https://projects.osmocom.org/https://projects.osmocom.org/favicon.ico?16647414092019-07-15T06:56:50ZOpen Source Mobile CommunicationsCellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=151482019-07-15T06:56:50Zosmith
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-2 priority-default closed" href="/issues/3369">Bug #3369</a>: no automatic testing of Debian/Ubuntu packages</i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=166132019-12-01T09:38:00Zlaforge
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=197912020-10-01T14:42:26Zlaforge
<ul></ul><p>Programs like osmo-msc, osmo-sgsn, osmo-cbc, osmo-smlc, osmo-hlr have no real time requirements or special needs in terms of raw network sockets or tun devices. All of those should be executed as a normal, non-privileged user from the start. This could be done via the systemd unit files, or explicitly inside the osmocom programs via a privilege dropping approach.</p>
The only processes that need special privileges are (AFAICT):
<ul>
<li>osmo-gbproxy requires CAP_NET_RAW if IPPROTO_GTP sockets are required for FR/GRE/IP</li>
<li>osmo-trx, osmo-bts, osmo-pcu require CAP_SYS_NICE if SCHED_RR is to be used per command line argument (and is not done by e.g. systemd before starting it)</li>
<li>osmo-ggsn requires CAP_NET_ADMIN for setting up the gtp0/tun0 devices (unless this is done externally before starting it)</li>
<li>any program requires CAP_SYS_NICE if it uses the relatively new libosmocore/src/vty/cpu_sched_vty.c code to have user-configured scheduling</li>
</ul>
For those above, we basically have three possible strategies:
<ul>
<li>at least drop all privileges except those we really ever need in the specific program (CAP_NET_RAW / CAP_NET_ADMIN / CAP_SYS_NICE). We can first constrain the permitted capabilities using <code>cap_set_flag</code>, then use <code>prctl(PR_SET_KEEPCAPS, 1L)</code> to keep capabilities while changing from root to non-root, and then change the user ID / group ID. <a class="external" href="https://stackoverflow.com/a/13186076">https://stackoverflow.com/a/13186076</a> has a nice example</li>
<li>if it is sufficient to perform those privileged operations once on start-up, we could even drop those capabilities after performing the operations like creating netdev, binding socket, changing scheduler policy. This would mean that no subsequent changes can be made later on.</li>
</ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=197922020-10-01T14:42:37Zlaforge
<ul><li><strong>Assignee</strong> deleted (<del><i>osmith</i></del>)</li><li><strong>Priority</strong> changed from <i>Low</i> to <i>High</i></li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=200502020-10-20T15:09:23Zkeith
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-2 priority-default closed" href="/issues/4821">Bug #4821</a>: Update working dir in systemd unit files </i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=211142021-02-06T09:23:22Zlaforge
<ul><li><strong>Assignee</strong> set to <i>osmith</i></li></ul>IMHO, we should start by
<ul>
<li>create an osmocom user during package installation (if it doesn't exist yet)
<ul>
<li>alternatively call it osmo-cni if osmocom is deemed too generic</li>
</ul>
</li>
<li>modify the systemd.service files to run the processes as that user</li>
<li>modify /etc/osmocom and its contents to be owned by that user</li>
<li>modify /var/lib/osmocom (HLR + SMS databases) to be owned by that user</li>
</ul>
<p>For some programs, this is a no-brainer (e.g. BSC, MSC, SGSN)</p>
<p>For some others (TRX, BTS but possibly also MGW: SCHED_RR; GGSN: tun devices) we should work with capabilities, as described above.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=211432021-02-06T11:22:40Zlaforge
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-1 priority-lowest closed" href="/issues/2250">Bug #2250</a>: OpenGGSN requires to run as root for no apparent reason</i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=212142021-02-08T10:01:48Zosmith
<ul></ul><p>laforge wrote:</p>
<blockquote>
IMHO, we should start by
<ul>
<li>modify /etc/osmocom and its contents to be owned by that user</li>
</ul>
</blockquote>
<p>That's untypical - do we want the programs to be able to change their own configs?</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=212182021-02-08T11:35:14Zpespin
<ul></ul><p>osmith wrote:</p>
<blockquote>
<p>laforge wrote:</p>
<blockquote>
IMHO, we should start by
<ul>
<li>modify /etc/osmocom and its contents to be owned by that user</li>
</ul>
</blockquote>
<p>That's untypical - do we want the programs to be able to change their own configs?</p>
</blockquote>
<p>We should, otherwise the user cannot store back the running-config to the .cfg file through VTY command.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=247392022-08-24T14:35:31Zlaforge
<ul><li><strong>Assignee</strong> changed from <i>osmith</i> to <i>msuraev</i></li></ul><p>re-assigning to msuraev as this has been without progress for too long.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=247752022-08-29T13:06:15Zmsuraev
<ul></ul><p>osmith wrote in <a href="#note-8">#note-8</a>:</p>
<blockquote>
<p>That's untypical - do we want the programs to be able to change their own configs?</p>
</blockquote>
<p>Some configs in /etc have a non-root group. Assuming we also create an osmocom group, we can have /etc/osmocom owned by root:osmocom while /etc/osmocom/osmo.bsc.cfg is owned by osmocom:osmocom - that's similar to how transmission-daemon handles its config files.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=247872022-08-30T08:10:18Zmsuraev
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-2 priority-default" href="/issues/5669">Bug #5669</a>: Test .deb packages built by our OBS</i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=248042022-08-30T15:42:41Zmsuraev
<ul></ul><p>laforge wrote in <a href="#note-6">#note-6</a>:</p>
<blockquote>
<ul>
<li>modify /var/lib/osmocom (HLR + SMS databases) to be owned by that user</li>
</ul>
</blockquote>
<p>Once <a class="issue tracker-1 status-3 priority-2 priority-default closed" title="Bug: Update working dir in systemd unit files (Resolved)" href="https://projects.osmocom.org/issues/4821">#4821</a> is resolved, this point will be done automatically: systemd auto-adjusts the state dir permissions to match the unit's User=/Group= settings.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=248792022-09-09T14:52:36Zmsuraev
<ul></ul><p>To make sure no project is left behind let's summarize the current state</p>
<table>
<tr>
<th>Repo</th>
<th>Service</th>
<th>Status</th>
<th>Comment</th>
<th>Implementation</th>
</tr>
<tr>
<td>osmo-hlr</td>
<td> osmo-hlr </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-hlr/+/29311">https://gerrit.osmocom.org/c/osmo-hlr/+/29311</a></td>
</tr>
<tr>
<td>osmo-ggsn</td>
<td> osmo-ggsn </td>
<td> WIP </td>
<td>kernel GTP untested</td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-ggsn/+/29412">https://gerrit.osmocom.org/c/osmo-ggsn/+/29412</a></td>
</tr>
<tr>
<td>osmo-msc</td>
<td> osmo-msc </td>
<td>review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-msc/+/29709">https://gerrit.osmocom.org/c/osmo-msc/+/29709</a></td>
</tr>
<tr>
<td>osmo-gbproxy</td>
<td> osmo-gbproxy </td>
<td> WIP </td>
<td>FR HDLC untested</td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-gbproxy/+/29834">https://gerrit.osmocom.org/c/osmo-gbproxy/+/29834</a></td>
</tr>
<tr>
<td>osmo-bsc</td>
<td> osmo-bsc </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-bsc/+/29710">https://gerrit.osmocom.org/c/osmo-bsc/+/29710</a></td>
</tr>
<tr>
<td>osmo-mgw</td>
<td> osmo-mgw </td>
<td> WIP </td>
<td>SCHED_RR untested with TTCN3</td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-mgw/+/30094">https://gerrit.osmocom.org/c/osmo-mgw/+/30094</a></td>
</tr>
<tr>
<td>osmo-sgsn</td>
<td> osmo-sgsn </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-sgsn/+/29711">https://gerrit.osmocom.org/c/osmo-sgsn/+/29711</a></td>
</tr>
<tr>
<td>osmo-sgsn</td>
<td> osmo-gtphub </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-sgsn/+/29711">https://gerrit.osmocom.org/c/osmo-sgsn/+/29711</a></td>
</tr>
<tr>
<td>osmo-hnbgw</td>
<td> osmo-hnbgw </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-hnbgw/+/29712">https://gerrit.osmocom.org/c/osmo-hnbgw/+/29712</a></td>
</tr>
<tr>
<td>osmo-hnodeb</td>
<td> osmo-hnodeb </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-hnodeb/+/29713">https://gerrit.osmocom.org/c/osmo-hnodeb/+/29713</a></td>
</tr>
<tr>
<td>osmo-upf</td>
<td> osmo-upf </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-upf/+/29716">https://gerrit.osmocom.org/c/osmo-upf/+/29716</a></td>
</tr>
<tr>
<td>osmo-cbc</td>
<td> osmo-cbc </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-cbc/+/29717">https://gerrit.osmocom.org/c/osmo-cbc/+/29717</a></td>
</tr>
<tr>
<td>libosmo-sccp</td>
<td> osmo-stp </td>
<td> review </td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/libosmo-sccp/+/29722">https://gerrit.osmocom.org/c/libosmo-sccp/+/29722</a></td>
</tr>
<tr>
<td>osmo-bts</td>
<td> *-mgr </td>
<td> </td>
<td></td>
<td></td>
</tr>
<tr>
<td>osmo-bts</td>
<td> osmo-bts-* </td>
<td> WIP </td>
<td>only trx and virtual variants are updated</td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-bts/+/30133">https://gerrit.osmocom.org/c/osmo-bts/+/30133</a></td>
</tr>
<tr>
<td>osmo-pcu</td>
<td> osmo-pcu </td>
<td> WIP </td>
<td>SCHED_RR untested with TTCN3</td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-pcu/+/30132">https://gerrit.osmocom.org/c/osmo-pcu/+/30132</a></td>
</tr>
<tr>
<td>osmo-trx</td>
<td> osmo-trx-* </td>
<td>WIP </td>
<td>SCHED_RR untested with TTCN3</td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-trx/+/30131">https://gerrit.osmocom.org/c/osmo-trx/+/30131</a></td>
</tr>
<tr>
<td>osmo-pcap</td>
<td>osmo-pcap-*</td>
<td>review</td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-pcap/+/29724">https://gerrit.osmocom.org/c/osmo-pcap/+/29724</a></td>
</tr>
<tr>
<td>osmo-smlc</td>
<td>osmo-smlc</td>
<td>review</td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-smlc/+/29720">https://gerrit.osmocom.org/c/osmo-smlc/+/29720</a> </td>
</tr>
<tr>
<td>osmo-sip-connector</td>
<td>osmo-sip-connector</td>
<td>review</td>
<td></td>
<td><a class="external" href="https://gerrit.osmocom.org/c/osmo-sip-connector/+/29721">https://gerrit.osmocom.org/c/osmo-sip-connector/+/29721</a></td>
</tr>
<tr>
<td>osmo-python-tests</td>
<td> osmo-ctrl2cgi </td>
<td> WONTFIX </td>
<td>See comment in <a class="issue tracker-1 status-3 priority-2 priority-default closed" title="Bug: Update working dir in systemd unit files (Resolved)" href="https://projects.osmocom.org/issues/4821">#4821</a> </td>
<td></td>
</tr>
<tr>
<td>osmo-python-tests</td>
<td> osmo-trap2cgi </td>
<td> WONTFIX </td>
<td>See comment in <a class="issue tracker-1 status-3 priority-2 priority-default closed" title="Bug: Update working dir in systemd unit files (Resolved)" href="https://projects.osmocom.org/issues/4821">#4821</a> </td>
<td></td>
</tr>
</table>
<p>Have I missed anything?</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=248802022-09-09T15:01:36Zfixeria
<ul></ul><p>We may also want to run osmo-pcu with SCHED_RR.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=248812022-09-09T15:15:21Zpespin
<ul></ul><p>This may be of use to list the projects: <a class="external" href="https://osmocom.org/projects/cellular-infrastructure/wiki/Make_a_new_release#Dependency-graph">https://osmocom.org/projects/cellular-infrastructure/wiki/Make_a_new_release#Dependency-graph</a></p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249092022-09-18T13:35:21Zmsuraev
<ul></ul><p>The example code adding user/group is available in <a class="external" href="https://gerrit.osmocom.org/c/osmo-hlr/+/29311">https://gerrit.osmocom.org/c/osmo-hlr/+/29311</a></p>
The following tests were made:
<ul>
<li>clean install</li>
<li>upgrade from previous ("root") version</li>
<li>upgrade from previous ("user") version</li>
<li>writing config file via telnet</li>
<li>package uninstall</li>
<li>piuparts:<br /><code><br />sudo piuparts osmo-hlr_1.5.0_amd64.deb libosmo-gsup-client0_1.5.0_amd64.deb libosmo-mslookup0_1.5.0_amd64.deb libosmocore19_1.7.0_amd64.deb libosmogsm18_1.7.0_amd64.deb<br />...<br />PASS: Installation, upgrade and purging tests.<br /></code></li>
</ul>
<p>In general, a possible source of problems is mix-n-match between "root" and "user" packages where a "root" package is installed after the "user" one, overriding permissions and disabling read/write access to config files. I'm not sure if it's worth investing time into dealing with that - seems like coordinating the release so the root->user transition happens simultaneously is easier.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249102022-09-18T14:43:16Zmsuraev
<ul></ul><p>laforge wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<ul>
<li>osmo-ggsn requires CAP_NET_ADMIN for setting up the gtp0/tun0 devices (unless this is done externally before starting it)</li>
</ul>
</blockquote>
<p>At least for tun0 device we can install corresponding .network file in addition to .service with proper User/Group settings.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249112022-09-18T14:43:31Zmsuraev
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>10</i></li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249142022-09-19T02:09:42Zmsuraev
<ul></ul><p>How should we deal with .spec files? Shall I update those as well?</p>
<p>Creating user during package install is a distro-specific thing. Are there some other distros we care about?</p>
<p>What about OE?</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249152022-09-19T08:44:02Zosmith
<ul></ul><p>msuraev wrote in <a href="#note-20">#note-20</a>:</p>
<blockquote>
<p>How should we deal with .spec files? Shall I update those as well?</p>
<p>Creating user during package install is a distro-specific thing. Are there some other distros we care about?</p>
<p>What about OE?</p>
</blockquote>
<p>As I understand, the systemd files get adjusted to expect the user to exist, and these systemd files are used in the rpms and on OE too. So we would need to make sure that the user exists there as well or else the systemd services wouldn't work there anymore.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249172022-09-19T13:16:55Zmsuraev
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-4 priority-2 priority-default" href="/issues/5685">Bug #5685</a>: Dropping debian 10 (buster)</i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249212022-09-20T09:11:34Zmsuraev
<ul></ul><p>Do we have some kind of hierarchy with regards to realtime scheduling? Like "osmo-pcu should have higher priority than osmo-trx" and such?</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249222022-09-20T09:20:21Zpespin
<ul></ul><p><a class="user active" href="https://projects.osmocom.org/users/119">msuraev</a> I personally use:<br />osmo-trx-uhd.cfg: "policy rr 18" <br />osmo-bts-trx.cfg: "policy rr 1" <br />osmo-pcu.cfg: "policy rr 1"</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249272022-09-20T12:54:31Zlaforge
<ul></ul><p>On Tue, Sep 20, 2022 at 09:11:35AM +0000, msuraev wrote:</p>
<blockquote>
<p>Do we have some kind of hierarchy with regards to realtime scheduling? Like "osmo-pcu should have higher priority than osmo-trx" and such?</p>
</blockquote>
no, but I think for CNI it's relatively "obvious" to me:
<ul>
<li>osmo-trx should be higher than anything else</li>
<li>osmo-bts-* below osmo-trx</li>
<li>osmo-mgw below osmo-bts-*</li>
<li>osmo-pcu below osmo-bts-*</li>
<li>everything else isn't really timing critical.</li>
</ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249322022-09-20T14:21:38Zmsuraev
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-2 priority-default closed" href="/issues/5687">Bug #5687</a>: Document and implement realtime scheduling hierarchy</i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249352022-09-20T14:34:19Zpespin
<ul></ul><p><a class="user active" href="https://projects.osmocom.org/users/7">laforge</a> osmo-pcu now depends on getting FNs on time to calculate when to send stuff regarding scheduling, that's why I use same prio for osmo-bts and osmo-pcu.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249362022-09-20T14:44:32Zmsuraev
<ul></ul><p>Seems like it's not that obvious, so the topic deserves a ticket of its own - see <a class="issue tracker-1 status-5 priority-2 priority-default closed" title="Bug: Document and implement realtime scheduling hierarchy (Closed)" href="https://projects.osmocom.org/issues/5687">#5687</a>.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=249592022-09-24T01:50:06Zmsuraev
<ul></ul><p>Tested osmo-hlr.rpm built via <a class="external" href="https://obs.osmocom.org/project/show/home:msuraev:rpmtest">https://obs.osmocom.org/project/show/home:msuraev:rpmtest</a> on OpenSUSE Tumbleweed. User:Group are created as expected, the permissions are properly set during install time. The .rpm support matches that of .deb</p>
<p>Tested with:<br /><code><br />zypper ar https://people.osmocom.org/packages/home:/msuraev:/rpmtest/openSUSE_Tumbleweed/ osmo<br />zypper in osmo-hlr<br />getent passwd osmocom<br />getent group osmocom<br />ls -alh /etc/osmocom<br />ls -alh /etc/ | grep osmo<br /></code></p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=251052022-10-13T14:41:12Zmsuraev
<ul></ul><p>laforge wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<ul>
<li>osmo-gbproxy requires CAP_NET_RAW if IPPROTO_GTP sockets are required for FR/GRE/IP</li>
</ul>
</blockquote>
<p>Looking through the code I couldn't find where this is used. It's also unclear why gbproxy would require it but OsmoSGSN and OsmoGGSN wouldn't. Could you please clarify?</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=251612022-10-18T17:53:23Zlaforge
<ul></ul><p>msuraev wrote in <a href="#note-30">#note-30</a>:</p>
<blockquote>
<p>laforge wrote in <a href="#note-3">#note-3</a>:</p>
<blockquote>
<ul>
<li>osmo-gbproxy requires CAP_NET_RAW if IPPROTO_GTP sockets are required for FR/GRE/IP</li>
</ul>
</blockquote>
<p>Looking through the code I couldn't find where this is used. It's also unclear why gbproxy would require it but OsmoSGSN and OsmoGGSN wouldn't. Could you please clarify?</p>
</blockquote>
<p>osmo-gbproxy is the only network element that "officially" supports Gb over frame relay over E1. We use it to convert from legacy RAN/BSS Gb/FR/E1 to Gb/UDP/IP, so that the SGSN can use normal Gb/UDP/IP.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=251652022-10-18T19:51:57Zmsuraev
<ul></ul><p>laforge wrote in <a href="#note-31">#note-31</a>:</p>
<blockquote>
<p>osmo-gbproxy is the only network element that "officially" supports Gb over frame relay over E1. We use it to convert from legacy RAN/BSS Gb/FR/E1 to Gb/UDP/IP, so that the SGSN can use normal Gb/UDP/IP.</p>
</blockquote>
<p>What does that look like to Linux? Some specific network interface?</p>
<p>And how do we test it?</p>
<p>Would be nice to try and ensure it works instead of simply slapping CAP_NET_RAW and hoping it's enough.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=251662022-10-18T20:23:05Zlaforge
<ul></ul><p>hdlcX net device. There's a wiki page documenting this, including how to set up a virtual loop back device like we use in Jenkins testing. libosmogb simply uses AF_PACKET sockets, so CAP_NET_RAW should do the trick.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=251852022-10-21T17:43:48Zmsuraev
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-1 priority-1 priority-lowest" href="/issues/5722">Feature #5722</a>: Migrate jenkins build slaves from docker to podman</i> added</li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=252982022-11-04T16:24:01Zmsuraev
<ul><li><strong>% Done</strong> changed from <i>10</i> to <i>20</i></li></ul><p>Testing OsmoGGSN in user mode (non GTP mode) <a class="external" href="https://gerrit.osmocom.org/c/osmo-ggsn/+/29412/">https://gerrit.osmocom.org/c/osmo-ggsn/+/29412/</a> revealed the following:</p>
<p>pass GGSN_Tests.TC_pdp4_act_deact<br />pass GGSN_Tests.TC_pdp4_act_deact_ipcp<br />pass GGSN_Tests.TC_pdp4_act_deact_ipcp_pap_broken<br />pass GGSN_Tests.TC_pdp4_act_deact_pcodns<br />pass GGSN_Tests.TC_pdp4_act_deact_gtpu_access<br />pass->FAIL GGSN_Tests.TC_pdp4_clients_interact_with_txseq<br />pass->FAIL GGSN_Tests.TC_pdp4_clients_interact_without_txseq<br />pass GGSN_Tests.TC_pdp4_act_deact_with_single_dns<br />pass GGSN_Tests.TC_pdp4_act_deact_with_separate_dns<br />pass GGSN_Tests.TC_pdp6_act_deact<br />pass GGSN_Tests.TC_pdp6_act_deact_pcodns<br />pass GGSN_Tests.TC_pdp6_act_deact_icmp6<br />pass->FAIL GGSN_Tests.TC_pdp6_act_deact_gtpu_access<br />pass GGSN_Tests.TC_pdp6_clients_interact<br />pass GGSN_Tests.TC_pdp46_act_deact<br />pass GGSN_Tests.TC_pdp46_act_deact_ipcp<br />pass GGSN_Tests.TC_pdp46_act_deact_icmp6<br />pass GGSN_Tests.TC_pdp46_act_deact_pcodns4<br />pass GGSN_Tests.TC_pdp46_act_deact_pcodns6<br />pass GGSN_Tests.TC_pdp46_act_deact_gtpu_access<br />pass GGSN_Tests.TC_pdp46_clients_interact<br />pass GGSN_Tests.TC_pdp46_act_deact_apn4<br />pass GGSN_Tests.TC_echo_req_resp<br />pass GGSN_Tests.TC_pdp_act2_recovery<br />pass GGSN_Tests.TC_act_deact_retrans_duplicate<br />pass GGSN_Tests.TC_pdp_act_restart_ctr_echo<br />NEW: PASS GGSN_Tests.TC_pdp4_act_deact_gtpu_access_wrong_saddr<br />NEW: PASS GGSN_Tests.TC_pdp4_act_deact_gtpu_access_ipv6_apn4<br />NEW: PASS GGSN_Tests.TC_pdp4_act_update_teic<br />NEW: PASS GGSN_Tests.TC_pdp4_act_update_teid<br />NEW: PASS GGSN_Tests.TC_pdp6_act_deact_gtpu_access_wrong_ll_saddr<br />NEW: PASS GGSN_Tests.TC_pdp6_act_deact_gtpu_access_wrong_global_saddr<br />NEW: PASS GGSN_Tests.TC_pdp6_act_deact_gtpu_access_ipv4_apn6<br />NEW: PASS GGSN_Tests.TC_pdp46_act_deact_gtpu_access_wrong_saddr_ipv4<br />NEW: PASS GGSN_Tests.TC_pdp46_act_deact_gtpu_access_wrong_ll_saddr_ipv6<br />NEW: PASS GGSN_Tests.TC_pdp46_act_deact_gtpu_access_wrong_global_saddr_ipv6<br />NEW: PASS GGSN_Tests.TC_echo_req_resp_gtpu<br />NEW: FAIL 
GGSN_Tests.TC_lots_of_concurrent_pdp_ctx<br />NEW: FAIL GGSN_Tests.TC_addr_pool_exhaustion</p>
<p>Summary:<br /> pass->FAIL: 3<br /> NEW: FAIL: 2<br /> pass: 23<br /> NEW: PASS: 11</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=253632022-11-11T15:01:29Zmsuraev
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=253812022-11-13T18:58:45Zmsuraev
<ul><li><strong>% Done</strong> changed from <i>20</i> to <i>40</i></li></ul><p>Note: realtime scheduling can be verified for a service with <code>tuna --show_threads | grep RR</code></p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=257092022-12-05T17:06:37Zmsuraev
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Stalled</i></li></ul><p>Blocked by subtask.</p> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=283672023-10-31T09:34:01Zlaforge
<ul><li><strong>Assignee</strong> changed from <i>msuraev</i> to <i>osmith</i></li><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li></ul> Cellular Network Infrastructure - Feature #4107: Start systemd services as non-root userhttps://projects.osmocom.org/issues/4107?journal_id=286062023-11-22T18:08:32Zlaforge
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li></ul>
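<p>Added example, not part of the thread and not Osmocom code: the first strategy from note-3 (constrain the permitted set, <code>prctl(PR_SET_KEEPCAPS, 1L)</code>, change GID/UID, re-raise what is needed) written out in C. It uses the raw <code>capget</code>/<code>capset</code> syscalls in place of libcap's <code>cap_set_flag</code> so it builds without libcap; the function names are hypothetical, and <code>main()</code> assumes the proposed <code>osmocom</code> account exists and keeps CAP_NET_ADMIN as named for osmo-ggsn.</p>

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define CAP_BIT(c) (1ULL << (c))

/* Split 64-bit masks into the two 32-bit words used by the v3 capability ABI. */
void fill_caps(struct __user_cap_data_struct d[2], uint64_t permitted, uint64_t effective)
{
    for (int i = 0; i < 2; i++) {
        d[i].permitted = (uint32_t)(permitted >> (32 * i));
        d[i].effective = (uint32_t)(effective >> (32 * i));
        d[i].inheritable = 0; /* nothing is passed on across execve() */
    }
}

/* Set the calling thread's permitted and effective sets. */
int set_caps(uint64_t permitted, uint64_t effective)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    fill_caps(d, permitted, effective);
    return (int)syscall(SYS_capset, &h, d);
}

/* Read the calling thread's permitted and effective sets. */
int get_caps(uint64_t *permitted, uint64_t *effective)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &h, d) < 0)
        return -1;
    *permitted = ((uint64_t)d[1].permitted << 32) | d[0].permitted;
    *effective = ((uint64_t)d[1].effective << 32) | d[0].effective;
    return 0;
}

/* Switch from root to uid/gid while retaining only the capabilities in 'keep'. */
int drop_root_keep_caps(uid_t uid, gid_t gid, uint64_t keep)
{
    uint64_t tmp = keep | CAP_BIT(CAP_SETUID) | CAP_BIT(CAP_SETGID);
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    /* 1. Shrink the permitted set; SETUID/SETGID stay until the IDs are changed. */
    if (set_caps(tmp, tmp) < 0)
        return -1;
    /* 2. Without this flag the permitted set is cleared by the UID change. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)
        return -1;
    /* 3. Supplementary groups, then GID, then UID (the UID change comes last). */
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 ||
        setresuid(uid, uid, uid) < 0)
        return -1;
    /* 4. The UID change emptied the effective set: re-raise 'keep', drop the rest. */
    if (set_caps(keep, keep) < 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
    /* 5. Regaining root must now fail. */
    return setuid(0) == 0 ? -1 : 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("osmocom"); /* assumed account name */
    uint64_t p, e;
    if (geteuid() != 0 || !pw) {
        fprintf(stderr, "run as root with an existing 'osmocom' user\n");
        return 1;
    }
    if (drop_root_keep_caps(pw->pw_uid, pw->pw_gid, CAP_BIT(CAP_NET_ADMIN)) < 0 ||
        get_caps(&p, &e) < 0) {
        perror("privilege drop");
        return 1;
    }
    printf("uid=%d permitted=%#llx effective=%#llx\n", (int)getuid(),
           (unsigned long long)p, (unsigned long long)e);
    return 0;
}
```

<p>Capability sets are per-thread, so a routine like this has to run before the program creates any threads.</p>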