<div dir="ltr">I am running the containers with --security-opt seccomp:unconfined option, so there should be no security risks.<div><br></div><div>Now what can we do to make criu check pass when running on kernels that don't have seccomp? The section "Checking That It Works" in <a href="http://criu.org/Installation">http://criu.org/Installation</a> says that the users should see "Looks OK". But currently we can't get a "Looks OK" message even with --no-seccomp. Pavel had a suggestion on how to redo criu check.</div><div><div><br></div><div>--Saied</div><div><br><div><div><br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 17, 2016 at 6:50 AM, Tycho Andersen <span dir="ltr"><<a href="mailto:tycho.andersen@canonical.com" target="_blank">tycho.andersen@canonical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Feb 17, 2016 at 05:41:28PM +0300, Pavel Emelyanov wrote:<br>
> On 02/17/2016 05:15 PM, Tycho Andersen wrote:<br>
> > On Wed, Feb 17, 2016 at 01:48:37PM +0300, Pavel Emelyanov wrote:<br>
> >> Applied.<br>
> >><br>
> >> Am I right, that the current behavior of criu is -- no seccomp configured<br>
> >> on a process means no attempt to dump one is performed?<br>
> ><br>
> > I think so, just to restate: if no seccomp is configured on the<br>
> > process than no attempt to dump the /seccomp/ stuff is made (since<br>
> > there's nothing to dump). The task itself is still dumped as usual.<br>
><br>
> OK :) Then Saied is potentially doing a dangerous thing with this option :)<br>
> since tasks will be restored without seccomp stuff configured in.<br>
<br>
</span>Yes, exactly. It does a pr_warn when it encounters this, at least.<br>
<span class="HOEnZb"><font color="#888888"><br>
Tycho<br>
</font></span></blockquote></div><br></div>