criu: Add support for shared ipc,uts,time ns

When a container config specifies path for an existing namespace, CRIU should use this namespace during restore. This patch is make use of the criu_join_ns_add() libcriu API to specify the shared container namespace to be used on restore. Signed-off-by: Radostin Stoyanov <[email protected]>
containers · Oct 4, 2021 · 3afcc4b · 3afcc4b
1 parent e2c3d8c
commit 3afcc4b
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/configure.ac b/configure.ac
@@ -124,6 +124,8 @@ AC_ARG_ENABLE([criu], AS_HELP_STRING([--disable-criu], [Disable CRIU based check
 AS_IF([test "x$enable_criu" != "xno"], [
 	PKG_CHECK_MODULES([CRIU], [criu >= 3.15], [have_criu="yes"], [have_criu="no"
 		AC_MSG_NOTICE([CRIU headers not found, building without CRIU support])])
+	PKG_CHECK_MODULES([CRIU], [criu > 3.16], [have_criu_join_ns="yes"], [have_criu_join_ns="no"
+		AC_MSG_NOTICE([CRIU version doesn't support join-ns API])])
 		AS_IF([test "$have_criu" = "yes"], [
 			AC_DEFINE([HAVE_CRIU], 1, [Define if CRIU is available])
 			AC_SEARCH_LIBS(criu_init_opts, [criu])
@@ -170,6 +172,7 @@ AC_SEARCH_LIBS([argp_parse], [argp], [], [AC_MSG_ERROR([*** argp functions not f
 
 AM_CONDITIONAL([PYTHON_BINDINGS], [test "x$with_python_bindings" = "xyes"])
 AM_CONDITIONAL([CRIU_SUPPORT], [test "x$have_criu" = "xyes"])
+AM_CONDITIONAL([CRIU_JOIN_NS_SUPPORT], [test "x$have_criu_join_ns" = "xyes"])
 
 AC_CONFIG_FILES([Makefile rpm/crun.spec])
 

diff --git a/src/libcrun/criu.c b/src/libcrun/criu.c
@@ -42,6 +42,10 @@
 #  define CRIU_EXT_NETNS "extRootNetNS"
 #  define CRIU_EXT_PIDNS "extRootPidNS"
 
+#ifndef CLONE_NEWTIME
+#  define CLONE_NEWTIME 0x00000080 /* New time namespace */
+#endif
+
 static const char *console_socket = NULL;
 
 static int
@@ -645,8 +649,11 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
       goto out_umount;
     }
 
-  /* If there is a PID or network namespace defined in config.json we are telling
-   * CRIU to restore the process into that namespace.
+  bool join_ns_support = criu_check_version(31601) == 1;
+
+  /* If a namespace defined in config.json we are telling
+   * CRIU use that namespace when restoring the process tree.
+   *
    * CRIU expects the information about the namespace like this:
    * --inherit-fd fd[<fd>]:<key>
    * The <key> needs to be the same as during checkpointing (extRootNetNS). */
@@ -665,6 +672,7 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
           criu_add_inherit_fd (inherit_new_net_fd, CRIU_EXT_NETNS);
         }
 
+
       if (value == CLONE_NEWPID && def->linux->namespaces[i]->path != NULL)
         {
           inherit_new_pid_fd = open (def->linux->namespaces[i]->path, O_RDONLY);
@@ -673,6 +681,38 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
 
           criu_add_inherit_fd (inherit_new_pid_fd, CRIU_EXT_PIDNS);
         }
+
+#ifdef CRIU_JOIN_NS_SUPPORT
+      /* criu_join_ns_add() API was introduced with CRIU version 3.16.1
+       * Here we check if this API is available at build time to support
+       * compiling with older version of CRIU, and at runtime to support
+       * running crun with older versions of libcriu.so.2.
+       */
+      if (value == CLONE_NEWTIME && def->linux->namespaces[i]->path != NULL)
+        {
+          if (join_ns_support)
+            criu_join_ns_add("time", def->linux->namespaces[i]->path, NULL);
+          else
+            return crun_make_error (err, 0, "Shared time namespace restore is supported in CRIU >= 3.16.1");
+        }
+
+      if (value == CLONE_NEWIPC && def->linux->namespaces[i]->path != NULL)
+        {
+          if (join_ns_support)
+            criu_join_ns_add("ipc", def->linux->namespaces[i]->path, NULL);
+          else
+            return crun_make_error (err, 0, "Shared ipc namespace restore is supported in CRIU >= 3.16.1");
+        }
+
+      if (value == CLONE_NEWUTS && def->linux->namespaces[i]->path != NULL)
+        {
+          if (join_ns_support)
+            criu_join_ns_add("uts", def->linux->namespaces[i]->path, NULL);
+          else
+            return crun_make_error (err, 0, "Shared uts namespace restore is supported in CRIU >= 3.16.1");
+        }
+#endif
+
     }
 
   /* Tell CRIU if cgroup v1 needs to be handled. */