Non-root Xorg, with Nvidia driver

Honestly, I’m not sure if this is the best place to post this, but hopefully someone can help, or at least point me in the right direction.

For security/accounting reasons, I want to be able to run Xorg as a non-root user on my RHEL-6 HPC cluster (some of the nodes have Tesla k80s), while still using the Nvidia driver, libgl, etc, to accelerate the processing. This is for a Paraview worker (pvworker, I think), which needs an OpenGL context to do its work, but doesn’t actually need to display anything. I’ve been able to build Xorg and run it as a non-root user, using the ‘void’ input drivers, and the ‘dummy’ video driver. But when I switch that config to use the ‘nvidia’ driver, it fails with this error:

“xf86OpenConsole: Cannot open /dev/tty0 (No such file or directory)”

Now, since this doesn’t happen with the dummy driver, I’m assuming this has something to do with the nvidia driver software, and not Xorg itself. But I don’t know. I could be completely wrong. The complexity of Xorg has stymied better people than me.

I don’t know how significant this will be for this discussion, but the cluster nodes are running RHEL 6.6, kernel 2.6.32-504.16.2.el6.x86_64, and Nvidia driver 340.29 (though that could be updated easily enough).

I think I grabbed Xorg 1.17 to build, but there were so many packages, each with their own version numbers, that I’m not 100% sure.

The nodes in question have 2 Intel Haswell CPUs, 64 GB of RAM, and 2 Tesla k80s. They’ve been great for the users using CUDA. We just haven’t had to deal with Xorg like this before.

From my experience this is only possible with the open source drivers, since they support server managed fds.

If you want to use a LoginManager it also has to support non-root X. At the moment only GDM 3.16 can do that or you have to use “startx” to start the x server.

I’m running the latest nvidia driver with the latest Gnome and xorg still runs as root.

There are a few different intertwined features here that make this topic really confusing. The NVIDIA driver itself does not require that the X server run as root, but it does require access to the /dev/nvidia* device nodes.

The /dev/tty0 thing is in the X server itself. The reason the dummy driver works is because it sets a flag that disables that behavior. Unfortunately, we can’t enable that flag in the NVIDIA driver because we’d have to set it too early during initialization, before we know whether we need the display or not.

The “server managed fds” thing is part of the new handshake with systemd-logind. Unfortunately, that code incorrectly assumes that all graphics drivers use DRI, so we can’t plug into that infrastructure.

You might be able to get the server to start as a non-root user with some combination of the -keeptty, -novtswitch, and -sharevts options.

I really appreciate the info, here. Unfortunately, the “-keeptty” option apparently requires that the binary be suid root. And so far, no combination of those other two (“-novtswitch”, which I think I already had in the config file, and “-sharevts”), seems to work. They all still give me the “Cannot open /dev/tty0” message.

So, if I understand it correctly, the fundamental issue is that the NVIDIA driver cannot set the appropriate flag (HW_SKIP_CONSOLE or similar?), to avoid Xorg trying to open /dev/tty0. So, I either need to patch/hack our way around that open() call, or somehow change permissions/ownership on /dev/tty0, to allow the non-root user to open it. Is that basically correct?

For reference, this is still RHEL 6.6, so I doubt any interaction with systemd is likely to be an option in the near future. HPC facilities like ours tend to be somewhat slow to upgrade, since it inevitably breaks our users’ code in some way. Security fixes, yes, but major features, not so much.

I confess, I wish that XVFB, or similar, was able to manage the OpenGL contexts for this kind of program, while still getting us the acceleration from the Tesla k80s. My understanding (which could still be very wrong), is that it cannot. But at least I can run that as a user without any trouble.

Right, that’s pretty much the crux of it. Xorg by itself ought to be able to run without /dev/tty0 on its own without the HW_SKIP_CONSOLE flag, but nobody has put the effort into making it actually work except for the systemd people, and they tied it heavily to systemd-logind and the DRM device nodes.

Hey, I know this is a very old thread, but I think I am running into this exact issue. Has anything changed in the last 3 years that would allow me to get around it?

What exactly is your problem? Running Paraview (without X) or running X without root?
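
The access requirements discussed in this thread (the /dev/nvidia* device nodes, /dev/tty0, and whether the Xorg binary is suid root), as an added preflight check that is not part of any post above. The default path /usr/bin/Xorg and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight for starting Xorg as a non-root user.
# Device paths come from the thread; /usr/bin/Xorg is an assumed default.

# node_status PATH: prints "ok", "missing" or "denied"; returns 0, 1 or 2.
# "missing" corresponds to ENOENT (the thread's /dev/tty0 error text),
# "denied" to a node that exists but is not read/write for this user.
node_status() {
    if [ ! -e "$1" ]; then
        echo missing; return 1
    elif [ -r "$1" ] && [ -w "$1" ]; then
        echo ok; return 0
    else
        echo denied; return 2
    fi
}

# is_setuid FILE: true if FILE carries the setuid bit, i.e. the server
# would not actually be running with the invoking user's privileges.
is_setuid() { [ -u "$1" ]; }

# preflight [XORG_BIN]: report every node; return 1 if any is unusable.
preflight() {
    xorg_bin=${1:-/usr/bin/Xorg}
    rc=0
    # If no /dev/nvidia[0-9]* node exists the pattern stays literal and
    # is reported as "missing", which is the right answer.
    for node in /dev/nvidiactl /dev/nvidia[0-9]* /dev/tty0; do
        st=$(node_status "$node") || rc=1
        printf '%-20s %s\n' "$node" "$st"
    done
    if is_setuid "$xorg_bin"; then
        echo "$xorg_bin: setuid bit set"
    else
        echo "$xorg_bin: no setuid bit"
    fi
    return "$rc"
}
```

Source the file and call `preflight` as the account that will start the server, since the read/write tests are evaluated for the calling user.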