Google's RPC client process is in a different pidns and has more privileges --
CRIU can't open its /proc/<pid>/fd/<fd>. For images_dir_fd to be useful here
it would need to refer to a passed or CRIU's fd.
From: Michał Cłapiński <mclapinski@google.com>
Change-Id: Icbfb5af6844b21939a15f6fbb5b02264c12341b1
Signed-off-by: Michał Mirosław <emmir@google.com>
Make it possible to skip network lock to enable uses that break connections
anyway to work without iptables/nftables being present.
Signed-off-by: Michał Mirosław <emmir@google.com>
This commit enables checkpointing and restoring of applications as
non-root.
First goal was to enable checkpoint and restore of the env00 and
pthread00 test case.
This uses the information from opts.unprivileged and opts.cap_eff to
skip certain code paths which do not work as non-root.
Co-authored-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Younes Manton <ymanton@ca.ibm.com>
A file's r/w/x changing between checkpoint and restore does
not necessarily imply that something is wrong. For example,
if a process opens a file having perms rw- for reading and
we change the perms to r--, the process can be restored and
will function as expected.
Therefore, this patch adds an option
--skip-file-rwx-check
to disable this check on restore. File validation is unaffected
and should still function as expected with respect to the content
of files.
Signed-off-by: Younes Manton <ymanton@ca.ibm.com>
We plan to switch to Mounts-v2 engine for restoring mounts by default,
this options is to allow switching to old engine. This patch only adds
an option, no engine behind it yet.
Cherry-picked from Virtuozzo criu:
https://src.openvz.org/projects/OVZ/repos/criu/commits/503f9ad2c
Changes: allow --mntns-compat-mode option only on restore and only if
MOVE_MOUNT_SET_GROUP is supported (this also requires change in
unittest/mock.c), change id in rpc criu_opts.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
In contrast to the CLI it is not possible to do a single pre-dump via
RPC and thus libcriu. In cr-service.c pre-dump always goes into a
pre-dump loop followed by a final dump. runc already works around this
to only do a single pre-dump by killing the CRIU process waiting for the
message for the final dump.
Trying to implement pre-dump in crun via libcriu it is not as easy to
work around CRIU's pre-dump loop expectations as with runc that directly
talks to CRIU via RPC.
We know that LXC/LXD also does single pre-dumps using the CLI and runc
also only does single pre-dumps by misusing the pre-dump loop interface.
With this commit it is possible to trigger a single pre-dump via RPC and
libcriu without misusing the interface provided via cr-service.c. So
this commit basically updates CRIU to the existing use cases.
The existing pre-dump loop still sounds like a very good idea, but so
far most tools have decided to implement the pre-dump loop themselves.
With this change we can implement pre-dump in crun to match what is
currently implemented in runc.
Signed-off-by: Adrian Reber <areber@redhat.com>
This change is motivated by checkpointing and restoring container in
Pods.
When restoring a container into a new Pod the SELinux label of the
existing Pod needs to be used and not the SELinux label saved during
checkpointing.
The option --lsm-profile already enables changing of process SELinux
labels on restore. If there are, however, tmpfs checkpointed they
will be mounted during restore with the same context as during
checkpointing. This can look like the following example:
context="system_u:object_r:container_file_t:s0:c82,c137"
On restore we want to change this context to match the mount label of
the Pod this container is restored into. Changing of the mount label
is now possible with the new option --mount-context:
criu restore --mount-context "system_u:object_r:container_file_t:s0:c204,c495"
This will lead to mount options being changed to
context="system_u:object_r:container_file_t:s0:c204,c495"
Now the restored container can access all the files in the container
again.
This has been tested in combination with runc and CRI-O.
Signed-off-by: Adrian Reber <areber@redhat.com>
pidfd_store which will be used for reliable pidfd based pid reuse
detection for RPC clients requires two recent syscalls (pidfd_open
and pidfd_getfd).
