[CRIU] force socket reset using CRIT

J C jc5453726 at gmail.com
Fri Aug 18 15:22:39 MSK 2017


Hello CRIU folks,



I’m using CRIU (via docker restore) to restore a process tree with
--tcp-established.


GOAL:


   - Is there a way to force a socket to reset on restore by modifying
   inetsk.img?

SETUP:


   - We are restoring a process tree in node A, which has an open socket
   connected to a remote resource on node B.
   - We have an AWS security group in between nodes A and B, with rules to
   allow traffic from node A to node B.
   - Response traffic from node B to node A is normally allowed through the
   security group because security groups are stateful.
   - AWS has the concept of "connection tracking" described here:
   http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking
   - However, when we restore the process tree on node A well into the
   future, not only will node B reject the incoming traffic from the process
   tree on node A because it has dropped the connection, leading to a TCP
   connection reset (RST), but the stateful connection has also been dropped
   by the security group, meaning the response traffic from B to A is now
   rejected.
   - The end result for this particular application is a long timeout.
   Everything restores correctly and eventually works, but the long timeout is
   not desirable.

POSSIBLE FIX

   - An easy way to fix this issue would be to modify the application to
   reset the socket connection. Both applications in node A and node B cannot
   be easily modified.
   - An alternative approach I was considering is modifying the image file
   “inetsk.img” using CRIT in such a manner that the socket restores
   correctly, but will force a TCP RST.
   - Before I try this out, curious if there was a field in the image file
   that would be a good candidate to modify.
   - The socket entry in inetsk.img looks like the snippet below.

 Thanks, Joe


/////

   {
         "src_port":41070,
         "family":2,
         "proto":6,
         "opts":{
            "so_passsec":false,
            "so_snd_tmo_sec":0,
            "so_sndbuf":332800,
            "so_passcred":false,
            "so_mark":0,
            "reuseaddr":false,
            "so_rcv_tmo_usec":0,
            "so_priority":0,
            "so_rcvlowat":1,
            "so_no_check":false,
            "so_rcv_tmo_sec":0,
            "so_rcvbuf":372480,
            "so_dontroute":false,
            "so_snd_tmo_usec":0
         },
         "fown":{
            "pid_type":0,
            "signum":0,
            "pid":0,
            "uid":0,
            "euid":0
         },
         "dst_addr":[
            4010041610
         ],
         "state":1,
         "ino":134758,
         "flags":526338,
         "dst_port":13555,
         "src_addr":[
            33559212
         ],
         "type":1,
         "id":2098,
         "backlog":0,
         "ip_opts":{
         }
      },
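
Added example, not part of the original message and not CRIU's own code: a reader for the decoded inetsk.img JSON that lists the established TCP entries in readable form, so the connection crossing the security group can be identified before the image is touched. Assumptions: the decoded file has the {"magic", "entries"} layout, addresses are raw u32 words saved on a little-endian host, and the function names are hypothetical.

```python
import ipaddress
import json
import struct

# Constructed sample: the entry from the message reduced to the fields used
# here, wrapped in the top-level layout assumed for decoded CRIT output.
SAMPLE = json.dumps({"magic": "INETSK", "entries": [{
    "id": 2098, "ino": 134758, "family": 2, "type": 1, "proto": 6,
    "state": 1, "src_port": 41070, "dst_port": 13555,
    "src_addr": [33559212], "dst_addr": [4010041610]}]})

AF_INET, AF_INET6 = 2, 10          # Linux address families
SOCK_STREAM, IPPROTO_TCP = 1, 6
TCP_ESTABLISHED = 1                # Linux TCP state number


def decode_addr(words):
    """Convert the image's u32 words (1 for IPv4, 4 for IPv6) to text."""
    if words and isinstance(words[0], str):
        return words[0]            # already rendered as a string
    raw = b"".join(struct.pack("<I", w) for w in words)
    return str(ipaddress.ip_address(raw))


def established_tcp(image_json):
    """Return one summary dict per established TCP socket in the image."""
    found = []
    for entry in json.loads(image_json).get("entries", []):
        if entry.get("family") not in (AF_INET, AF_INET6):
            continue
        if (entry.get("type"), entry.get("proto")) != (SOCK_STREAM, IPPROTO_TCP):
            continue
        if entry.get("state") != TCP_ESTABLISHED:
            continue               # listening or closed sockets hold no peer
        found.append({
            "id": entry["id"],
            "ino": entry["ino"],
            "src": f"{decode_addr(entry['src_addr'])}:{entry['src_port']}",
            "dst": f"{decode_addr(entry['dst_addr'])}:{entry['dst_port']}",
        })
    return found


if __name__ == "__main__":
    for sock in established_tcp(SAMPLE):
        print(f"id={sock['id']} ino={sock['ino']} {sock['src']} -> {sock['dst']}")
```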