empty-ns: Don't C/R iptables too (v2)

When C/R-ing a net namespace with --empty-ns net option we should also skip netfilter rules too (as per https://github.com/docker/docker/issues/27597). However, there's one thing to be handled -- local TCP blocking rules are expected to be there on restore by restore_iptables() which is no longer the case, so put them back manually. Test included, checked on zdtm/static/socket-tcpbuf-local :) v2: Full scripts for empty netns setup. https://github.com/xemul/criu/issues/246 Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
2025-08-31 06:15:24 +00:00 · 2016-11-15 17:08:00 +03:00
parent 7251cb3aa9
commit cde33dcb06
5 changed files with 38 additions and 6 deletions
--- a/test/zdtm.py
+++ b/test/zdtm.py
@@ -767,6 +767,7 @@ class criu:
 		self.__page_server = (opts['page_server'] and True or False)
 		self.__restore_sibling = (opts['sibling'] and True or False)
 		self.__join_ns = (opts['join_ns'] and True or False)
+		self.__empty_ns = (opts['empty_ns'] and True or False)
 		self.__fault = (opts['fault'])
 		self.__script = opts['script']
 		self.__sat = (opts['sat'] and True or False)
@@ -893,6 +894,8 @@ class criu:

 		if self.__leave_stopped:
 			a_opts += ['--leave-stopped']
+		if self.__empty_ns:
+			a_opts += ['--empty-ns', 'net']

 		self.__criu_act(action, opts = a_opts + opts)
 		if self.__mdedup and self.__iter > 1:
@@ -914,6 +917,9 @@ class criu:
 		if self.__join_ns:
 			r_opts.append("--join-ns")
 			r_opts.append("net:%s" % join_ns_file)
+		if self.__empty_ns:
+			r_opts += ['--empty-ns', 'net']
+			r_opts += ['--action-script', os.getcwd() + '/empty-netns-prep.sh']

 		self.__prev_dump_iter = None
 		criu_dir = os.path.dirname(os.getcwd())
@@ -1344,7 +1350,7 @@ class launcher:
 		self.__nr += 1
 		self.__show_progress()

-		nd = ('nocr', 'norst', 'pre', 'iters', 'page_server', 'sibling', 'stop',
+		nd = ('nocr', 'norst', 'pre', 'iters', 'page_server', 'sibling', 'stop', 'empty_ns',
 				'fault', 'keep_img', 'report', 'snaps', 'sat', 'script', 'rpc',
 				'join_ns', 'dedup', 'sbs', 'freezecg', 'user', 'dry_run', 'noauto_dedup')
 		arg = repr((name, desc, flavor, {d: self.__opts[d] for d in nd}))
@@ -1590,6 +1596,8 @@ def run_tests(opts):
 			# remove ns and uns flavor in join_ns
 			if opts['join_ns']:
 				run_flavs -= set(['ns', 'uns'])
+			if opts['empty_ns']:
+				run_flavs -= set(['h'])

 			if run_flavs:
 				l.run_test(t, tdesc, run_flavs)
@@ -1781,6 +1789,7 @@ rp.add_argument("-x", "--exclude", help = "Exclude tests from --all run", action

 rp.add_argument("--sibling", help = "Restore tests as siblings", action = 'store_true')
 rp.add_argument("--join-ns", help = "Restore tests and join existing namespace", action = 'store_true')
+rp.add_argument("--empty-ns", help = "Restore tests in empty net namespace", action = 'store_true')
 rp.add_argument("--pre", help = "Do some pre-dumps before dump (n[:pause])")
 rp.add_argument("--snaps", help = "Instead of pre-dumps do full dumps", action = 'store_true')
 rp.add_argument("--dedup", help = "Auto-deduplicate images on iterations", action = 'store_true')