We allow checking if pidfd_store is supported using:
1. CLI: criu check --feature pidfd_store
2. RPC: CRIU_REQ_TYPE__FEATURE_CHECK and set pidfd_store to
true in the "features" field of the request
Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
pidfd_store_sk option will be used later to store tasks pidfds
between predumps to detect pid reuse reliably.
pidfd_store_sk should be a fd of a connectionless unix socket.
init_pidfd_store_sk() steals the socket from the RPC client using
pidfd_getfd, checks that it is a connectionless unix socket and
checks if it is not initialized before (i.e. unnamed socket).
If not initialized the socket is first bound to an abstract name
(combination of the real pid/fd to avoid overlap), then it is
connected to itself hence allowing us to store the pidfds in the
receive queue of the socket (this is similar to how fdstore_init()
works).
v2:
- avoid close(pidfd) overriding errno of SYS_pidfd_open in
init_pidfd_store_sk()
- close pidfd_store_sk because we might have leftover from
previous iterations
Signed-off-by: Zeyad Yasser <zeyady98@gmail.com>
This changes the license of all files in the images/ directory from
GPLv2 to the Expat license (so-called MIT).
According to git the files have been authored by:
Abhishek Dubey
Adrian Reber
Alexander Mikhalitsyn
Alice Frosi
Andrei Vagin (Andrew Vagin, Andrey Vagin)
Cyrill Gorcunov
Dengguangxing
Dmitry Safonov
Guoyun Sun
Kirill Tkhai
Kir Kolyshkin
Laurent Dufour
Michael Holzheu
Michał Cłapiński
Mike Rapoport
Nicolas Viennot
Nikita Spiridonov
Pavel Emelianov (Pavel Emelyanov)
Pavel Tikhomirov
Radostin Stoyanov
rbruno@gsd.inesc-id.pt
Sebastian Pipping
Stanislav Kinsburskiy
Tycho Andersen
Valeriy Vdovin
The Expat license (so-called MIT) can be found here:
https://opensource.org/licenses/MIT
According to that link the correct SPDX short identifier is 'MIT'.
https://spdx.org/licenses/MIT.html
Signed-off-by: Adrian Reber <areber@redhat.com>
Conflict register for file "sk-opts.proto": READ is already defined in
file "rpc.proto". Please fix the conflict by adding package name on the
proto file, or use different name for the duplication. Note: enum
values appear as siblings of the enum type instead of children of it.
https://github.com/checkpoint-restore/criu/issues/815
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Two modes of pre-dump algorithm:
1) splicing memory by parasite
--pre-dump-mode=splice (default)
2) using process_vm_readv syscall
--pre-dump-mode=read
Signed-off-by: Abhishek Dubey <dubeyabhishek777@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Instead of creating cgroup yard in CRIU, now we can create it externally
and pass it to CRIU. Useful if somebody doesn't want to grant
CAP_SYS_ADMIN to CRIU.
Signed-off-by: Michał Cłapiński <mclapinski@google.com>
We want to commit --check-mounts feature to vz-criu. But to maintain
image level compatibility between ms-criu and vz-criu one shouldn't use
the same field id for different data. So add a comment that these id is
reserved.
In rpc.proto the interface to query the CRIU version number uses major
and minor as keywords. This creates errors when using the RPC
definitions with C++: https://github.com/checkpoint-restore/criu/issues/625
In this commit the fields are renamed from major to major_number and
from minor to minor_number.
For existing programs using the RPC protobuf definition this should be a
transparent change. Only for programs importing the latest rpc.proto it
will require code changes.
Signed-off-by: Adrian Reber <areber@redhat.com>
With this commit it is possible to specify a configuration file via
RPC. In python this would look like this:
req.opts.config_file = 'path/to/config_file'
With this commit CRIU's configuration file handling works like this:
* apply_config(global_conf)
* apply_config(user_conf)
* apply_config(environment variable)
* apply_config(config file via CLI)
* apply_rpc_options() or apply_cli_options()
* apply_config(rpc_conf) (only for RPC)
This is at least (probably) the third iteration of the RPC configuration
file code and it still is complicated.
Most CRIU options are correctly used by just writing the new values to
the corresponding fields of the opts structure. For the RPC case there
are, however, a few options (output, work_dir, imgs_dir) which need
special handling.
