| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Signed-off-by: Alexander Mikhalitsyn <alexander@mihalicyn.com>
[Added test_author to zdtm test]
Signed-off-by: Dmitry Safonov <dima@arista.com>
|
|
After Centos-8 nft used instead of iptables. But we had never supported nft rules in
CRIU, and after c/r all rules are flushed.
Co-developed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Signed-off-by: Alexander Mikhalitsyn <alexander@mihalicyn.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
|
|
Include warnings that the kernel uses during compilation:
-Wstrict-prototypes: enforces full declaration of functions.
Previously, when declaring extern void func(), one can call func(123)
and have no compilation error. This is dangerous. The correct declaration
is extern void func(void).
Signed-off-by: Nicolas Viennot <Nicolas.Viennot@twosigma.com>
[Generated a commit message from the pull request]
Signed-off-by: Dmitry Safonov <dima@arista.com>
|
|
Include warnings that the kernel uses during compilation:
-Wdeclaration-after-statement: enforces having variables declared at the top of scopes
Signed-off-by: Nicolas Viennot <Nicolas.Viennot@twosigma.com>
[Generated a commit message from the pull request]
Signed-off-by: Dmitry Safonov <dima@arista.com>
|
|
It seems like Ubuntu introduced a overlayfs change which breaks CRIU:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1857257
This disables overlayfs (unfortunately) in most tests by switching to
devicemapper or vfs.
Upstream kernels do not seem to have this problem.
This also adds the 'docker-test' for xenial which still has a working
overlayfs from CRIU's point of view.
Also adjust Podman Ubuntu package location
Podman Ubuntu packages are now available via OBS and no longer via PPA.
Signed-off-by: Adrian Reber <areber@redhat.com>
|
|
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
TCP keepalive packets can be used to determine if a connection
is still valid. When the SO_KEEPALIVE option is set, TCP packets
are periodically sent to keep the connection alive.
This patch implements checkpoint/restore support for SO_KEEPALIVE,
TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT options.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
The py-future package has been renamed to py3-future [1] and py2 package
for yaml has been dropped [2].
[1] https://git.alpinelinux.org/aports/commit/main?id=316d44abaed13964e97eb43c095cd1b64e3943ad
[2] https://git.alpinelinux.org/aports/commit/main?id=e369c1fd7707a73f2c3e2b11b613198d9a4106de
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
Signed-off-by: Nicolas Viennot <Nicolas.Viennot@twosigma.com>
|
|
Make xfeatures_mask check explicit. We were relying on our guess about
hardware "backward compatibility" and used ">" check here for a long
time. But it looks better to explicitly check that all xfeature bits
available on the source are also available on the destination.
For xsave_size we need to have smaller size on destination than on
source, because xsave operation on small allocated buffer may corrupt
the nearby data. So split up comments about xfeatures_mask and
xsave_size, as having single comment for quiet a different cases is less
understandable.
v2: improve comments, remove extra else-ifs, remove extra typecast
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
|
|
Test checks that if the /proc/sys/net/unix/max_dgram_qlen value has
been changed in process net namespace, then it is saved after c/r.
Signed-off-by: Alexander Mikhalitsyn <alexander@mihalicyn.com>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
|
|
The /proc/sys/net/unix/max_dgram_qlen is a per-net variable and
we already noticed that systemd inside a container may change its value
(for example it sets it to 512 by now instead of kernel's default
value 10), thus we need keep it inside image and restore then.
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Alexander Mikhalitsyn <alexander@mihalicyn.com>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
|
|
When we do clone threads in a later stage of restore procedure
it may race with helpers which do call clone_noasan by self.
Thus we need to walk over each clone_noasan call and figure
out if calling it without last_pid lock is safe.
- open_mountpoint: called by fusectl_dump, dump_empty_fs,
binfmt_misc_dump, tmpfs_dump -- they all are processing
dump stage, thus safe
- call_helper_process: try_remount_writable -- called from
various places in reg-files.c, in particular open_reg_by_id
called in parallel with other threads, needs a lock
remount_readonly_mounts -- called from sigreturn_restore,
so in parallel, needs a lock
- call_in_child_process: prepare_net_namespaces -- called
from prepare_namespace which runs before we start forking,
no need for lock
Thus call_helper_process should use lock_last_pid and
unlock_last_pid helpers and wait for subprocess to finish.
