[Devel] Re: [PATCH] cr: add container configuration header

Oren Laadan orenl at librato.com
Fri Oct 16 17:04:05 PDT 2009 

Thanks for pulling this part out. I applied it.

Note that I left out the text below about LSM - it belongs
to your LSM series :)

Oren.

Serge E. Hallyn wrote:
> Add a container configuration section to the checkpoint header.
> This will contain information such as the LSM name and policy
> identifier, potentially network interface and container-wide
> mounts.
> 
> [ pulled out of the LSM c/r patchset ]
> 
> Signed-off-by: Serge E. Hallyn <serue at us.ibm.com>
> ---
>  Documentation/checkpoint/readme.txt |   36 ++++++++++++++++++++++++++++++++--
>  checkpoint/checkpoint.c             |   18 +++++++++++++++++
>  checkpoint/restart.c                |   18 +++++++++++++++++
>  include/linux/checkpoint.h          |    2 +-
>  include/linux/checkpoint_hdr.h      |    7 ++++++
>  5 files changed, 77 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/checkpoint/readme.txt b/Documentation/checkpoint/readme.txt
> index 571c469..3eb3dfa 100644
> --- a/Documentation/checkpoint/readme.txt
> +++ b/Documentation/checkpoint/readme.txt
> @@ -161,9 +161,10 @@ in-userspace conversion tools.
>  
>  The general format of the checkpoint image is as follows:
>  1. Image header
> -2. Task hierarchy
> -3. Tasks' state
> -4. Image trailer
> +2. Container configuration
> +3. Task hierarchy
> +4. Tasks' state
> +5. Image trailer
>  
>  The image always begins with a general header that holds a magic
>  number, an architecture identifier (little endian format), a format
> @@ -172,6 +173,11 @@ version number (@rev), followed by information about the kernel
>  checkpoint and the flags given to sys_checkpoint(). This header is
>  followed by an arch-specific header.
>  
> +The container configuration section contains details about the
> +security (LSM) configuration.  Network configuration and
> +container-wide mounts may also go here, so that the userspace
> +restart coordinator can re-create a suitable environment.
> +
>  The task hierarchy comes next so that userspace tools can read it
>  early (even from a stream) and re-create the restarting tasks. This is
>  basically an array of all checkpointed tasks, and their relationships
> @@ -333,6 +339,30 @@ So that's why we don't want CAP_SYS_ADMIN required up-front. That way
>  we will be forced to more carefully review each of those features.
>  However, this can be controlled with a sysctl-variable.
>  
> +LSM
> +===
> +
> +Security modules use custom labels on subjects and objects to
> +further mediate access decisions beyond DAC controls.  When
> +checkpoint applications, these labels are [ work in progress ]
> +checkpointed along with the objects.  At restart, the
> +RESTART_KEEP_LSM flag tells the kernel whether re-created objects
> +whould keep their checkpointed labels, or get automatically
> +recalculated labels.  Since checkpointed labels will only make
> +sense to the same LSM which was active at checkpoint time,
> +sys_restart() with the RESTART_KEEP_LSM flag will fail with
> +-EINVAL if the LSM active at restart is not the same as that
> +active at checkpoint.  If RESTART_KEEP_LSM is not specified,
> +then objects will be given whatever default labels the LSM and
> +their optional policy decide.  Of course, when RESTART_KEEP_LSM
> +is specified, the LSM may choose a different label than the
> +checkpointed one, or fail the entire restart if the caller
> +does not have permission to create objects with the checkpointed
> +label.