So the RPC configuration file is parsed twice. First time to get output,
work_dir and imgs_dir. Once those are read and correctly used, the RPC
code overwrites all options again by values set by the RPC interface. At
the end the RPC configuration file is read a second time and finally
overwrites the values set via RPC.
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
In this case we can wait it and get an exit code.
For example, it will be useful for p.haul where one connection
is used several times, so we need a way how to understand that
page-server exited unexpectedly.
v2: don't write ps_info if a start descriptor isn't set
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
To use lazy-pages from runc '--lazy-pages' functionality needs to be
accessible via RPC. This enables lazy-pages via RPC.
The information on which port to listen is taken from the
criu_page_server_info protobuf structure. If the user has enabled
lazy-pages via RPC only criu_page_server_info.port is evaluated
to get the listen port.
With additional patches in runc is it possible to use lazy-restore
with 'runc checkpoint' and 'runc restore'.
travis-ci: success for lazy-pages: enable lazy-pages via RPC
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Extend the RPC feature check functionality to also test for lazy-pages
support. This does not check for certain UFFD features (yet). Right now
it only checks if kerndat_uffd() returns non-zero.
The RPC response is now transmitted from the forked process instead of
encoding all the results into the return code. The parent RPC process
now only sends an RPC message in the case of a failure.
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
Instead of parsing the output of 'criu -V' this offers a RPC interface
to get CRIU's version. In a follow up patch a test script is included
to use the new interface:
./version.py
Connecting to CRIU in swrk mode to check the version:
RPC: Success
CRIU major 2
CRIU minor 12
CRIU gitid v2.12-635-g6d3ae4d
This change exports the following version fields:
* major
* minor
* gitid (optional)
* sublevel (optional)
* extra (optional)
* name (optional)
The optional gitid field is not set when CRIU is not built from git.
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
Now Docker creates a pty pair from a container devpts to use is as console.
A slave tty is set as a control tty for the init process and bind-mounted
into /dev/console. The master tty is handled externelly.
Now CRIU can handle external resources, but here we have internal resources
which are used externaly.
https://github.com/opencontainers/runc/issues/1202
travis-ci: success for A few fixes to c/r a docker container with a console (rev3)
Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
As runc uses the RPC interface to run criu it is necessary to expose
the newly added status-fd feature via RPC. Using the status-fd interface
makes it possible to use lazy migration with runc.
travis-ci: success for RPC: make status-fd option available via RPC (rev3)
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
with newer versions of protobuf, I get:
./crit
Traceback (most recent call last):
File "./crit", line 7, in <module>
import pycriu
File "/home/ubuntu/criu/crit/pycriu/__init__.py", line 2, in <module>
import images
File "/home/ubuntu/criu/crit/pycriu/images/__init__.py", line 2, in <module>
from images import *
File "/home/ubuntu/criu/crit/pycriu/images/images.py", line 52, in <module>
from pb import *
File "/home/ubuntu/criu/crit/pycriu/images/pb.py", line 35, in <module>
from packet_sock_pb2 import *
File "/home/ubuntu/criu/crit/pycriu/images/packet_sock_pb2.py", line 18, in <module>
import sk_opts_pb2 as sk__opts__pb2
File "/home/ubuntu/criu/crit/pycriu/images/sk_opts_pb2.py", line 23, in <module>
serialized_pb=_b('\n\rsk-opts.proto\"\xe2\x02\n\rsk_opts_entry\x12\x11\n\tso_sndbuf\x18\x01 \x02(\r\x12\x11\n\tso_rcvbuf\x18\x02 \x02(\r\x12\x16\n\x0eso_snd_tmo_sec\x18\x03 \x02(\x04\x12\x17\n\x0fso_snd_tmo_usec\x18\x04 \x02(\x04\x12\x16\n\x0eso_rcv_tmo_sec\x18\x05 \x02(\x04\x12\x17\n\x0fso_rcv_tmo_usec\x18\x06 \x02(\x04\x12\x11\n\treuseaddr\x18\x07 \x01(\x08\x12\x13\n\x0bso_priority\x18\x08 \x01(\r\x12\x13\n\x0bso_rcvlowat\x18\t \x01(\r\x12\x0f\n\x07so_mark\x18\n \x01(\r\x12\x13\n\x0bso_passcred\x18\x0b \x01(\x08\x12\x12\n\nso_passsec\x18\x0c \x01(\x08\x12\x14\n\x0cso_dontroute\x18\r \x01(\x08\x12\x13\n\x0bso_no_check\x18\x0e \x01(\x08\x12\x14\n\x0cso_bound_dev\x18\x0f \x01(\t\x12\x11\n\tso_filter\x18\x10 \x03(\x06*6\n\x0bsk_shutdown\x12\x08\n\x04NONE\x10\x00\x12\x08\n\x04READ\x10\x01\x12\t\n\x05WRITE\x10\x02\x12\x08\n\x04\x42OTH\x10\x03')
File "/usr/lib/python2.7/dist-packages/google/protobuf/descriptor.py", line 827, in __new__
return _message.default_pool.AddSerializedFile(serialized_pb)
TypeError: Couldn't build proto file into descriptor pool!
