There can be a more sophisticated security policy, but right now
generic non-root user doesn't have any bits in there, so requiring
them to be zero is a sane starting point.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
There's ... a number of places where we want to do something
with /proc/self/fd/%d path. Each time we guess buffer size
that is enough for this. Make standard constant for this and
save some space on stack and drop args for some functions.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
CRIU puts wd-s for one inotify in one row (one after another),
so when collecting next wd, we can find the ify to attach them
to faster.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
The inotify_add_watch generates wd-s one-by one. We cannot
request for one, thus we call this syscall till the required
wd is generated.
Thus, if we want to restore several wd-s for an inotify, we
have to put them in ascending order. Otherwise we may restore
watch with higher wd earlier and will thus not be able to
generate the lower wd in a reasonable time.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Hi!
Added "has_log_level = true" to test.c, so "log_level = 4" would have effect.
Also added log_level to test.py, for symmetry with test.c.
Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
In case if we hit error returned from syscall, better
to print error code for easier understanding of the
protblem.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
To get more detailed error desciption. Also print watchdog
number if it exceed expected, for better error output.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This kind of netdevice will serve for external
links such as venet, macvlan/vlan and etc.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Don't carry it around in a static global variable. Would
be useful for pidns leaks (processes entered one) scan.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
There is no much point to strdup this value
obtained from command line. It sits in environment
and we don't modify it at all.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
The maximal size which may be used in the kernel for sending TCP data
on restore is varies depending on how many memory installed on the
system, moreover the memory allocated for "read queue" is bigger than
used for "write queue". Thus when we checkpointed a big slab of data
we need to figure out which size is allowed for sending data on restore.
For this we read /proc/sys/net/ipv4/tcp_[wmem|rmem] on restore and calculate
the size needed, then we simply chop data to segements and send it
in a loop.
Typical output on restore is something like
| (00.013001) 30110: TCP queue memory limits are 2097152:3145728
https://bugzilla.openvz.org/show_bug.cgi?id=2751
[xemul: moved stuff to kerndat.c]
Reported-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
We usually print error messages starting with capital letter.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
It was written but wasn't included into standard run because
ip tool with needed functionality wasn't available "upstream".
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
By default just use the iptables-save and iptables-restore commands.
User may define CR_IPTABLES variable, in this case the "sh -c $CR_IPTABLES"
would be called.
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Lets use one default log filename. User can set if in request, if needed.
Signed-off-by: Ruslan Kuprieiev <kupruser@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
We need to detect parasite crashes to not hangs on socket operations.
CRIU ptraces parasite. So if it crashes, SIGCHLD is received.
If a parasite daemon crashed, we can to do nothing. The state of current
process can't be restored, because we can't to drop the signal. The
state of other processes are consistent. Probably the best choise in
this case is to exit.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
