[CRIU] Network unlock issue when checkpointing with -R

Andrew Vagin avagin at parallels.com
Wed Oct 30 02:39:20 PDT 2013


On Tue, Oct 29, 2013 at 05:20:03PM -0500, Frederico Araujo wrote:
> Hi there,
> 
> I noticed that when checkpointing with the option -R, the iptables filters are
> not being cleaned. I checked CRIU's log and this is what i have:

-R doesn't work and it's known issue. In one moment we decided that this
option is meaningless, because this options doesn't give a garanty that
the created snapshot will be able to be restored in a future. For example if
you checkpoint apache, you need to create a snapshot of all files, which
apache is used in this moment. CRIU can't unlock TCP connections after
dumping, because most probably they will be restored incorrectly and so on.

Then we added the post-dump action script, where a user can do
additional actions and then he can decide to stop or resume processes.

You can look at test/zdtm.sh and test/post-dump.sh for example.

> 
> ...
> pie: 1067: Restored
> (00.059424) Unlock network
> (00.059454) Running iptables [iptables -t filter -D INPUT --protocol tcp
> --source 10.0.3.1 --sport 50373 --destination 10.0.3.236 --dport 8080 -j DROP]
> iptables: Bad rule (does a matching rule exist in that chain?).
> (00.062168) Error (util.c:574): waitpid() failed: No child processes
> (00.062193) Error (netfilter.c:69): Iptables configuration failed: No child
> processes
> (00.062204) Running iptables [iptables -t filter -D OUTPUT --protocol tcp
> --source 10.0.3.236 --sport 8080 --destination 10.0.3.1 --dport 50373 -j DROP]
> iptables: Bad rule (does a matching rule exist in that chain?).
> ...
> 
> Then, I checked my iptables after checkpointing and the exact rules are in
> there. I manually executed the above iptables commands after checkpointing and
> it successfully cleans the filters. Is this a known issue/bug or am doing
> something wrong?

You must understand that if you unlock tcp connections, they probably
will not restored correctly in the next time. You can do that safely only
if both side of a connection has been dumped.

> 
> I'm using criu to checkpoint a instance of Apache Server. To reproduce the
> scenario, you have to have an established connection to the server.

Do you want to reproduce the state of tcp connections? Do you checkpoint
both sides of connections?
Can you give a bit more details about the use case?

Thanks,
Andrey



More information about the CRIU mailing list