[CRIU] I can't dump mysqld

Tycho Andersen tycho.andersen at canonical.com
Mon Aug 8 15:18:52 PDT 2016 

On Mon, Aug 08, 2016 at 01:39:47PM -0700, Andrew Vagin wrote:
> On Sun, Aug 07, 2016 at 10:50:52AM +0900, Yohei Kamitsukasa wrote:
> > On 8/2/16 03:08, Andrew Vagin wrote:
> > 
> > > > > Could you apply the following patch [1] and try again?
> > > > > [1]: https://patchwork.criu.org/patch/1136/mbox/
> > > > > 
> > > > > This patch will not fix the problem, but it will show more info about an
> > > > > error in a log file.
> > > > > 
> > > > > Thanks,
> > > > > Andrew
> > > > Thank you for writing the patch.
> > > > I applied the patch and show the result.
> > > > 
> > > > (00.074960) Dump private signals of 1191
> > > > (00.075032) Dump private signals of 1192
> > > > (00.075103) Dump shared signals of 1093
> > > > (00.075308) Parasite syscall_ip at 0x400000
> > > > (00.076765) Set up parasite blob using memfd
> > > > (00.076806) Putting parasite blob into 0x7f0174cd9000->0x7fead3688000
> > > > (00.076866) Dumping GP/FPU registers for 1093
> > > > (00.076905) Warn  (arch/x86/crtools.c:133): Will restore 1093 with
> > > > interrupted system call
> > > > (00.076979) xsave runtime structure
> > > > (00.077017) -----------------------
> > > > (00.077061) cwd:37f swd:0 twd:0 fop:0 mxcsr:1fa0 mxcsr_mask:ffff
> > > > (00.077101) magic1:0 extended_size:0 xstate_bv:0 xstate_size:0
> > > > (00.077139) xstate_bv: 0
> > > > (00.077176) -----------------------
> > > > (00.077215) Putting tsock into pid 1093
> > > > (00.077604) Error (parasite-syscall.c:528): Unable to connect a transport
> > > > socket: Permission denied
> > > Do you use a kernel security module (selinux, apparmor)? I think this
> > > error may be reported due to their rules. Could you try to disable the
> > > kernel security module and try to dump the mysql service? We need to
> > > proof that the problem is really about security modules.
> > > 
> > > Thanks,
> > > Andrew
> > > 
> > I'm sorry to reply late. I had a fever for a few days and was not able to do
> > anything.
> > I tried to turn off apparmor. I could dump mysqld!!
> > Thank you for your cooperation:)
> 
> I think we need something like PTRACE_O_SUSPEND_SECCOMP for apparmor.
> Tycho, what do you think about this?

Yes, we probably do (for all LSMs, not just selinux). I'll add it to
my TODO list to look into it.

Yohei, if you still want to use apparmor, if you post your profile I
can probably tell you what you need to drop to allow CRIU's parasite
code to work.

Tycho

More information about the CRIU mailing list