Same time put a warning text into clone_noasan comment
so next time we need to use it we would recall the pitfalls.
v2:
- fix unitialized ret variable
v3:
- use exit_code instead of ret
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
|
|
We've seen ppoll interrupted with signal in VZ7 CT migration tests, that
is because in the beggining of CR_STATE_RESTORE_SIGCHLD zombies and
helpers die, and that can trigger SIGCHILDs sent to their parents.
Adding additional debug (printing "Task..." for zombies and helpers) in
sigchld_handler I see:
(15.644339) pie: 1: Task 10718 exited, status= 0
(15.644349) pie: 1: Cleaning inotify events from 29
(15.644359) pie: 1: Cleaning inotify events from 19
(15.644367) pie: 1: Cleaning inotify events from 10
And previousely we had:
(05.718449) pie: 104: Cleaning inotify events from 5
(05.718835) pie: 330: Cleaning inotify events from 3
(05.719046) pie: 1: Cleaning inotify events from 23
(05.719164) pie: 80: Cleaning inotify events from 7
(05.719185) pie: 1: Error (criu/pie/restorer.c:1287): Failed to poll from inotify fd: -4
(05.719202) pie: 95: Cleaning inotify events from 6
(05.719269) pie: 1: Error (criu/pie/restorer.c:1890): Restorer fail 1
So reordering cleanup and wait should fix it.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
|
|
We will continue accepting patches.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
It doesn't require to create a temporary directory and mount the proc
file system in it.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
It doesn't require to create a temporary directory and mount the proc
file system in it.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
It doesn't require to create a temporary directory and mount the proc
file system in it.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
until it will not be fixed.
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Signed-off-by: Nidhi Gupta <itsnidhi16@gmail.com>
|
|
Fixes the following compile-error:
> CC socket-tcp-fin-wait1.o
> socket-tcp-fin-wait1.c:144:26: error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int]
> if (write(fd, TEST_MSG + 2, sizeof(TEST_MSG) - 2) != sizeof(TEST_MSG) - 2) {
> ~~~~~~~~~^~~
> socket-tcp-fin-wait1.c:144:26: note: use array indexing to silence this warning
> if (write(fd, TEST_MSG + 2, sizeof(TEST_MSG) - 2) != sizeof(TEST_MSG) - 2) {
> ^
> & [ ]
> 1 error generated.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
The original/old guide probably doesn't work anymore:
- the patch isn't accessible;
- criu now depends on more libraries not only protobuf
Still, keep it as it might be helpful for someone.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Fixes: #455
Based-on-patch-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Helps to cross-compile zdtm tests in case somebody needs it.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
The very same hack to build aarch32 zdtm tests on armv8 Travis-CI
as in the commit dfa0a1edcbcb ("Makefile hack for travis
aarch64/armv8l")
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Maybe not that useful, but only little change needed.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Instead of doing additional `uname -m` - use provided $(SUBARCH) to detect
what architecture flavour the build should produce the result for.
Fixes two things:
- zdtm make now correctly supplies $(USERCFLAGS)
- subtly fixes cross compilation by providing a way to specify $(SUBARCH)
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
It's always equal ARCH and not very useful (so nothing actually uses it).
Time for a change: SUBARCH now is meaningful and gives a way to detect
what kind of ARCH flavor build is dealing with.
Also, for cross-compiling sake don't set SUBARCH if the user supplied it.
(and don't call useless uname during cross compilation)
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
It's not used anywhere now.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
SRCARCH is always equal ARCH. There are no rules when to use one or
another and architectures may forget to set one of them up.
No need for a second variable meaning the same and confusing people.
Remove it completely.
Self-correction [after some debug]: SRCARCH was different in one place:
zdtm Makefile by some unintentional mistake:
> ifeq ($(ARCH),arm64)
> ARCH ?= aarch64
> SRCARCH ?= aarch64
> endif
That meant to be "ARCH := aarch64" because "?=" would never work inside
that ifeq. Fix up this part of mess too.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Update zdtm tests to verify that CRIU does not require the --root
path to be accessible to the unprivileged user being restored when
restoring user namespace.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
Replacing the if->continue pattern with if->elif->else
reduces the number of lines while preserving the logic.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
These requirements have been described in
https://github.com/opencontainers/runc/blob/b133feae/libcontainer/container_linux.go#L1265
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
When restoring a container with user namespace, CRIU fails to create
a temporary directory for proc. The is because the unprivileged user
that has been just restored does not have permissions to access the
working directory used by CRIU.
