[CRIU] Failing second checkpoint with iptables-restore v1.8.0 (nf_tables)

Adrian Reber adrian at lisas.de
Wed Sep 5 17:14:04 MSK 2018 

On Wed, Sep 05, 2018 at 11:14:14AM +0200, Adrian Reber wrote:
> I got a report of a checkpoint failure that is happening when dumping a
> already restored runc container.
> 
> On the second 'runc checkpoint' the log says:
> 
> (00.101158) Lock network
> (00.101161) Running network-lock scripts
> (00.101162) 	RPC
> iptables-restore v1.8.0 (nf_tables): 
> line 2: CHAIN_USER_FLUSH failed (Device or resource busy): chain CRIU
> line 2: CHAIN_USER_ADD failed (File exists): chain CRIU
> (00.109645) Error (criu/util.c:811): exited, status=4
> ip6tables-restore v1.8.0 (nf_tables): 
> line 2: CHAIN_USER_FLUSH failed (Device or resource busy): chain CRIU
> line 2: CHAIN_USER_ADD failed (File exists): chain CRIU
> (00.117250) Error (criu/util.c:811): exited, status=4
> (00.117267) Error (criu/net.c:2560): Locking network failed:
> iptables-restore returned -1. This may be connected to disabled
> CONFIG_NETFILTER_XT_MARK kernel build config option.
> (00.117284) Unlock network
> (00.117286) Running network-unlock scripts
> (00.117288) 	RPC
> iptables-restore v1.8.0 (nf_tables): 
> line 2: CHAIN_USER_FLUSH failed (Device or resource busy): chain CRIU
> line 2: CHAIN_USER_ADD failed (File exists): chain CRIU
> (00.124776) Error (criu/util.c:811): exited, status=4
> ip6tables-restore v1.8.0 (nf_tables): 
> line 2: CHAIN_USER_FLUSH failed (Device or resource busy): chain CRIU
> line 2: CHAIN_USER_ADD failed (File exists): chain CRIU
> (00.132118) Error (criu/util.c:811): exited, status=4
> (00.132144) Unfreezing tasks into 1
> (00.132154) 	Unseizing 15729 into 1
> (00.132175) Error (criu/cr-dump.c:1720): Dumping FAILED.
> 
> This is criu 3.10 on a 4.18 kernel. This is the first time I am seeing a
> system with 'iptables-restore v1.8.0 (nf_tables)'. Not sure if that is
> related.
> 
> I cannot reproduce it with runc currently. So right now I just wanted to
> reach it out if this is something anybody has already seen.

I was able to reproduce this error and it is related to iptables 1.8.0
which has a multi call binary:

/usr/sbin/iptables-restore -> xtables-nft-multi

and the command line options of this iptables-restore program are
different (and with less features) than the iptables-restore from 1.6.*.

I started to talk with one of the iptables maintainers.

		Adrian

More information about the CRIU mailing list