Both never worked, we need to pass them as explicit parameters.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
This will separate the clean process into two parts:
- deleting binaries/objects/temp
- deleting generated files
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We define our own SYS_memfd_create in case it's missing
in libc, but we need it for user-namespace restore.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Add new action script tmp-files.sh, which allows user to
add files that can be lost between checkpoint and restore to the dump.
User files are stored in .tar.gz archive.
Tar command does all the file paths and attributes related work.
Fixes #65
Signed-off-by: Svyatoslav Vlasov <svloyso@gmail.com>
Signed-off-by: Eugene Batalov <eabatalov89@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Travis uses cpusets in such a way [1] that we can't actually write to
cpuset.cpu_exclusive ever, so none of these tests will work. They'll still
work in jenkins, though, so disabling them is probably ok.
Closes #118
[1]: https://github.com/travis-ci/worker/blob/master/backend/docker.go#L66
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
The problem with --no-print-directory set by default is when we
run :make from vim and compilation performed by a sub-make fails,
vim can't figure out the correct path to a file with error, so
instead of jumping to the position of the first error, it opens
a new empty file.
When make prints "Entering directory ..." and "Leaving directory ..."
messages, vim :make works as intended.
[Alternatively, we could add -w to $(MAKE) invocations where needed,
but the problem is --no-print-directory overrides -w even if -w comes
later in the options list, so -w is not working. I was also thinking
about detecting whether we are running from vim, but then we'll need
to add detection for emacs etc., so let's keep things simple.]
Cc: Andrey Vagin <avagin@openvz.org>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
With GNU make, using .PHONY leads to the same result as using
the "FORCE" hack, but unlike FORCE it is not a hack. Since we do not
plan to use any other make implementation than GNU make, let's not
provide FORCE in nmk.
For more details about why PHONY is better than FORCE, see
http://www.gnu.org/software/make/manual/make.html#index-FORCE
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
With GNU make, using .PHONY leads to the same result as using
the "FORCE" hack, but unlike FORCE it is not a hack. Since we do not
plan to use any other make than GNU make, let's just mark phony
targets as such.
For more details about why PHONY is better than FORCE, see
http://www.gnu.org/software/make/manual/make.html#index-FORCE
[v2: rebased and split]
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
It is usual to reference PowerPC 64-bit architectures as 'ppc64',
and let 'powerpc' define PowerPC 32-bit ones.
Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
These packages are needed for proper build:
* git-core: to get CRIU version (see Makefile)
* pkg-config, libselinux-dev: to check for selinux
(see criu/Makefile.config)
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Acked-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Make the Makefile leaner and cleaner.
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Acked-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We can't execute userns tests, because the kernel is too old there.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
That will complement existing CFLAGS_ and ASFLAGS_.
As no one uses it yet (I will use it, do not remove) - no need
for a convert-everything patch.
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Fixes: afae962c668d ("dockerfile: extract a common part in one file")
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
To add a new feature test - add it to FEATURES_LIST.
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
map is very good at generating rules.
Just map gen function to array of its parameters.
Don't forget to eval the result.
I'll use it in feature-tests generation and in someday coming
compat 32-bit mode - in x86 makefiles.
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
As was intended from scratch.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Some places in criu need printing support, but do not need
common variables redefining, therefore separate msg printing
to msg.mk
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
Just got a situation inside a VM where a pretty new
kernel with memfd has been installed (and as a result
__NR_memfd_create shipped with kernel headers
is provided as well) but libc was old, having no
SYS_memfd_create defined. Thus we've got an error
because we use exactly SYS_ number for calls.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
This is the initial import of the NMK engine which we're gonna use for
building CRIU and related tools.
It's very tiny, and while here we merge it as is, in future
it's gonna be rather a submodule from
https://github.com/cyrillos/nmk
The idea is to have a unified build engine for most tools
we're gonna use.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
We don't need it without systemd configs.
Signed-off-by: Ruslan Kuprieiev <rkuprieiev@cloudlinux.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
As it is not recommended to run criu as a root system service, let's
remove the service file to stop encouraging people to do it.
Signed-off-by: Ruslan Kuprieiev <rkuprieiev@cloudlinux.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This patch changes the build chain to not use pie objects in the crtools
executable.
This is done by building the shared source files twice:
1. for parasite/restorer as '<file>-pie-build.o'
2. for crtools as '<file>.o'
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
linux/seccomp.h may not be available, and the seccomp mode might not be
listed in /proc/pid/status, so let's not assume those two things are
present.
v2: add a seccomp.h with all the constants we use from linux/seccomp.h
v3: don't do a compile time check for PTRACE_O_SUSPEND_SECCOMP, just let
ptrace return EINVAL for it; also add a checkskip to skip the
seccomp_strict test if PTRACE_O_SUSPEND_SECCOMP or linux/seccomp.h
aren't present.
v4: use criu check --feature instead of checkskip to check whether the
kernel supports seccomp_suspend
Reported-by: Mr. Jenkins
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Andrew Vagin <avagin@odin.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
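
An added example, not CRIU's own code, of the defensive handling the commit message above describes: the seccomp mode constants are defined locally instead of relying on linux/seccomp.h, and a missing "Seccomp:" line in /proc/pid/status is read as "disabled" rather than as an error. The helper name seccomp_mode_from_status and both status samples are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local fallbacks (values match the kernel UAPI) so the build does not
 * depend on linux/seccomp.h being installed. */
#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_DISABLED 0
#define SECCOMP_MODE_STRICT   1
#define SECCOMP_MODE_FILTER   2
#endif

/* Constructed samples: an old kernel that prints no Seccomp line, and a
 * newer one that does (note the unrelated Seccomp_filters line). */
static const char status_old[] = "Name:\tcat\nState:\tR (running)\nPid:\t4242\n";
static const char status_new[] =
	"Name:\tcat\nPid:\t4242\nNoNewPrivs:\t0\nSeccomp:\t1\nSeccomp_filters:\t0\n";

/* Hypothetical helper: returns the seccomp mode found in the status text,
 * SECCOMP_MODE_DISABLED if the field is absent, -1 if it is malformed. */
int seccomp_mode_from_status(const char *status)
{
	static const char key[] = "Seccomp:";
	const char *line = status;

	while (line && *line) {
		if (strncmp(line, key, sizeof(key) - 1) == 0) {
			const char *p = line + sizeof(key) - 1;
			char *end;
			long mode;

			while (*p == ' ' || *p == '\t')
				p++;
			if (*p < '0' || *p > '9')
				return -1;              /* no number on the line */
			mode = strtol(p, &end, 10);
			if ((*end != '\n' && *end != '\0') || mode > SECCOMP_MODE_FILTER)
				return -1;              /* trailing junk or unknown mode */
			return (int)mode;
		}
		line = strchr(line, '\n');          /* advance to the next line */
		if (line)
			line++;
	}
	return SECCOMP_MODE_DISABLED;               /* field not listed by kernel */
}

int main(void)
{
	printf("old kernel: %d\n", seccomp_mode_from_status(status_old));
	printf("new kernel: %d\n", seccomp_mode_from_status(status_new));
	return 0;
}
```
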
Unfortunately, SECCOMP_MODE_FILTER is not currently exposed to userspace,
so we can't checkpoint that. In any case, this is what we need to do for
SECCOMP_MODE_STRICT, so let's do it.
This patch works by first disabling seccomp for any processes who are going
to have seccomp filters restored, then restoring the process (including the
seccomp filters), and finally resuming the seccomp filters before detaching
from the process.
v2 changes:
* update for kernel patch v2
* use protobuf enum for seccomp type
* don't parse /proc/pid/status twice
v3 changes:
* get rid of extra CR_STAGE_SECCOMP_SUSPEND stage
* only suspend seccomp in finalize_restore(), just before the unmap
* restore the (same) seccomp state in threads too; also add a note about
how this is slightly wrong, and that we should at least check for a
mismatch
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Currently it is not possible to enable criu service after "make install",
as it has no [Install] section in criu.service file.
Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This patch adds support for checkpoint and restore of two linux security
modules (apparmor and selinux). The actual checkpoint or restore code isn't
that interesting, other than that we have to do the LSM restore in the restorer
blob since it may block any number of things that we want to do as part of the
restore process.
I tried originally to get this to work using libraries in the restorer blob,
but I could _not_ get things to work correctly (I assume I was doing something
wrong with all the static linking, you can see my draft attempts here:
https://github.com/tych0/criu/commits/apparmor-using-libraries ). I can try to
resurrect this if it makes more sense to do it that way, though.
v2: lsm_profile lives in creds.proto instead of the task core, look in a more
canonical place for selinuxfs and don't try to special case any selinux
profile names.
v3: only allow unconfined selinux profiles
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>