Add new action script tmp-files.sh, which allows user to
add files that can be lost between checkpoint and restore to the dump.
User files are stored in .tar.gz archive.
Tar command does all the file paths and attributes related work.
Fixes#65
Signed-off-by: Svyatoslav Vlasov <svloyso@gmail.com>
Signed-off-by: Eugene Batalov <eabatalov89@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
So, here it is. We planned not only to re-shuffle the code, but
also to provide compel thing to people, but have only managed to
do the former. OK, the compel then would go in 2.1 :)
But, we also change the dev-n-release model, so from now on we
have 2 branches and release stable one every month to show new
stuff earlier.
Have fun!
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
otherwise this mount will not be propagated into non-existant mounts
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We could do the math on the consuming side (and indeed, I tried), but it
seems much cleaner to just not include this in the first place so that all
consumers of it don't need to do the same thing.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
As the comment says, we don't need to restore speical cpuset props twice,
and indeed it can cause the restore to fail, e.g.:
(00.092356) Error (cgroup.c:1240): cg: Failed writing 0-3 to cpuset//lxc/centoss/cpuset.cpus
(00.582490) 18: Error (cgroup.c:1009): cg: Can't move 18 into systemd//lxc/centos/system.slice/systemd-journald.service/tasks (-1/-1): No such file or directory
(00.582497) 18: Error (cgroup.c:1124): cg: Can't move into systemd//lxc/centos/system.slice/systemd-journald.service/tasks (-1/-1): No such file or directory
(00.582567) 43: Error (cgroup.c:1009): cg: Can't move 43 into systemd//lxc/centos/system.slice/console-getty.service/tasks (-1/-1): No such file or directory
(00.582573) 43: Error (cgroup.c:1124): cg: Can't move into systemd//lxc/centos/system.slice/console-getty.service/tasks (-1/-1): No such file or directory
(00.582886) 1: Error (cr-restore.c:1306): 18 exited, status=1
(00.594670) Error (cr-restore.c:1308): 7906 killed by signal 9
(00.623099) Error (cr-restore.c:2138): Restoring FAILED.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
The errno here is useful information for debugging, we should also print
it.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Instead of all the flags and checks in dump_task_cgroup, let's just collect
every new non-criu cgset.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
The call to unshare(CLONE_NEWCGROUP) is done unconditionally
in prepare_cgns(), which is wrong -- some detection of the
fact that we have this ns should be there.
This detection (as I see it) -- is whether we've found at
least one cgroup with cgns prefix.
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
The current code doesn't work becuase ghost files and directories
have different formats.
ghost directories are created from a root task, but they are
cleaned up from the criu process, so reg_file_info is allocated
from shared memory and is_dir is added into it.
Fixes#120
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
I suggest to inject a fault and than try to execute the same command
again without a fault to check that it will complete successfully.
v2: skip a parasite blob when we are checking vma-s
v3: remove a loop for two iterations
v4: clean up
v5: call fault hooks from one place
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Before we were unshare(CLONE_NEWCGROUP)ing in a child task, which meant
that we couldn't c/r this test once we forbid nested cgroup namespaces.
Instead, use a new strategy for testing cgroup namespaces: set up the
namespace before forking the test task so there is no nesting, and then do
a setns back to init's ns to check the cgroup namespace of the test. This
doesn't work in the 'ns' flavor because init in the test's pid ns is the
test itself. There is a bit of a chicken and egg problem here, though,
because if we set it up after test_init(), we can't unshare because that
would be a nested cgroup ns.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Because we don't support nested cgroup namespaces, we can just grab the
cgns prefixes from the root cgset's prefix list. This means we only have to
query one task for its cgroup file, instead of potentially each of them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Basically, instead of --cgroup-root replacing the actual root, when a cgns
is present, it just replaces the namespace prefix. See patch comments for
details.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We rely on the synchronous-ness of the behavior because we assume that the
task is in all the right cgroups when forking its children. If it's not,
and the child has the same cgroups as its parent but not all the moves are
done, it might end up in /.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
These flags are restored differently, so let's not make extra namespaces
where we don't need them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Instead of doing all the work in collect_cgroup() to figure out whether or
not we've collected this cgroup already, let's only call it if we created a
new cgset in the first place.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
After some discussion with Serge Hallyn, it seems that the current
implementation of cgroup namespaces doesn't really support nesting. It's
not a quick fix, so let's disable this for now (not that it matters, since
probably nobody is nesting these anyways right now :)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
b428a3a2fb allows dumping containers with
multi-headed freezer cgroups, but we can't restore these containers without
some help at restore time too.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
When working with mntns, the absolute path in parent symlink will
not be open-able on restore. However, completely banning this case
is not good.
Affects #116
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
nr_gotpcrel is the last variable which name we can't set with piegen's
option. Let's introduce option for that.
It will help for including two generated blobs simultaneously.
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Some libcs buffer writes to FILE*, which means that we error on fclose
instead of write, which makes it hard to figure out what property actually
failed writing.
Also shorten the error path a bit. Hopefully this patch will help with
debugging #118
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
The restore process uses these modules as well, so let's modprobe them.
This prevents:
(00.217856) 1: Running ip rule delete
(00.218970) 1: Running ip rule delete
(00.220059) 1: Running ip rule delete
(00.221695) 1: Running ip rule restore
(00.223068) 1: Running iptables-restore for iptables-restore
(00.439385) 1: Running ip6tables-restore for ip6tables-restore
modprobe: ERROR: could not insert 'ip6_tables': Operation not permitted
ip6tables-restore v1.6.0: ip6tables-restore: unable to initialize table 'filter'
Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
When we run "make install" the python's setup
script prepares all directories for modules
but if we need to run crit from the source
tree without its install then we fall in trouble
because python doesn't know where the fetch
pycriu from.
Thus simply provide the symlink to the modules
emulating that instalation complete.
Note this is for developers conveniency only
because for end users "make install" always
must has place.
Reported-by: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
At one point in the cgns patchsets I had removed this, but somehow it got
lost in the shuffle. Since we support this now, let's remove this
restriction.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We don't have a way to dump proccess blocked in vfork(), hence
mark this test as expected to fail.
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
execlp() fails when we run vfork00 test inside namespace because we don't have
'/bin/true' there. Instead of execlp() in vfork-child we can just _exit().
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
$ echo test//home/avagin/git/criu
test//home/avagin/git/criu
v2: use double quotes to run pwd
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Consider the case where --freeze-cgroup=/lxc/foo, but (e.g. with systemd in
lxc), all of the tasks actually live in a set of sub cgroups, e.g.
/lxc/foo/init.scope and others. In this case, we will have a multi-headed
controller, since there is nothing in the common parent. We should just
save the freezer value in all of these heads instead of failing.
Note that this doesn't address the larger problem that only the top level
freezer.state file is c/r'd, or waht happens when the container itself has
frozen tasks but not at the top level. After some discussion, there is no
nice way to atomically test-and-set the cgroup freezer, so we'll need some
other kernel help. But I'll ignore this for now :)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
As with the socket diag modules, since we might be using the
ip*filter_tables modules, we should preload those as well, in case the host
system hasn't already loaded them. Really, I should implement netlink
buffer dumping so we can get rid of this hack :)
v2: remember to close /dev/null fd after using it
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We better should switch to nmk usage.
But lets c/p for now.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We can do this, but we need to be sure that all structures
are consistent in any moment and we need to block alarm when
they are inconsistent.
I don't think that we really want to do this now. I suggest to
interrupt a current syscall if an alarm signal is triggered.
v2: print an error message before exiting
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
They are running inside dumpee space so should not
be injected with Gcov instructions.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
