CRIU: rootless checkpoint and restore on non docker environment #14265

Open
tajila opened this issue Jan 12, 2022 · 6 comments
Labels
criu Used to track CRIU snapshot related work

Comments

@tajila
Contributor

tajila commented Jan 12, 2022

Requirements:

  • Install rootless criu patch
  • Criu dump in unprivileged mode
    This is only possible via commandline option

So we need to patch criu to enable it via the API

  • add a function to do the same to the criu C api and add a line to J9 to call it
  • make another change to the criu to set the dumpable process control flag on itself when called via the C api
@tajila tajila added criu Used to track CRIU snapshot related work beta Used to track items that will be included in a feature beta release labels Jan 12, 2022
@tajila tajila changed the title CRIU: rootless checkpoint and restore CRIU: rootless checkpoint and restore on non docker environment Jan 12, 2022
@tajila
Contributor Author

tajila commented Jan 12, 2022

@ymanton can you please provide a link to your CRIU and J9 commits?

@ymanton
Member

ymanton commented Jan 19, 2022

There are two ways to run as non-root. The first is to give criu as many caps as it requires:

setcap cap_sys_time,cap_dac_override,cap_chown,cap_setpcap,cap_setgid,cap_audit_control,cap_dac_read_search,cap_net_admin,cap_sys_chroot,cap_sys_ptrace,cap_fowner,cap_kill,cap_fsetid,cap_sys_resource,cap_setuid,cap_sys_admin=eip /usr/sbin/criu

The second is to use just cap_checkpoint_restore (which is a new cap tailored to saving and restoring processes), but it requires:

In order to check if the kernel and/or libcap supports it, do as follows:

capsh --supports=40 should print nothing and return 0 if the kernel supports it, otherwise cap[40=40] not supported by kernel
capsh --supports=cap_checkpoint_restore should print nothing and return 0 if both the kernel and libcap support it, otherwise cap[cap_checkpoint_restore] not recognized by library if libcap doesn't, in which case you'll have to check via the numeric value to see if the kernel supports it or not.

@tajila
Contributor Author

tajila commented Jan 26, 2022

@AdamBrousseau FYI

@tajila tajila removed the beta Used to track items that will be included in a feature beta release label Jun 29, 2022
@fwp20033191

When I use criu in non-root mode: criu restore --unprivileged -vvvv --shell-job, I don't know why?

Error (criu/tty.c:832): tty: Can't set tty params on 0x7: Operation not permitted

@tajila
Contributor Author

tajila commented Jul 18, 2022

@fwp20033191 Was the criu dump performed with --unprivileged?

@ymanton
Member

ymanton commented Jul 18, 2022

Try redirecting your std in/out/err to files. Some functionality related to terminals still requires root or CAP_SYS_ADMIN.
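
The capability checks discussed in this thread, as an added example that is not part of any comment or of the project's code: given the kernel's highest capability number and a process's effective-capability mask, it reports which of the two non-root setups the mask corresponds to and whether CAP_SYS_ADMIN is held. The function names, output labels and the `--self` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the issue thread. Capability numbers come from
# linux/capability.h; function names and output labels are hypothetical.
CAP_SYS_ADMIN=21
CAP_CHECKPOINT_RESTORE=40   # the "40" passed to capsh --supports in the thread
# Bits of the 16 capabilities named in the setcap line quoted in the thread.
FULL_SET_MASK=432c11ff

# mask_has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in HEXMASK
# (HEXMASK is formatted like the CapEff field of /proc/<pid>/status).
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# kernel_has_cap LAST_CAP CAPNUM: succeed if the kernel defines CAPNUM.
# LAST_CAP is the number read from /proc/sys/kernel/cap_last_cap.
kernel_has_cap() {
    [ "$1" -ge "$2" ]
}

# classify LAST_CAP HEXMASK: print which of the two setups the mask matches.
classify() {
    last_cap=$1
    mask=$2
    if [ $(( 0x$mask & 0x$FULL_SET_MASK )) -eq $(( 0x$FULL_SET_MASK )) ]; then
        echo "full-set"                      # first approach, includes CAP_SYS_ADMIN
    elif kernel_has_cap "$last_cap" "$CAP_CHECKPOINT_RESTORE" &&
         mask_has_cap "$mask" "$CAP_CHECKPOINT_RESTORE"; then
        if mask_has_cap "$mask" "$CAP_SYS_ADMIN"; then
            echo "checkpoint-restore+sys-admin"
        else
            echo "checkpoint-restore-only"   # terminal handling may be refused
        fi
    else
        echo "insufficient"
    fi
}

# Run with --self on a Linux host to classify the calling shell.
if [ "${1:-}" = "--self" ]; then
    classify "$(cat /proc/sys/kernel/cap_last_cap)" \
             "$(awk '/^CapEff:/ {print $2}' "/proc/$$/status")"
fi
```

A result of `checkpoint-restore-only` is the least-privilege setup; it is also the one where the terminal restriction mentioned in the last comment applies.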

Projects
Status: In Progress