes object <policy> can be f SCHED_FIFO r SCHED_RR o SCHED_OTHER -A Use default thread attributes object -i {e|i} Set inherit scheduler attribute to 'explicit' or 'inherit' -m<policy><prio> Set scheduling policy and priority on main thread before pthread_create() call ``` #### Receive an EPERM executing as root: Set the scheduling policy to SCHED_RR (r), the priority to 20, and the inherit scheduling policy to "explicit". `./sched_test -ar20 -ie` ``` localhost core # ./sched_test -ar20 -ie Scheduler settings of main thread policy=SCHED_OTHER, priority=0 Scheduler settings in 'attr' policy=SCHED_RR, priority=20 inheritsched is EXPLICIT pthread_create: Operation not permitted ``` #### Ulimits are set to "unlimited": ``` localhost core # ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) unlimited file size (blocks, -f) unlimited pending signals (-i) 3825 max locked memory (kbytes, -l) 64 max memory size (kbytes, -m) unlimited open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) unlimited stack size (kbytes, -s) 8192 cpu time (seconds, -t) unlimited max user processes (-u) 3825 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited ``` #### Contents of /etc/os-release ``` core@localhost ~ $ cat /etc/os-release NAME=CoreOS ID=coreos VERSION=734.0.0+2015-07-05-1552 VERSION_ID=734.0.0 BUILD_ID=2015-07-05-1552 PRETTY_NAME="CoreOS 734.0.0+2015-07-05-1552" ANSI_COLOR="1;32" HOME_URL="https://coreos.com/" BUG_REPORT_URL="https://github.com/coreos/bugs/issues" ``` #### Source code from pthread_setschedparam man page: ``` c /* pthreads_sched_test.c */ #include <pthread.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <errno.h> #define handle_error_en(en, msg) \ do { errno = en; perror(msg); exit(EXIT_FAILURE); } while (0) static void usage(char *prog_name, char *msg) { if (msg != NULL) fputs(msg, stderr); fprintf(stderr, "Usage: %s [options]\n", prog_name); fprintf(stderr, "Options are:\n"); #define fpe(msg) fprintf(stderr, "\t%s", msg); /* Shorter */ fpe("-a<policy><prio> Set scheduling policy and priority in\n"); fpe(" thread attributes object\n"); fpe(" <policy> can be\n"); fpe(" f SCHED_FIFO\n"); fpe(" r SCHED_RR\n"); fpe(" o SCHED_OTHER\n"); fpe("-A Use default thread attributes object\n"); fpe("-i {e|i} Set inherit scheduler attribute to\n"); fpe(" 'explicit' or 'inherit'\n"); fpe("-m<policy><prio> Set scheduling policy and priority on\n"); fpe(" main thread before pthread_create() call\n"); exit(EXIT_FAILURE); } static int get_policy(char p, int *policy) { switch (p) { case 'f': *policy = SCHED_FIFO; return 1; case 'r': *policy = SCHED_RR; return 1; case 'o': *policy = SCHED_OTHER; return 1; default: return 0; } } static void display_sched_attr(int policy, struct sched_param *param) { printf(" policy=%s, priority=%d\n", (policy == SCHED_FIFO) ? "SCHED_FIFO" : (policy == SCHED_RR) ? "SCHED_RR" : (policy == SCHED_OTHER) ? "SCHED_OTHER" : "???", param->sched_priority); } static void display_thread_sched_attr(char *msg) { int policy, s; struct sched_param param; s = pthread_getschedparam(pthread_self(), &policy, &param); if (s != 0) handle_error_en(s, "pthread_getschedparam"); printf("%s\n", msg); display_sched_attr(policy, &param); } static void * thread_start(void *arg) { display_thread_sched_attr("Scheduler attributes of new thread"); return NULL; } int main(int argc, char *argv[]) { int s, opt, inheritsched, use_null_attrib, policy; pthread_t thread; pthread_attr_t attr; pthread_attr_t *attrp; char *attr_sched_str, *main_sched_str, *inheritsched_str; struct sched_param param; /* Process command-line options */ use_null_attrib = 0; attr_sched_str = NULL; main_sched_str = NULL; inheritsched_str = NULL; while ((opt = getopt(argc, argv, "a:Ai:m:")) != -1) { switch (opt) { case 'a': attr_sched_str = optarg; break; case 'A': use_null_attrib = 1; break; case 