[re-adding the list]

On 09.05.21 13:06, Marco Barletta wrote:
> Yes, of course.
> I attached "test3.c", which is a basic POSIX periodic task rip-off I found on
> the web by Marc Le Douarain. I couldn't test with smokey since, to the
> best of my knowledge, it doesn't handle periodic tasks with timers.
> Then I launched Docker with "docker run -itd --name containerName
> --volume=/usr/xenomai:/usr/xenomai --volume=/[folder with
> programs]:/home/test --user 1000:1000 --device=/dev/rtdm:/dev/rtdm
> ubuntu /bin/bash" and then I ran the periodic task in the container. It
> just blocks on waitsiginfo. Moreover, I want to point out that with
> --pid=host everything is fine, but that can only be a workaround due to
> security issues. I don't think you're interested in a server to
> translate PIDs between namespaces either; the syscall just fails, that is
> the wrong way. It would be great to add namespace support, and I could
> contribute to it, although my experience is limited.
You could already help with adding the information and test case to https://gitlab.com/Xenomai/xenomai-hacker-space/-/issues/19 that I just created.

One note, though, to avoid the illusion of security: you cannot confine Xenomai by putting it into a namespace. It remains a set of privileged services that can easily be used to lock up the system. Also, its APIs are not consistently checked with respect to security loopholes that could be used for privilege escalation. That's also why you need CAP_SYS_NICE as caller or have to be in the 'allowed_group'.

However, I would still consider namespace support a valid feature in order to use containers as a deployment tool for Xenomai applications.

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
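Marco's test3.c is not included in the thread. The following is an added example, not the original attachment and not Xenomai project code: a minimal plain-POSIX periodic task of the kind he describes, built from timer_create(2), a periodic CLOCK_MONOTONIC timer delivering SIGRTMIN, and sigwaitinfo(2) as the blocking point (the call Marco refers to as waitsiginfo). The function name run_periodic and its parameters are this example's own choices. It uses only glibc, so it runs without Xenomai; under Xenomai the same calls would go through libcobalt, and this wait is where Marco reports the task blocking inside the container.

```c
/* Minimal POSIX periodic task (added example, not test3.c from the thread).
 * A CLOCK_MONOTONIC interval timer delivers SIGRTMIN; the task blocks in
 * sigwaitinfo() until each period fires. Plain POSIX/glibc, no Xenomai. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PERIOD_SIG SIGRTMIN

/* Run `periods` cycles of `period_ns` nanoseconds each.
 * Returns the number of periods completed, or -1 on error (errno set).
 * If `overruns_out` is non-NULL it receives the total number of timer
 * overruns reported by the kernel, i.e. ticks that were missed because the
 * task was late coming back to sigwaitinfo(). */
int run_periodic(int periods, long period_ns, int *overruns_out)
{
    sigset_t set;
    timer_t timer;
    struct sigevent sev;
    struct itimerspec its;
    siginfo_t si;
    int done = 0, overruns = 0, ret = -1;

    /* Block the signal before arming the timer so it is queued for
     * sigwaitinfo() instead of taking its default action (termination). */
    sigemptyset(&set);
    sigaddset(&set, PERIOD_SIG);
    if (sigprocmask(SIG_BLOCK, &set, NULL) != 0)
        return -1;

    memset(&sev, 0, sizeof sev);
    sev.sigev_notify = SIGEV_SIGNAL;
    sev.sigev_signo = PERIOD_SIG;
    if (timer_create(CLOCK_MONOTONIC, &sev, &timer) != 0)
        goto out_unblock;

    /* Same value for first expiry and interval: a periodic, not one-shot, timer. */
    its.it_value.tv_sec = period_ns / 1000000000L;
    its.it_value.tv_nsec = period_ns % 1000000000L;
    its.it_interval = its.it_value;
    if (timer_settime(timer, 0, &its, NULL) != 0)
        goto out_delete;

    while (done < periods) {
        /* Blocking point of the task: sleep until the next tick arrives. */
        if (sigwaitinfo(&set, &si) < 0) {
            if (errno == EINTR)
                continue;
            goto out_delete;
        }
        if (si.si_code != SI_TIMER)
            continue;                 /* some other sender of SIGRTMIN */
        overruns += timer_getoverrun(timer);
        done++;
    }
    ret = done;
    if (overruns_out)
        *overruns_out = overruns;

out_delete:
    timer_delete(timer);
out_unblock:
    sigprocmask(SIG_UNBLOCK, &set, NULL);
    return ret;
}

int main(void)
{
    int overruns = 0;
    /* 5 periods of 10 ms: trivially schedulable on an idle machine. */
    int n = run_periodic(5, 10L * 1000 * 1000, &overruns);
    if (n < 0) {
        perror("run_periodic");
        return 1;
    }
    printf("completed %d periods, %d overruns\n", n, overruns);
    return 0;
}
```

Two details matter for anyone reproducing Marco's setup with this skeleton: the signal must be blocked before timer_create() or the first tick kills the process, and a non-zero overrun count is the evidence that the task missed a deadline rather than merely ran late. A hang in sigwaitinfo() with zero completed periods, as opposed to a failed timer_create() or timer_settime(), is what "blocks on waitsiginfo" looks like from the outside.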