github.com/checkpoint-restore/criu.git
author: Adrian Reber <areber@redhat.com>, 2021-05-03 17:14:28 +0300
committer: Andrei Vagin <avagin@gmail.com>, 2022-10-25 17:26:42 +0300
commit: 1db95afd02c754beea33c6071b4070e3c35cf77b
tree: e61cad11c07c030ad64ebe36e4be736cc5a70b32
parent: 2cb3da2ff5367e43581b316f50c15e79fc9817c0
Documentation: add details about --unprivileged

This adds the non-root section and information about the parameter --unprivileged to the man page.

Co-authored-by: Anna Singleton <annabeths111@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Anna Singleton <annabeths111@gmail.com>

-rw-r--r-- Documentation/criu.txt 32
1 files changed, 32 insertions, 0 deletions
diff --git a/Documentation/criu.txt b/Documentation/criu.txt
index 8d2e91443..3b68f16a4 100644
--- a/Documentation/criu.txt
+++ b/Documentation/criu.txt
@@ -155,6 +155,12 @@ not compatible with *--external* *dev*.
notification message contains a file descriptor for
the master pty
+*--unprivileged*::
+ This option tells *criu* to accept the limitations when running
+ as non-root. Running as non-root requires *criu* at least to have
+ *CAP_SYS_ADMIN* or *CAP_CHECKPOINT_RESTORE*. For details about running
+ *criu* as non-root please consult the *NON-ROOT* section.
+
*-V*, *--version*::
Print program version and exit.
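Review bot: the new *--unprivileged* entry says the option "tells *criu* to accept the limitations" but does not say what happens when criu is run as non-root without it; one sentence stating that behaviour would make clear the option is mandatory, which is what the NON-ROOT section later in this patch implies with "always necessary". In the same entry, "requires *criu* at least to have" reads better as "requires *criu* to have at least", and because the NON-ROOT section also asks for *CAP_SYS_PTRACE* or a ptrace_scope of 0, the entry should not read as the complete list of requirements.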
@@ -877,6 +883,32 @@ configuration file will overwrite all other configuration file settings
or RPC options. *This can lead to undesired behavior of criu and
should only be used carefully.*
+NON-ROOT
+--------
+*criu* can be used as non-root with either the *CAP_SYS_ADMIN* capability
+or with the *CAP_CHECKPOINT_RESTORE* capability introduces in Linux kernel 5.9.
+*CAP_CHECKPOINT_RESTORE* is the minimum that is required.
+
+*criu* also needs either *CAP_SYS_PTRACE* or a value of 0 in
+*/proc/sys/kernel/yama/ptrace_scope* (see *ptrace*(2)) to be able to interrupt
+the process for dumping.
+
+Running *criu* as non-root has many limitations and depending on the process
+to checkpoint and restore it may not be possible.
+
+In addition to *CAP_CHECKPOINT_RESTORE* it is possible to give *criu* additional
+capabilities to enable additional features in non-root mode.
+
+Currently *criu* can benefit from the following additional capabilities:
+
+ - *CAP_NET_ADMIN*
+ - *CAP_SYS_CHROOT*
+ - *CAP_SETUID*
+ - *CAP_SYS_RESOURCE*
+
+Independent of the capabilities it is always necessary to use "*--unprivileged*" to
+accept *criu*'s limitation in non-root mode.
+
EXAMPLES
--------
To checkpoint a program with pid of *1234* and write all image files into
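Review bot: the list of additional capabilities at the end of the NON-ROOT section (*CAP_NET_ADMIN*, *CAP_SYS_CHROOT*, *CAP_SETUID*, *CAP_SYS_RESOURCE*) does not say which feature each one enables, so an administrator cannot tell which to grant and which to leave off; a short phrase per entry would fix that, and the "many limitations" mentioned two paragraphs earlier would benefit from at least a few named examples. The first paragraph has a typo, "introduces in Linux kernel 5.9" should be "introduced", and "*CAP_CHECKPOINT_RESTORE* is the minimum that is required" sits awkwardly beside the next paragraph, which also requires *CAP_SYS_PTRACE* or ptrace_scope 0. In the closing sentence, "*criu*'s limitation" should be plural to match the earlier wording.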