'i': inheritsched_str = optarg; break; case 'm': main_sched_str = optarg; break; default: usage(argv[0], "Unrecognized option\n"); } } if (use_null_attrib && (inheritsched_str != NULL || attr_sched_str != NULL)) usage(argv[0], "Can't specify -A with -i or -a\n"); /* Optionally set scheduling attributes of main thread, and display the attributes */ if (main_sched_str != NULL) { if (!get_policy(main_sched_str[0], &policy)) usage(argv[0], "Bad policy for main thread (-m)\n"); param.sched_priority = strtol(&main_sched_str[1], NULL, 0); s = pthread_setschedparam(pthread_self(), policy, &param); if (s != 0) handle_error_en(s, "pthread_setschedparam"); } display_thread_sched_attr("Scheduler settings of main thread"); printf("\n"); /* Initialize thread attributes object according to options */ attrp = NULL; if (!use_null_attrib) { s = pthread_attr_init(&attr); if (s != 0) handle_error_en(s, "pthread_attr_init"); attrp = &attr; } if (inheritsched_str != NULL) { if (inheritsched_str[0] == 'e') inheritsched = PTHREAD_EXPLICIT_SCHED; else if (inheritsched_str[0] == 'i') inheritsched = PTHREAD_INHERIT_SCHED; else usage(argv[0], "Value for -i must be 'e' or 'i'\n"); s = pthread_attr_setinheritsched(&attr, inheritsched); if (s != 0) handle_error_en(s, "pthread_attr_setinheritsched"); } if (attr_sched_str != NULL) { if (!get_policy(attr_sched_str[0], &policy)) usage(argv[0], "Bad policy for 'attr' (-a)\n"); param.sched_priority = strtol(&attr_sched_str[1], NULL, 0); s = pthread_attr_setschedpolicy(&attr, policy); if (s != 0) handle_error_en(s, "pthread_attr_setschedpolicy"); s = pthread_attr_setschedparam(&attr, &param); if (s != 0) handle_error_en(s, "pthread_attr_setschedparam"); } /* If we initialized a thread attributes object, display the scheduling attributes that were set in the object */ if (attrp != NULL) { s = pthread_attr_getschedparam(&attr, &param); if (s != 0) handle_error_en(s, "pthread_attr_getschedparam"); s = pthread_attr_getschedpolicy(&attr, &policy); if (s != 0) handle_error_en(s, "pthread_attr_getschedpolicy"); printf("Scheduler settings in 'attr'\n"); display_sched_attr(policy, &param); s = pthread_attr_getinheritsched(&attr, &inheritsched); printf(" inheritsched is %s\n", (inheritsched == PTHREAD_INHERIT_SCHED) ? "INHERIT" : (inheritsched == PTHREAD_EXPLICIT_SCHED) ? "EXPLICIT" : "???"); printf("\n"); } /* Create a thread that will display its scheduling attributes */ s = pthread_create(&thread, attrp, &thread_start, NULL); if (s != 0) handle_error_en(s, "pthread_create"); /* Destroy unneeded thread attributes object */ if (!use_null_attrib) { s = pthread_attr_destroy(&attr); if (s != 0) handle_error_en(s, "pthread_attr_destroy"); } s = pthread_join(thread, NULL); if (s != 0) handle_error_en(s, "pthread_join"); exit(EXIT_SUCCESS); } ```

This post even mentions the same permissions: pthread_create priority thread returns EPERM when run as root · Issue #410 · coreos/bugs · GitHub

I’ve also tried making the container privileged and restarting, but that did not help:

lxc config set c1 security.privileged true

jbcpollak · December 12, 2019, 4:44pm

ok, figured it out - it was a two step fix which is what make it tricky. First, you need to run the container in privileged mode, as I posted above:

lxc config set c1 security.privileged true

then stop and start the container. Then I was able to run my process as root (with sudo), and it worked fine. I could probably mess with the permissions inside the container to get this working as a regular user, but this is good enough for me.

If anyone cares, I found the C test program near the top of this thread useful for diagnostics: https://github.com/moby/moby/issues/22380

Run it as root - if permissions are denied, your container isn’t privileged
Once it works as root, your problem is within the container, sudo should help.