[CRIU] namespace and selinux in container(docker) migration with criu

Andrew Vagin avagin at virtuozzo.com
Mon Dec 28 07:54:18 PST 2015


On Sat, Dec 26, 2015 at 11:31:07AM +0800, Dengguangxing wrote:
> Hi all,
> 
> I am trying to migrate docker containers across hosts with boucher's work on C/R,
> and got the problems below; not sure if they are supported yet:
> 
> 1. about shared namespaces. docker containers may share namespaces (pods in kubernetes especially).
> I've tested this, and found that the status of a shared namespace cannot be kept. The restored
> process (container) gets a totally new namespace.

This isn't supported yet.

> 
> 2. selinux. docker containers support selinux, so can the selinux label be dumped and restored?
> How does criu deal with selinux?

I found this code:
if (!strstartswith(last, "unconfined_")) {
	pr_err("Non unconfined selinux contexts not supported %s\n", last);
	freecon(ctx);
	return -1;
}

Looks like only unconfined selinux profiles are supported now.

Tycho, could you give us more details about this question?


> 
> 3. container network. this may not be criu related, so cc rboucher for this : )
> container restore would reserve container IP address, but the network won't work.
> It will be great to figure out the reason.
> 
> and maybe there are other factors that affect container migration. it will be great to discuss here.

Which configuration do you use on the host side for container network
devices?

Thanks,
Andrew

> 
> Thanks~
> 
> Deng Guangxing
> 
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu
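
Added example, not part of the original message and not CRIU's own code: a stand-alone C pre-flight check that applies the "unconfined_" prefix test from the fragment quoted above to a context string before a dump is attempted. It assumes the test is applied to each of the first three colon-separated fields (user, role, type); the helper name ctx_is_unconfined and the sample contexts are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define UNCONFINED_PREFIX "unconfined_"

/*
 * Hypothetical helper (not CRIU's): classify an SELinux context string of
 * the form user:role:type[:level].
 * Returns  1 if user, role and type all start with "unconfined_",
 *          0 if the context is well formed but any of them does not,
 *         -1 if a field is empty or user/role is not followed by ':'.
 * Assumption: the prefix test applies to each of the first three fields.
 */
int ctx_is_unconfined(const char *ctx)
{
	const size_t plen = strlen(UNCONFINED_PREFIX);
	const char *field = ctx;
	int ok = 1;

	if (!ctx)
		return -1;

	for (int i = 0; i < 3; i++) {
		size_t len = strcspn(field, ":");

		/* user and role must end in ':'; no field may be empty */
		if (len == 0 || (i < 2 && field[len] != ':'))
			return -1;
		if (strncmp(field, UNCONFINED_PREFIX, plen) != 0)
			ok = 0;
		field += len + 1;
	}
	return ok;
}

int main(int argc, char **argv)
{
	/* Constructed sample contexts, used when no argument is given. */
	const char *samples[] = {
		"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
		"system_u:system_r:svirt_lxc_net_t:s0:c12,c34",
		"not-a-context",
	};
	const char **list = argc > 1 ? (const char **)argv + 1 : samples;
	int n = argc > 1 ? argc - 1 : 3;

	for (int i = 0; i < n; i++)
		printf("%d  %s\n", ctx_is_unconfined(list[i]), list[i]);
	return 0;
}
```

The context of a running process can be read from /proc/<pid>/attr/current and passed as the argument.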

