
criu: add --network-lock option to allow nftables alternative

This adds the option to choose the networking locking method.

CRIU currently uses iptables-restore cli for network locking/unlocking
but nftables support will be added later.

There have been reports from users that iptables-restore fails in some
way, and an nftables-based approach using libnftables could avoid this
external dependency.

v2: remove dependency details in man page for --network-lock.
v3: remove --network-lock from restore section in docs because it is
    automatically detected from the inventory image now.
v4: add message that --network-lock will be ignored during restore
    and value from dump will be used.
v5: run make indent

Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
This commit is contained in:
Zeyad Yasser 2021-07-09 14:16:52 +02:00 committed by Andrei Vagin
parent ef7af1dd15
commit 2e30db5c3d
4 changed files with 46 additions and 0 deletions


@ -420,6 +420,19 @@ The 'mode' may be one of the following:
build-ID cannot be obtained, 'chksm-first' method will be build-ID cannot be obtained, 'chksm-first' method will be
used. This is the default if mode is unspecified. used. This is the default if mode is unspecified.
*--network-lock* ['mode']::
Set the method to be used for network locking/unlocking. Locking is done
to ensure that tcp packets are dropped between dump and restore. This is
done to avoid the kernel sending RST when a packet arrives destined for
the dumped process.
+
The 'mode' may be one of the following:
*iptables*::: Use iptables rules to drop the packets.
This is the default if 'mode' is not specified.
*nftables*::: Use nftables rules to drop the packets.
*restore* *restore*
~~~~~~~~~ ~~~~~~~~~
Restores previously checkpointed processes. Restores previously checkpointed processes.


@ -428,6 +428,7 @@ void init_opts(void)
opts.log_level = DEFAULT_LOGLEVEL; opts.log_level = DEFAULT_LOGLEVEL;
opts.pre_dump_mode = PRE_DUMP_SPLICE; opts.pre_dump_mode = PRE_DUMP_SPLICE;
opts.file_validation_method = FILE_VALIDATION_DEFAULT; opts.file_validation_method = FILE_VALIDATION_DEFAULT;
opts.network_lock_method = NETWORK_LOCK_DEFAULT;
} }
bool deprecated_ok(char *what) bool deprecated_ok(char *what)
@ -606,6 +607,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
char *cfg_file = NULL; char *cfg_file = NULL;
char **_argv = NULL; char **_argv = NULL;
int _argc = 0; int _argc = 0;
bool has_network_lock_opt = false;
#define BOOL_OPT(OPT_NAME, SAVE_TO) \ #define BOOL_OPT(OPT_NAME, SAVE_TO) \
{ OPT_NAME, no_argument, SAVE_TO, true }, \ { OPT_NAME, no_argument, SAVE_TO, true }, \
@ -694,6 +696,7 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
{ "pre-dump-mode", required_argument, 0, 1097 }, { "pre-dump-mode", required_argument, 0, 1097 },
{ "file-validation", required_argument, 0, 1098 }, { "file-validation", required_argument, 0, 1098 },
{ "lsm-mount-context", required_argument, 0, 1099 }, { "lsm-mount-context", required_argument, 0, 1099 },
{ "network-lock", required_argument, 0, 1100 },
{}, {},
}; };
@ -1018,6 +1021,17 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
case 1099: case 1099:
SET_CHAR_OPTS(lsm_mount_context, optarg); SET_CHAR_OPTS(lsm_mount_context, optarg);
break; break;
case 1100:
has_network_lock_opt = true;
if (!strcmp("iptables", optarg)) {
opts.network_lock_method = NETWORK_LOCK_IPTABLES;
} else if (!strcmp("nftables", optarg)) {
opts.network_lock_method = NETWORK_LOCK_NFTABLES;
} else {
pr_err("Invalid value for --network-lock: %s\n", optarg);
return 1;
}
break;
case 'V': case 'V':
pr_msg("Version: %s\n", CRIU_VERSION); pr_msg("Version: %s\n", CRIU_VERSION);
if (strcmp(CRIU_GITID, "0")) if (strcmp(CRIU_GITID, "0"))
@ -1031,6 +1045,11 @@ int parse_options(int argc, char **argv, bool *usage_error, bool *has_exec_cmd,
} }
} }
if (has_network_lock_opt && !strcmp(argv[optind], "restore")) {
pr_warn("--network-lock will be ignored in restore command\n");
pr_info("Network lock method from dump will be used in restore\n");
}
return 0; return 0;
bad_arg: bad_arg:
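Review bot: The new restore check at `if (has_network_lock_opt && !strcmp(argv[optind], "restore"))` dereferences `argv[optind]` without confirming that a positional command was given; when the command line ends after the options, `optind == argc` and `argv[optind]` is the terminating NULL pointer, so `strcmp` is undefined behaviour. Unless a check earlier in parse_options (outside this hunk) already guarantees `optind < argc`, the condition should be `if (has_network_lock_opt && optind < argc && !strcmp(argv[optind], "restore"))`. The `case 1100:` branch itself is fine: it validates the argument against the two known names and rejects anything else before the value is stored. parse_options starts and ends outside the hunks shown here.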


@ -354,6 +354,9 @@ usage:
" in lazy-pages mode: 'criu lazy-pages -D DIR'\n" " in lazy-pages mode: 'criu lazy-pages -D DIR'\n"
" --lazy-pages and lazy-pages mode require userfaultfd\n" " --lazy-pages and lazy-pages mode require userfaultfd\n"
" --stream dump/restore images using criu-image-streamer\n" " --stream dump/restore images using criu-image-streamer\n"
" --network-lock METHOD\n"
" network locking/unlocking method; argument\n"
" can be 'nftables' or 'iptables' (default).\n"
"\n" "\n"
"* External resources support:\n" "* External resources support:\n"
" --external RES dump objects from this list as external resources:\n" " --external RES dump objects from this list as external resources:\n"


@ -59,6 +59,16 @@ struct cg_root_opt {
#define CG_MODE_DEFAULT (CG_MODE_SOFT) #define CG_MODE_DEFAULT (CG_MODE_SOFT)
/*
* Network locking method
*/
enum NETWORK_LOCK_METHOD {
NETWORK_LOCK_IPTABLES,
NETWORK_LOCK_NFTABLES,
};
#define NETWORK_LOCK_DEFAULT NETWORK_LOCK_IPTABLES
/* /*
* Ghost file size we allow to carry by default. * Ghost file size we allow to carry by default.
*/ */
@ -152,6 +162,7 @@ struct cr_options {
int tcp_skip_in_flight; int tcp_skip_in_flight;
bool lazy_pages; bool lazy_pages;
char *work_dir; char *work_dir;
int network_lock_method;
/* /*
* When we scheduler for removal some functionality we first * When we scheduler for removal some functionality we first