moby: Setting sched_setscheduler for SCHED_FIFO in a container. Getting EPERM error.

I am trying to run a group of programs (all fairly old, originated in QNX 4/6, then ported to RHEL5/6) in a CentOS container. All call sched_setscheduler(). All fail.

All information I can find on the internet regarding why/what to do is wrong (as far as I can see) or outdated.

There should be some definitive guidance ‘somewhere’ regarding this.

I have previously posted to https://forums.docker.com/t/centos-based-container-unable-to-sched-setscheduler/9513. This is unanswered, so I thought I’d open it as a full bug report.

For initial development purposes I am working on my OS X El Capitan MacBook Pro, which is running the latest Toolbox 1.11.0. I am also running b2d under Parallels 11 Pro (fully up to date), rather than VirtualBox.

The parallels VM is started from the command line:

Bobs-MacBook-Pro:~ bob$ docker-machine start prl-dev
Bobs-MacBook-Pro:~ bob$ docker-machine env prl-dev
export DOCKER_TLS_VERIFY="1"
export DOCKER_HOST="tcp://10.211.55.11:2376"
export DOCKER_CERT_PATH="/Users/bob/.docker/machine/machines/prl-dev"
export DOCKER_MACHINE_NAME="prl-dev"
# Run this command to configure your shell: 
# eval $(docker-machine env prl-dev)
Bobs-MacBook-Pro:~ bob$ 

Consider the following trivial application:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>      /* getpid() */
#include <errno.h>
#include <sched.h>

int main(int ac, char *av[]) {
    /*********************\
     * set up scheduling *
    \*********************/

    struct sched_param sched;

    sched.sched_priority = 8;        /* set priority (SCHED_FIFO range is 1..99) */

    /* Request the real-time FIFO policy for this process; EPERM here is the symptom reported */
    if ( sched_setscheduler(getpid(), SCHED_FIFO, &sched) < 0 )
        fprintf(stderr, "SETSCHEDULER failed - err = %s\n", strerror(errno));
    else
        printf("Priority set to \"%d\"\n", sched.sched_priority);

    exit(0);
}

This fails thusly:

[root@8e1091098444 c]# cc ss.c 
[root@8e1091098444 c]# ./a.out 
SETSCHEDULER failed - err = Operation not permitted

I am uid==0:

[root@8e1091098444 c]# id
uid=0(root) gid=0(root) groups=0(root)

My compiler is the most recent (being freshly installed):

[root@8e1091098444 c]# cc -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) 
[root@8e1091098444 c]# 

Start information:

Bobs-MacBook-Pro:digscan bob$ docker run --rm --privileged --name digscan -p 6688:6688 digscan

Container information:

[root@8e1091098444 c]# cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m

[root@8e1091098444 c]# uname -a
Linux 8e1091098444 4.1.19-boot2docker #1 SMP Thu Apr 7 02:41:05 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@8e1091098444 c]# ulimit
unlimited
[root@8e1091098444 c]# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,34,35,36,37+eip
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,34,35,36,37
Securebits: 00/0x0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0

Version/Info output for reference:

Bobs-MacBook-Pro:~ bob$ eval $(docker-machine env prl-dev)
Bobs-MacBook-Pro:~ bob$ docker version
Client:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 18:13:28 2016
 OS/Arch:      darwin/amd64

Server:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 19:36:04 2016
 OS/Arch:      linux/amd64
Bobs-MacBook-Pro:~ bob$ docker info
Containers: 32
 Running: 1
 Paused: 0
 Stopped: 31
Images: 354
Server Version: 1.11.0
Storage Driver: aufs
 Root Dir: /mnt/sda1/var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 311
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: null host bridge
Kernel Version: 4.1.19-boot2docker
Operating System: Boot2Docker 1.11.0 (TCL 7.0); HEAD : 32ee7e9 - Wed Apr 13 20:06:49 UTC 2016
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 5.82 GiB
Name: prl-dev
ID: XZWP:5U7R:PXLY:GLDY:A2MB:AEOP:JKPX:ATZG:TQDM:GSUW:OSFV:RYDH
Docker Root Dir: /mnt/sda1/var/lib/docker
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 22
 Goroutines: 55
 System Time: 2016-04-28T01:33:20.563718565Z
 EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
 provider=parallels
Bobs-MacBook-Pro:~ bob$ 

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 38 (17 by maintainers)
Most upvoted comments

I’ve started working on patches to docker to support supplying rt_runtime_us and rt_period_us.

It occurred to me though, if you’re not concerned with allocating a specific amount of runtime to each container or cgroup, only access to real-time threads, you can either run --privileged or add the --cap-add=sys_nice capability. Then just disable CONFIG_RT_GROUP_SCHED in the kernel. This will fall back to /proc/sys/kernel/sched_rt_runtime_us to configure the total runtime for all realtime threads rather than having cgroup-specific allocations.

This would also explain why this ticket seems to affect some users but not others. This is likely based on whether or not CONFIG_RT_GROUP_SCHED is enabled. Example: grep CONFIG_RT_GROUP_SCHED /boot/config-$(uname -r), zcat /proc/config.gz | grep CONFIG_RT_GROUP_SCHED, etc.
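The two prerequisites named above (CAP_SYS_NICE in the effective set, and a non-zero real-time budget for the container's cgroup when CONFIG_RT_GROUP_SCHED is on) can be checked from inside the container before calling sched_setscheduler(). The following is an added diagnostic, not code from the issue or from moby; it assumes cgroup v1 mounted at /sys/fs/cgroup/cpu, and the sample CapEff value in the test is a constructed mask for Docker's default capability set, which lacks sys_nice.

```c
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_NICE 23  /* capability number from <linux/capability.h> */

/* Does a CapEff-style 64-bit mask (as printed in /proc/self/status) carry capability `cap`? */
int cap_mask_has(unsigned long long mask, int cap) {
    return (int)((mask >> cap) & 1ULL);
}

/* Read this process's effective capability mask; 0 on success, -1 if /proc is unavailable. */
int read_cap_eff(unsigned long long *mask) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", mask) == 1) { fclose(f); return 0; }
    fclose(f);
    return -1;
}

/* Read one integer from a sysctl or cgroup file; -1 if it cannot be read. */
long read_long_file(const char *path) {
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Try SCHED_FIFO at `prio`; on EPERM, report which prerequisite looks unmet.
 * Returns 0 on success, otherwise the errno value. */
int try_fifo(int prio) {
    struct sched_param sp = { .sched_priority = prio };
    unsigned long long caps = 0;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == 0) return 0;
    int err = errno;
    if (err == EPERM && read_cap_eff(&caps) == 0 && !cap_mask_has(caps, CAP_SYS_NICE))
        fprintf(stderr, "CAP_SYS_NICE missing (CapEff=%016llx): start with --cap-add=sys_nice\n", caps);
    else if (err == EPERM)   /* caps are fine, so look at the RT budget */
        fprintf(stderr, "cgroup cpu.rt_runtime_us=%ld, kernel.sched_rt_runtime_us=%ld "
                "(a cgroup value of 0 means CONFIG_RT_GROUP_SCHED gave this container no RT time)\n",
                read_long_file("/sys/fs/cgroup/cpu/cpu.rt_runtime_us"),  /* assumed v1 path */
                read_long_file("/proc/sys/kernel/sched_rt_runtime_us"));
    else
        fprintf(stderr, "sched_setscheduler: %s\n", strerror(err));
    return err;
}
```

Call try_fifo(8) in place of the raw sched_setscheduler() in the test program above to see which of the two conditions is failing in a given container.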