The following error is falsely reported by flake8:
lib/py/images/pb2dict.py:266:24: F821 undefined name 'basestring'
This error occurs because `basestring` is not available in Python 3,
however the if condition on the line above ensures that this error
will not occur at run time.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
In the Fedora tests we install python3-pip only to install flake8.
This is not necessary as there is a Fedora package for flake8.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
More and more python2 packages are being removed from future Fedora
releases. This removes python2 packages explicitly listed in CRIU's
Dockerfiles, which all are not required for the current level of
testing.
Signed-off-by: Adrian Reber <areber@redhat.com>
To be able to run the test containers in scripts/build with podman this
puts the name of the container runtime into $CONTAINER_RUNTIME.
Now it can be overridden with
make fedora-rawhide CONTAINER_RUNTIME=podman
Signed-off-by: Adrian Reber <areber@redhat.com>
Including the version information of CRIU in criu.h is required by
projects that use libcriu to preserve backward compatibility.
Closes #738
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
Since we use _i as a counter in macro declaration
we should use it as a reference. This macro simply
happens to work now because of being called with
variable i declared in the caller code.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
To get error message in log if no memory available.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
To shrink code a bit.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
When logs are massive it is convenient for grepping.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
No need to spam on every pmc_init call.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
- make names more descriptive
- add comments
- use union for nr_priv_pages and rst_priv_size since
former priv_size has been used with different meaning:
number of pages during checkpoint time and size in bytes
on restore moment
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
To eliminate side effects, in particular setting nr_aios
is already missing here.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
Integer value is too short.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
We allocate with xzalloc, no need for additional zero assignments.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
In case we may use previous pipe the pipe_off
gets set directly so no need for redundant unconditional
assignment.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Acked-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
1. Basic check if property is migrated
2. Check that property is restored for existing children
3. Check that child subreaper does not affect reparenting
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Michał Cłapiński <mclapinski@google.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
1. Checkpoint it via parasite.
2. Restore it after forking.
Signed-off-by: Michał Cłapiński <mclapinski@google.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
The `libprotobuf-c0-dev` virtual package is no longer available
in Debian Buster, but is provided by `libprotobuf-c-dev`, which
is available.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In zdtm.py, the page size is hardcoded as 4096, but on ppc64le, it is equal
to 64K and all tests fail with errors like this:
ERROR: bad page counts, stats = 13 real = 208(0)
Signed-off-by: Andrei Vagin <avagin@gmail.com>
It is inspired by the discussion about inotify fix:
https://github.com/checkpoint-restore/criu/pull/728#issuecomment-506929427
From one point of view, warnings might be important to understand why we
detect some visible change in the environment after c/r-ing the process,
and if this change is expected or not. So we should add "Warn" messages
to the output.
From the other point of view, these warnings, if they are expected, can
spoil our final logs with a lot of unnecessary details, so add changes in
previous patches to silence the most noisy of these warnings.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
We want to grep warnings from zdtm tests to travis final logs.
And I see a lot of these:
Warn (criu/image.c:137): Failed to open parent directory
If there is no parent images directory then there is no previous dump
and no pid-reuse problem with pagemaps possible, so it is fine to have
no parent inventory image at the same time which is used here to fix the
problem. This always happens on the first iteration of iterative dump.
So don't warn here.
While on it also fix error message in detect_pid_reuse.
v2: add detect_pid_reuse part
v3: improve comments
We want to grep warnings from zdtm tests to travis final logs.
And I see a lot of these:
(00.250989) Warn (criu/pagemap.c:90): Missing 7f84103e3000 in parent pagemap
(00.250999) p 0x7f84103f5000 [1]
We do a lookup of an intersecting pagemap entry with a memory region we
want to dedup, it is expected that sometimes we don't have some subrange
in pagemap entries. So these should not be a warning, make it debug
message.
While on it change the message to save us from being confused with other
"Missing..." error messages, and change abstract "parent image" message
to the IDs of pages image in all messages in dedup_one_iovec().
v2: print image ids
criu-3.12/criu/files-reg.c:774: leaked_storage: Variable "img" going out
of scope leaks the storage it points to.
criu-3.12/criu/files-reg.c:788: leaked_storage: Variable "img" going out
of scope leaks the storage it points to.
criu-3.12/criu/files-reg.c:797: leaked_storage: Variable "img" going out
of scope leaks the storage it points to.
Signed-off-by: Adrian Reber <areber@redhat.com>
criu-3.12/criu/util.c:879:9: warning: Null pointer passed as an argument
to a 'nonnull' parameter
criu-3.12/criu/util.c:1171:3: warning: Value stored to 'ret' is never
read
Signed-off-by: Adrian Reber <areber@redhat.com>
criu-3.12/criu/seize.c:648: leaked_storage: Variable "threads" going out
of scope leaks the storage it points to.
Signed-off-by: Adrian Reber <areber@redhat.com>
criu-3.12/criu/sk-inet.c:575: identical_branches: The same code is
executed when the condition "pb_write_one(img_from_set(glob_imgset,
CR_FD_FILES), &fe, PB_FILE)" is true or false, because the code in the
if-then branch and after the if statement is identical. Should the if
statement be removed?
Signed-off-by: Adrian Reber <areber@redhat.com>
Instead of using tty_mutex value in atomic context
(which is wrong, since it is not atomic) better move
tty_mutex allocation into cr_restore_tasks where all
our initializers live. Otherwise weird race effect
might be observed.
Reported-by: Deng Guangxing <dengguangxing@huawei.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Segmentation fault was raised while trying to restore a process with
tty. Coredump file says this is caused by uninitialized tty_mutex:
  (gdb) where
  #0 0x00000000004d7270 in atomic_add_return (i=1, v=0x0) at include/common/asm/atomic.h:34
  #1 0x00000000004d7398 in mutex_lock (m=0x0) at include/common/lock.h:151
  #2 0x00000000004d840c in __pty_open_ptmx_index (index=3, flags=2, cb=0x4dce50 <open_pty>, arg=0x11, path=0x5562e0 "ptmx") at criu/tty.c:603
  #3 0x00000000004dced8 in pty_create_ptmx_index (dfd=17, index=3, flags=2) at criu/tty.c:2384
Since init_tty_mutex() is reentrant, just call it before
mutex_lock().
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
By default, CRIU will verify the certificate of a server (with
gnutls_certificate_verify_peers3()) by providing the value specified
with "--address" as a hostname.
As part of the verification process, this value will be compared
against the common name (CN) included in the TLS certificate of the
server. If the CN doesn't match the TLS handshake will be terminated
and CRIU will exit with an error.
Although, this is an important feature that is used to mitigate MITM
attacks, a user might need to disable such hostname verification for
a particular use case or testing purposes.
For instance, this option is needed when the common name included in
the certificate corresponds to the server's domain name and an IP
address is being used to establish connection.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
This commit adds Transport Layer Security (TLS) support for remote
page-server connections.
The following command-line options are introduced with this commit:
  --tls-cacert FILE    Trust certificates signed only by this CA
  --tls-cacrl FILE     CA certificate revocation list
  --tls-cert FILE      TLS certificate
  --tls-key FILE       TLS private key
  --tls                Use TLS to secure remote connections
The default PKI locations are:
  CA certificate             /etc/pki/CA/cacert.pem
  CA revocation list         /etc/pki/CA/cacrl.pem
  Client/server certificate  /etc/pki/criu/cert.pem
  Client/server private key  /etc/pki/criu/private/key.pem
The files cacert.pem and cacrl.pem are optional. If they are not
present, and not explicitly specified with a command-line option,
CRIU will use only the system's trusted CAs to verify the remote
peer's identity. This implies that if a CA certificate is specified
using "--tls-cacert" only this CA will be used for verification.
If CA certificate (cacert.pem) is not present, certificate revocation
list (cacrl.pem) will be ignored.
Both (client and server) sides require a private key and certificate.
When the "--tls" option is specified, a TLS handshake (key exchange)
will be performed immediately after the remote TCP connection has been
accepted.
X.509 certificates can be generated as follows:
-------------------------%<-------------------------
# Generate CA key and certificate
echo -ne "ca\ncert_signing_key" > temp
certtool --generate-privkey > cakey.pem
certtool --generate-self-signed \
        --template temp \
        --load-privkey cakey.pem \
        --outfile cacert.pem
# Generate server key and certificate
echo -ne "cn=$HOSTNAME\nencryption_key\nsigning_key" > temp
certtool --generate-privkey > key.pem
certtool --generate-certificate \
        --template temp \
        --load-privkey key.pem \
        --load-ca-certificate cacert.pem \
        --load-ca-privkey cakey.pem \
        --outfile cert.pem
rm temp
mkdir -p /etc/pki/CA
mkdir -p /etc/pki/criu/private
mv cacert.pem /etc/pki/CA/
mv cert.pem /etc/pki/criu/
mv key.pem /etc/pki/criu/private
-------------------------%<-------------------------
Usage Example:
Page-server:
  [src]# criu page-server -D <PATH> --port <PORT> --tls
  [dst]# criu dump --page-server --address <SRC> --port <PORT> \
              -t <PID> -D <PATH> --tls
Lazy migration:
  [src]# criu dump --lazy-pages --port <PORT> -t <PID> -D <PATH> --tls
  [dst]# criu lazy-pages --page-server --address <SRC> --port <PORT> \
              -D <PATH> --tls
  [dst]# criu restore -D <PATH> --lazy-pages
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
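
Added example (not part of the CRIU commit or of CRIU's code): a pre-flight audit of the PKI tree that the commit message above describes, reporting which trust anchors "--tls" would end up using. The paths and trust rules are the ones the message states; the optional root-prefix argument, the output wording and the key-permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example, not CRIU code. Paths are the defaults listed in the commit
# message; the optional ROOT prefix (for staging trees) is an assumption.
criu_tls_audit() {
    root="${1:-}"
    cacert="$root/etc/pki/CA/cacert.pem"
    cacrl="$root/etc/pki/CA/cacrl.pem"
    cert="$root/etc/pki/criu/cert.pem"
    key="$root/etc/pki/criu/private/key.pem"
    rc=0

    # Both sides require a certificate and a private key.
    for f in "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "FAIL missing or empty: $f"
            rc=1
        fi
    done

    # Assumption of this example: the key must carry no group/other bits.
    # Characters 5-10 of the ls mode string are the group and other triplets.
    if [ -f "$key" ]; then
        perms=$(ls -ldL "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL key accessible to group/other: $key"
            rc=1
        fi
    fi

    # Trust anchors: with cacert.pem only that CA is used; without it the
    # system CAs are used and cacrl.pem is ignored.
    if [ -f "$cacert" ]; then
        echo "INFO trust: only $cacert"
        if [ -f "$cacrl" ]; then
            echo "INFO crl: $cacrl"
        else
            echo "INFO crl: none"
        fi
    else
        echo "WARN trust: system CAs (cacert.pem absent)"
        if [ -f "$cacrl" ]; then
            echo "WARN crl ignored without cacert.pem: $cacrl"
        fi
    fi
    return "$rc"
}
```

Call `criu_tls_audit` with no argument to check the live default locations, or with a directory prefix to check a staged tree; a non-zero return means a required file is missing or the key is readable beyond its owner.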
There are two notable open-source libraries that provide TLS
implementation - OpenSSL and GnuTLS. The license of OpenSSL
is incompatible with CRIU's license, and therefore GnuTLS is
the recommended choice.
GnuTLS offers an API to access secure communication protocols. These
protocols provide privacy over insecure lines, and are designed to
prevent eavesdropping, tampering or message forgery.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
- make sure the alloc_openable is not failed with
memory error, so that we should not lookup via
irmap
- irmap lookup should provide us a copy of the path
instead of reference to irmap entry
https://github.com/checkpoint-restore/criu/issues/698
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>