<div dir="ltr">Hello CRIU folks,<div><br></div><div>
<p class="MsoNormal">I’m using CRIU (via docker restore) to restore a process
tree with --tcp-established. </p><p class="MsoNormal"><br></p><p class="MsoNormal">GOAL:</p><p class="MsoNormal"></p><ul><li>Is there a way to force a socket to reset on restore by modifying inetsk.img?</li></ul><p class="MsoNormal">SETUP:</p><p class="MsoNormal"></p><ul><li>We are restoring a process tree in node A, which has an open
socket connected to a remote resource on node B. <br></li><li>We have an AWS security group
in between nodes A and B, with rules to allow traffic from node A to node B. <br></li><li>Response traffic from node B to node A is normally allowed through the security
group because security groups are stateful. <br></li><li>AWS has the concept of "connection tracking" described here: <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking">http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking</a><br></li><li>However, when
we restore the process tree on node A well into the future, not only will node
B reject the incoming traffic from the process tree on node A because it has
dropped the connection, leading to a TCP connection reset (RST), but the stateful connection has also been dropped by the security group, meaning the response
traffic from B to A is now rejected.</li><li>The end result for this particular application is a long timeout. Everything restores correctly and eventually works, but the long timeout is not desirable.</li></ul><div>POSSIBLE FIX</div><ul><li>An easy way to fix this issue would be to modify the application to reset the socket connection. Both applications in node A and node B cannot be easily modified. </li><li>An alternative approach I was considering is modifying the
image file “inetsk.img” using CRIT in such a manner that the socket restores
correctly, but will force a TCP RST.</li><li>Before I try this out, curious if there was a field in the
image file that would be a good candidate to modify.</li><li>The socket entry in inetsk.img looks like the snippet below.</li></ul><p class="MsoNormal"><span></span></p>
<p class="MsoNormal"><span> Thanks, Joe</span></p><p class="MsoNormal"><span><br></span></p><p class="MsoNormal"><span>/////</span></p><p class="MsoNormal"><span><br></span></p>
<pre>
{
    "src_port":41070,
    "family":2,
    "proto":6,
    "opts":{
        "so_passsec":false,
        "so_snd_tmo_sec":0,
        "so_sndbuf":332800,
        "so_passcred":false,
        "so_mark":0,
        "reuseaddr":false,
        "so_rcv_tmo_usec":0,
        "so_priority":0,
        "so_rcvlowat":1,
        "so_no_check":false,
        "so_rcv_tmo_sec":0,
        "so_rcvbuf":372480,
        "so_dontroute":false,
        "so_snd_tmo_usec":0
    },
    "fown":{
        "pid_type":0,
        "signum":0,
        "pid":0,
        "uid":0,
        "euid":0
    },
    "dst_addr":[
        4010041610
    ],
    "state":1,
    "ino":134758,
    "flags":526338,
    "dst_port":13555,
    "src_addr":[
        33559212
    ],
    "type":1,
    "id":2098,
    "backlog":0,
    "ip_opts":{
    }
},
</pre></div></div>
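<p>Before editing any entry with CRIT it helps to see which connection each one describes. The following is an added example, not part of the original message and not CRIU code: it lists the established IPv4 TCP sockets in a decoded inetsk.img with their addresses in dotted-quad form. It assumes the <code>crit decode</code> JSON has a top-level <code>entries</code> list and that each address word holds the network-order address bytes as written by a little-endian host; the second sample entry is constructed.</p>

```python
import json
import socket
import struct

AF_INET, IPPROTO_TCP, TCP_ESTABLISHED = 2, 6, 1

# Constructed sample shaped like `crit decode` output for inetsk.img (assumed
# layout: top-level "entries" list); first entry uses the values posted above.
SAMPLE = json.dumps({"magic": "INETSK", "entries": [
    {"id": 2098, "ino": 134758, "family": 2, "type": 1, "proto": 6, "state": 1,
     "src_port": 41070, "dst_port": 13555,
     "src_addr": [33559212], "dst_addr": [4010041610]},
    # Constructed listening socket (state 10 = TCP_LISTEN); it must be skipped.
    {"id": 2099, "ino": 134759, "family": 2, "type": 1, "proto": 6, "state": 10,
     "src_port": 8080, "dst_port": 0, "src_addr": [0], "dst_addr": [0]},
]})


def decode_ipv4(word):
    """Assumption: the image stores the in_addr bytes (network order) as a
    uint32 written by a little-endian host, so re-pack it little-endian."""
    return socket.inet_ntoa(struct.pack("<I", word))


def established_tcp(decoded_json):
    """Return (id, ino, 'src:port', 'dst:port') for established IPv4 TCP sockets."""
    rows = []
    for e in json.loads(decoded_json).get("entries", []):
        if (e.get("family"), e.get("proto"), e.get("state")) != (
                AF_INET, IPPROTO_TCP, TCP_ESTABLISHED):
            continue  # not an established IPv4 TCP connection
        src = f"{decode_ipv4(e['src_addr'][0])}:{e['src_port']}"
        dst = f"{decode_ipv4(e['dst_addr'][0])}:{e['dst_port']}"
        rows.append((e["id"], e["ino"], src, dst))
    return rows


if __name__ == "__main__":
    for sock_id, ino, src, dst in established_tcp(SAMPLE):
        print(f"id={sock_id} ino={ino} {src} -> {dst}")
```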