Currently we wait when a namespace will be restored to get its root.
We need to open a namespace root to open a file to restore a memory mapping.
A process restores mappings and only then forks children. So we can have
a situation, when we need to open a file from a namespace, which will be
"restored" by one of our children.
The root task restores all mount namespaces and opens a file descriptor
for each of them. In this patch we open root for each mntns in the root
task.
If we neeed to get root of a namespace which isn't populated, we can get
it from the root task. After the CR_STATE_FORKING stage, the root task
closes all namespace descriptors ane we know that all namespaces are
populated at this moment.
v2: don't close root_fd for root ns, because it was not opened
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
The native pb engine doesn't accept types other than int or long:
...
File "/root/src/criu/pycriu/images/pb2dict.py", line 264, in dict2pb
pb_val.append(_dict2pb_cast(field, v))
File "/usr/lib/python2.7/site-packages/google/protobuf/internal/containers.py", line 111, in append
self._type_checker.CheckValue(value)
File "/usr/lib/python2.7/site-packages/google/protobuf/internal/type_checkers.py", line 104, in CheckValue
raise TypeError(message)
TypeError: 1.1258999068426252e+16 has type <type 'float'>, but expected one of: (<type 'int'>, <type 'long'>)
In particular, this is seen when encoding back so_filter field from
inetsk image.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Ruslan Kuprieiev <kupruser@gmail.com>
For historical reason we allocate the complete PATH_MAX
here just to fetch a word of freezer state. Lets relax
the stack pressue and rename @path to @state. Same time
make states @frozen, @freezing, @thawed being static,
we don't export them.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
It isn't required and it doesn't work in a case when
we want to bind-mount a file.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
To better understand the content of mm-<ID>.img and pagemap-<ID>.img
additional constant names have been added to better resolve the hex
value to symbolical names.
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
If a temporary mount is a shared one, a new mount can be
propagated into it.
Fixes: 0e9736ab68e0 ("mount: fix restoring a bind-mount when its root is overmounted)")
Reported-by: Mr Jenkins
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
We need to perform dirty page tracking when dumping shmem but there
we have only const vmas so we need pmc to work with them. Also pmc concept
implies that it won't change its vmas so it would be natural to declared
them as const.
Signed-off-by: Fyodor Bocharov <fbocharov@yandex.ru>
Signed-off-by: Eugene Batalov <eabatalov89@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
CRIU doesn't save vaddr of each anon shmem page in anon shared mem pagemap img.
It saves page offset from the beginning of anon shared memory area.
CRIU calls page_xfer_dump_pages() with non zero @off argument
to convert dumper virtual addresses to such offsets.
The problem is in page_xfer_dump_pages() code. It substracts @off
only for pages in pagemap but not for holes in pagemap.
Bug is fixed in this patch.
This patch is just a copy-paste of valid code path for pages to code path for holes.
Bug is not currently reproduced in CRIU because:
1. Only anon shmem provides non-zero @off value to page_xfer_dump_pages()
2. Anon shared memory doesn't create holes in its pagemap (for now)
This bugfix is a preparation for anon shared memory deduplication patchset.
Signed-off-by: Fyodor Bocharov <fbocharov@yandex.ru>
Signed-off-by: Eugene Batalov <eabatalov89@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Its only purpose if to verify that we can show up
a huge number of inotify in fdoutput (before
the kernel v3.18-rc1-7-ga3816ab we can show
only handles which fit page size in summary).
In particular we revealed that hald daemon makes
up to 35 notification marks which kernel can't
show up in a one pass and dump fails.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
When __nonuserns_sysctl_op() hits non-existing it goes to the next
iteration without updating 'req' pointer. Thus it continuously tries
to open non-exitsting entry until breaking out of loop.
We should go to the next sysctl instead.
Fixes: f79f4546cfc0 ("sysctl: move sysctl calls to usernsd")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
GCC now assumes by default that the stack is aligned to a 16-byte boundary.
It's very unlikely that parasite head's first call will contain
an SSE instruction which will segfault, but to be pedantically correct
will lose additional 8 bytes.
See also:
http://sourceforge.net/p/fbc/bugs/659/
Signed-off-by: Dmitry Safonov <dsafonov@odin.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
In LXD, we use the container name in the LSM profile. If the container name
is changed on migrate (on the host side), we want to use a different LSM
profile name (a. la. --cgroup-root). This flag adds that support.
v2: remove unused field, add comment about double detection in
kerndat_lsm()
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Currently decoded with --pretty image cannot be encoded back if there's
an IP address inside. "Just decoded" can.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Currently device numbers are shown as plain integers, but in
pretty output it's nice to see the major:minor pairs.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Ruslan Kuprieiev <rkuprieiev@cloudlinux.com>
The crit tool should decode and encode all images and after
de- and en- sequence the result should be the same as before.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Ruslan Kuprieiev <rkuprieiev@cloudlinux.com>
If someone wants to run all tests in any, but the most
difficult for criu, flavor, the 'best' one is introduced.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Ruslan Kuprieiev <rkuprieiev@cloudlinux.com>
Currently launcher doesn't know that some tests are skipped
and draws incorrect progress bar :)
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Ruslan Kuprieiev <rkuprieiev@cloudlinux.com>
It's used to restore bind-mounts. For example, we cat the common
part of bind-mounts:
Core was generated by `criu restore -vvvv --file-locks --tcp-established --evasive-devices --manage-cg'.
