[CRIU] Problem in Seizing Open File Descriptors?

Saied Kazemi saied at google.com
Mon Jul 14 23:30:00 PDT 2014


Hi Pavel,

There seems to be a problem in or below parasite_drain_fds_seized() when
seizing a process's open file descriptors.  Here is the problem I ran into:

When a Docker container is started in the detached mode (-d flag), its
stdin inside its own mount namespace is set to its /dev/null as you can see
below:

$ docker run -d ubuntu:latest /bin/sh -c 'ls -l /proc/self/fd >> /LOG; stat /dev/null >> /LOG; sleep 3000'
64bb55e56db391c11d3d8442fdb2f960252ce4c8edc6349d59d73b692d1b0b6c
$

$ sudo cat /var/lib/docker/vfs/dir/64bb55e56db391c11d3d8442fdb2f960252ce4c8edc6349d59d73b692d1b0b6c/LOG
total 0
lr-x------ 1 root root 64 Jul 15 05:59 0 -> /dev/null
l-wx------ 1 root root 64 Jul 15 05:59 1 -> /LOG
l-wx------ 1 root root 64 Jul 15 05:59 2 -> pipe:[47269]
lr-x------ 1 root root 64 Jul 15 05:59 3 -> /proc/9/fd
  File: '/dev/null'
  Size: 0         Blocks: 0          IO Block: 4096   character special file
Device: 2ah/42d Inode: 47496       Links: 1     Device type: 1,3
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-15 05:59:48.235291004 +0000
Modify: 2014-07-15 05:59:48.235291004 +0000
Change: 2014-07-15 05:59:48.235291004 +0000
 Birth: -
$

Apparently, what is recorded as the open file descriptor 0 during dump is
the system's /dev/null in the global mount namespace, not the /dev/null in
the container's mount namespace.  As a result, we get the following error
in check_map_remap():

(00.061198) Error (files-reg.c:605): Unaccessible path ./dev/null opened 42:47496, need 5:5294

Notice that 5:5294 is system's /dev/null in the global mount namespace (see
the stat command below) whereas 42:47496 is the container's /dev/null.

$ stat /dev/null
  File: ‘/dev/null’
  Size: 0         Blocks: 0          IO Block: 4096   character special file
Device: 5h/5d Inode: 5294        Links: 1     Device type: 1,3
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-14 11:20:13.847273000 -0700
Modify: 2014-07-14 11:20:13.847273000 -0700
Change: 2014-07-14 11:20:13.847273000 -0700
 Birth: -
$

Attached is dump.log.  Does this analysis make sense or am I missing
something?

--Saied
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dump.log
Type: application/octet-stream
Size: 15038 bytes
Desc: not available
URL: <http://lists.openvz.org/pipermail/criu/attachments/20140714/053be913/attachment.obj>
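
The error quoted in the message reports two device:inode pairs for one path. The following is an added example, not part of the original message and not CRIU's code, showing that kind of comparison in C: the st_dev:st_ino of an open descriptor against what a path resolves to in the caller's mount namespace. The function names and result codes are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes, hypothetical names chosen for this example. */
enum { ID_MATCH = 0, ID_MISMATCH = 1, ID_ERROR = -1 };

/*
 * Compare the object behind an open descriptor with whatever `path`
 * resolves to in the caller's current mount namespace. Identity is the
 * st_dev:st_ino pair, the same kind of pair the error message prints.
 */
int compare_fd_with_path(int fd, const char *path,
                         struct stat *held, struct stat *resolved)
{
    if (fstat(fd, held) < 0 || stat(path, resolved) < 0)
        return ID_ERROR;
    if (held->st_dev == resolved->st_dev && held->st_ino == resolved->st_ino)
        return ID_MATCH;
    return ID_MISMATCH;
}

/* Open `held_path` to stand in for a descriptor a task already holds,
 * then check it against `recorded_path`. Prints a line on mismatch. */
int check_recorded_path(const char *held_path, const char *recorded_path)
{
    struct stat held, resolved;
    int fd = open(held_path, O_RDONLY);
    int ret;

    if (fd < 0)
        return ID_ERROR;
    ret = compare_fd_with_path(fd, recorded_path, &held, &resolved);
    if (ret == ID_MISMATCH)
        fprintf(stderr, "%s resolves to %lu:%lu, descriptor holds %lu:%lu\n",
                recorded_path,
                (unsigned long)resolved.st_dev, (unsigned long)resolved.st_ino,
                (unsigned long)held.st_dev, (unsigned long)held.st_ino);
    close(fd);
    return ret;
}

int main(int argc, char **argv)
{
    /* Constructed default: compare /dev/null with itself. */
    const char *held = argc > 2 ? argv[1] : "/dev/null";
    const char *recorded = argc > 2 ? argv[2] : "/dev/null";
    return check_recorded_path(held, recorded) == ID_MATCH ? 0 : 1;
}
```

Two paths named /dev/null in different mount namespaces can only be told apart this way, by device and inode, since the path strings are identical.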

