[CRIU] [PATCH] seccomp: add a --no-seccomp option to disable dumping seccomp

Saied Kazemi saied at google.com
Wed Feb 17 09:27:06 PST 2016


I am running the containers with --security-opt seccomp:unconfined option,
so there should be no security risks.

Now what can we do to make criu check pass when running on kernels that
don't have seccomp?  The section "Checking That It Works" in
http://criu.org/Installation says that the users should see "Looks OK".
But currently we can't get a "Looks OK" message even with --no-seccomp.
Pavel had a suggestion on how to redo criu check.

--Saied



On Wed, Feb 17, 2016 at 6:50 AM, Tycho Andersen <tycho.andersen at canonical.com> wrote:

> On Wed, Feb 17, 2016 at 05:41:28PM +0300, Pavel Emelyanov wrote:
> > On 02/17/2016 05:15 PM, Tycho Andersen wrote:
> > > On Wed, Feb 17, 2016 at 01:48:37PM +0300, Pavel Emelyanov wrote:
> > >> Applied.
> > >>
> > >> Am I right, that the current behavior of criu is -- no seccomp configured
> > >> on a process means no attempt to dump one is performed?
> > >
> > > I think so, just to restate: if no seccomp is configured on the
> > > process then no attempt to dump the /seccomp/ stuff is made (since
> > > there's nothing to dump). The task itself is still dumped as usual.
> >
> > OK :) Then Saied is potentially doing a dangerous thing with this option :)
> > since tasks will be restored without seccomp stuff configured in.
>
> Yes, exactly. It does a pr_warn when it encounters this, at least.
>
> Tycho
>
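
A check for the risk raised in this thread, as an added example that is not part of the original messages or of CRIU: it reads the `Seccomp:` field of `/proc/<pid>/status` (0 = disabled, 1 = strict, 2 = filter) and flags tasks that were confined before a dump but are not after restore. The function names and the sample status text are constructed for illustration, and it assumes restored tasks keep their PIDs.

```python
import re

# Values of the "Seccomp:" field in /proc/<pid>/status (see proc(5)).
MODES = {0: "disabled", 1: "strict", 2: "filter"}

def seccomp_mode(status_text):
    """Return the Seccomp mode from status text, or None if the field is absent
    (for example on a kernel built without seccomp support)."""
    m = re.search(r"^Seccomp:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def read_mode(pid):
    """Read the live mode of a task; None if it has exited or has no field."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return seccomp_mode(f.read())
    except FileNotFoundError:
        return None

def lost_seccomp(before, after):
    """before/after map pid -> mode. Return (pid, old, new) for every task that
    was confined before the dump and has a different mode after restore."""
    return [(pid, old, after.get(pid))
            for pid, old in sorted(before.items())
            if old in (1, 2) and after.get(pid) != old]

def describe(mode):
    return MODES.get(mode, "unknown/absent")

# Constructed sample status excerpts, not captured from a real system.
SAMPLE_BEFORE = "Name:\tworker\nPid:\t42\nSeccomp:\t2\n"
SAMPLE_AFTER = "Name:\tworker\nPid:\t42\nSeccomp:\t0\n"
SAMPLE_NO_FIELD = "Name:\tworker\nPid:\t42\n"

if __name__ == "__main__":
    before = {42: seccomp_mode(SAMPLE_BEFORE), 43: 0}
    after = {42: seccomp_mode(SAMPLE_AFTER), 43: 0}
    for pid, old, new in lost_seccomp(before, after):
        print(f"pid {pid}: seccomp {describe(old)} before dump, "
              f"{describe(new)} after restore")
```

On a live system, collect `read_mode(pid)` for each task before the dump and again after restore, then pass both maps to `lost_seccomp`.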