In particular, we won't be able to do memory tracking and
zero page detection.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
Kernel doesn't allow reading /proc/pid/map_files. This file
is used to get the pseudo device for anon shmem mappings, but
this info can be obtained by scanning the /proc/self/maps file.
This works slower, but still.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
When run from a regular user criu will get EACCES/EPERM from
opening proc, but in some situations criu will know how to
deal with it. So this patch makes it possible not to print
an error message in logs for such cases.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
We will need an extra space for memfd based
syscall (without poking the stack since it's
not that safe without additional tests).
So add @pad argument which will be used
to find proper memory for seized syscall
execution.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Right now we only get first 31 symbols of it, but in the
next patches full path would be required.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
We no longer support root-mode service and suid binaries, so
any artificial restrictions no longer make sense.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Looks-good-to-me: Andrew Vagin <avagin@virtuozzo.com>
To test c/r of creds we need a more precise way,
so let's add a few additional creds to test.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Otherwise we will not be able to access /proc/pid/* for the process.
v2: s/__NR_WAIT4/__NR_setresuid
Cc: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Modification time changes after cpt/rst file_attr test in VZ7CT:
CT-102 criu# cat test/zdtm/live/static/file_attr.out
15:05:05.315: 146: FAIL: file_attr.c:101: modification time has
changed (errno = 11 (Resource temporarily unavailable))
https://jira.sw.ru/browse/PSBM-41401
v2: add timeval message, test seems to pass now - remove noauto
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This, as well as restore, requires several steps to reach per-thread
support during dump stage
- @creds area to be fetched from the parasite is embedded into
  parasite_dump_structure
- when testing for a task to be dumpable we no longer compare caps
  because we now allow them to be different (and I renamed
  proc_status_creds_eq to proc_status_creds_dumpable for this
  sake)
- have to extend dump_thread_common to support dumping of
  creds (we call dump_thread_common in several places,
  in particular when we need to fetch misc params we don't
  need creds, here the @creds option comes into play)
- after this patch no creds-X.img file will be generated anymore,
  I guess we might drop it from descriptors with time
https://jira.sw.ru/browse/PSBM-41416
v2:
- In dump_task_creds() don't mangle the call for parasite_dump_creds
  and collect_lsm_profile
- PARASITE_MAX_GROUPS takes parasite_dump_thread into account because
  dump_thread_common now serves two cases: for plain misc parameters
  fetching and for creds as well (depending on the context)
- when testing for dumpable we still require the seccomp filters
  to match, they can be different and we need to support such
  configuration too but not in this series
v3:
- Rip off dump_task_creds completely, together with PARASITE_CMD_DUMP_CREDS,
  we dump creds unconditionally in dump_thread_common
- the group leader thread data is fetched via new
  parasite_dump_thread_leader_seized helper
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Because the creds parameters are to be passed inside pie/restorer
code but read before thread_restore_args and task_restore_args
structures are allocated we need a small trick and prepare
creds in several stages
- collect all creds data into separate private memory blobs
- once all memory needed for restorer is allocated we relocate
  pointers in these blocks and set up
  thread_restore_args::thread_creds_args to the appropriate
  address
- restorer works as usual and sets up creds parameters as before
v2:
- fix addressing in positioning of rst_ memory (I've occasionally
  zapped pointers and when sending patches forgot to merge changes
  back, so while I have the series successfully restoring containers
  with different creds, if merged the series won't work. So
  all changes are merged as appropriate)
- drop module's global @cap_last_cap from pie/restorer.c
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
For easier comparison, which is going to be addressed in the next patch.
https://jira.sw.ru/PSBM-41416
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Creds are per-thread data, declare them appropriately.
We will need this data to restore threads with different
credentials.
(In a scope of https://jira.sw.ru/browse/PSBM-41416)
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
The mountpoints.c test creates such mount and criu will try to
kerndat-check one, so this fs should be on "host".
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
The mountpoints.c test creates such mount and criu will try to
kerndat-check one, so this fs should be on "host".
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
A static test should not change its state during C/R
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Similar to devtmpfs and devpts, skip binfmt_misc
mount if it's not virtual.
Signed-off-by: Kirill Tkhai <ktkhai@odin.com>
Acked-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
A static test should not change its state during C/R.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Otherwise we can see this error:
5: Old files lost: set([])
5: New files appeared: set(['5', '6'])
Reported-by: Mr Jenkins
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Do so as in user-namespace on mainstream kernel writing to a file
with the suid bit set always clears these bits, regardless of CAP_FSETID.
(see in should_remove_suid plain capable() is used, and same in VZ7)
Also we have an alternative to wait until several patches get
into the MS kernel:
[PATCH v4 0/7] Initial support for user namespace owned mounts
https://lkml.org/lkml/2015/9/23/591
[PATCH v2 12/18] fs: Don't remove suid for CAP_FSETID in s_user_ns
http://www.spinics.net/lists/linux-fsdevel/msg92533.html
Got error while suspending/resuming file_attr test in VZ7CT:
CT-102 criu# cat test/zdtm/live/static/file_attr.out
13:11:01.952: 30635: FAIL: file_attr.c:96: permissions have changed
(errno = 11 (Resource temporarily unavailable))
https://jira.sw.ru/browse/PSBM-41401
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Currently criu dump may hang indefinitely, e.g. waiting for a task
that is blocked in vfork(), or the task could be in D state for some other
reason. This patch adds a time limit on collecting tasks during the
dump operation. If collecting processes takes too long, the dump
process will be terminated. The timeout is 5 seconds by default, but
it can be changed via a parameter.
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This moves cleanup code from cr_dump_tasks()/cr_pre_dump_tasks()
into separate functions. No functional changes here.
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Obviously we should print pre_dump_ret value if pre-dump failed.
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Use 'goto err;' everywhere. Remove 'pstree_switch_state(root_item, TASK_ALIVE)'
on error path as all collect_pstree() callers do this if collect_pstree()
failed.
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
1. Use PROC_SELF instead of pid as prepare_pid_* is used on restore only to
set value to current process.
2. Do not set default values.
Signed-off-by: Dmitry Safonov <dsafonov@odin.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>