[CRIU] restore perms on cgroups

Tycho Andersen tycho.andersen at canonical.com
Thu Jan 21 21:05:29 PST 2016


On Thu, Jan 21, 2016 at 07:03:06PM -0800, Andrew Vagin wrote:
> On Wed, Jan 20, 2016 at 10:27:32AM -0700, Tycho Andersen wrote:
> > Hi guys,
> > 
> > While on a bike ride yesterday, it occurred to me that we're not restoring
> > permissions on the actual cgroup files as we should be. Here's a set that does
> > it.
> > 
> > Thoughts welcome,
> 
> Hi Tycho,
> 
> The series looks good. I have a question which we should discuss:
> 
> Currently you dump uid and gid for cgroup dirs and props from a host
> user namespace. In other places we dump uid and gid from a target user
> namespace. Is it ok? Currently if we want to restore a container with
> another set of uid and gid mappings, we need to fix them only in
> userns.img.
> 
> And we will need to fix them for cgroups too, if we add these patches.

Ah, that's interesting. I guess I thought I got lucky because both the
dump and restore happen in the host's ns, so I could dodge that
bullet.

If we want to be able to change the uid maps from the checkpoint host
to the restore host, this approach won't work. Does changing the uid
maps across hosts work today?

Re rewriting, what if we made it an option in criu, e.g. --uid-shift
and --gid-shift, so that any user that needed this shifting wouldn't
have to rewrite the images, she could just ask criu to do it on the
fly?

Tycho

> Thanks,
> Andrew
> 
> 
> > 
> > Tycho
> > 

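The question in this thread, as an added illustration that is not code from CRIU or from either poster: an owner id recorded from the host user namespace has to be translated through the dump-time map and back out through the restore-time map, while an id recorded relative to the target namespace needs no rewrite. The names `id_extent`, `host_to_ns`, `ns_to_host` and `remap_owner`, and both sample maps, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* One line of /proc/<pid>/uid_map or gid_map: "inside outside count". */
struct id_extent {
	unsigned int inside;  /* first id as seen inside the user namespace */
	unsigned int outside; /* first id as seen from the host namespace */
	unsigned int count;   /* length of the mapped range */
};

/* Host id -> id inside the namespace. Returns 0, or -1 if the id is unmapped. */
static int host_to_ns(const struct id_extent *m, size_t n, unsigned int host, unsigned int *ns)
{
	for (size_t i = 0; i < n; i++)
		/* Unsigned subtraction wraps when host < outside, so one compare checks both bounds. */
		if (host - m[i].outside < m[i].count) {
			*ns = m[i].inside + (host - m[i].outside);
			return 0;
		}
	return -1;
}

/* Id inside the namespace -> host id. Returns 0, or -1 if the id is unmapped. */
static int ns_to_host(const struct id_extent *m, size_t n, unsigned int ns, unsigned int *host)
{
	for (size_t i = 0; i < n; i++)
		if (ns - m[i].inside < m[i].count) {
			*host = m[i].outside + (ns - m[i].inside);
			return 0;
		}
	return -1;
}

/* Re-express a host-side owner id from the dump for a restore that uses a different map.
 * An id outside the dump map (for example a cgroup file owned by host root) is reported
 * as -1 instead of being shifted, so the caller never hands it to a container id by accident. */
static int remap_owner(const struct id_extent *dump, size_t nd, const struct id_extent *rst,
		       size_t nr, unsigned int dumped, unsigned int *restored)
{
	unsigned int ns;
	return host_to_ns(dump, nd, dumped, &ns) < 0 ? -1 : ns_to_host(rst, nr, ns, restored);
}

/* Constructed sample maps: same container range, different host base on each side. */
static const struct id_extent dump_map[] = { { 0, 100000, 65536 } };
static const struct id_extent restore_map[] = { { 0, 200000, 65536 } };

int main(void)
{
	unsigned int out;
	if (remap_owner(dump_map, 1, restore_map, 1, 101000, &out) == 0)
		printf("cgroup owner 101000 on the dump host -> %u on the restore host\n", out);
	return 0;
}
```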
