<div dir="ltr"><div>Hi Andrey,</div><div><br></div><div>Thanks for your reply. To give you more details about my scenario, I'm live cloning Apache between two hosts with same configuration. In my intended scenario, I want to leave the original Apache running (that's why I use -R). Currently, my steps for cloning are checkpoint -R on the source host, transfer images between source and destination, and restore on the destination host. I extended my copy of CRIU to handle relocation of established connections when restoring on the destination host (otherwise, the restore would fail in the destination host while trying to restore established connections). </div>
<div><br></div><div>So, my first question: assuming that I'm not planning to execute restores of Apache on the source host (I want it to be always running and want to be able to take dumps of it to clone to another host), should I perform a full checkpoint-restore cycle on the source host each time I want to clone Apache or may I safely use checkpoint with option -R followed by a iptables flush? </div>
<div><br></div><div>When you mentioned that -R doesn't work, is there other issues apart from the issue related to established connections unlocking on the source host? </div><div><br></div><div>Thanks,</div><div>Fred</div>
<div><br></div><div>On Wed, Oct 30, 2013 at 4:39 AM, Andrew Vagin <span dir="ltr"><<a href="mailto:avagin@parallels.com" target="_blank">avagin@parallels.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">On Tue, Oct 29, 2013 at 05:20:03PM -0500, Frederico Araujo wrote:<br>
> Hi there,<br>
><br>
> I noticed that when checkpointing with the option -R, the iptables filters are<br>
> not being cleaned. I checked CRIU's log and this is what i have:<br>
<br>
</div>-R doesn't work and it's known issue. In one moment we decided that this<br>
option is meaningless, because this options doesn't give a garanty that<br>
the created snapshot will be able to be restored in a future. For example if<br>
you checkpoint apache, you need to create a snapshot of all files, which<br>
apache is used in this moment. CRIU can't unlock TCP connections after<br>
dumping, because most probably they will be restored incorrectly and so on.<br>
<br>
Then we added the post-dump action script, where a user can do<br>
additional actions and then he can decide to stop or resume processes.<br>
<br>
You can look at test/zdtm.sh and test/post-dump.sh for example.<br>
<div class="im"><br>
><br>
> ...<br>
> pie: 1067: Restored<br>
> (00.059424) Unlock network<br>
> (00.059454) Running iptables [iptables -t filter -D INPUT --protocol tcp<br>
> --source 10.0.3.1 --sport 50373 --destination 10.0.3.236 --dport 8080 -j DROP]<br>
> iptables: Bad rule (does a matching rule exist in that chain?).<br>
> (00.062168) Error (util.c:574): waitpid() failed: No child processes<br>
> (00.062193) Error (netfilter.c:69): Iptables configuration failed: No child<br>
> processes<br>
> (00.062204) Running iptables [iptables -t filter -D OUTPUT --protocol tcp<br>
> --source 10.0.3.236 --sport 8080 --destination 10.0.3.1 --dport 50373 -j DROP]<br>
> iptables: Bad rule (does a matching rule exist in that chain?).<br>
> ...<br>
><br>
> Then, I checked my iptables after checkpointing and the exact rules are in<br>
> there. I manually executed the above iptables commands after checkpointing and<br>
> it successfully cleans the filters. Is this a known issue/bug or am doing<br>
> something wrong?<br>
<br>
</div>You must understand that if you unlock tcp connections, they probably<br>
will not restored correctly in the next time. You can do that safely only<br>
if both side of a connection has been dumped.<br>
<div class="im"><br>
><br>
> I'm using criu to checkpoint a instance of Apache Server. To reproduce the<br>
> scenario, you have to have an established connection to the server.<br>
<br>
</div>Do you want to reproduce the state of tcp connections? Do you checkpoint<br>
both sides of connections?<br>
Can you give a bit more details about the use case?<br>
<br>
Thanks,<br>
Andrey<br>
<br>
</blockquote></div><br></div></div>