[CRIU] implementing some kind of --leave-frozen option for c/r in CRIU

Tycho Andersen tycho.andersen at canonical.com
Wed May 11 07:53:02 PDT 2016


On Wed, May 11, 2016 at 03:50:35PM +0300, Pavel Emelyanov wrote:
> On 05/10/2016 08:04 PM, Tycho Andersen wrote:
> > Hi guys,
> > 
> > I'm looking at implementing some kind of --leave-frozen option in
> > CRIU, so that we can have a basic UX in LXD where we can wait for the
> > restore to be successful before we kill the checkpointed container. 
> 
> There's a patchset titled "[PATCHv1 0/2] implement --leave-stopped option 
> for CRIU restorer". Does your one do the same thing or they are different?

Kind of, in that set the task sees an extra SIGSTOP that it othewrise
wouldn't, while with this one it just uses the cgroup freezer. For us
it's easier to just use the freezer (and I think slightly more correct
because the task doesn't see an extra SIGSTOP), but we could use that
one instead and just add some extra code in liblxc to send SIGCONT
when we need it.

However, both patches have the problem that the container isn't
*really* stopped, since once the network is unlocked the kernel will
do some TCP operations on behalf of the task even if it is in the
cgroup freezer or the stopped state.

Tycho

> -- Pavel
> 
> > I know p.haul does this by just using a callback, but it would be sort
> > of painful to absorb just the callback part without doing a lot of
> > extra engineering. We'll get LXD using p.haul someday, though :)
> > 
> > The actual --leave-frozen patch is not so bad (see attached), but I'm
> > not sure what to do about the network locking/unlocking bits.
> > 
> > It seems like it is always safe to do the bits in
> > cpt_unlock_tcp_connections() since that's just disabling tcp repair
> > mode, but all of the iptables rules seem necessary in order to keep
> > the network locked.
> > 
> > So my question is: is there a nice way we can "tag" these rules so
> > that something can come by and delete them later? I was thinking about
> > having criu add a comment (via -m comment --comment "CRIU-LOCK-RULE")
> > to each rule it adds, but I'm not sure if there's a better way, or if
> > I've missed something entirely.
> > 
> > Thanks!
> > 
> > Tycho
> > 
> > 
> > 
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu
> > 
> 


More information about the CRIU mailing list