<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Sorry, I did not use the utility named ‘runas’ I simply labeled the column that way and was trying to conserve character space in the header to get it to fit in a reasonable space.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Anyway, thanks to your post and some research I just changed my FS unit file to start FS as user root, but specified –u freeswitch –g freeswitch on the command line to FS, and changed the WorkingDirectory=/usr/local/freeswitch/bin (it had been set to ‘run’) and it’s doing the Right Thing, so that is what I will go with. I vaguely remember that FS can (should) start as root, then drops privileges to what is specified on the command line, so it looks like it is doing exactly that.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>‘top’ shows FS running as real and effective user ‘freeswitch’ with Priority=-2 and Nice=-10 so I am a happy camper.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If nobody on the FS core development team has any objection to this approach I will update the Confluence page for the systemd unit file for building from MASTER. The Debian packages have their own file locations.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="https://freeswitch.org/confluence/display/FREESWITCH/FreeSWITCH+1.6+Video#FreeSWITCH1.6Video-systemd">https://freeswitch.org/confluence/display/FREESWITCH/FreeSWITCH+1.6+Video#FreeSWITCH1.6Video-systemd</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Any security concerns doing this?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Bote<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Shaun Stokes<br><b>Sent:</b> Saturday, 05 September, 2015 03:18<br><b>Subject:</b> Re: [Freeswitch-users] FS priority<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Are you using FreeSwitch to specify the user to runas or is this being done by systemd? <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>In FreeSwitch you use the -u argument to specify the user and the -g argument to specify the group, if you do this then I assume running the service as root should be ok providing you've given FreeSwitch an alternative user and group (in our environment we use the same for user and group).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Shaun<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p><div><div class=MsoNormal align=center style='text-align:center'><span style='color:black'><hr size=2 width="100%" align=center></span></div><div id=divRpF364464><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> Bote Man </span><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'><br></span><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Sent:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> 05 September 2015 04:28<br><b>Subject:</b> Re: [Freeswitch-users] FS priority</span><span style='color:black'><o:p></o:p></span></p></div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>I'm not sure how much nice level matters compared to scheduler priority. I ran a series of tests to find out what Priority and Nice level are reported by the 'top' utility.<br><br>I ran the first 6 tests by using systemd to start FreeSWITCH, 3 times as user root with each of the FS priority flags, then 3 times as user freeswitch with each of the FS flags. Then I repeated that block of tests from the command line, 3 flags as root, 3 flags as freeswitch. You won't believe what happened next!<br><br>systemd starting FreeSWITCH as 'RUNAS' user with 'FLAG' command line priority flags to FS results in top showing priority 'PRI', nice level 'NICE' on a month-old install of Debian 8 on a bare metal Dell R320 server.<br><br>RUNAS FLAG PRI NICE<br>root -rp -2 -10<br>root -np 39 19<br>root -lp 39 19<br><br>fs -rp -2 19<br>fs -np 39 19<br>fs -lp 39 19<br><br>Run as root from command line<br>root -rp -2 -10<br>root -np 20 0<br>root -lp 39 19<br><br>Run as su=freeswitch from command line<br>fs -rp 20 0<br>fs -np 20 0<br>fs -lp 39 19<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Most processes show Priority of 20 so I assume that is considered "normal".<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>So it looks like the only way to get truly higher priority for a process is to run it as root, which I expected. Once the scheduler priority is at -2 (higher priority) I don't know whether the nice level even matters.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>For now, the systemd unit file that I posted on Confluence runs as the freeswitch user so even with the -rp flag to FreeSWITCH it gets niced down to 19 which is the lowest level available for nice. Does this matter?<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Is there a serious security concern running FreeSWITCH as root?<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Thanks.