[PlanetCCRMA] FC14

Fernando Lopez-Lezcano nando at ccrma.Stanford.EDU
Fri Dec 31 11:32:47 PST 2010


On 12/31/2010 08:23 AM, Janina Sajka wrote:
> Fernando Lopez-Lezcano writes:
>> ... ... most probably you
>> have to add your user to the proper group to be able to get realtime
>> scheduling enabled. Hmmm, maybe I should add an extra package in Planet
>> CCRMA to enable all users (although some will complain about the
>> security risks of doing so).
>
> I've never understood those purported risks. Seems to me there's far
> more risk of inoperative systems than of actual privacy violations.

The risks (quite low IMHO) are related to the way realtime scheduling 
works. When a process acquires privileges to start executing in the 
realtime scheduling ring (SCHED_FIFO or SCHED_RR instead of the regular 
SCHED_OTHER), it owns the processor it is running on until it decides to 
relinquish it voluntarily. Normal SCHED_OTHER processes can get 
preempted by the scheduler even if they are not done with their work.

If the rt process does not yield the processor then that processor can't 
do anything else. It is, in a way, hung. If that happens on all 
processors the whole computer is "hung" (technically it is not, but it 
will be only running the rt processes and nothing else - I would not 
call that a "crash" although the user does not see the difference).

So, a program with a bug (or an intentional bad design) can hang the 
computer. This can lead to "denial of service" attacks where your 
computer stops responding and has to be reset due to a program that 
intentionally seeks to hang it.

If everybody can access this feature it opens the possibility of bugs 
(or intentional bad design) in any program in the computer (including 
all daemons) hanging the computer. If only a group of accounts has 
access to this feature then the risk is less.

That is the risk. As usual it is a tradeoff between convenience and 
security.

[BTW and to be more precise, the current realtime kernel does not allow, 
on purpose, for SCHED_FIFO processes to actually use up _all_ of a 
processor time, if I remember correctly usage is limited to 95% of the 
processor time so that you can recover from errant rt processes - that 
is also never mentioned in the context of security and DOS attacks]

> And, it also strikes me that there's some kind of heavy prejudice
> underlying it all. Everyone takes for granted the notion that a user
> who sits down at a computer will interact with a monitor, yet there's all
> kinds of falderal about who gets to hear audio from it. Am I alone in
> seeing a disconnect here?

No, you are not. I agree. In particular the warnings in the "Fedora 
Musician's Guide" against using realtime patched kernels are blown out 
of proportion, IMO. The paragraphs about security and stability fail to 
convey adequately the tradeoffs of using an rt patched kernel (ie: they 
concentrate on what can go wrong as opposed to the very big performance 
gains for professional audio you get out of it).

In particular they dedicate a whole paragraph warning users that CCRMA 
is small compared to Fedora (which is true) but they conveniently ignore 
the fact that the realtime patch is _not_ created at CCRMA, but is 
written, developed and debugged by kernel gurus (some employed full time 
by RedHat - a big enough company I presume - and other companies just to 
do realtime kernel development!). The guide also mentions that you 
should not run realtime processes in server machines because of the 
risks. Ha ha ha, very funny considering that the realtime patch is being 
sold by RedHat in their MRG product line for use in __servers__[*] and 
is being developed because of that reason (not because it benefits audio 
performance in workstations!). It is also right to say that if you buy 
that product you will get support from RedHat you can't get from CCRMA 
and a lot more quality control of the product. Doh!

So, yes, there are more risks. But it is necessary to be exposed to 
those risks if you intend to do low latency audio processing with any 
degree of confidence. As usual YMMV depending on your needs.

-- Fernando

[*] I understand it is being used for doing very fast transaction 
processing in the financial industry (ie: creating money out of nothing 
by gaming the stock markets a bit faster than others can).
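As an added illustration of the two knobs discussed above (my own example, not code from the post or from Planet CCRMA): a small Linux check that reports the kernel's realtime throttle (the 95% figure is the default of sched_rt_runtime_us=950000 over sched_rt_period_us=1000000, and -1 switches the throttle off) and the RLIMIT_RTPRIO ceiling an account inherits from its group through /etc/security/limits.conf. The "@audio - rtprio 95" line mentioned in the comments is an assumed example, not something quoted from the post.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Percentage (0..100) of each scheduling period that SCHED_FIFO/SCHED_RR tasks
 * may consume before the kernel forces them off the CPU. runtime_us == -1 means
 * the throttle is off (a stuck rt task keeps the CPU until it yields, the hang
 * described in the post); period_us <= 0 is invalid and yields -1. */
double rt_throttle_percent(long runtime_us, long period_us)
{
    if (period_us <= 0) return -1.0;
    if (runtime_us < 0 || runtime_us > period_us) return 100.0;
    return 100.0 * (double)runtime_us / (double)period_us;
}

/* Read one integer sysctl from /proc; 0 on success, -1 if unreadable. */
static int read_long(const char *path, long *out)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = (fscanf(f, "%ld", out) == 1);
    fclose(f);
    return ok ? 0 : -1;
}

/* Highest realtime priority this account may request without CAP_SYS_NICE, i.e.
 * what an assumed "@audio - rtprio 95" limits.conf line grants via group
 * membership. 0 means no realtime scheduling; -1 means not a Linux build. */
long rtprio_limit(void)
{
#ifdef RLIMIT_RTPRIO
    struct rlimit rl;
    if (getrlimit(RLIMIT_RTPRIO, &rl) != 0) return -1;
    return rl.rlim_cur == RLIM_INFINITY ? 99 : (long)rl.rlim_cur;
#else
    return -1;
#endif
}

int main(void)
{
    long runtime = 0, period = 0;
    if (read_long("/proc/sys/kernel/sched_rt_runtime_us", &runtime) == 0 &&
        read_long("/proc/sys/kernel/sched_rt_period_us", &period) == 0)
        printf("rt throttle: %ld us of %ld us = %.1f%% of each CPU\n",
               runtime, period, rt_throttle_percent(runtime, period));
    else
        printf("rt throttle sysctls not readable (not Linux?)\n");
    printf("max rtprio for this account: %ld\n", rtprio_limit());
    return 0;
}
```

Run it once as an ordinary user and once as a member of the realtime group to see the rtprio ceiling change; a throttle report of 100% means the recovery margin the post mentions is gone.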