<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-size:12.8px">What I'm not sure about is how this works with<br></span><span style="font-size:12.8px">--leave-running; doesn't it already delete these rules? If not, how is<br></span><span style="font-size:12.8px">the network actually unlocked?</span></blockquote><div> </div><div>cr-dump.c: (opts.final_state == TASK_ALIVE if <span style="font-size:12.8px">--leave-running is passed to criu)</span></div><div>if (ret || post_dump_ret || opts.final_state == TASK_ALIVE) {</div><div>network_unlock();</div><div>delete_link_remaps();</div><div>}</div><div><br></div><div>The only problem is that these 2 function calls are executed after dump and during restore.</div><div>And these calls expect an already initialized big c/r state. It's the problem that I've described in the previous email.</div><div><br></div><div>Also there is a peculiarity in criu gc that can be important for you. You need to specify the path to the image<br></div><div>files dir for criu gc because criu gc uses data from images to find the right iptables rules and link remaps.</div><div>So a part of the dump should be stored on the node you migrate from.</div><div><br></div><div><span style="font-size:12.8px;white-space:nowrap">Tycho, do you have any urgency in criu gc feature arrival?</span><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-05-16 17:17 GMT+03:00 Tycho Andersen <span dir="ltr">&lt;<a href="mailto:tycho.andersen@canonical.com" target="_blank">tycho.andersen@canonical.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, May 16, 2016 at 03:31:57PM +0300, Pavel Emelyanov wrote:<br>
> On 05/10/2016 08:04 PM, Tycho Andersen wrote:<br>
> > Hi guys,<br>
> ><br>
> > I'm looking at implementing some kind of --leave-frozen option in<br>
> > CRIU, so that we can have a basic UX in LXD where we can wait for the<br>
> > restore to be successful before we kill the checkpointed container. I<br>
> > know p.haul does this by just using a callback, but it would be sort<br>
> > of painful to absorb just the callback part without doing a lot of<br>
> > extra engineering. We'll get LXD using p.haul someday, though :)<br>
> ><br>
> > The actual --leave-frozen patch is not so bad (see attached), but I'm<br>
> > not sure what to do about the network locking/unlocking bits.<br>
><br>
> There was a patch 8b04551c (restore: restore freezer cgroup state) in 2.0<br>
> that turned cgroup into whatever state it was before dump. Can it be fixed<br>
> to make '--leave-frozen' alter the behavior of add_freezer_state_for_restore()<br>
> and set it to 'frozen' always?<br>
<br>
</span>That's basically what this patch does, although in a slightly<br>
different way than what you suggest. I can fix it up if you want to<br>
apply it, though.<br>
<span class=""><br>
> > It seems like it is always safe to do the bits in<br>
> > cpt_unlock_tcp_connections() since that's just disabling tcp repair<br>
> > mode, but all of the iptables rules seem necessary in order to keep<br>
> > the network locked.<br>
> ><br>
> > So my question is: is there a nice way we can "tag" these rules so<br>
> > that something can come by and delete them later? I was thinking about<br>
> > having criu add a comment (via -m comment --comment "CRIU-LOCK-RULE")<br>
> > to each rule it adds, but I'm not sure if there's a better way, or if<br>
> > I've missed something entirely.<br>
><br>
> Yes, there's an issue #45 -- show what's left in the system after dump. Iptables<br>
> rules are in the list :) I know that some gentlemen (Cc) from Saint-Petersburg were<br>
> interested in implementing it in form of 'criu gc' action, so probably tuning this<br>
> option to support '--show-only' would help you?<br>
<br>
</span>Well, I could use `criu gc` directly to remove the iptables rules to<br>
unlock the network if that's all that was needed. So I don't really<br>
need a --show-only. What I'm not sure about is how this works with<br>
--leave-running; doesn't it already delete these rules? If not, how is<br>
the network actually unlocked?<br>
<br>
I don't mind implementing such a `criu gc` option where it tries to go<br>
through and delete its rules, though. That sounds like exactly what I<br>
want here, and if it's ok with you, I can try to work on it :)<br>
<span class="HOEnZb"><font color="#888888"><br>
Tycho<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Best regards,<br>Eugene Batalov.</div>
</div>
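<div>The tagging idea raised in the thread (marking each lock rule with -m comment --comment "CRIU-LOCK-RULE" so it can be found and deleted later) can be sketched as follows. This is an added example, not code from CRIU or from anyone in the thread; the function name, the sample ruleset and the use of the tag are assumptions, since the thread only proposes the tag.</div>

```shell
#!/bin/sh
# Tag proposed in the thread; an assumption here, not something CRIU is
# stated to emit.
TAG='CRIU-LOCK-RULE'

# Hypothetical helper: read iptables-save output on stdin and write, on
# stdout, a ruleset in iptables-restore format that deletes only the rules
# carrying exactly the tag as their comment. Untagged rules and rules whose
# comment merely starts with the tag are left alone.
criu_lock_rule_deletes() {
    awk -v tag="$TAG" '
        /^\*/ { table = $0; n = 0; next }      # table header, e.g. *filter
        /^-A / {
            line = $0 " "                      # trailing space: match at end of line too
            # iptables-save may print the comment quoted or unquoted
            if (index(line, "--comment \"" tag "\" ") ||
                index(line, "--comment " tag " ")) {
                rule = $0
                sub(/^-A /, "-D ", rule)       # same rule spec, delete instead of append
                pending[++n] = rule
            }
            next
        }
        /^COMMIT/ {
            if (n > 0) {                       # emit only tables that had tagged rules
                print table
                for (i = 1; i <= n; i++) print pending[i]
                print "COMMIT"
            }
            n = 0
        }
    '
}

# Constructed sample in iptables-save format (not captured from a real host).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m comment --comment "CRIU-LOCK-RULE" -j DROP
-A OUTPUT -m comment --comment CRIU-LOCK-RULE -j DROP
-A INPUT -m comment --comment "CRIU-LOCK-RULE-backup" -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT'

# Show-only mode: print what would be deleted, change nothing.
printf '%s\n' "$SAMPLE" | criu_lock_rule_deletes
```

<div>The printed ruleset is a review list by itself; applying it would mean feeding it to iptables-restore --noflush so that the untagged rules stay in place.</div>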