Checking for Linux capabilities to set thread priority

Question

I have a C++ application that uses pthread_setschedparam() to set thread priority. Inside a docker container this fails with EPERM.

How can I detect if my process has the necessary capabilities to set thread priority ?

Answer 1

The correct way to check is simply to try it and see if you get the EPERM error. For one thing, LSMs can set arbitrary rules on the allowable scheduler changes.

So the right thing to do is probably just to log a warning (once!) when this happens.

Answer 2

I guess your C++ application can able to set the thread priority because on host it has the required linux capability cap_sys_nice

All the linux capabilities on host can be figured out using this command capsh --print

Here inside docker conatiner you need to set this capability using --cap-add option.

docker run -it --rm --cap-add SYS_NICE ubuntu bash

If it didn't worked try this

docker run -it --rm --userns host --cap-add SYS_NICE ubuntu bash

Since there might be some issue without --userns option as mentioned here https://github.com/moby/moby/issues/25622

Worst case: If any of this didn't works then try to run container with --privileged option, this will add all the linux capabilities to this container, though it is not recommended.

Give it a try.

Answer 3

In the man of pthread_setschedparam() it states:

For a description of the permissions required to, and the effect of, changing a thread's scheduling policy and priority, and details of the permitted ranges for priorities in each scheduling policy, see sched(7).

In the man of sched it state among other things:

A thread must be privileged (CAP_SYS_NICE) in order to set or modify a SCHED_DEADLINE policy

For more information you can look at http://man7.org/linux/man-pages/man7/sched.7.html