[CRIU] ✗ travis-ci: failure for series starting with [PATCHv2,1/5] locks: Add c/r of non broken leases (kernel>=v4.1)
Andrei Vagin
avagin at virtuozzo.com
Tue Sep 5 00:12:38 MSK 2017
On Sun, Sep 03, 2017 at 05:36:58PM +0300, Pavel Begunkov wrote:
> Seems, CRIU can't set a lease on a file when user namespaces are used.
> So, I found a notice from *fcntl* man:
>
> "An unprivileged process may take out a lease only on a file whose UID
> (owner) matches the filesystem UID of the process. A process with the
> CAP_LEASE capability may take out leases on arbitrary files."
>
> I suppose, that restore stage is performed in user namespace and,
> because of that, filesystem UID of new process differ from the original
> one. Thus, it leads to violation of statements above.
>
> Could somebody with a better understanding of namespaces in CRIU tell if
> it sounds reasonable and guess what I can do about it, please?
It is possible to use something like this:
diff --git a/criu/file-lock.c b/criu/file-lock.c
index c2db04497..1b75fdfdc 100644
--- a/criu/file-lock.c
+++ b/criu/file-lock.c
@@ -516,6 +516,8 @@ static int restore_breaking_file_lease(FileLockEntry
*fle)
return 0;
}
+int setfsuid(uid_t fsuid);
+int setfsgid(gid_t fsuid);
static int restore_file_lease(FileLockEntry *fle)
{
int ret;
@@ -523,9 +525,17 @@ static int restore_file_lease(FileLockEntry *fle)
if (fle->type & LEASE_BREAKING) {
return restore_breaking_file_lease(fle);
} else {
+ struct stat st;
+ int old_fsuid;
+ if (fstat(fle->fd, &st)) {
+ pr_perror("stat");
+ return 1;
+ }
+ old_fsuid = setfsuid(st.st_uid);
ret = fcntl(fle->fd, F_SETLEASE, fle->type);
if (ret < 0)
pr_perror("Can't restore non broken lease");
+ setfsuid(old_fsuid);
return ret;
}
}
And if this way will fail too, we can create a slow path, which will
work via the usernsd daemon. Usernsd is running in the root user
namespaces with all capabilities, and it is possible to ask it to
set a lease. You need to look at userns_call().
>
>
> On 30/08/17 04:04, Pavel Begunkov wrote:
> > Yeah, thanks. Soon I'll make time to fix it along with one's noticed by
> > Pavel.
> >
> > On 30/08/17 02:43, Andrei Vagin wrote:
> >> ===================== Run zdtm/static/file_lease01 in uns ======================
> >> Start test
> >> ./file_lease01 --pidfile=file_lease01.pid --outfile=file_lease01.out --filename=file_lease01.test
> >> Run criu dump
> >> Run criu restore
> >> =[log]=> dump/zdtm/static/file_lease01/124/1/restore.log
> >> ------------------------ grep Error ------------------------
> >> (00.308462) 4: Create fd for 3
> >> (00.308480) 4: Create fd for 4
> >> (00.308486) 4: Create fd for 5
> >> (00.308491) 4: Create fd for 6
> >> (00.308510) 4: Error (criu/file-lock.c:528): Can't restore non broken lease: Permission denied
> >> (00.310868) 1: Error (criu/cr-restore.c:1527): 4 exited, status=1
> >> (00.346609) uns: calling exit_usernsd (-1, 1)
> >> (00.346678) uns: daemon calls 0x4d3390 (146, -1, 1)
> >> (00.346690) uns: `- daemon exits w/ 0
> >> (00.349075) uns: daemon stopped
> >> (00.349092) Error (criu/cr-restore.c:2412): Restoring FAILED.
> >> ------------------------ ERROR OVER ------------------------
> >> ############## Test zdtm/static/file_lease01 FAIL at CRIU restore ##############
> >>
> >> On Mon, Aug 14, 2017 at 01:12:36AM +0000, Patchwork wrote:
> >>> == Series Details ==
> >>>
> >>> Series: series starting with [PATCHv2,1/5] locks: Add c/r of non broken leases (kernel>=v4.1)
> >>> URL : https://patchwork.criu.org/series/1885/
> >>> State : failure
> >>>
> >>> == Logs ==
> >>>
> >>> For more details see: https://travis-ci.org/criupatchwork/criu/builds/264198066?utm_source=github_status&utm_medium=notification
> >>> _______________________________________________
> >>> CRIU mailing list
> >>> CRIU at openvz.org
> >>> https://lists.openvz.org/mailman/listinfo/criu
> >
>
> --
> Yours sincerely,
> Pavel
>
More information about the CRIU
mailing list