Program terminated with signal 11, Segmentation fault.
741 BUG_ON(target_root[tok] == '\0');
(gdb) bt
https://jira.sw.ru/browse/PSBM-41932
Reported-by: Virtuozzo QA Team
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Restore a receive queue in cases of:
1)socketpair with closed second end;
2)peer-less socket, who is a peer for others.
We use here a hack, it is the connect() with AF_UNSPEC family,
which clears peer of restoring socket. See unix_dgram_connect()
for the details.
This also makes socket_close_data test working.
SOCK_STREAM is supported in TCP_ESTABLISHED case in the same
function.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
v2: 1)Add a commentary near connect()
2)Delete test/zdtm/live/static/socket_close_data.desc
v3: delete ui->ue->peer check
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
In this case we mount source mount in a temporary place and use it to
create the bind-mount.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This is used to get a mount without over-mounted parts.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
When we're restoring fsnotify watchees we need to resolve
path to a handle at some mountpoint referred by @s_dev
member (device ID) which is saved inside image. This
ID actually may be changed at the every mount (say
one restores container after machine reboot) or in
case of container's migration.
Thus the test for overmounting in __open_mountpoint
will fail and we get an error.
Lets do a trick: introduce @s_dev_rt member which
is supposed to carry run-time device ID. When dumping
this member simply equal to traditional @s_dev fetched
from the procfs, but when restoring we fetch it from
stat call once mountpoint become alive.
https://jira.sw.ru/browse/PSBM-41610
v2:
- predefine MOUNT_INVALID_DEV
- use fetch_rt_stat instead of assigning device in restore_shared_options
- copy @s_dev_rt in propagate_siblings and propagate_mount
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
So here's the new test class that handles the test from
groups set. The class is inherited from zdtm_test one as
what it does is -- starts the pseudo-init in ns/uns flavors
and asks one to spawn() the sub-tests from the list.
All groups tests can only be run inside ns flavor, so if
the host flavor is asked, just the pseudo-init is spawned.
This is because using ns flavor is the easiest way to spawn
all the sub tests under this init (however, h flavor can be
supported by marking the pseudo-init as sub-reaper).
On stop this pseudo-init is signalled to stop, it in turn
stops all the sub-tests and then exits. When the pid
namespace destruction is complete, the sub-tests .out-s are
checked.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Introduce yet another tests set called 'groups'. Each test
in this set is a list of existing zdtm tests that can be
started side-by-side in an ns flavor.
To 'create' such a test the zdtm.py group action is used,
which lists tests and semi-randomly groups them together.
The grouping possibility is checked by comparing the .desc
files of those -- desc-s should coincide. One exception is
test dependencies, these are just merged together.
After running the group action there appears groups/ dir
with tests each containing just the list of zdtm tests
that are in a group. The respective .desc file is also
generated and this one matches the .desc for tests inside.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This is -- add ability to pull more than one binary into
mntns root and ability to start zdtm test with more stuff
in the environment than generated in start method itself.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
When starting inside ns flavor the test_init() routine prepares
the binary to be run inside namespaces. In particular this routine
fork()-s an init, execve()-s one to pick up mappings and exe from
the new mntns and then fork()-s the test itself. In order to go
back to test_init() for test initialization the execve() is done
again, but it's actually not required and confuses the reader.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This one is to set up uids for userns, do ip l s lo up for netns
and do the prepare_mntns(). BTW, the latter's code is shifted one
tab left as this is where it should be.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This patch implements checkpoint/restore functionality
for binfmt_misc mounts. Both magic and extension types
and "disabled" state are supported.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This test is for unix sockets open in DGRAM mode.
Server opens a socket, binds it and waits for a signal.
Client connects to the socket and sends a message.
After the signal server checks that data is readable,
and that it's still possible to connect to the bound
socket.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
So, first of all we've fixed (I hope) the security issues
spotted by RedHat people. Another big thing of this release
is the huge amount of bug fixes found while testing live
migration. And enhancements for live migration itself is
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Due to security reasons the systemd-spawn mode is no longer
supported in service.
Also fix the default binding address to be in local cwd not
to start global service by chance.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Currently we see that a cgroup yard are not umounted
with the ENOENT error, because cwd was changed.
v2: construct a path to remove a roots yard
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This conflicts with predefined constants in our own syscalls lib.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
We will need it for cr-check.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
iAcked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
