Unable to run docker container which has CPP code pthread_setschedparam() - c++

I have a docker container, which has CPP code in it.
void SetRealtimeThreadPriority()
{
    sched_param const param{ThreadPriorities::Priority()};
    int result = pthread_setschedparam(pthread_self(), ThreadPriorities::Policy(), &param);
    printf("SetRealtimeThreadPriority - result checked for assertion %d \n", result);
    assert(result == 0); (void) result;
}
When I run the exe which has this code on an Ubuntu machine it works fine, and the result printed is 0 (zero). But when I run it in a container, the assert fails.
I have gone through multiple threads, man pages, docker run documentation and articles and tried running the container with the options below, but no luck.
docker run -it --rm --cap-add SYS_NICE MyContainer
docker run --cap-add=ALL --privileged MyContainer
docker run --cap-add=ALL MyContainer
docker run -it --rm --userns host --cap-add SYS_NICE MyContainer
How can I debug this issue? I'm running Docker on WSL Ubuntu 16.04.

You could insert some code. Perhaps you can tell what is different? For example, #include <sys/capability.h>, and link with ... -lcap, put this:
std::cout << cap_to_text(cap_get_proc(), NULL) << std::endl;
just before the call to pthread_setschedparam(2). Does it display something different inside and outside the container?
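
Added example (not part of the original answer or the asker's code): a libcap-free variant of the check suggested above, which reads CapEff from /proc/self/status, looks at RLIMIT_RTPRIO, and classifies the pthread_setschedparam() return value. The function names are hypothetical, and SCHED_FIFO with priority 1 is an assumption standing in for the ThreadPriorities values.

```cpp
// Added diagnostic, not the asker's code; function names are hypothetical.
#include <pthread.h>
#include <sys/resource.h>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <sstream>
#include <string>

constexpr int kCapSysNice = 23;  // CAP_SYS_NICE bit in <linux/capability.h>

// Pull the effective capability mask out of /proc/<pid>/status text.
bool parse_cap_eff(const std::string& status, std::uint64_t& mask) {
    std::istringstream in(status);
    for (std::string line; std::getline(in, line);) {
        if (line.rfind("CapEff:", 0) == 0) {
            mask = std::stoull(line.substr(7), nullptr, 16);
            return true;
        }
    }
    return false;
}

bool has_cap(std::uint64_t mask, int cap) { return ((mask >> cap) & 1) != 0; }
// Interpret the return value of pthread_setschedparam() (an errno code, not -1).
std::string explain(int rc, bool sys_nice, rlim_t rtprio, int wanted) {
    if (rc == 0) return "ok";
    if (rc != EPERM) return std::string("other: ") + std::strerror(rc);
    bool rlimit_ok = rtprio == RLIM_INFINITY || rtprio >= static_cast<rlim_t>(wanted);
    if (!sys_nice && !rlimit_ok) return "EPERM: no CAP_SYS_NICE, RLIMIT_RTPRIO too low";
    // Assumption to verify: kernels with CONFIG_RT_GROUP_SCHED also need a cgroup RT budget.
    return "EPERM despite privilege: check the cgroup real-time budget";
}

int main() {
    std::ifstream f("/proc/self/status");
    std::stringstream ss;
    ss << f.rdbuf();
    std::uint64_t mask = 0;
    parse_cap_eff(ss.str(), mask);
    rlimit rl{};
    getrlimit(RLIMIT_RTPRIO, &rl);
    sched_param p{};
    p.sched_priority = 1;  // assumed priority: lowest SCHED_FIFO level
    int rc = pthread_setschedparam(pthread_self(), SCHED_FIFO, &p);
    std::printf("CapEff=%016llx rc=%d: %s\n", (unsigned long long)mask, rc,
                explain(rc, has_cap(mask, kCapSysNice), rl.rlim_cur, 1).c_str());
}
```

Run it on the host and inside the container and compare the printed lines.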

Related

AppImage and CAP_SYS_BOOT using setcap: ./app.AppImage differs in [pe]

I am trying to grant reboot capability to my appimage using setcap. Using following command on a simple application (all it does is to reboot the machine) works, however it does not work with my actual app's appimage.
Both applications essentially do the same thing for rebooting:
sync();
if (reboot(RB_AUTOBOOT) == -1) {
    // handle errno
}
(In case you want to try the code, include <unistd.h> and <sys/reboot.h>)
Output with minimal test app:
sudo setcap -v cap_sys_boot+ep ./main
./main: OK
Output with appimage:
sudo setcap -v cap_sys_boot+ep ./app.AppImage
./app.AppImage differs in [pe]
Any idea what I can do?

Simple C++ exe std::cout not showing when running within windows container servercore

Some container 101 here please. I can't see messages written to std::cout in the console like I would expect, when it's run in a Windows Server Core container. I've tried the same scenario with a C# console app and it outputs, unlike the example below. I feel that narrows it down to something on the C++ side of things.
The code
#include <iostream>
int main()
{
    std::cout << "Hello World\n";
}
The Dockerfile
FROM mcr.microsoft.com/windows/servercore:ltsc2019
ADD Debug/ /
ENTRYPOINT [ "cmd.exe" ]
The commands
docker build -t cppnet .
docker run -it cppnet
The results, first running in the container and second running locally

C++ print line not printing to console in Docker container

I've got a very basic proof-of-concept C++ application, shown below:
#include <iostream>
int main()
{
    std::cout << "test" << std::endl;
    return 0;
}
When this is run locally, it prints test to the Console, as expected. However, when run on a Docker container, nothing is printed.
I'm using microsoft/windowsservercore for my container. Since this is still proof-of-concept, my Dockerfile consists of copying the exe of my C++ application into the image, and then I'm manually running it interactively.
Am I missing something that prevents C++ applications from printing to the console inside of a Windows Docker image?
Dockerfile:
FROM microsoft/windowsservercore
COPY ./Resources /
Resources folder contains only the exe of the C++ application
Docker command:
docker run --rm -it proofconcept:latest, where proofconcept is the name given during build

How to execute complex linux commands in Qt? [duplicate]

I want to restart the computer by running a command in linux using QProcess. I have hard-coded my root password in my application.
When I run the following in a terminal it works perfectly:
echo myPass | sudo -S shutdown -r now
When I put the command in a shell script and call it via QProcess it is also successful:
QProcess process;
process.startDetached("/bin/sh", QStringList()<< "myScript.sh");
But I cannot run it by directly passing it to QProcess:
process.startDetached("echo myPass | sudo -S shutdown -r now ");
It will just print myPass | sudo -S shutdown -r now
How is it possible to run such relatively complex commands directly using QProcess (not putting them in a shell script)?
The key methods that exist for this purpose in QProcess are:
void QProcess::setProcessChannelMode(ProcessChannelMode mode)
and
void QProcess::setStandardOutputProcess(QProcess * destination)
Therefore, the following code snippet would be the equivalent of command1 | command2 without limiting yourself to one interpreter or another:
QProcess process1;
QProcess process2;
// Connect process1's standard output to process2's standard input
process1.setStandardOutputProcess(&process2);
// The channel mode has to be set before the process is started
process2.setProcessChannelMode(QProcess::ForwardedChannels);
process1.start("echo myPass");
process2.start("sudo -S shutdown -r now");
// Wait for it to start
if (!process1.waitForStarted())
    return 0;
QByteArray buffer;
// To be fair: you only need to wait here for a bit with shutdown,
// but I will still leave the rest here for a generic solution.
// waitForFinished() returns false once the process has already finished,
// so it is called once rather than in a loop.
bool retval = process2.waitForFinished();
buffer.append(process2.readAll());
if (!retval) {
    qDebug() << "Process 2 error:" << process2.errorString();
    return 1;
}
You could drop the sudo -S part because you could run this small program as root, as well as setting up the rights. You could even set setuid or setcap for the shutdown program.
What we usually do when building commercial Linux systems is to have a minimal application that can get setuid or setcap for the activity it is trying to do, and then we call that explicitly with system(3) or QProcess on Linux. Basically, I would write that small application to avoid giving full root access to the whole application, so as to restrict the access rights against malicious use, as follows:
sudo chmod u+s /path/to/my/application
First, you could configure sudo to avoid asking you the password. For instance by being member of the sudo group and having the line
%sudo ALL=NOPASSWD: ALL
in your /etc/sudoers file. Of course not asking the password lowers the security of your system.
To answer your question about Qt, remember that bash(1), like all POSIX shells, hence /bin/sh, accepts the -c argument with a string (actually system(3) is forking a /bin/sh -c). So just execute
process.startDetached("/bin/sh", QStringList()<< "-c"
<< "echo myPass | sudo -S shutdown -r now");
As AntiClimacus answered, putting your root password inside an executable is a bad idea.
You must put your command in a shell script and execute sh or bash with QProcess with your shell script as argument, because your command contains |, which must be interpreted by sh or bash.
However, it's just my opinion, but: I don't think it is a good solution to do what you are doing, i.e. include your root password in an executable.

running git 'post-receive' hook with setuid fails

I have a git repository that needs to run a post-receive hook as sudo. The binary that I compiled to test this looks like:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main() {
    int ret;
    ret = setuid(geteuid());
    /* setuid() returns 0 on success and -1 on failure */
    if (ret != 0) {
        fprintf(stderr, "error setting uid %d \n", ret);
    }
    system("[...command only sudo can access...]");
    return 0;
}
The geteuid() retrieves the owner id of post-receive, then tries to setuid. When running this with any user (including the super user) it runs the script correctly as root. However, when triggered by the git hook the systems fail to set the uid. I have tried running chmod u+s post-receive. I also tried some other configurations, but I am running out of ideas. Any reason why it would work in all cases except when git triggers it?
btw, platform Ubuntu Server 9.04 (2.6.28-15), git 1.6.0.4, gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)
The file system where the git repo is stored may be mounted with the nosuid option
If you are pushing over ssh the suid capability may be disabled for commands invoked with ssh (no CAP_SETUID)
In any case, what you are trying to do is very inadvisable.
Run your program as a daemon.
Wait for input on a socket/named pipe/msgq.
In the hook, send a message to your daemon with whatever info it needs to perform the operation.
If needed, send a message back to the hook with status.
This will likely be easier to manage and secure properly.
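
Added example (not from the answer above): the daemon side of the hook-to-daemon design, handling one request on a Unix socket. It assumes Linux SO_PEERCRED, a hypothetical function name serve_one, an allow-list of action names chosen by the operator, and short requests that arrive in a single read.

```cpp
// Added sketch, not from the answer: the daemon side of one hook request.
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <set>
#include <string>

// Handle one connection from the hook. Returns the accepted action name, or ""
// when the request is refused. The caller maps that name to a fixed operation;
// nothing received from the socket is ever passed to a shell.
std::string serve_one(int fd, uid_t hook_uid, const std::set<std::string>& allowed) {
    auto reply = [fd](const char* s, size_t n) { return write(fd, s, n) == (ssize_t)n; };

    // Ask the kernel who is on the other end (Linux SO_PEERCRED).
    ucred peer{};
    socklen_t len = sizeof peer;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peer, &len) != 0 || peer.uid != hook_uid) {
        reply("denied\n", 7);
        return "";
    }

    // Read one short newline-terminated line; oversized or unterminated input is refused.
    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf);
    if (n <= 0 || buf[n - 1] != '\n') {
        reply("denied\n", 7);
        return "";
    }
    std::string action(buf, n - 1);

    // Only exact matches against the allow-list are accepted.
    if (allowed.count(action) == 0) {
        reply("denied\n", 7);
        return "";
    }
    reply("ok\n", 3);
    return action;
}
```

The hook connects to the daemon's socket as its own unprivileged user and sends only an action name, so the privileged process never runs text supplied by the push.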
try running your program from the command prompt
Try writing a bootstrap script. ie
#!/usr/bin/sh
./your_program
Then make the script the hook.