[CRIU] namespace and selinux in container(docker) migration with criu

[Dengguangxing]

在 2015/12/29 8:20, Tycho Andersen 写道:
> On Mon, Dec 28, 2015 at 06:54:18PM +0300, Andrew Vagin wrote:
>> On Sat, Dec 26, 2015 at 11:31:07AM +0800, Dengguangxing wrote:
>>> Hi all,
>>>
>>> I am trying to migrate docker container across hosts with boucher's work on C/R.
>>> and got these problems below, not sure if they are supported yet:
>>>
>>> 1. about shared-namespace. docker containers may share namespace(pods in kubernetes especially).
>>> I've tested this, and found that the status of shared-namespace can not be kept. Restored
>>> process(container) gets totally new namespace.
>>
>> This isn't supported yet.
>>
>>>
>>> 2. selinux. docker containers support selinux. so can selinux label be dumped and restored?
>>> How do criu deal with selinux?
>>
>> I found this code:
>> if (!strstartswith(last, "unconfined_")) {
>> 	pr_err("Non unconfined selinux contexts not supported %s\n", last);
>> 	freecon(ctx);
>> 	return -1;
>> }
>>
>> Looks like only unconfined selinux profiles are supported now.
>>
>> Tycho, could you give us more details about this question. 
> 
> Yep, the situation is essentially as I described in the other thread,
> that we need someone who really understands SELinux to come along and
> complete the LSM support for it.
> 
> Tycho
> 
Thanks Tycho, I made a mistake and duplicate the thread :(

here is you comment, to make others clear:

"
 I can say that I don't know enough to confidently say what would be
required to checkpoint/restore stuff other than the label, which
should be very similar to how apparmor does it (i.e. just remembering
/proc/<pid>/attr/current for each task). That said SELinux has some
other stuff besides the LSM label that might need to be restored,
which is why we explicitly disallow it for now, in hope that someone
who understands it will come along and implement it

Tycho"

really appreciate it, thanks again!