<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Bote<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='color:black'>On Fri, Sep 4, 2015 at 3:38 PM, Bote Man <<a href="mailto:bote_radio@botecomm.com" target="_blank">bote_radio@botecomm.com</a>> wrote:<o:p></o:p></span></p><div><div><div><div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Thanks for that. I was under the impression that systemd was throwing FreeSWITCH into the generic scheduling group and starving it of resources as a result, but when I manually ran ./freeswitch as root it still showed the same values.<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Running FS manually with -np yielded pri=20 nice=0 and System Monitor reports priority "normal"<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Running FS manually with -rp yielded pri=-2 nice=-10 and System Monitor reports priority "very high", same results as when FS was started without any priority switch on the command line.<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>BUT! When I start FS with systemd it maintains priority=-2 but nice all the way down to 19 which is why System Monitor reports "very low". This happens even with the -rp switch specified in the unit file.<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>I don't know how scheduling priority and nice level interact on Debian, but it looks like I have a new research project for this weekend, assuming this is truly something to be concerned about. Or is it?<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Thanks for the tips. I will report my findings to the list if I discover anything substantive.<o:p></o:p></span></p></div><p class=MsoNormal><span style='color:black'>Bote<o:p></o:p></span></p><div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'><br><br><br><o:p></o:p></span></p></div></div></div></div></div><div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><div><div><div><p class=MsoNormal><span style='color:black'>On Fri, Sep 4, 2015 at 2:02 PM, Shaun Stokes <<a href="mailto:shaun.stokes@itec-support.co.uk" target="_blank">shaun.stokes@itec-support.co.uk</a>> wrote:<o:p></o:p></span></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Hi Bote, <o:p></o:p></span></p><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>I believe priority works in a similar way to metric (i.e. lower comes first), so -20 (most favorable scheduling) to +19 (least favorable scheduling).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><div style='mso-element:para-border-div;border:dashed #2F6FAB 1.0pt;padding:12.0pt 12.0pt 12.0pt 12.0pt;background:#F9F9F9'><pre style='line-height:15.6pt;background:#F9F9F9;border:none;padding:0in'><span style='font-size:9.5pt;color:black'>-rp -- enable high(realtime) priority settings<o:p></o:p></span></pre><pre style='line-height:15.6pt;background:#F9F9F9;border:none;padding:0in'><span style='font-size:9.5pt;color:black'>-lp -- enable low priority settings<o:p></o:p></span></pre><pre style='line-height:15.6pt;background:#F9F9F9;border:none;padding:0in'><span style='font-size:9.5pt;color:black'>-np -- enable normal priority settings (system default)<o:p></o:p></span></pre></div></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Source: <a href="https://wiki.freeswitch.org/wiki/Command_line" target="_blank">https://wiki.freeswitch.org/wiki/Command_line</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Hope this helps.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>Shaun<o:p></o:p></span></p><div><div class=MsoNormal align=center style='text-align:center'><span style='color:black'><hr size=2 width="100%" align=center></span></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a> [<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>] on behalf of Bote Man [<a href="mailto:bote_radio@botecomm.com" target="_blank">bote_radio@botecomm.com</a>]<br><b>Sent:</b> 04 September 2015 15:54<br><b>To:</b> FreeSWITCH Users Help<br><b>Subject:</b> [Freeswitch-users] FS priority</span><span style='color:black'><o:p></o:p></span></p></div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black'>I’m trying to set the priority on a new FreeSWITCH installation built from master on Debian 8 running on bare metal. It is currently running at “very low” priority according to Resource Monitor in the GUI and ‘top’ reports FS is running at priority = -2 (that’s negative two) and nice = 19</span><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black'>So with the way FreeSWITCH is now launched by systemd is it considered a service or a user application that is simply run in the background? </span><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black'>This affects how systemd treats its control groups and priority and how I will go about troubleshooting this.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black'><br>Thanks.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:black'>Bote<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:16.8pt'><span style='color:black'> </span><o:p></o:p></p></div></div></div></div></div></div></div></div></div></div></div></blockquote></div></div></div></div></div></div></div></div></div></div></body></html>