[CRIU] Cannot restore from regular user when RPC service running as root

Jason L. Turner jlturner at mdacorporation.com
Mon Jan 19 12:55:33 PST 2015


Hi Ruslan, Pavel

Just an update, I reverted CRIU back to v1.3.1 and set the +suid bit on the criu binary and the dump and restore work fine. The problem where the program is restored as <defunct> still occurs when running CRIU v1.4 though.

Jason 

-----Original Message-----
From: Ruslan Kuprieiev [mailto:kupruser at gmail.com] 
Sent: Monday, January 19, 2015 2:05 PM
To: Pavel Emelyanov; Jason L. Turner
Cc: criu at openvz.org
Subject: Re: [CRIU] Cannot restore from regular user when RPC service running as root


On 01/19/2015 12:02 PM, Pavel Emelyanov wrote:
> On 01/16/2015 11:33 PM, Jason L. Turner wrote:
>> Hi Ruslan,
>>
>> That's no problem, hopefully my answers can help.
>>
>> Yes that restore log is the original from when I ran my program.
>>
>> I built CRIU from source, it is not from a package.
>>
>> When running "which criu" it shows,
>>
>> 	"/opt/CRIU-v1-4/criu/deps/criu-x86_64/criu"
>>
>> When running "ls -la $(which criu)" it shows,
>>
>> 	"-rwxrwxr-x 1 jturner dev 904201 2015-01-18 09:09 /opt/CRIU-v1-4/criu/deps/criu-x86_64/criu"
> I guess this is the reason for failure.
>
> The thing is that criu_restore_child() doesn't use the service,
> because in Linux it's not possible to create a process with an
> _arbitrary_ parent, and if we ask the service to restore from images
> it will restore the tree as _its_ child, not as the requester's one.
>
> So criu_restore_child() fork()-s and exec()-s the CRIU binary and asks
> _it_ to restore the tree with a special flag called CLONE_PARENT. The
> result of this action is the tree restored as criu's sibling, i.e. the
> caller's kid.
>
> So, since the criu binary is owned by non-root, it doesn't have the required capabilities.
>
> To fix that, criu should be owned by root and the suid bit should be set.
>
>
> I guess we've paid too little attention to our C-API recently :) Time 
> to improve. Ruslan, may I ask you to fix the documentation (and when 
> required the code) according to what we find with Jason's help?

Sure, I will take a look at libcriu and its docs.

>
>> I am sure that the service was started with the correct criu as the 
>> "which criu" command returns the same when run from the root user as 
>> well as my linking as it links to the lib directory in the path shown above.
>>
>> Jason
> Thanks,
> Pavel
>



