For swrk, service, dump, restore we need to raise
nr_file limit to be able to process containers with
a huge number of files opened.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
It has nothing to do with utils but
rather a separate service engine.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
It has a different alignment - rework ugly macro RT_SIGFRAME_UC_SIGMASK
into helpers.
Fixes: #666
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Travis CI with Xenial has 4.15 kernel these days - all support for ia32
C/R should be in place. Finally :)
Putting it into "allow_failures" to let it soak a bit.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Because Android NDK's clang is x86_64-linux-android28-clang --sysroot ${SYSROOT_PATH}
and its ld is x86_64-linux-android-ld,
it's not able to use a single pattern to describe clang and ld.
And there is an error for x86_64-linux-android-ld.
x86_64-linux-android-ld -L/home/ning/source/criu/protobuf-c/../target/lib -lprotobuf-c -r -z noexecstack -T ./compel/arch/x86/scripts/compel-pack.lds.S -o criu/pie/parasite.built-in.o criu/pie/parasite.o criu/pie/pie.lib.a ./compel/plugins/std.lib.a
./compel/compel-host hgen -f criu/pie/parasite.built-in.o -o criu/pie/parasite-blob.h
Error (compel/src/lib/handle-elf-host.c:335): Unexpected undefined symbol: `'. External symbol in PIE?
criu/pie/Makefile:49: recipe for target 'criu/pie/parasite-blob.h' failed
Rebuilding with the host ld passes the build,
so supporting CC/LD override from the command line lets the build pass.
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
criu/log.c:356:16: error: called object type 'int' is not a function or function pointer
int __errno = errno;
^~~~~
/root/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/errno.h:43:24: note: expanded from macro 'errno'
~~~~~~~^
criu/log.c:391:2: error: called object type 'int' is not a function or function pointer
errno = __errno;
^~~~~
/root/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/errno.h:43:24: note: expanded from macro 'errno'
in Android NDK's errno.h:
42: int* __errno(void) __attribute_const__;
43: #define errno (*__errno())
so rename __errno to _errno to pass build
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
it reports:
criu/pie/util-vdso-elf32.c:255:8: error: implicit declaration of function 'ELF32_ST_TYPE' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
if (ELF_ST_TYPE(sym->st_info) != STT_FUNC &&
^
criu/include/util-vdso.h:72:21: note: expanded from macro 'ELF_ST_TYPE'
^
/opt/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/linux/elf.h:114:26: note: expanded from macro 'ELF32_ST_TYPE'
^
criu/include/util-vdso.h:72:21: note: expanded from macro 'ELF_ST_TYPE'
add #ifndef to check whether these macros are already defined.
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
with Android P's Clang version: 6.0.2, and Android NDK's Clang version 8.0.2
Clang will report below error:
criu/compel/include/uapi/compel/sigframe-common.h:55:34: error: expected member name or ';' after declaration specifiers
int __unused[32 - (sizeof (k_rtsigset_t) / sizeof (int))];
~~~ ^
It takes __unused as an attribute, not a variable; change it to _unused to pass compilation.
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
In Android NDK, <elf.h> doesn't have defines for:
NT_X86_XSTATE
NT_PRSTATUS
so add these defines to pass compile.
NOTE: adding <linux/elf.h> will cause more build errors
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
We want to commit --check-mounts feature to vz-criu. But to maintain
image level compatibility between ms-criu and vz-criu one shouldn't use
the same field id for different data. So add a comment that this id is
reserved.
Android NDK's strings.h doesn't have the index function.
Declare this function in CRIU, just like pivot_root.
An implementation of the index function still needs to be provided to link CRIU.
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
1. Do not hardcode libnl's cflags.
When cross-compiling CRIU, libnl's header files should not point to the host.
2. Remove the link to rt.
Android NDK doesn't have the rt library, and CRIU does not really need it,
so disable it to pass linking.
Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Restoring a multi-threaded process with CRIU's SELinux support fails
because SELinux does not always support changing the process context of
a multi-threaded process.
Reading the man-page for setcon(), to change the context of a running
process, it states that changing the SELinux context of a multi-threaded
process can only work 'if the new security context is bounded by the old
security context'.
To be able to restore a process without the need to have 'the new
security context [] bounded by the old security context', this sets the
SELinux process context before creating the threads. Thus all threads
are created with the process context of the main process.
Signed-off-by: Adrian Reber <areber@redhat.com>
The flag --security-opt doesn't use the colon separator (:) anymore
to divide keys and values, instead it uses the equal symbol (=) for
consistency with other similar flags, like --storage-opt.
Deprecated in release: v1.11.0
Target for removal in release: v17.06
https://docs.docker.com/engine/deprecated/#653
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
This tests if CRIU can restore a process with the same policy as during
checkpointing.
The test selinux00 is started and if SELinux is available the test
process moves itself to another process context. To make this possible
either a new SELinux policy needs to be available containing:
2d537cabbb
Or for a short time SELinux is switched to permissive mode.
The correct SELinux setup is done by zdtm/static/selinux00.checkskip and
zdtm/static/selinux00.hook and after the test the previous SELinux
policy state is restored.
After the test case is restored the test case checks if it still has the
same SELinux process context as before. If not, the test case fails.
Signed-off-by: Adrian Reber <areber@redhat.com>
If running on a system with SELinux enabled the socket for the
communication between parasite daemon and the main CRIU process needs to
be correctly labeled.
Initially this was motivated by Podman's use case: The container is
usually running as something like '...:...:container_t:...:....' and
CRIU started from runc and Podman will run as
'...:...:container_runtime_t:...:...'. The parasite will be running
with the same context as the container process: 'container_t'.
Allowing a container process to connect via socket to the outside
of the container ('container_runtime_t') is not desired and therefore
CRIU needs to label the socket with the context of the
container: 'container_t'.
So this first gets the context of the root container process and tells
SELinux to label the next created socket with the same label as the root
container process. For this to work it is necessary to have the correct
SELinux policies installed. For Fedora based systems this is part of the
container-selinux package.
This assumes that all processes CRIU wants to dump are labeled with the
same SELinux context. If some of the child processes have different
labels this will not work and needs additional SELinux policies. But the
whole SELinux socket labeling relies on the correct SELinux being
available.
Signed-off-by: Adrian Reber <areber@redhat.com>
There was support for SELinux process labels in CRIU but because it was
never tested or verified CRIU only supported the 'unconfined_t' process
label. This was basically no SELinux support.
For successful container checkpoint and restore on a SELinux enabled
host it is necessary that the restored container has the same process
context as before checkpointing.
This commit only removes the check if the label is 'unconfined_t' and
now stores any process label to be restored.
For 'normal' processes started from the command-line which are usually
running in the 'unconfined_t' this just works.
For the container use case this needs additional policies. The latest
container-selinux package on Fedora has the necessary policy to allow
CRIU (running as 'container_runtime_t' when used from Podman) to
transition the restored process to 'container_t'.
Restoring a process running under systemd's control (which means
'unconfined_service_t' without additional policies) will fail because
CRIU will not be allowed to change the context of the restored process.
For each additional CRIU use case on SELinux enabled systems, besides
container processes and command-line/shell processes, additional SELinux
policies are required to allow CRIU to do a 'dyntransition' (change the
Signed-off-by: Adrian Reber <areber@redhat.com>
It was never designed to run params in async mode,
and I have always been against this change because async
here is too fragile.
p.s.:
I think this might be a reason for
https://github.com/checkpoint-restore/criu/issues/647
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Removed return value assignment statements as they are not referenced or used
anywhere after the assignment is done.
Fixes #334: Removing Unneeded Assignments
Signed-off-by: Mitul Karnik <mitulkarnik.92@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Use faccessat() in check_path_remap() to check if the file (relative
to root of mnt ns) is accessible or not.
Signed-off-by: Ashutosh Mehra <asmehra1@in.ibm.com>
binfmt_misc.c:168:23: error: ‘sprintf’ may write a terminating nul past the end of the destination [-Werror=format-overflow=]
168 | sprintf(path, "%s/%s", dirname, NAME[i]);
| ^
Signed-off-by: Adrian Reber <areber@redhat.com>
Support for printing early log messages was recently added, which makes this
comment no longer relevant.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
In rpc.proto the interface to query the CRIU version number uses major
and minor as keywords. This creates errors when using the RPC
definitions with C++: https://github.com/checkpoint-restore/criu/issues/625
In this commit the fields are renamed from major to major_number and
from minor to minor_number.
For existing programs using the RPC protobuf definition this should be a
transparent change. Only for programs importing the latest rpc.proto it
will require code changes.
Signed-off-by: Adrian Reber <areber@redhat.com>
Combine the functionality of socket_set_non_blocking() and
socket_set_blocking() into a new function, and move it in
criu/util.c to enable reusability throughout the code base.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
When the --ps-socket option is specified the provided file descriptor
of a socket will be reused for the incoming TCP connection. In such a case
the --address and --port options are ignored.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
The variable `len` is used only to calculate the value of `end`. We
already have the static inline function pagemap_len(), which can be
used instead.
Acked-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
The server socket is marked as nonblocking, and if the client doesn't
connect, accept() will fail and set errno to EAGAIN (or EWOULDBLOCK).
Instead, use poll to wait for POLLIN event on the file descriptor.
Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
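Added example, not part of the commit above or of CRIU's source: a sketch of waiting for POLLIN on a non-blocking listening socket before calling accept(), so that a missing client shows up as a timeout instead of an EAGAIN failure. The helper names listen_nonblock() and accept_timeout(), the loopback address and the timeout values are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: non-blocking listener on 127.0.0.1, kernel-chosen port. */
static int listen_nonblock(struct sockaddr_in *addr)
{
	socklen_t len = sizeof(*addr);
	int sk = socket(AF_INET, SOCK_STREAM, 0);

	*addr = (struct sockaddr_in){ .sin_family = AF_INET,
				      .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
	if (sk < 0 || bind(sk, (struct sockaddr *)addr, len) || listen(sk, 1) ||
	    getsockname(sk, (struct sockaddr *)addr, &len) ||
	    fcntl(sk, F_SETFL, fcntl(sk, F_GETFL) | O_NONBLOCK)) {
		if (sk >= 0)
			close(sk);
		return -1;
	}
	return sk;
}

/* Wait for POLLIN, then accept(); returns the client fd or a negative errno. */
static int accept_timeout(int sk, int timeout_ms)
{
	struct pollfd pfd = { .fd = sk, .events = POLLIN };
	int ret = poll(&pfd, 1, timeout_ms);

	if (ret < 0)
		return -errno;		/* includes EINTR; the caller may retry */
	if (ret == 0)
		return -ETIMEDOUT;	/* nobody connected in time */
	if (!(pfd.revents & POLLIN))
		return -EIO;		/* POLLERR or POLLNVAL on the listener */
	ret = accept(sk, NULL, NULL);
	return ret < 0 ? -errno : ret;	/* the client may have gone away already */
}

int main(void)
{
	struct sockaddr_in addr;
	int sk = listen_nonblock(&addr);

	/* Nobody connects here: expect a clean timeout, not an EAGAIN failure. */
	return sk < 0 || accept_timeout(sk, 100) != -ETIMEDOUT;
}
```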
Running crit with python2 gives the following minimal help message:
$ crit/crit
usage: crit [-h] {decode,encode,info,x,show} ...
crit: error: too few arguments
On a python3-only system, crit shows the following error:
$ crit/crit
Traceback (most recent call last):
File "crit/crit", line 6, in <module>
cli.main()
File "/home/criu/crit/pycriu/cli.py", line 334, in main
opts["func"](opts)
KeyError: 'func'
Using this patch the python3 output changes to:
$ crit/crit
usage: crit [-h] {decode,encode,info,x,show} ...
crit: error: too few arguments
Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
When the --ps-socket option is used with page-server, instead of
--address and --port, this message would appear as:
(00.028440) Disconnect from the page server (null):0
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
From man inet_pton(3):
inet_pton() returns 1 on success (network address was successfully
converted). 0 is returned if src does not contain a character
string representing a valid network address in the specified
address family. If af does not contain a valid address family,
-1 is returned and errno is set to EAFNOSUPPORT.
We can assume that the return value is 1 or 0 (because af is set to
AF_INET4 or AF_INET6), therefore errno will not be set.
If a user attempts to bind a server using invalid network address the
following error message will be shown:
Bad server address: Success
This is not very clear. With this change the error message will look
like this:
Invalid server address "localhost". The address must be in IPv4 or IPv6 format.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
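Added example, not part of the commit above or of CRIU's source: a sketch of validating a numeric server address with inet_pton() and reporting failure with an explicit message, next to a helper that shows errno stays 0 after a failed parse. The names parse_server_addr() and errno_after_bad_parse() and the buffer sizes are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Hypothetical helper, not CRIU's function: parse a numeric server address.
 * Returns AF_INET or AF_INET6 and fills *ss; on failure returns 0 and writes
 * a message to err. Only supported families are passed to inet_pton(), so it
 * returns 1 or 0 and errno says nothing about the failure.
 */
static int parse_server_addr(const char *src, struct sockaddr_storage *ss,
			     char *err, size_t errlen)
{
	struct sockaddr_in *v4 = (struct sockaddr_in *)ss;
	struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)ss;

	memset(ss, 0, sizeof(*ss));
	if (inet_pton(AF_INET, src, &v4->sin_addr) == 1) {
		ss->ss_family = AF_INET;
		return AF_INET;
	}
	if (inet_pton(AF_INET6, src, &v6->sin6_addr) == 1) {
		ss->ss_family = AF_INET6;
		return AF_INET6;
	}
	snprintf(err, errlen, "Invalid server address \"%s\". "
		 "The address must be in IPv4 or IPv6 format.", src);
	return 0;
}

/* errno as an errno-based message would see it after a failed parse. */
static int errno_after_bad_parse(const char *src)
{
	struct in_addr a;

	errno = 0;
	return inet_pton(AF_INET, src, &a) == 1 ? -1 : errno;
}

int main(void)
{
	struct sockaddr_storage ss;
	char err[160] = "";

	if (!parse_server_addr("localhost", &ss, err, sizeof(err)))
		puts(err);
	return errno_after_bad_parse("localhost");	/* 0: nothing in errno */
}
```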
* "post-resume" was introduced with commit:
2ab599398ddbde3449f1b9d4d3f5152591854cff
cr-restore: "post-resume" hook introduced
This hook is called at the very end, when everything is restored and processes
were resumed.
Can be used for some actions, which require an operational container, like
restarting of systemd autofs services.
* "post-setup-namespaces" was introduced with commit:
eec66f3d30f9ccd75a8f1fab6920c20933eecd64
criu [PATCH] post-setup-namespaces
Introduce post-setup-namespaces action script
It is needed to have the possibility to run a custom script after the mount
namespace is configured
* "orphan-pts-master" was introduced with commit:
6afe523d97d59e6bf29621b8aa0e6a4332f710fc
tty: notify about orphan tty-s via rpc
Now Docker creates a pty pair from a container devpts to use it as console.
A slave tty is set as a control tty for the init process and bind-mounted
into /dev/console. The master tty is handled externally.
Now CRIU can handle external resources, but here we have internal resources
which are used externally.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
Suppress the false positive fail in criu-live-migration job:
https://ci.openvz.org/job/CRIU/job/criu-live-migration/job/criu-dev/1796/
[criu]# ./test/zdtm.py run -t zdtm/static/overmounted_file -f uns --lazy-migrate
=== Run 1/1 ================ zdtm/static/overmounted_file
=================== Run zdtm/static/overmounted_file in uns ====================
Start test
Test is SUID
./overmounted_file --pidfile=overmounted_file.pid --outfile=overmounted_file.out --dirname=overmounted_file.test
Run criu dump
Test zdtm/static/overmounted_file FAIL at criu dump exited with 1 ######
Send the 9 signal to 49
Wait for zdtm/static/overmounted_file(49) to die for 0.100000
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
The '-R' is short for '--leave-running', which is a boolean option and
does not require an argument.
From getopt(3) man page:
optstring is a string containing the legitimate option characters. If
such a character is followed by a colon, the option requires an
argument, ...
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>