1.4. Obtaining Reatime privileges

There is actually three ways to obtain root privileges for Realtime. The first way is to use the "Realtime LSM" module. But this way is pretty deprecated and should not be used nowdays. The second way is to use a little tool named set_rlimits. This way is ok, but it should only be used when the PAM library does not support "rlimits" operations. The third way is the right way: it consist on using PAM.

1.4.1. Realtime LSM

This way is not recommended.

The Realtime Linux Security Module (LSM) is a loadable extension for Linux 2.6 kernels. It selectively grants realtime permissions to specific user groups or applications.

First, retreive the last CVS version:

$ cvs -d:pserver:anonymous@realtime-lsm.cvs.sourceforge.net:/cvsroot/realtime-lsm login
$ cvs -z3 -d:pserver:anonymous@realtime-lsm.cvs.sourceforge.net:/cvsroot/realtime-lsm co -P realtime-lsm

The apply the rt-lsm-kernel.patch kernel patch on you Linux kernel:

$ cd /usr/src/linux/
$ patch -p1 ../realtime-lsm/rt-lsm-kernel.patch
$ make menuconfig
$ make
$ su -c "make modules_install"
$ su -c "make install"

Your Security options kernel configuration section should be like the following:

  Security options --->
    [ ] Enable access key retention support
    [*] Enable different security models
    [ ]   Socket and Networking Security Hooks
    <M>   Default Linux Capabilities
    < >   Root Plug Support
    < >   BSD Secure Levels
    <M>   Realtime Capabilities

If you do not see the Realtime Capabilities item, then check the end of the kernel's security/Kconfig file and try to fix it (it can have a issue with the depends option).

Reboot with your new kernel.


Do not forget to repeat this step every time you rebuild a new kernel.

Then if you do not care about security, just do modprobe realtime any=1 to load the module and to allow its use for every users of your system. If you want to allow only the audio group to access realtime capacities, check that your current user is in the audio group and load realtime module by passing it the gid of the group to allow:

  # addgroup youruser audio
  # modprobe realtime gid=$(grep audio /etc/group | cut -d':' -f3) any=1

If you want to load this module at boot time on Debian, do the following:

$ su
# echo "options realtime any=1" > /etc/modprobe.d/realtime
# echo "realtime" >> /etc/modules

1.4.2. Using set_rlimits

This way is not recommended.

set_rlimits is a small wrapper program to allow people to take advantage of he realtime resource limit extensions available in Linux kernels 2.6.12 and later without having to resort to using a PAM module. This method was ok when PAM was not supporting kernel's rlimits operations.

Download it here.

First, edit the Makefile file and change the PREFIX variable to /usr/local to /usr/bin. Then uncompress it, rebuild it and install it:

$ make clean
$ make
$ su -c "make install"

Once it is installed, edit the /etc/set_rlimits.conf file and add the following line at the end:

@audio  /usr/bin/qjackctl nice=-1 rtprio=80

Now you will be able to execute qjackctl (see Section 3.2) with all necessary privileges, and it will be able to execute jackd (see Section 3.1) with realtime privileges [1].

1.4.3. Using PAM

This is the right way :-)

PAM configuration is the better choice. Basically it only consists on updating the PAM limits configuration in /etc/security/limits.conf[2] to fit your needs:

@audio  -  rtprio   100
@audio  -  nice     -10
@audio  -  memlock  unlimited

This will allow all software executed by audio group members to access realtime and to consume memory without restriction.




Execute it like that: set_rlimits -r /usr/bin/qjackctl


You should be able to use a more distro friendly solution by creating a directory called /etc/security/limits.d/ and write your configuration in a file called audio.conf.