Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

realtime: add --realtime to setup #706

Closed
wants to merge 1 commit into from
Closed

realtime: add --realtime to setup #706

wants to merge 1 commit into from

Conversation

dougsland
Copy link
Collaborator

@dougsland dougsland commented Jan 19, 2025
edited
Loading

By default realtime is False but users
will have the option to set it to True
via setup --realtime

@dougsland dougsland force-pushed the realtime branch 6 times, most recently from 36ea309 to a4a6ecf Compare January 19, 2025 15:20
@dougsland
realtime: add --realtime to setup
ff98496 
By default realtime is False but users
will have the option to set it to True
user setup --realtime

Signed-off-by: Douglas Schilling Landgraf <[email protected]>
@dougsland
Copy link
Collaborator Author

error not related to the patch:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   319  100   319    0     0   1556      0 --:--:-- --:--:-- --:--:--  1556
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  2809  100  2809    0     0  14784      0 --:--:-- --:--:-- --:--:-- 14784
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-D directory] [-g group]
            [-h host] [-p prompt] [-R directory] [-T timeout] [-u user]
            [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group]
            [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
Trying to pull quay.io/centos-sig-automotive/automotive-image-builder:latest...
Getting image source signatures
Copying blob sha256:cc4a0d118bd21b76a297efe03b219e2a0a9e5bfe29eee35b02b469a6846f1e17
Copying blob sha256:5660300c46234056c00c3564e56111f1128f9228c65f076ae5141aaa60b646fc
Copying blob sha256:9fdcce0ee04af5b227df8a635d44b34cdb3fd75500ab7148ef3b33ca0a4cde76
Copying config sha256:266354bd08adb487aa2e90b885835011f1b4c27ab7d7c895268f7688d5b5cabd
Writing manifest to image destination
Error: host directory cannot be empty
Shared connection to 3.132.214.112 closed.

@dougsland
Copy link
Collaborator Author

@mkemel @Yarboa ^

@Yarboa
Copy link
Collaborator

Yarboa commented Jan 19, 2025

error not related to the patch:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   319  100   319    0     0   1556      0 --:--:-- --:--:-- --:--:--  1556
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  2809  100  2809    0     0  14784      0 --:--:-- --:--:-- --:--:-- 14784
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-D directory] [-g group]
            [-h host] [-p prompt] [-R directory] [-T timeout] [-u user]
            [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group]
            [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
Trying to pull quay.io/centos-sig-automotive/automotive-image-builder:latest...
Getting image source signatures
Copying blob sha256:cc4a0d118bd21b76a297efe03b219e2a0a9e5bfe29eee35b02b469a6846f1e17
Copying blob sha256:5660300c46234056c00c3564e56111f1128f9228c65f076ae5141aaa60b646fc
Copying blob sha256:9fdcce0ee04af5b227df8a635d44b34cdb3fd75500ab7148ef3b33ca0a4cde76
Copying config sha256:266354bd08adb487aa2e90b885835011f1b4c27ab7d7c895268f7688d5b5cabd
Writing manifest to image destination
Error: host directory cannot be empty
Shared connection to 3.132.214.112 closed.

@mkemel PTAL

@Yarboa
Copy link
Collaborator

Yarboa commented Jan 19, 2025

By default realtime is False but users will have the option to set it to True via setup --realtime

Can you elaborate on that?
Why seccomp and realtime? should be related?

@dougsland
Copy link
Collaborator Author

By default realtime is False but users will have the option to set it to True via setup --realtime

Can you elaborate on that? Why seccomp and realtime? should be related?

the system calls sched_* cannot be blocked.

@dougsland
Copy link
Collaborator Author

@alexlarsson PTAL

@mkemel
Copy link
Contributor

mkemel commented Jan 20, 2025

/packit retest-failed

@packit-as-a-service Packit-as-a-Service
Copy link

Account mkemel has no write access nor is author of PR!

