[CRIU] [PATCH] Allow the veth-pair option to specify a bridge

Pavel Emelyanov xemul at parallels.com
Wed Dec 31 02:37:12 PST 2014


On 12/31/2014 12:47 AM, Saied Kazemi wrote:
> When restoring a pair of veth devices that had one end inside a namespace
> or container and the other end outside, CRIU creates a new veth pair,
> puts one end in the namespace/container, and names the other end from
> what's specified in the --veth-pair IN=OUT command line option.
> 
> This patch allows for appending a bridge name to the OUT string in the
> form of OUT@<BRIDGE-NAME> in order for CRIU to move the outside veth to
> the named bridge.  For example, --veth-pair eth0=veth1@br0 tells CRIU
> to name the peer of eth0 veth1 and move it to bridge br0.
> 
> This is a simple and handy extension of the --veth-pair option that
> obviates the need for an action script although one can still do the same
> (and possibly more) if they prefer to use action scripts.

BTW, what do you do in Docker to lock and unlock the networking? Presumably
you allow for TCP migration and thus, since you're working with a container,
you should help CRIU to (un)lock the networking. Do you provide action
scripts for that?

> Signed-off-by: Saied Kazemi <saied at google.com>

> @@ -707,3 +722,38 @@ int collect_net_namespaces(bool for_dump)
>  }
>  
>  struct ns_desc net_ns_desc = NS_DESC_ENTRY(CLONE_NEWNET, "net");
> +
> +int move_veth_to_bridge(void)
> +{
> +	char *brctl_tool_cmd;
> +	char *ip_tool_cmd;
> +	int ret;
> +	struct veth_pair *n;
> +
> +	brctl_tool_cmd = getenv("CR_BRCTL_TOOL");
> +	if (!brctl_tool_cmd)
> +		brctl_tool_cmd = "brctl";
> +
> +	ip_tool_cmd = getenv("CR_IP_TOOL");
> +	if (!ip_tool_cmd)
> +		ip_tool_cmd = "ip";
> +
> +	ret = 0;
> +	list_for_each_entry(n, &opts.veth_pairs, node) {
> +		if (n->bridge == NULL)
> +			continue;
> +
> +		pr_debug("\tRunning brctl addif %s %s\n", n->bridge, n->outside);
> +		ret = cr_system(-1, -1, -1, brctl_tool_cmd, (char *[]) {
> +				"brctl", "addif", n->bridge, n->outside, NULL });
> +		if (ret)
> +			break;
> +
> +		pr_debug("\tRunning ip link set dev %s up\n", n->outside);
> +		ret = cr_system(-1, -1, -1, ip_tool_cmd, (char *[]) {
> +				"ip", "link", "set", "dev", n->outside, "up", NULL });

I don't mind using the ip and brctl tool for that, but can you, when
time permits, check whether it would be extremely hard or not to call
the kernel directly? This step is performed with the container frozen
and even fractions of seconds spent in this state are not welcome.

> +		if (ret)
> +			break;
> +	}
> +	return ret;
> +}
> 
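Review bot: both `if (ret) break;` exits in the loop leave no record of which pair failed; the only diagnostic is the non-zero ret propagated out of move_veth_to_bridge(), so a failed `brctl addif` or `ip link set ... up` during restore is hard to attribute. Add a pr_err() naming n->bridge and n->outside before each break. Also, CR_BRCTL_TOOL is a new environment override that picks the binary while argv[0] stays the literal "brctl"; that deserves a line in the docs next to CR_IP_TOOL so users know which variable to set.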

Thanks,
Pavel
