[CRIU] [PATCH v4 00/41] Nested pid namespaces support
Kirill Tkhai
ktkhai at virtuozzo.com
Fri May 5 08:32:44 PDT 2017
On 05.05.2017 04:11, Andrei Vagin wrote:
> Hi Kirill,
>
> I tried to modify our test lib to run tests in a sub-pidns
> https://github.com/avagin/criu/commit/be6c5bfc023eb3fe8fe730ec891fca84cb9d5bdf
>
> and I get a lot of errors like this:
> ====================== Run zdtm/static/file_locks06 in h =======================
> LINK file_locks06
> Start test
> ./file_locks06 --pidfile=file_locks06.pid --outfile=file_locks06.out --filename=file_locks06.test
> Run criu dump
> =[log]=> dump/zdtm/static/file_locks06/29/1/dump.log
> ------------------------ grep Error ------------------------
> (00.015153) Fetched ack: 2 2 0
> (00.015185) Parasite 29 has been switched to daemon mode
> (00.015227) Sent msg to daemon 72 0 0
> pie: 1: __fetched msg: 72 0 0
> pie: 1: Error (criu/pie/parasite.c:395): can't dump unpriviliged task whose />

It's because you created a root_item which has uid != 0, i.e. it has no
CAP_SYS_ADMIN permissions. There is a setuid() function in test_init(), and
it sets a non-zero uid. So, the mount does not work.

According to the code design in dump_one_task(), where parasite_get_proc_fd_seized()
is called, we were not going to support such cases:

	if (root_ns_mask & CLONE_NEWPID && root_item == item) {
		int pfd;

		pfd = parasite_get_proc_fd_seized(parasite_ctl);

It's for root_item only. I suppose that if we wanted to support such cases,
we would have written something else here.

You may try to comment out setuid() in test_init(), and this helps.

> pie: 1: proc doesn't belong to it
> pie: 1: proc doesn't belong to it
> pie: 1: Error (criu/pie/parasite.c:411): Can't get /proc fd
> pie: 1: __sent ack msg: 72 72 -1
> pie: 1: Close the control socket for writing
> (00.016399) Error (criu/parasite-syscall.c:445): Can't retrieve FD from socket
> pie: 1: Daemon waits for command
> (00.016465) Wait for ack 72 on daemon socket
> (00.016514) Error (compel/src/lib/infect-rpc.c:46): Message reply from daemon is trimmed (12/0)
> (00.016527) Error (criu/cr-dump.c:1301): Can't get proc fd (pid: 29)
> (00.018010) 29 was stopped
> (00.018500) Unlock network
> (00.018522) Unfreezing tasks into 1
> (00.018531) Unseizing 29 into 1
> (00.018554) Error (criu/cr-dump.c:1733): Dumping FAILED.
>
> On Thu, May 04, 2017 at 07:04:54PM +0300, Kirill Tkhai wrote:
>> Hi,
>>
>> this is the fourth version of nested pid namespaces support.
>> The most significant changes in this version are support for zombies
>> from child pid namespaces, and collecting NSpids during seize
>> of a task (instead of collecting at dump time).
>>
>> Also, there are other small changes from the discussion
>> of the previous version.
>>
>> ---
>>
>> Kirill Tkhai (41):
>> pstree: Implement vpgid(), vsid() and vtid()
>> pstree: Implement free_pstree_item() helper
>> ns: Do not change net_ns in prepare_net_namespaces()
>> mnt: Put root fd to fdstore
>> cr-restore: Open transport socket earlier
>> zdtm: Add pidns00 test
>> zdtm: Add pidns01 test
>> pid_ns: Implement pid_ns_root_off()
>> pstree: Change arguments in parse_pid_status()
>> pstree: Introduce PID_SIZE() helper
>> pstree: Use thread group leader level of pid to allocate threads
>> pstree: Move thread allocation up and do cleanup
>> pstree: Pre-dump ns ids before tasks
>> pstree: Collect NSpid, NSsid and NStgid when possible
>> pstree: Skip zombie dumping tricks if there is kdat.has_nspid
>> zombie: Kill by last_level_pid, not by vpid
>> images: Add NSpids pstree descriptions
>> pstree: Dump and restore NSpid, NSsid etc
>> pstree: Make get_free_pid() work for different pid_ns and export it
>> pstree: Extract __pstree_item_by_virt() to act on any pid_ns
>> ns: Reserve pid_ns helpers
>> restore: Implement set_next_pid() helper
>> pid: Always lock last pid file on clone()
>> pid: Add fdstore id for pid_ns descriptor
>> fdstore: Init fdstore earlier
>> pid: Save created pid_ns fd to fdstore
>> ns: Always start usernsd
>> pid: Add pid ns futex helper_created
>> ns: Install transport fd socket in usernsd
>> cr-restore: Add argument to criu_signals_setup()
>> ns: Add usernsd signal handler
>> pid: Create pid_ns helpers
>> pid: Wait till pid_ns created before we create a child of this ns
>> pid: Set pid_ns before we create a child
>> pid_ns: Set user_ns before creation of pid_ns
>> pid: Teach set_next_pid() working with nested pid_ns
>> restorer: Close transport socket later
>> restorer: Set NStids in all pid_ns for thread before we create it.
>> pid: Check for equality of getpid() of child to last_level_pid
>> pstree: Use CLONE_NEWPID only to create child reaper of pid_ns
>> ns: Nested pid_ns support
>>
>>
>> criu/cr-dump.c | 70 ++++++--
>> criu/cr-restore.c | 349 +++++++++++++++++++++++++++++++++-------
>> criu/files-reg.c | 8 -
>> criu/files.c | 20 +-
>> criu/include/namespaces.h | 17 ++
>> criu/include/proc_parse.h | 3
>> criu/include/pstree.h | 28 +++
>> criu/include/restore.h | 3
>> criu/include/restorer.h | 6 +
>> criu/include/rst_info.h | 1
>> criu/mount.c | 19 +-
>> criu/namespaces.c | 359 +++++++++++++++++++++++++++++++++++++++++
>> criu/net.c | 16 +-
>> criu/ns-common.c | 51 ++++++
>> criu/pie/restorer.c | 50 ++++--
>> criu/proc_parse.c | 81 +++++++++
>> criu/pstree.c | 297 ++++++++++++++++++++++++----------
>> criu/seize.c | 41 +++--
>> criu/sk-unix.c | 11 +
>> criu/tty.c | 2
>> images/pstree.proto | 17 +-
>> test/zdtm/static/Makefile | 2
>> test/zdtm/static/pidns00.c | 205 +++++++++++++++++++++++
>> test/zdtm/static/pidns00.desc | 1
>> test/zdtm/static/pidns01.c | 164 +++++++++++++++++++
>> test/zdtm/static/pidns01.desc | 1
>> test/zdtm/static/tun.desc | 2
>> 27 files changed, 1581 insertions(+), 243 deletions(-)
>> create mode 100644 criu/ns-common.c
>> create mode 100644 test/zdtm/static/pidns00.c
>> create mode 100644 test/zdtm/static/pidns00.desc
>> create mode 100644 test/zdtm/static/pidns01.c
>> create mode 100644 test/zdtm/static/pidns01.desc
>>
>> --
>> Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
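
An added illustration of the reply above (not CRIU code and not part of the original thread): a small C pre-check that parses a task's /proc/<pid>/status text, reports whether CAP_SYS_ADMIN is in its effective set, and lists the pid it has at each pid namespace level from the NSpid line. The struct, the function names and the sample status text are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21	/* CAP_SYS_ADMIN in <linux/capability.h>; mount(2) needs it */
#define MAX_LEVELS 32

struct task_status {		/* hypothetical, not a CRIU structure */
	unsigned long long cap_eff;
	int nspid[MAX_LEVELS];	/* outermost pid_ns first, innermost last */
	int nr_levels;
};
/* Constructed sample: a task in a sub-pidns after setuid() to a non-zero uid */
static const char SAMPLE_UNPRIV[] = "Name:\tfile_locks06\nUid:\t1000\t1000\t1000\t1000\n"
				    "NSpid:\t29\t1\nCapEff:\t0000000000000000\n";

/* Parse NSpid: and CapEff: from /proc/<pid>/status text; 0 if both were found */
static int parse_status(const char *text, struct task_status *st)
{
	int have_cap = 0;
	char *end;
	memset(st, 0, sizeof(*st));
	for (const char *l = text; l && *l; l = strchr(l, '\n'), l = l ? l + 1 : NULL) {
		if (sscanf(l, "CapEff: %llx", &st->cap_eff) == 1)
			have_cap = 1;
		if (strncmp(l, "NSpid:", 6))
			continue;
		for (const char *p = l + 6; st->nr_levels < MAX_LEVELS; p = end) {
			p += strspn(p, " \t");
			if (*p < '0' || *p > '9')
				break;	/* end of line or malformed field */
			st->nspid[st->nr_levels++] = (int)strtol(p, &end, 10);
		}
	}
	return (have_cap && st->nr_levels > 0) ? 0 : -1;
}

static int has_cap_sys_admin(const struct task_status *st)
{
	return (int)((st->cap_eff >> CAP_SYS_ADMIN_BIT) & 1);
}

int main(void)
{
	struct task_status st;
	int err = parse_status(SAMPLE_UNPRIV, &st);
	if (!err)
		printf("levels=%d CAP_SYS_ADMIN=%d\n", st.nr_levels, has_cap_sys_admin(&st));
	return err ? 1 : 0;
}
```

CapEff is reported relative to the task's own user namespace, so a set bit is a necessary check here, not a guarantee that a mount will succeed.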