[CRIU] namespace and selinux in container(docker) migration with criu

Tycho Andersen tycho.andersen at canonical.com
Mon Dec 28 16:20:22 PST 2015


On Mon, Dec 28, 2015 at 06:54:18PM +0300, Andrew Vagin wrote:
> On Sat, Dec 26, 2015 at 11:31:07AM +0800, Dengguangxing wrote:
> > Hi all,
> > 
> > I am trying to migrate a docker container across hosts with boucher's work on C/R,
> > and got the problems below; I am not sure if they are supported yet:
> > 
> > 1. About shared namespaces. Docker containers may share namespaces (pods in kubernetes especially).
> > I've tested this, and found that the shared-namespace status cannot be kept. The restored
> > process (container) gets a totally new namespace.
> 
> This isn't supported yet.
> 
> > 
> > 2. SELinux. Docker containers support selinux, so can the selinux label be dumped and restored?
> > How does criu deal with selinux?
> 
> I found this code:
> if (!strstartswith(last, "unconfined_")) {
> 	pr_err("Non unconfined selinux contexts not supported %s\n", last);
> 	freecon(ctx);
> 	return -1;
> }
> 
> Looks like only unconfined selinux profiles are supported now.
> 
> Tycho, could you give us more details about this question?

Yep, the situation is essentially as I described in the other thread,
that we need someone who really understands SELinux to come along and
complete the LSM support for it.

Tycho
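
Added example (not code from the CRIU tree or from anyone in this thread): a stand-alone pre-flight check that applies the same "unconfined_" prefix test as the quoted snippet to a context string before a dump is attempted. The function name, the choice to test the user, role and type fields, and the sample contexts are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Same prefix test as the strstartswith() call in the quoted snippet. */
static int starts_with(const char *s, const char *prefix)
{
	return strncmp(s, prefix, strlen(prefix)) == 0;
}

/*
 * Check a context string of the form "user:role:type[:level]".
 * Returns 0 if user, role and type all start with "unconfined_",
 * -1 if the context is malformed, otherwise the 1-based index of the
 * first field that fails. Testing all three fields is an assumption.
 */
int selinux_ctx_dumpable(const char *ctx)
{
	char buf[256], *pos = buf, *last;
	int i;

	if (!ctx || strlen(ctx) >= sizeof(buf))
		return -1;
	strcpy(buf, ctx);
	for (i = 1; i <= 3; i++) {
		last = pos;
		pos = strchr(last, ':');
		if (pos)
			*pos++ = '\0';
		else if (i < 3)
			return -1; /* user and role must be followed by ':' */
		if (*last == '\0')
			return -1; /* empty field */
		if (!starts_with(last, "unconfined_"))
			return i;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample contexts, not taken from the thread. */
	const char *samples[] = {
		"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
		"system_u:system_r:svirt_lxc_net_t:s0:c57,c463",
	};
	for (int i = 0; i < 2; i++)
		printf("%-55s -> %d\n", samples[i], selinux_ctx_dumpable(samples[i]));
	return 0;
}
```

A non-zero result for a container's init process means the dump would hit the "Non unconfined selinux contexts not supported" error quoted above.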

