From 1353be885bf7de5418746adb615011e06cc1ba85 Mon Sep 17 00:00:00 2001 From: Radostin Stoyanov Date: Fri, 1 Oct 2021 20:20:59 +0100 Subject: [PATCH 1/3] configure: convert indentation to tabs Signed-off-by: Radostin Stoyanov --- configure.ac | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/configure.ac b/configure.ac index 7b3a5a3f03..6bb1cad0bc 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ AC_PREREQ([2.69]) AC_INIT([crun], - m4_esyscmd([build-aux/git-version-gen --prefix "" .tarball-version]), - [giuseppe@scrivano.org]) + m4_esyscmd([build-aux/git-version-gen --prefix "" .tarball-version]), + [giuseppe@scrivano.org]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) @@ -33,9 +33,9 @@ AC_ARG_ENABLE(embedded-yajl, AS_HELP_STRING([--enable-embedded-yajl], [Statically link a modified yajl version]), [ case "${enableval}" in - yes) embedded_yajl=true ;; - no) embedded_yajl=false ;; - *) AC_MSG_ERROR(bad value ${enableval} for --enable-embedded-yajl) ;; + yes) embedded_yajl=true ;; + no) embedded_yajl=false ;; + *) AC_MSG_ERROR(bad value ${enableval} for --enable-embedded-yajl) ;; esac],[embedded_yajl=false]) AM_CONDITIONAL([HAVE_EMBEDDED_YAJL], [test x"$embedded_yajl" == xtrue]) @@ -57,7 +57,7 @@ AS_IF([test "x$enable_caps" != "xno"], [ dnl dl AC_ARG_ENABLE([dl], AS_HELP_STRING([--disable-dl], [Disable dynamic libraries support])) AS_IF([test "x$enable_dl" != "xno"], [ - AC_SEARCH_LIBS([dlopen], [dl], [AC_DEFINE([HAVE_DLOPEN], 1, [Define if DLOPEN is available])], []) + AC_SEARCH_LIBS([dlopen], [dl], [AC_DEFINE([HAVE_DLOPEN], 1, [Define if DLOPEN is available])], []) ]) dnl include support for libkrun (EXPERIMENTAL) 
@@ -96,11 +96,11 @@ AS_IF([test "x$enable_bpf" != "xno"], [ #include #include #include - void foo() { + void foo() { uint64_t val = 0x123456789; union bpf_attr attr; attr.insns = val; - } + } int program = BPF_PROG_TYPE_CGROUP_DEVICE; ]])], [AC_MSG_RESULT(yes) @@ -112,22 +112,22 @@ AS_IF([test "x$enable_bpf" != "xno"], [ AC_ARG_WITH([python-bindings], AS_HELP_STRING([--with-python-bindings], [build the Python bindings])) AS_IF([test "x$with_python_bindings" = "xyes"], [ - PKG_CHECK_MODULES([PYTHON], [python3], [], [AC_MSG_ERROR([*** python headers not found])]) - # configure should not touch CFLAGS/LDFLAGS but we need it to propagate it - # to libocispec. - CFLAGS+=" -fPIC " - LDFLAGS+=" -fPIC " + PKG_CHECK_MODULES([PYTHON], [python3], [], [AC_MSG_ERROR([*** python headers not found])]) + # configure should not touch CFLAGS/LDFLAGS but we need it to propagate it + # to libocispec. + CFLAGS+=" -fPIC " + LDFLAGS+=" -fPIC " ]) dnl criu AC_ARG_ENABLE([criu], AS_HELP_STRING([--disable-criu], [Disable CRIU based checkpoint/restore support])) AS_IF([test "x$enable_criu" != "xno"], [ - PKG_CHECK_MODULES([CRIU], [criu >= 3.15], [have_criu="yes"], [have_criu="no" - AC_MSG_NOTICE([CRIU headers not found, building without CRIU support])]) - AS_IF([test "$have_criu" = "yes"], [ - AC_DEFINE([HAVE_CRIU], 1, [Define if CRIU is available]) - AC_SEARCH_LIBS(criu_init_opts, [criu]) - ]) + PKG_CHECK_MODULES([CRIU], [criu >= 3.15], [have_criu="yes"], [have_criu="no" + AC_MSG_NOTICE([CRIU headers not found, building without CRIU support])]) + AS_IF([test "$have_criu" = "yes"], [ + AC_DEFINE([HAVE_CRIU], 1, [Define if CRIU is available]) + AC_SEARCH_LIBS(criu_init_opts, [criu]) + ]) ], [AC_MSG_NOTICE([CRIU support disabled per user request])]) FOUND_LIBS=$LIBS 
@@ -138,10 +138,10 @@ AC_COMPILE_IFELSE( [AC_LANG_SOURCE([[ #include int cmd = FSCONFIG_CMD_CREATE; - ]])], - [AC_MSG_RESULT(yes) + ]])], + [AC_MSG_RESULT(yes) AC_DEFINE([HAVE_FSCONFIG_CMD_CREATE], 1, [Define if FSCONFIG_CMD_CREATE is available])], - [AC_MSG_RESULT(no)]) + [AC_MSG_RESULT(no)]) AC_MSG_CHECKING([for seccomp notify API]) AC_COMPILE_IFELSE( @@ -163,7 +163,7 @@ AC_SUBST([RPM_VERSION]) AC_CHECK_TOOL(GPERF, gperf) if test -z "$GPERF"; then - AC_MSG_NOTICE(gperf not found - cannot rebuild signal parser code) + AC_MSG_NOTICE(gperf not found - cannot rebuild signal parser code) fi AC_SEARCH_LIBS([argp_parse], [argp], [], [AC_MSG_ERROR([*** argp functions not found - install libargp or argp_standalone])]) From e334260acc35f06930b852b2bd13027558fd2560 Mon Sep 17 00:00:00 2001 From: Radostin Stoyanov Date: Fri, 1 Oct 2021 01:18:17 +0100 Subject: [PATCH 2/3] criu: Add support for shared ipc,uts,time ns When a container config specifies path for an existing namespace, CRIU should use this namespace during restore. This patch is make use of the criu_join_ns_add() libcriu API to specify the shared container namespace to be used on restore. Signed-off-by: Radostin Stoyanov --- configure.ac | 3 +++ src/libcrun/criu.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 6bb1cad0bc..93521ecd96 100644 --- a/configure.ac +++ b/configure.ac 
@@ -124,6 +124,8 @@ AC_ARG_ENABLE([criu], AS_HELP_STRING([--disable-criu], [Disable CRIU based check AS_IF([test "x$enable_criu" != "xno"], [ PKG_CHECK_MODULES([CRIU], [criu >= 3.15], [have_criu="yes"], [have_criu="no" AC_MSG_NOTICE([CRIU headers not found, building without CRIU support])]) + PKG_CHECK_MODULES([CRIU], [criu > 3.16], [have_criu_join_ns="yes"], [have_criu_join_ns="no" + AC_MSG_NOTICE([CRIU version doesn't support join-ns API])]) AS_IF([test "$have_criu" = "yes"], [ AC_DEFINE([HAVE_CRIU], 1, [Define if CRIU is available]) AC_SEARCH_LIBS(criu_init_opts, [criu]) @@ -170,6 +172,7 @@ AC_SEARCH_LIBS([argp_parse], [argp], [], [AC_MSG_ERROR([*** argp functions not f AM_CONDITIONAL([PYTHON_BINDINGS], [test "x$with_python_bindings" = "xyes"]) AM_CONDITIONAL([CRIU_SUPPORT], [test "x$have_criu" = "xyes"]) +AM_CONDITIONAL([CRIU_JOIN_NS_SUPPORT], [test "x$have_criu_join_ns" = "xyes"]) AC_CONFIG_FILES([Makefile rpm/crun.spec]) diff --git a/src/libcrun/criu.c b/src/libcrun/criu.c index f3d73c7673..07af8abc29 100644 --- a/src/libcrun/criu.c +++ b/src/libcrun/criu.c @@ -42,6 +42,10 @@ # define CRIU_EXT_NETNS "extRootNetNS" # define CRIU_EXT_PIDNS "extRootPidNS" +# ifndef CLONE_NEWTIME +# define CLONE_NEWTIME 0x00000080 /* New time namespace */ +# endif + static const char *console_socket = NULL; static int 
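Review bot: `CRIU_JOIN_NS_SUPPORT` is created only as an Automake conditional (the `AM_CONDITIONAL` added in the hunk at line 172), yet src/libcrun/criu.c tests it with `# ifdef`. Unless a Makefile.am outside this patch turns it into a `-D` flag, the join-ns code is never compiled and a configured ipc/uts/time namespace path would be ignored on restore without any error. `HAVE_CRIU` just below gets an `AC_DEFINE`, and the same is needed here, e.g. `AS_IF([test "$have_criu_join_ns" = "yes"], [AC_DEFINE([CRIU_JOIN_NS_SUPPORT], 1, [Define if the CRIU join-ns API is available])])`. The second `PKG_CHECK_MODULES` also reuses the `CRIU` prefix, so it may pick up the `CRIU_CFLAGS`/`CRIU_LIBS` values set by the first call instead of evaluating `criu > 3.16`; a separate prefix such as `[CRIU_JOIN_NS]` avoids that.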
@@ -645,8 +649,18 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru goto out_umount; } - /* If there is a PID or network namespace defined in config.json we are telling - * CRIU to restore the process into that namespace. +# ifdef CRIU_JOIN_NS_SUPPORT + /* criu_join_ns_add() API was introduced with CRIU version 3.16.1 + * Here we check if this API is available at build time to support + * compiling with older version of CRIU, and at runtime to support + * running crun with older versions of libcriu.so.2. + */ + bool join_ns_support = criu_check_version (31601) == 1; +# endif + + /* If a namespace defined in config.json we are telling + * CRIU use that namespace when restoring the process tree. + * * CRIU expects the information about the namespace like this: * --inherit-fd fd[]: * The needs to be the same as during checkpointing (extRootNetNS). */ @@ -673,6 +687,32 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru criu_add_inherit_fd (inherit_new_pid_fd, CRIU_EXT_PIDNS); } + +# ifdef CRIU_JOIN_NS_SUPPORT + if (value == CLONE_NEWTIME && def->linux->namespaces[i]->path != NULL) + { + if (join_ns_support) + criu_join_ns_add ("time", def->linux->namespaces[i]->path, NULL); + else + return crun_make_error (err, 0, "Shared time namespace restore is supported in CRIU >= 3.16.1"); + } + + if (value == CLONE_NEWIPC && def->linux->namespaces[i]->path != NULL) + { + if (join_ns_support) + criu_join_ns_add ("ipc", def->linux->namespaces[i]->path, NULL); + else + return crun_make_error (err, 0, "Shared ipc namespace restore is supported in CRIU >= 3.16.1"); + } + + if (value == CLONE_NEWUTS && def->linux->namespaces[i]->path != NULL) + { + if (join_ns_support) + criu_join_ns_add ("uts", def->linux->namespaces[i]->path, NULL); + else + return crun_make_error (err, 0, "Shared uts namespace restore is supported in CRIU >= 3.16.1"); + } +# endif } /* Tell CRIU if cgroup v1 needs to be handled. */ 
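Review bot: The runtime half of this check only works if the dynamic loader resolves `criu_join_ns_add` lazily, because the symbol is referenced directly in the next hunk. A binary linked with immediate binding (`-Wl,-z,now`, common in hardened builds) would presumably fail to start against a libcriu.so.2 that lacks the symbol, before `criu_check_version` ever runs; the comment should state that assumption, or the symbol should be looked up at run time. `criu_check_version (31601) == 1` also folds an error return into "too old", so a failure to query CRIU would surface as the version message from the next hunk. The enclosing function starts and ends outside the hunk.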
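Review bot: The three `return crun_make_error (...)` branches in the hunk at line 687 leave the function directly, while the error path visible at the top of the previous hunk uses `goto out_umount;`. If that label undoes a mount made earlier in the function (it lies outside the hunk), these returns skip the cleanup and should take the same path. The result of `criu_join_ns_add` is discarded as well, so a namespace path that libcriu rejects would let the restore continue without the requested namespace; check it with `if (criu_join_ns_add ("time", def->linux->namespaces[i]->path, NULL) < 0)` and fail the restore. The ipc and uts blocks are copies of the time block and could be one block driven by a small type-to-name table.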
From 762269c1b194b79f6149b0aec1e4d6fe5823df00 Mon Sep 17 00:00:00 2001 From: Radostin Stoyanov Date: Fri, 1 Oct 2021 01:23:08 +0100 Subject: [PATCH 3/3] test/criu: enable external ipc,uts,time namespaces Signed-off-by: Radostin Stoyanov --- tests/test_checkpoint_restore.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/test_checkpoint_restore.py b/tests/test_checkpoint_restore.py index f9aecd9fa5..ed4a47f6e5 100755 --- a/tests/test_checkpoint_restore.py +++ b/tests/test_checkpoint_restore.py @@ -99,6 +99,12 @@ def test_cr_with_ext_ns(): ns.update({'path': os.path.join(ns_path, 'pid')}) if ns['type'] == 'network': ns.update({'path': os.path.join(ns_path, 'net')}) + if ns['type'] == 'ipc': + ns.update({'path': os.path.join(ns_path, 'ipc')}) + if ns['type'] == 'uts': + ns.update({'path': os.path.join(ns_path, 'uts')}) + if ns['type'] == 'time': + ns.update({'path': os.path.join(ns_path, 'time')}) return run_cr_test(conf)
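Review bot: The three new branches make test_cr_with_ext_ns depend on features it does not guard. Per the error strings added in criu.c, sharing ipc/uts/time namespaces needs CRIU >= 3.16.1, and, assuming ns_path is a /proc/<pid>/ns directory, the `time` entry exists only on kernels with time namespaces, so older hosts would fail the test rather than skip it. Guard the path before using it, e.g. `if ns['type'] == 'time' and os.path.exists(os.path.join(ns_path, 'time')):`, and skip when CRIU is too old (how the suite signals a skip is outside the hunk). The growing `if` chain could become a dict lookup such as `{'pid': 'pid', 'network': 'net', 'ipc': 'ipc', 'uts': 'uts', 'time': 'time'}`. The function starts outside the hunk.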