> +
> +It should always be safe to take a checkpoint of an application
> +under LSM_1, and restart it without the RESTART_KEEP_LSM flag
> +under LSM_2.
>  
>  Kernel interfaces
>  =================
> diff --git a/checkpoint/checkpoint.c b/checkpoint/checkpoint.c
> index 5a76d2b..6eb8f3b 100644
> --- a/checkpoint/checkpoint.c
> +++ b/checkpoint/checkpoint.c
> @@ -354,6 +354,21 @@ static int checkpoint_write_header(struct ckpt_ctx *ctx)
>  	return checkpoint_write_header_arch(ctx);
>  }
>  
> +/* write the container configuration section */
> +static int checkpoint_container(struct ckpt_ctx *ctx)
> +{
> +	struct ckpt_hdr_container *h;
> +	int ret;
> +
> +	h = ckpt_hdr_get_type(ctx, sizeof(*h), CKPT_HDR_CONTAINER);
> +	if (!h)
> +		return -ENOMEM;
> +	ret = ckpt_write_obj(ctx, &h->h);
> +	ckpt_hdr_put(ctx, h);
> +
> +	return ret;
> +}
> +
>  /* write the checkpoint trailer */
>  static int checkpoint_write_tail(struct ckpt_ctx *ctx)
>  {
> @@ -765,6 +780,9 @@ long do_checkpoint(struct ckpt_ctx *ctx, pid_t pid)
>  	ret = checkpoint_write_header(ctx);
>  	if (ret < 0)
>  		goto out;
> +	ret = checkpoint_container(ctx);
> +	if (ret < 0)
> +		goto out;
>  	ret = checkpoint_tree(ctx);
>  	if (ret < 0)
>  		goto out;
> diff --git a/checkpoint/restart.c b/checkpoint/restart.c
> index 6679472..32a9fc5 100644
> --- a/checkpoint/restart.c
> +++ b/checkpoint/restart.c
> @@ -624,6 +624,20 @@ static int restore_read_header(struct ckpt_ctx *ctx)
>  	return ret;
>  }
>  
> +/* read the container configuration section */
> +static int restore_container(struct ckpt_ctx *ctx)
> +{
> +	int ret = 0;
> +	struct ckpt_hdr_container *h;
> +
> +	h = ckpt_read_obj_type(ctx, sizeof(*h), CKPT_HDR_CONTAINER);
> +	if (IS_ERR(h))
> +		return PTR_ERR(h);
> +	ckpt_hdr_put(ctx, h);
> +
> +	return ret;
> +}
> +
>  /* read the checkpoint trailer */
>  static int restore_read_tail(struct ckpt_ctx *ctx)
>  {
> @@ -1162,6 +1176,10 @@ static int do_restore_coord(struct ckpt_ctx *ctx, pid_t pid)
>  	ckpt_debug("restore header: %d\n", ret);
>  	if (ret < 0)
>  		return ret;
> +	ret = restore_container(ctx);
> +	ckpt_debug("restore container: %d\n", ret);
> +	if (ret < 0)
> +		return ret;
>  	ret = restore_read_tree(ctx);
>  	ckpt_debug("restore tree: %d\n", ret);
>  	if (ret < 0)
> diff --git a/include/linux/checkpoint.h b/include/linux/checkpoint.h
> index 4b61378..914176c 100644
> --- a/include/linux/checkpoint.h
> +++ b/include/linux/checkpoint.h
> @@ -10,7 +10,7 @@
>   *  distribution for more details.
>   */
>  
> -#define CHECKPOINT_VERSION  2
> +#define CHECKPOINT_VERSION  3
>  
>  /* checkpoint user flags */
>  #define CHECKPOINT_SUBTREE	0x1
> diff --git a/include/linux/checkpoint_hdr.h b/include/linux/checkpoint_hdr.h
> index ca2500d..ff2e4aa 100644
> --- a/include/linux/checkpoint_hdr.h
> +++ b/include/linux/checkpoint_hdr.h
> @@ -63,6 +63,8 @@ enum {
>  #define CKPT_HDR_HEADER CKPT_HDR_HEADER
>  	CKPT_HDR_HEADER_ARCH,
>  #define CKPT_HDR_HEADER_ARCH CKPT_HDR_HEADER_ARCH
> +	CKPT_HDR_CONTAINER,
> +#define CKPT_HDR_CONTAINER CKPT_HDR_CONTAINER
>  	CKPT_HDR_BUFFER,
>  #define CKPT_HDR_BUFFER CKPT_HDR_BUFFER
>  	CKPT_HDR_STRING,
> @@ -247,6 +249,11 @@ struct ckpt_const {
>  	__u16 tty_termios_ncc;
>  } __attribute__((aligned(8)));
>  
> +/* container configuration section header */
> +struct ckpt_hdr_container {
> +	struct ckpt_hdr h;
> +};
> +
>  /* checkpoint image header */
>  struct ckpt_hdr_header {
>  	struct ckpt_hdr h;
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

More information about the Devel mailing list