<div dir="ltr">Thanks for the explanation. So it sounds like if I want to be able to checkpoint and restore child processes from within an application using the libcriu C API that I need to run my application as root. I can do that for now while I'm developing and I'll be interested to try alternate techniques once they are available.<div><br></div><div><div>-Gabriel<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 13, 2015 at 4:42 AM, Pavel Emelyanov <span dir="ltr"><<a href="mailto:xemul@parallels.com" target="_blank">xemul@parallels.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 11/13/2015 08:58 AM, Gabriel Southern wrote:<br>
> I'm interested in using criu for creating/restoring checkpoints from within an<br>
> application that would be run as a regular user (not root).<br>
<br>
</span>:)<br>
<span class=""><br>
> I've been looking at the code in test/rpc/test-c.c to see an example of how this<br>
> could work.<br>
<br>
</span>There's a long story behind this. In the early stages we suggested using criu<br>
service started from root and an application willing to C/R talking to it via a<br>
unix socket. <a href="http://criu.org/RPC" rel="noreferrer" target="_blank">http://criu.org/RPC</a><br>
<br>
Later on, the service was recognized as a security hole and we no longer recommend<br>
people to make it publicly available when launched from root user. Instead, we<br>
started working on the user-mode dump and restore. The latest patches are [1] but<br>
it's still not 100% complete. In particular, the error you mention below is still<br>
not fixed.<br>
<br>
[1] <a href="https://lists.openvz.org/pipermail/criu/2015-October/022455.html" rel="noreferrer" target="_blank">https://lists.openvz.org/pipermail/criu/2015-October/022455.html</a><br>
<br>
<br>
We planned to have this set finished and merged by 1.8, but we're short of resources,<br>
so patches are now scheduled for 1.9.<br>
<span class=""><br>
> But when I run this test using the run.sh script I'm getting an error<br>
> during the restore step. Looking at the restore-c.log file the error that I see is:<br>
><br>
> pie: Error (pie/restorer.c:1085): prctl failed @1085 with -22<br>
<br>
</span>Yup, this is due to kernel restrictions on restoring the exe link. Right now<br>
there's nothing that can be done about it, but not to restore one. Tasks will<br>
continue running, but in /proc/pid/exe you would see criu, not the original<br>
binary.<br>
<br>
In the long term someone should start talking to the kernel people about<br>
relaxing those checks.<br>
<div class="HOEnZb"><div class="h5"><br>
> (full output available here: <a href="https://gist.github.com/southerngs/238a6f14ab61296587cc" rel="noreferrer" target="_blank">https://gist.github.com/southerngs/238a6f14ab61296587cc</a>)<br>
><br>
> If I could get the criu tests to pass I'd be able to use the libcriu C api for what I<br>
> need. But I'm not sure what I need to do to get these tests to pass. Any suggestions<br>
> are appreciated.<br>
><br>
> Also in case it matters I'm running Arch Linux. My kernel is 4.2.5-1 and compiled<br>
> with the Arch Linux defaults and with the options listed on the wiki page<br>
> (<a href="https://criu.org/Installation#Configuring_the_kernel" rel="noreferrer" target="_blank">https://criu.org/Installation#Configuring_the_kernel</a>).<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">-- Pavel<br>
<br>
</font></span></blockquote></div><br></div></div>