@mkemel
Copy link
Contributor

mkemel commented Jan 20, 2025

Reproduced it locally, looking

@alexlarsson
Copy link
Collaborator

I don't think this change is right, for a few reasons:

  1. It always disables the realtime limit when using the rpm package without setup, and this is our primary deployment mechanism.
  2. It tightly ties the seccomp file to the realtime scheduler option, which limits our ability to use the seccomp file for other things in qm in the future while still allowing options on realtime.
  3. It doesn't allow changing this option easily at a later time (i.e. by just changing an option in qm.container)

I think we should instead:

  1. Always generate the rewritten seccomp policy, but call the file /usr/share/qm/seccomp-no-rt.json or something like that.
  2. By default, set SeccompProfile=usr/share/qm/seccomp-no-rt.json in qm.conf
  3. Allow overriding SeccompProfile by the end user. I think setting it to nothing might make it pick the default, or otherwise you'd have to change it to /usr/share/containers/seccomp.json

@dougsland
Copy link
Collaborator Author

I don't think this change is right, for a few reasons:

  1. It always disables the realtime limit when using the rpm package without setup, and this is our primary deployment
    mechanism.
  2. It tightly ties the seccomp file to the realtime scheduler option, which limits our ability to use the seccomp file for other things in qm in the future while still allowing options on realtime.
  3. It doesn't allow changing this option easily at a later time (i.e. by just changing an option in qm.container)

I think we should instead:

  1. Always generate the rewritten seccomp policy, but call the file /usr/share/qm/seccomp-no-rt.json or something like that.
  2. By default, set SeccompProfile=usr/share/qm/seccomp-no-rt.json in qm.conf
  3. Allow overriding SeccompProfile by the end user. I think setting it to nothing might make it pick the default, or otherwise you'd have to change it to /usr/share/containers/seccomp.json

@alexlarsson probably just a documentation instead?

@mkemel
Copy link
Contributor

mkemel commented Jan 20, 2025

The problem is with running auto-image-builder.sh as root, following a new change to the script introduced last week.
Created a merge request to fix it
https://gitlab.com/CentOS/automotive/sample-images/-/merge_requests/582
@michalskrivanek PTAL

@dougsland
Copy link
Collaborator Author

The problem is with running auto-image-builder.sh as root, following a new change to the script introduced last week. Created a merge request to fix it https://gitlab.com/CentOS/automotive/sample-images/-/merge_requests/582 @michalskrivanek PTAL

Thanks @mkemel

@alexlarsson
Copy link
Collaborator

I don't think this change is right, for a few reasons:

  1. It always disables the realtime limit when using the rpm package without setup, and this is our primary deployment
    mechanism.
  2. It tightly ties the seccomp file to the realtime scheduler option, which limits our ability to use the seccomp file for other things in qm in the future while still allowing options on realtime.
  3. It doesn't allow changing this option easily at a later time (i.e. by just changing an option in qm.container)

I think we should instead:

  1. Always generate the rewritten seccomp policy, but call the file /usr/share/qm/seccomp-no-rt.json or something like that.
  2. By default, set SeccompProfile=usr/share/qm/seccomp-no-rt.json in qm.conf
  3. Allow overriding SeccompProfile by the end user. I think setting it to nothing might make it pick the default, or otherwise you'd have to change it to /usr/share/containers/seccomp.json

@alexlarsson probably just a documentation instead?

Documentation, and rename the current seccomp file to make it clear that it has the "disallow rt" part added. We may then later add other seccomp file versions with a different name.

@dougsland
Copy link
Collaborator Author

/packit retest-failed

@dougsland
Copy link
Collaborator Author

I am not going to forward with this patch, going to write a documentation. Just testing if @mkemel patch made the trick in CI/CD.

@Yarboa
Copy link
Collaborator

Yarboa commented Jan 21, 2025
edited
Loading

  1. en seccomp polic

@dougsland, MHO @alexlarsson suggestion has strong points
suggest to have another seccomp file like the current one should be renamed to
/usr/share/qm/seccomp-no-rt.json

And for rt, install /usr/share/qm/seccom-rt.json
Or for other use cases that will arrive in the future
Anyway one file used for setup script or for autosd

@dougsland dougsland closed this Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhatdan rhatdan Awaiting requested review from rhatdan rhatdan is a code owner

@lsm5 lsm5 Awaiting requested review from lsm5 lsm5 is a code owner

@Yarboa Yarboa Awaiting requested review from Yarboa Yarboa is a code owner

@sandrobonazzola sandrobonazzola Awaiting requested review from sandrobonazzola sandrobonazzola is a code owner

@nsednev nsednev Awaiting requested review from nsednev nsednev is a code owner

@aesteve-rh aesteve-rh Awaiting requested review from aesteve-rh aesteve-rh is a code owner

@pengshanyu pengshanyu Awaiting requested review from pengshanyu pengshanyu is a code owner

@kleinffm kleinffm Awaiting requested review from kleinffm kleinffm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dougsland @Yarboa @mkemel @alexlarsson