net: remember the name of the lock chain (nftables)

Using libnftables the chain to lock the network is composed of
("CRIU-%d", real_pid). This leads to around 40 zdtm tests failing
with errors like this:

Error: No such file or directory; did you mean table 'CRIU-62' in family inet?
delete table inet CRIU-86

The reason is that as soon as a process is running in a namespace the
real PID can be anything and only the PID in the namespace is restored
correctly. Relying on the real PID does not work for the chain name.

Using the PID of the innermost namespace would lead to the chain be
called 'CRIU-1' most of the time which is also not really unique.

With this commit the change is now named using the already existing CRIU
run ID. To be able to correctly restore the process and delete the
locking table, the CRIU run id during checkpointing is now stored in the
inventory as dump_criu_run_id.

Signed-off-by: Adrian Reber <areber@redhat.com>

criu/image.c

@@ -25,6 +25,7 @@ bool img_common_magic = true;
 TaskKobjIdsEntry *root_ids;
 u32 root_cg_set;
 Lsmtype image_lsm;
+char dump_criu_run_id[RUN_ID_HASH_LENGTH];
 
 struct inventory_plugin {
 	struct list_head node;
@@ -120,6 +121,24 @@ int check_img_inventory(bool restore)
 					goto out_err;
 			}
 		}
+
+		/**
+		 * This contains the criu_run_id during dumping of the process.
+		 * For things like removing network locking (nftables) this
+		 * information is needed to identify the name of the network
+		 * locking table.
+		 */
+		if (he->dump_criu_run_id) {
+			strncpy(dump_criu_run_id, he->dump_criu_run_id, sizeof(dump_criu_run_id) - 1);
+			pr_info("Dump CRIU run id = %s\n", dump_criu_run_id);
+		} else {
+			/**
+			 * If restoring from an old image this is a marker
+			 * that no dump_criu_run_id exists.
+			 */
+			dump_criu_run_id[0] = NO_DUMP_CRIU_RUN_ID;
+		}
+
 	}
 
 	ret = 0;
@@ -367,6 +386,17 @@ int prepare_inventory(InventoryEntry *he)
 	he->has_network_lock_method = true;
 	he->network_lock_method = opts.network_lock_method;
 
+	/**
+	 * This contains the criu_run_id during dumping of the process.
+	 * For things like removing network locking (nftables) this
+	 * information is needed to identify the name of the network
+	 * locking table.
+	 */
+	he->dump_criu_run_id = xstrdup(criu_run_id);
+
+	if (!he->dump_criu_run_id)
+		return -1;
+
 	return 0;
 }
 

criu/include/util.h

@@ -424,6 +424,8 @@ extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), void
  */
 extern char criu_run_id[RUN_ID_HASH_LENGTH];
 extern void util_init(void);
+#define NO_DUMP_CRIU_RUN_ID 0x7f
+extern char dump_criu_run_id[RUN_ID_HASH_LENGTH];
 
 extern char *resolve_mountpoint(char *path);
 

criu/netfilter.c

@@ -299,7 +299,25 @@ int nftables_lock_connection(struct inet_sk_desc *sk)
 
 int nftables_get_table(char *table, int n)
 {
-	if (snprintf(table, n, "inet CRIU-%d", root_item->pid->real) < 0) {
+	int ret;
+
+	switch(dump_criu_run_id[0]) {
+	case 0:
+		/* This is not a restore.*/
+		ret = snprintf(table, n, "inet CRIU-%s", criu_run_id);
+		break;
+	case NO_DUMP_CRIU_RUN_ID:
+		/**
+		 * This is a restore from an older image with no
+		 * dump_criu_run_id available. Let's use the old ID.
+		 */
+		ret = snprintf(table, n, "inet CRIU-%d", root_item->pid->real);
+		break;
+	default:
+		ret = snprintf(table, n, "inet CRIU-%s", dump_criu_run_id);
+	}
+
+	if (ret < 0) {
 		pr_err("Cannot generate CRIU's nftables table name\n");
 		return -1;
 	}

images/inventory.proto

@@ -29,4 +29,8 @@ message inventory_entry {
 	optional bool			tcp_close	= 10;
 	optional uint32			network_lock_method	= 11;
 	optional plugins_entry		plugins_entry = 12;
+	// Remember the criu_run_id when CRIU dumped the process.
+	// This is currently used to delete the correct nftables
+	// network locking rule.
+	optional string                 dump_criu_run_id        = 13;
 }