Resolves #828
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
When restoring a runc container with enabled user namespace CRIU fails
to mount the specified root directory because the path is under
/run/runc which is inaccessible to unprivileged users.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
|
|
Kernels 5.4 and higher will restrict availability of UFFD_EVENT_FORK only
for users with SYS_CAP_PTRACE. This prevents running --lazy-pages tests
with 'uns' flavor.
Disable 'uns' for lazy pages testing in travis for newer kernels.
Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
|
|
The amount of lazy-pages options keeps growing, let's put the common ones
into a variable.
Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
|
|
Before this change CRIU would checkpoint all controllers, even the ones
not specified in --cgroup-dump-controller. That becomes a problem if
there's a cgroup controller on the checkpointing machine that doesn't
exist on the restoring machine even if CRIU is instructed not to dump
that controller. After that change everything works as expected.
Signed-off-by: Michał Cłapiński <mclapinski@google.com>
|
|
All those compel functions can fail by various reasons.
It may be status of the system, interruption by user or anything else.
It's really desired to handle as many PIE related errors as possible
otherwise it's hard to analyze statuses of parasite/restorer
and the C/R process.
At least warning for logs should be produced or even C/R stopped.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Currently if anything fails after network has been unlocked tasks aren't
killed. Which doesn't work anyway: any stage sets `ret` and nothing
later gets called. Which means the tasks aren't resumed properly.
Furthermore, functions like catch_tasks() and compel_stop_on_syscall()
return failure on the first error.
Let's do the cleanup even when the network is unlocked.
If we want to keep the mess and ignore failures - a cli option should be
introduced for that (and existing code should be reworked with decisions
what is critical and what can be ignored).
Move "Restore finished successfully" message accordingly where
everything is evidently good.
While at here, any late failure will result not only in cleanup but in
criu returning error code.
Which in result makes tests to fail in such case:
> ======================= Run zdtm/static/inotify04 in ns ========================
> Start test
> ./inotify04 --pidfile=inotify04.pid --outfile=inotify04.out --dirname=inotify04.test
> Run criu dump
> =[log]=> dump/zdtm/static/inotify04/84/1/dump.log
> ------------------------ grep Error ------------------------
> (00.119763) fsnotify: openable (inode match) as zdtm/static/inotify04.test/inotify-testfile
> (00.119766) fsnotify: Dumping /zdtm/static/inotify04.test/inotify-testfile as path for handle
> (00.119769) fsnotify: id 0x00000b flags 0x000800
> (00.119787) 88 fdinfo 5: pos: 0 flags: 4000/0
> (00.119796) Warn (criu/fsnotify.c:336): fsnotify: The 0x00000c inotify events will be dropped
> ------------------------ ERROR OVER ------------------------
> Run criu restore
> =[log]=> dump/zdtm/static/inotify04/84/1/restore.log
> ------------------------ grep Error ------------------------
> (00.391582) 123 was stopped
> (00.391667) 106 was trapped
> (00.391674) 106 (native) is going to execute the syscall 11, required is 11
> (00.391697) 106 was stopped
> (00.391720) Error (compel/src/lib/infect.c:1439): Task 123 is in unexpected state: b7f
> (00.391736) Error (compel/src/lib/infect.c:1447): Task stopped with 11: Segmentation fault
> ------------------------ ERROR OVER ------------------------
> 5: Old maps lost: set([])
> 5: New maps appeared: set([u'10000-1a000 rwxp', u'1a000-24000 rw-p'])
> ############### Test zdtm/static/inotify04 FAIL at maps compare ################
> Send the 9 signal to 106
> Wait for zdtm/static/inotify04(106) to die for 0.100000
> ======================= Test zdtm/static/inotify04 PASS ========================
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Unknown state means that the task in the end may be not in wanted state.
Return err code.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Maybe expected, hopefully never happens - let's warn in any case.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Too late to stop restore: it's already printed that restore was
successful. Oh, well warn aloud about infection.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Probably, not the worst that could happen, but still unexpected.
Preparing the ground to make compel_cure*() functions __must_check.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
On daemon stop or threads dump failures it's still desired to remove
parasite from the remote (if possible). Try best and keep hopeing.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
|
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
|
