There is a pull request in the CRIU repository which allows CRIU to run as a non-root user by setting the CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE capabilities.
I built the PR branch following the instructions in the readme.
It creates a criu executable (/path_to_criu_repo/criu/criu).
To set CAP_SYS_ADMIN, I used sudo setcap cap_sys_admin=eip /path/to/criu/executable
To set CAP_CHECKPOINT_RESTORE, I had to upgrade Ubuntu to at least 21.04, and use sudo setcap cap_checkpoint_restore=eip /path/to/criu/executable
When running the CRIU dump and restore command, use --unprivileged
Further to what @anjumfatima90 already did, I tried the same experiment, following the above but running Liberty rather than a simpler process. I needed CAP_CHECKPOINT_RESTORE, CAP_SYS_PTRACE, and CAP_NET_ADMIN to successfully dump/restore the process. That suggests that we can substitute the more granular CAP_SYS_PTRACE and CAP_NET_ADMIN caps for CAP_SYS_ADMIN.
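The comment above reports that CAP_CHECKPOINT_RESTORE, CAP_SYS_PTRACE and CAP_NET_ADMIN were sufficient, so the file capabilities on a deployed criu binary can be audited against that set. The script below is an added example, not code from this issue or from the CRIU project; the function names and verdict labels are hypothetical, and it assumes the binary path contains no spaces.

```shell
#!/bin/sh
# Added example: audit `getcap` output for a criu binary against the
# capability set reported in the thread. parse_caps/audit_line and the
# verdict labels are illustrative names, not part of CRIU or libcap.

# Capabilities the comment found sufficient to dump/restore Liberty.
ALLOWED="cap_checkpoint_restore cap_sys_ptrace cap_net_admin"

# Print the capability names in one getcap output line, one per line.
# Accepts both libcap print styles:
#   /path = cap_a,cap_b+eip      (older)
#   /path cap_a,cap_b=eip        (newer)
parse_caps() {
    case $1 in *" "*) ;; *) return 0 ;; esac   # no capability field at all
    rest=${1#* }                # drop the path (assumed to have no spaces)
    rest=${rest#= }             # drop the "= " separator of the older style
    for clause in $rest; do
        names=${clause%%[-+=]*}         # strip the operator and flags (=eip, +ep)
        [ -n "$names" ] || names=all    # a bare "=ep" clause grants every capability
        printf '%s\n' "$names" | tr ',' '\n'
    done
}

# Print a verdict for one getcap line and return 0 only for "ok":
#   ok     only capabilities from ALLOWED are granted
#   broad  cap_sys_admin (or every capability) is granted
#   extra  some other capability outside ALLOWED is granted
#   none   the file carries no capabilities
audit_line() {
    verdict=none
    for cap in $(parse_caps "$1"); do
        case $cap in
            cap_sys_admin|all) echo broad; return 1 ;;
        esac
        case " $ALLOWED " in
            *" $cap "*) [ "$verdict" != none ] || verdict=ok ;;
            *) verdict=extra ;;
        esac
    done
    echo "$verdict"
    [ "$verdict" = ok ]
}

# Usage: sh audit.sh /path/to/criu/executable [more binaries...]
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_line "$(getcap "$f")")"
done
```

A `broad` verdict marks a binary still carrying cap_sys_admin, which the comment suggests can be replaced by the narrower set.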
The actual work to make this happen is in the ci.docker repo as well as the criu repo to add unprivileged support to criu itself. Closing this issue. New issues can be created for future issues we may find with running unprivileged.