vembacher closed 2 years ago
The pull-request has expanded a bit because I wasn't aware it always points to the most recent commit of the branch instead of the most recent when creating the pull-request. So I will explain all the other changes here:
docker run command from --privileged to --cap-add=SYS_NICE --cap-add=IPC_LOCK
The capabilities should cover all the privileges the runtime needs. (Source)
- Lower the process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes;
- set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2), sched_setattr(2));
- set CPU affinity for arbitrary processes (sched_setaffinity(2));
- set I/O scheduling class and priority for arbitrary processes (ioprio_set(2));
- apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes;
- apply move_pages(2) to arbitrary processes;
- use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

- Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2));
- Allocate memory using huge pages (memfd_create(2), mmap(2), shmctl(2)).
Issue
Refer to #158. This pull request should fix this issue. Note: this also affected many other services like enip, dnp3s, etc.
Cause
This example should explain the issue:
Fix
It is fixed by making sure we're only concatenating bytes to bytes and we're introducing more precise exception handling so we are not blind to unexpectedly raised exceptions.
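A check for the docker run change described above, as an added example that is not part of the pull request or the project's code: it decodes the CapEff mask from /proc/<pid>/status and reports whether SYS_NICE and IPC_LOCK are present and whether anything beyond them and Docker's default capability set remains. The default set listed and the sample masks are assumptions constructed for illustration.

```python
import re

# Capability bit numbers from linux/capability.h (only the ones named here).
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "FOWNER": 3, "FSETID": 4, "KILL": 5,
    "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "NET_BIND_SERVICE": 10,
    "NET_RAW": 13, "IPC_LOCK": 14, "SYS_CHROOT": 18, "SYS_ADMIN": 21,
    "SYS_NICE": 23, "MKNOD": 27, "AUDIT_WRITE": 29, "SETFCAP": 31,
}
# Capabilities requested with --cap-add in the docker run command above.
REQUIRED = {"SYS_NICE", "IPC_LOCK"}
# Assumption: the engine grants Docker's usual default capability set.
DOCKER_DEFAULT = set(CAP_BITS) - REQUIRED - {"SYS_ADMIN"}

# Constructed sample status excerpts (not captured from a real container).
REDUCED = "Name:\tsample\nCapEff:\t00000000a88465fb\n"   # defaults + 2 caps
DEFAULT_ONLY = "Name:\tsample\nCapEff:\t00000000a80425fb\n"
PRIVILEGED = "Name:\tsample\nCapEff:\t000001ffffffffff\n"  # every bit set


def effective_caps(status_text):
    """Return the set of capability names in the CapEff line."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if match is None:
        raise ValueError("no CapEff line in status text")
    mask = int(match.group(1), 16)
    names = {bit: name for name, bit in CAP_BITS.items()}
    # Bits not listed in CAP_BITS are reported by number instead of dropped.
    return {names.get(bit, f"BIT_{bit}")
            for bit in range(mask.bit_length()) if mask >> bit & 1}


def audit(status_text):
    """Report required capabilities that are missing and extras that remain."""
    caps = effective_caps(status_text)
    return {
        "missing": sorted(REQUIRED - caps),
        "unexpected": sorted(caps - REQUIRED - DOCKER_DEFAULT),
    }


if __name__ == "__main__":
    # Inside the container this audits the current process.
    with open("/proc/self/status") as handle:
        print(audit(handle.read()))
```

A non-empty "unexpected" list means the container still holds more than the two added capabilities plus the defaults, as it does when started with --privileged.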