[CRIU] implementing some kind of --leave-frozen option for c/r in CRIU

Tycho Andersen tycho.andersen at canonical.com
Mon May 16 07:17:01 PDT 2016


On Mon, May 16, 2016 at 03:31:57PM +0300, Pavel Emelyanov wrote:
> On 05/10/2016 08:04 PM, Tycho Andersen wrote:
> > Hi guys,
> > 
> > I'm looking at implementing some kind of --leave-frozen option in
> > CRIU, so that we can have a basic UX in LXD where we can wait for the
> > restore to be successful before we kill the checkpointed container. I
> > know p.haul does this by just using a callback, but it would be sort
> > of painful to absorb just the callback part without doing a lot of
> > extra engineering. We'll get LXD using p.haul someday, though :)
> > 
> > The actual --leave-frozen patch is not so bad (see attached), but I'm
> > not sure what to do about the network locking/unlocking bits.
> 
> There was a patch 8b04551c (restore: restore freezer cgroup state) in 2.0
> that turned cgroup into whatever state it was before dump. Can it be fixed
> to make '--leave-frozen' alter the behavior of add_freezer_state_for_restore()
> and set it to 'frozen' always?

That's basically what this patch does, although in a slightly
different way than what you suggest. I can fix it up if you want to
apply it, though.

> > It seems like it is always safe to do the bits in
> > cpt_unlock_tcp_connections() since that's just disabling tcp repair
> > mode, but all of the iptables rules seem necessary in order to keep
> > the network locked.
> > 
> > So my question is: is there a nice way we can "tag" these rules so
> > that something can come by and delete them later? I was thinking about
> > having criu add a comment (via -m comment --comment "CRIU-LOCK-RULE")
> > to each rule it adds, but I'm not sure if there's a better way, or if
> > I've missed something entirely.
> 
> Yes, there's an issue #45 -- show what's left in the system after dump. Iptables
> rules are in the list :) I know that some gentlemen (Cc) from Saint-Petersburg were
> interested in implementing it in form of 'criu gc' action, so probably tuning this
> option to support '--show-only' would help you?

Well, I could use `criu gc` directly to remove the iptables rules to
unlock the network if that's all that was needed. So I don't really
need a --show-only. What I'm not sure about is how this works with
--leave-running; doesn't it already delete these rules? If not, how is
the network actually unlocked?

I don't mind implementing such a `criu gc` option where it tries to go
through and delete its rules, though. That sounds like exactly what I
want here, and if it's ok with you, I can try to work on it :)

Tycho


More information about the CRIU mailing list