[CRIU] [PATCH] seccomp: add a --no-seccomp option to disable dumping seccomp

Saied Kazemi saied at google.com
Wed Feb 17 10:15:29 PST 2016 

On Wed, Feb 17, 2016 at 9:36 AM, Pavel Emelyanov <xemul at virtuozzo.com>
wrote:

> On 02/17/2016 08:27 PM, Saied Kazemi wrote:
> > I am running the containers with --security-opt seccomp:unconfined
> option,
> > so there should be no security risks.
>
> Ouch. Why does criu then sees some seccomp configured on it?
>

I think I know what happened.  I had a script that would build and install
CRIU and then test Docker checkpoint and restore.  The script was failing
because criu check was failing but somehow I assumed that it was criu dump
that was failing although --security-opt seccomp:unconfined option was
used.  Sorry for the confusion :(



> > Now what can we do to make criu check pass when running on kernels that
> > don't have seccomp?  The section "Checking That It Works" in
> > http://criu.org/Installation says that the users should see "Looks OK".
> > But currently we can't get a "Looks OK" message even with --no-seccomp.
> > Pavel had a suggestion on how to redo criu check.
>
> Yup. We should distinguish tree types of features -- those, that are
> strictly
> required to make things work (/proc/pid/map_files, ptrace PEEKSIGINFO
> ,etc),
> those that are required, but only for "specific cases" (aio remap, tun,
> etc)
> and those that are experimental (e.g. task-diag from Andrey).
>

The 3-mode scheme sounds reasonable but which modes are absolutely
necessary for CRIU to dump and restore successfully.  We maintained in the
past that if users don't get "Looks OK" from criu check they won't be able
to dump/restore.  But that's not the case anymore as criu check fails with
seccomp errors but it successfully dumps and restores.


> But as far as seccomp is concerned, I'm now in doubt -- if there's no
> seccomp
> configured on a task, criu should just dump it even if there's no support
> from kernel to dump seccomp. But this seems not to be the case for Saied.
>

Per my explanation above, sorry for the false alarm!

--Saied


> On Wed, Feb 17, 2016 at 6:50 AM, Tycho Andersen <
> tycho.andersen at canonical.com <mailto:tycho.andersen at canonical.com>> wrote:
> >
> >     On Wed, Feb 17, 2016 at 05:41:28PM +0300, Pavel Emelyanov wrote:
> >     > On 02/17/2016 05:15 PM, Tycho Andersen wrote:
> >     > > On Wed, Feb 17, 2016 at 01:48:37PM +0300, Pavel Emelyanov wrote:
> >     > >> Applied.
> >     > >>
> >     > >> Am I right, that the current behavior of criu is -- no seccomp
> configured
> >     > >> on a process means no attempt to dump one is performed?
> >     > >
> >     > > I think so, just to restate: if no seccomp is configured on the
> >     > > process than no attempt to dump the /seccomp/ stuff is made
> (since
> >     > > there's nothing to dump). The task itself is still dumped as
> usual.
> >     >
> >     > OK :) Then Saied is potentially doing a dangerous thing with this
> option :)
> >     > since tasks will be restored without seccomp stuff configured in.
> >
> >     Yes, exactly. It does a pr_warn when it encounters this, at least.
> >
> >     Tycho
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/criu/attachments/20160217/ee59e096/attachment.html>

More information about the CRIU mailing list