Rootless preempt-rt mode (Work in Progress) #918
base: master
Conversation
Signed-off-by: Damian Wrobel <[email protected]>
Signed-off-by: Damian Wrobel <[email protected]>
The code tries to unify the codebase for using FIFO_SCHED between root and non-root, as being root is not a prerequisite for setting the FIFO_SCHED scheduler policy (see capabilities(7)). Signed-off-by: Damian Wrobel <[email protected]>
Signed-off-by: Damian Wrobel <[email protected]>
Temporarily disable executing iptables. Signed-off-by: Damian Wrobel <[email protected]>
Also print out both linuxcnc_debug.txt and linuxcnc_print.txt in case of failure. Signed-off-by: Damian Wrobel <[email protected]>
I don't know what's the point of protecting a system against a setuid binary but allowing a binary with cap_sys_rawio, but Linux security decisions are a land of contrasts.
It's been quite a while, but this might still be a good idea. Any comments?
It sounds like a great idea to reduce the privileges needed to run linuxcnc. Any hope to get this patch out of draft / work in progress mode?
Allows running linuxcnc in `preempt-rt` mode without root (setuid bit).

Benefits:

- `SCHED_FIFO` policy (on both rt and non-rt kernels),
- `CI` flow can use and test exactly the same code flow as will be used in production,
- `latency-test` (on modern hardware) should return much more reliable results on a non-rt kernel,
- `linuxcnc` in Fedora (see: setuid removal) and maybe other distros where `setuid` binaries are not welcome.

How to run it:

TODO list:

- `make setcap` target to set capabilities on `rtapi_app`,
- `iptables` in hm2_eth.c (it's much easier and more reliable to configure the rules using firewalld/NetworkManager, e.g. on Fedora >=32 firewalld switched from iptables to nftables backend),
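The probe below is an added example, not code from this PR or from LinuxCNC. It demonstrates the point the description and the "unify root and non-root" commit make: on Linux, SCHED_FIFO is authorised by CAP_SYS_NICE (capabilities(7)), or for an unprivileged thread by a non-zero soft RLIMIT_RTPRIO (sched(7)), so a file capability applied with `setcap cap_sys_nice+ep` lets the same `sched_setscheduler` code path succeed without the setuid bit. The binary name `rtprobe` and the CapEff-parsing helper are assumptions of mine; the bit number 23 for CAP_SYS_NICE comes from `<linux/capability.h>`.

```c
/* Added example (not LinuxCNC code): probe whether the calling process may
 * switch to SCHED_FIFO without being root.  capabilities(7) names
 * CAP_SYS_NICE as the capability that authorises realtime policies; sched(7)
 * also lets an unprivileged thread do so when its soft RLIMIT_RTPRIO is
 * non-zero.  Build and run (binary name is an assumption):
 *   cc -Wall -o rtprobe rtprobe.c && ./rtprobe
 *   sudo setcap cap_sys_nice+ep ./rtprobe && ./rtprobe
 */
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

#define CAP_SYS_NICE_BIT 23   /* CAP_SYS_NICE in <linux/capability.h> */

/* Find the "CapEff:" line of a /proc/<pid>/status text and report whether
 * capability `bit` is in the effective set.
 * Returns 1 if set, 0 if clear, -1 if the text has no CapEff line. */
int cap_eff_has(const char *status_text, int bit)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    /* strtoull skips the tab and parses the 64-bit hex mask. */
    uint64_t mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> bit) & 1u);
}

/* Same check against the live /proc/self/status of this process. */
int self_has_cap_sys_nice(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_eff_has(buf, CAP_SYS_NICE_BIT);
}

/* Try SCHED_FIFO at the lowest realtime priority on the calling thread.
 * Returns 0 on success, otherwise the errno from sched_setscheduler(2);
 * EPERM is the "no CAP_SYS_NICE and RLIMIT_RTPRIO is 0" case.
 * On success the thread is put back to SCHED_OTHER (always permitted)
 * so the probe never lingers with a realtime policy. */
int try_sched_fifo(void)
{
    struct sched_param sp = { .sched_priority = sched_get_priority_min(SCHED_FIFO) };
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0)
        return errno;
    struct sched_param normal = { .sched_priority = 0 };
    sched_setscheduler(0, SCHED_OTHER, &normal);
    return 0;
}

int main(void)
{
    struct rlimit rl = { 0, 0 };
    getrlimit(RLIMIT_RTPRIO, &rl);
    int cap = self_has_cap_sys_nice();
    int rc = try_sched_fifo();
    printf("uid=%u CAP_SYS_NICE=%d RLIMIT_RTPRIO(soft)=%lu -> SCHED_FIFO: %s\n",
           (unsigned)getuid(), cap, (unsigned long)rl.rlim_cur,
           rc == 0 ? "ok" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it once plain and once after `setcap`: the second run reports `ok` while `getuid()` is still non-zero, which is exactly the behaviour a `make setcap` target for `rtapi_app` relies on. For the real target, grant only the capabilities the binary actually needs; as the comment in this thread notes, a capability such as cap_sys_rawio is close to root and deserves the same scrutiny as the setuid bit it replaces.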