[CRIU] namespace and selinux in container(docker) migration with criu
Dengguangxing
dengguangxing at huawei.com
Mon Dec 28 19:32:39 PST 2015
On 2015/12/28 23:54, Andrew Vagin wrote:
> On Sat, Dec 26, 2015 at 11:31:07AM +0800, Dengguangxing wrote:
>> Hi all,
>>
>> I am trying to migrate docker container across hosts with boucher's work on C/R.
>> and got these problems below, not sure if they are supported yet:
>>
>> 1. about shared-namespace. docker containers may share namespaces (pods in kubernetes especially).
>> I've tested this, and found that the status of the shared namespace cannot be kept. The restored
>> process (container) gets a totally new namespace.
>
> This isn't supported yet.
>
>>
>> 2. selinux. docker containers support selinux, so can the selinux label be dumped and restored?
>> How does criu deal with selinux?
>
> I found this code:
> 	if (!strstartswith(last, "unconfined_")) {
> 		pr_err("Non unconfined selinux contexts not supported %s\n", last);
> 		freecon(ctx);
> 		return -1;
> 	}
>
> Looks like only unconfined selinux profiles are supported now.
>
> Tycho, could you give us more details about this question.
>
>
>>
>> 3. container network. this may not be criu related, so cc rboucher for this : )
>> container restore would reserve container IP address, but the network won't work.
>> It will be great to figure out the reason.
>>
>> and maybe there are other factors that affect container migration. it will be great to discuss here.
>
> Which configuration do you use on the host side for container network
> devices?
>
> Thanks,
> Andrew
>
Thanks Andrew.
I've tried docker0 in bridge mode, overlay and weave. The network won't work in any of these situations.
Refer to this issue: https://github.com/docker/libnetwork/issues/524.
It seems that they've come to an agreement to achieve this through libnetwork instead of criu.
However, I cannot get any progress on this solution. Ping boucher and huikang for some news :)
>>
>> Thanks~
>>
>> Deng Guangxing
>>
>> _______________________________________________
>> CRIU mailing list
>> CRIU at openvz.org
>> https://lists.openvz.org/mailman/listinfo/criu
> .
>
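
An added example (not part of the thread and not CRIU's own code): a stand-alone pre-flight check that applies the quoted `unconfined_` prefix test to an SELinux context string before a checkpoint is attempted. Applying the test to each of the user, role and type fields, the name `criu_selinux_precheck`, its return codes and the sample labels are assumptions; the thread shows only the prefix test itself.

```c
#include <stdio.h>
#include <string.h>

#define PREFIX "unconfined_"

/* Hypothetical pre-flight check (name and return codes are assumptions).
 * Applies the quoted prefix test to the user, role and type fields.
 * Returns 0 if all three start with "unconfined_", -1 if one does not (that
 * field is copied into bad, badlen > 0), -2 if the context is malformed. */
int criu_selinux_precheck(const char *ctx, char *bad, size_t badlen)
{
	const char *pos = ctx;

	for (int i = 0; i < 3; i++) {
		const char *sep = strchr(pos, ':');
		if (!sep) {
			if (i < 2)
				return -2;        /* fewer than user:role:type */
			sep = pos + strlen(pos);  /* non-MLS context, no level field */
		}
		size_t len = (size_t)(sep - pos);
		if (len < strlen(PREFIX) || strncmp(pos, PREFIX, strlen(PREFIX)) != 0) {
			if (len >= badlen)
				len = badlen - 1;
			memcpy(bad, pos, len);
			bad[len] = '\0';
			return -1;                /* confined field found */
		}
		pos = sep + 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample labels, not taken from the thread. */
	const char *samples[] = {
		"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
		"system_u:system_r:svirt_lxc_net_t:s0:c12,c34",
		"unconfined_u:unconfined_r:container_t:s0",
		"not-a-context",
	};
	char bad[64];
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int rc = criu_selinux_precheck(samples[i], bad, sizeof(bad));
		printf("%-55s rc=%d %s\n", samples[i], rc, rc == -1 ? bad : "");
	}
	return 0;
}
```

A result of -1 on a container's label means a dump would stop at the "Non unconfined selinux contexts not supported" error quoted above, so the label has to be dealt with before migration is attempted.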