From 1db95afd02c754beea33c6071b4070e3c35cf77b Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Mon, 3 May 2021 14:14:28 +0000 Subject: Documentation: add details about --unprivileged This adds the non-root section and information about the parameter --unprivileged to the man page. Co-authored-by: Anna Singleton Signed-off-by: Adrian Reber Signed-off-by: Anna Singleton --- Documentation/criu.txt | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/Documentation/criu.txt b/Documentation/criu.txt index 8d2e91443..3b68f16a4 100644 --- a/Documentation/criu.txt +++ b/Documentation/criu.txt @@ -155,6 +155,12 @@ not compatible with *--external* *dev*. notification message contains a file descriptor for the master pty +*--unprivileged*:: + This option tells *criu* to accept the limitations when running + as non-root. Running as non-root requires *criu* at least to have + *CAP_SYS_ADMIN* or *CAP_CHECKPOINT_RESTORE*. For details about running + *criu* as non-root please consult the *NON-ROOT* section. + *-V*, *--version*:: Print program version and exit. @@ -877,6 +883,32 @@ configuration file will overwrite all other configuration file settings or RPC options. *This can lead to undesired behavior of criu and should only be used carefully.* +NON-ROOT +-------- +*criu* can be used as non-root with either the *CAP_SYS_ADMIN* capability +or with the *CAP_CHECKPOINT_RESTORE* capability introduces in Linux kernel 5.9. +*CAP_CHECKPOINT_RESTORE* is the minimum that is required. + +*criu* also needs either *CAP_SYS_PTRACE* or a value of 0 in +*/proc/sys/kernel/yama/ptrace_scope* (see *ptrace*(2)) to be able to interrupt +the process for dumping. + +Running *criu* as non-root has many limitations and depending on the process +to checkpoint and restore it may not be possible. + +In addition to *CAP_CHECKPOINT_RESTORE* it is possible to give *criu* additional +capabilities to enable additional features in non-root mode. + +Currently *criu* can benefit from the following additional capabilities: + + - *CAP_NET_ADMIN* + - *CAP_SYS_CHROOT* + - *CAP_SETUID* + - *CAP_SYS_RESOURCE* + +Independent of the capabilities it is always necessary to use "*--unprivileged*" to +accept *criu*'s limitation in non-root mode. + EXAMPLES -------- To checkpoint a program with pid of *1234* and write all image files into -- cgit v1.2.3