Invalid proto descriptor for file "sk-opts.proto":
NONE: "NONE" is already defined in file "rpc.proto".
NONE: Note that enum values use C++ scoping rules, meaning that enum values are siblings of their type, not children of it. Therefore, "NONE" must be unique within the global scope, not just within "sk_shutdown".
this fixes that.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
When running criu in swrk mode the client typically wants to know
the reason of failure. Right now criu reports back NOTHING but the
fact that dump/restore/etc fails. We've tried to address this by
introducing the cr-errno engine, but it doesn't seem to be informative
enough and is hard to maintain -- adding new errno-s is boring :(
I propose to report back the first message with ERROR level upon
failrure as __typically__ the very first error message indicates
that proceeding is impossible and criu rolls back (generating more
error messages, so it's crucial to know the very first one).
If we ever meet the situation that the first pr_err/pr_perror doesn't
cause criu to exit, this printing should be fixed to be pr_warn.
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Acked-by: Andrei Vagin <avagin@virtuozzo.com>
For the previously added option to skip in-flight connections this adds
that option to the RPC interface. The skip in-flight connections is also
described in criu.txt.
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Needed for container migration, where arguments are
set via p.haul as rpc request.
Signed-off-by: Nikita Spiridonov <nspiridonov@virtuozzo.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
For handling --cgroup-props, --cgroup-props-file and
--cgroup-dump-controller from RPC interface.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
this patch add join-ns option to criu CLI and RPC.
This opt can be used in this fomat:
--join-ns NS:PID|NS_FILE
for example --join-ns net:12345 or --join-ns net:/foo/bar.
pid namespaces is not supported yet. As fork() is needed to make
new pid-namespace work. That makes it hard for criu to track the
child-process through pid because another child process has been
created after fork().
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
This reverts commit a98014f306be4b4fefdf01af31e1efa5d83e5e4f.
As per Saied Kazemi, actually dump works without seccomp support
from the kernel on non-seccomped tasks. The only problem was with
criu check, but this would be addressed separately.
Reverting the commit not to burden the API with (yet) unneeded stuff.
Conflicts:
lib/c/criu.h
Sometimes we may want to use CRIU on older kernels which don't support
dumping seccomp state where we don't actually care about the seccomp state.
Of course this is unsafe, but it does allow for c/r of things using
seccomp on these older kernels in some cases. When the task is in
SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER with filters that block the
syscalls criu's parasite code needs, the dump will still fail.
Note that we disable seccomp by simply feigning that we are in mode 0. This
is a little hacky, but avoids distributing ifs throughout the code and
keeps them in this one place.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Saied Kazemi <saied@google.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Docker requested an option, when network devices and routes are not
dumped and not restored. Instead of this Docker will call libnetwork
hook to tune netns from the setup-namespaces action.
Cc: Saied Kazemi <saied@google.com>
Tested-by: Ross Boucher <boucher@gmail.com>
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
But keep @protobuf as a symlink: we have
this path encoded in sources. Gonna be
removed with time.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
