- 17 Mar, 2023 1 commit
-
-
zhul authored
-
- 24 Feb, 2023 3 commits
- 22 Feb, 2023 1 commit
-
-
zhul authored
- Add `fstatat_with_fallback_user` function to handle UIDs in `my_fstatat.c`
- Add `#include <stdbool.h>` and `bool retried` to `proc_parse.c`
- Add `retry_o_path` goto and `if (!retried)` check to `proc_parse.c`
- Use `fstatat_with_fallback_user

[criu/my_fstatat.c]
- Add `fstatat_with_fallback_user` function
- Set the UID based on the `CURRENT_TASK_USER` environment variable
- Rollback to the original UID after the call to `fstatat`

[criu/proc_parse.c]
- Add `#include <stdbool.h>`
- Add `bool retried`
- Add `retry_o_path` goto
- Add `if (!retried)` check
- Add `flags = O_PATH`

[criu/files-reg.c]
- Include `my_fstatat.c`
- Use `fstatat_with_fallback_user` instead of `fstatat`
-
- 25 Apr, 2019 2 commits
-
-
Pavel Emelyanov authored
Suddenly it's a feature-rich release. We have support for Android build and several tempting C/R things -- raw sockets, selinux labels and ro ghost files. And a couple of fixes, of course.
-
Andrei Vagin authored
Now, this code doesn't pass this simple test:

    atomic_t a;;
    int c = 0;

    atomic_set(&a, c);
    c = atomic_inc(&a);
    if (c != 0) {
        pr_err("c = %x &a = %p\n", c, &a);
        return 1;
    }

    08:28:51.771: 26187: ERR: fd.c:36: c = 7ef47a60 &a = 0x7ef47a60

Reported-by: Mr Jenkins Signed-off-by:
Andrei Vagin <avagin@gmail.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
- 21 Apr, 2019 33 commits
-
-
Radostin Stoyanov authored
FOO ?= bar is equivalent to

    ifeq ($(origin FOO), undefined)
    FOO = bar
    endif

However, when CC is not set its value is 'default' rather than 'undefined'.

From [1]:

    'undefined': if variable was never defined.
    'default': if variable has a default definition, as is usual with CC and so on. See Variables Used by Implicit Rules. Note that if you have redefined a default variable, the origin function will return the origin of the later definition.

[1] https://www.gnu.org/software/make/manual/make.html

Signed-off-by:
Radostin Stoyanov <rstoyanov1@gmail.com> Acked-by:
Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Adrian Reber authored
libcriu.so used to have the SONAME

    $ readelf -d lib/c/libcriu.so | grep SONAME
    0x000000000000000e (SONAME) Library soname: [libcriu.so.1]

The recent changes to libcriu (removed and added functions, changes from `char *`-args to `const char *`) are breaking ABI and API. This requires a new SONAME of 2.

This patch changes the SONAME to 2:

    $ readelf -d lib/c/libcriu.so | grep SONAME
    0x000000000000000e (SONAME) Library soname: [libcriu.so.2]

Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Andrei Vagin authored
https://github.com/containers/container-selinux/issues/68 Cc: Adrian Reber <areber@redhat.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Andrei Vagin authored
We don't need to do this from early_init. Cc: Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Cyrill Gorcunov authored
For swrk, service, dump, restore we need to raise nr_file limit to be able to process containers with huge number of files opened. Signed-off-by:
Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Cyrill Gorcunov authored
Signed-off-by:
Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Cyrill Gorcunov authored
It has nothing to do with utils but rather a separate service engine. Signed-off-by:
Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Dmitry Safonov authored
It has a different alignment - rework ugly macro RT_SIGFRAME_UC_SIGMASK into helpers. Fixes: #666 Signed-off-by:
Dmitry Safonov <dima@arista.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Dmitry Safonov authored
Travis CI with Xenial has 4.15 kernel these days - all support for ia32 C/R should be in place. Finally :) Putting it into "allow_failures" to let it soak a bit. Signed-off-by:
Dmitry Safonov <dima@arista.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
due to Android NDK's clang is x86_64-linux-android28-clang --sysroot ${SYSROOT_PATH} and its ld is x86_64-linux-android-ld, it's not able to use a single pattern to describe clang and ld. and there is an error for x86_64-linux-android-ld.

    x86_64-linux-android-ld -L/home/ning/source/criu/protobuf-c/../target/lib -lprotobuf-c -r -z noexecstack -T ./compel/arch/x86/scripts/compel-pack.lds.S -o criu/pie/parasite.built-in.o criu/pie/parasite.o criu/pie/pie.lib.a ./compel/plugins/std.lib.a
    ./compel/compel-host hgen -f criu/pie/parasite.built-in.o -o criu/pie/parasite-blob.h
    Error (compel/src/lib/handle-elf-host.c:335): Unexpected undefined symbol: `'. External symbol in PIE?
    criu/pie/Makefile:49: recipe for target 'criu/pie/parasite-blob.h' failed

rebuild with host ld, can pass build. so support override CC/LD from command line can pass build.

Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
criu/log.c:356:16: error: called object type 'int' is not a function or function pointer int __errno = errno; ^~~~~ /root/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/errno.h:43:24: note: expanded from macro 'errno' ~~~~~~~^ criu/log.c:391:2: error: called object type 'int' is not a function or function pointer errno = __errno; ^~~~~ /root/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/errno.h:43:24: note: expanded from macro 'errno' in Android NDK's errno.h: 42: int* __errno(void) __attribute_const__; 43: #define errno (*__errno()) so rename __errno to _errno to pass build Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Cyrill Gorcunov <gorcunov@gmail.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
it reports:

    criu/pie/util-vdso-elf32.c:255:8: error: implicit declaration of function 'ELF32_ST_TYPE' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    if (ELF_ST_TYPE(sym->st_info) != STT_FUNC &&
    ^
    criu/include/util-vdso.h:72:21: note: expanded from macro 'ELF_ST_TYPE'
    ^
    /opt/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/linux/elf.h:114:26: note: expanded from macro 'ELF32_ST_TYPE'
    ^
    criu/include/util-vdso.h:72:21: note: expanded from macro 'ELF_ST_TYPE'

add #ifndef to check whether these macros are already defined.

Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
with Android P's Clang version: 6.0.2, and Android NDK's Clang version 8.0.2 Clang will report below error:

    criu/compel/include/uapi/compel/sigframe-common.h:55:34: error: expected member name or ';' after declaration specifiers
    int __unused[32 - (sizeof (k_rtsigset_t) / sizeof (int))];
    ~~~ ^

it takes __unused as an attribute, not a variable, change to _unused, pass compile.

Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
in Android NDK, <elf.h> doesn't have defines for: NT_X86_XSTATE NT_PRSTATUS so add these defines to pass compile. NOTE: add <linux/elf.h> will have more build errors Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Radostin Stoyanov authored
imp.load_source() has been deprecated [1]. The recommended alternative API for loading a module is exec_module() [2].

[1] https://docs.python.org/2.7/library/imp.html#imp.load_module
[2] https://docs.python.org/3.4/library/importlib.html#importlib.abc.Loader.exec_module

Signed-off-by:
Radostin Stoyanov <rstoyanov1@gmail.com>
-
Pavel Tikhomirov authored
We want to commit --check-mounts feature to vz-criu. But to maintain image level compatibility between ms-criu and vz-criu one shouldn't use the same field id for different data. So add a comment that this id is reserved.
-
Zhang Ning authored
some notes for Android NDK cross compile. Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com>
-
Zhang Ning authored
due to Android NDK's strings.h doesn't have index function. Declare this function in CRIU, just like pivot_root. still need to provide index function implementation, for link CRIU. Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com>
-
Zhang Ning authored
in Android NDK, UNIX_PATH_MAX is already defined, add ifndef to check. linux/un.h: 22: #define UNIX_PATH_MAX 108 Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com>
-
Zhang Ning authored
1, do not hardcode libnl's cflags when cross compile CRIU, libnl's header file should not point to host.
2, remove link to rt. Android NDK doesn't have library rt, and CRIU does not really need it, so disable it to pass link

Cc: Chen Hu <hu1.chen@intel.com> Signed-off-by:
Zhang Ning <ning.a.zhang@intel.com> Reviewed-by:
Cyrill Gorcunov <gorcunov@gmail.com> Reviewed-by:
Dmitry Safonov <0x7f454c46@gmail.com>
-
Adrian Reber authored
Restoring a multi-threaded process with CRIU's SELinux support fails because SELinux does not always support changing the process context of a multi-threaded process. Reading the man-page for setcon(), to change the context of a running process, it states that changing the SELinux context of a multi-threaded process can only work 'if the new security context is bounded by the old security context'. To be able to restore a process without the need to have 'the new security context [] bounded by the old security context', this sets the SELinux process context before creating the threads. Thus all threads are created with the process context of the main process. Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Andrei Vagin authored
And get qemu-static from the 18.04 LTS Ubuntu repos. https://github.com/checkpoint-restore/criu/issues/652 Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Radostin Stoyanov authored
The flag --security-opt doesn't use the colon separator (:) anymore to divide keys and values, instead it uses the equal symbol (=) for consistency with other similar flags, like --storage-opt. Deprecated in release: v1.11.0 Target for removal in release: v17.06 https://docs.docker.com/engine/deprecated/ #653 Signed-off-by:
Radostin Stoyanov <rstoyanov1@gmail.com>
-
Adrian Reber authored
This tests if CRIU can restore a process with the same policy as during checkpointing. The test selinux00 is started and if SELinux is available the test process moves itself to another process context. To make this possible either a new SELinux policy needs to be available containing: https://github.com/fedora-selinux/selinux-policy/commit/2d537cabbb2df614ea598ac20873c653cbf271a8 Or for a short time SELinux is switched to permissive mode. The correct SELinux setup is done by zdtm/static/selinux00.checkskip and zdtm/static/selinux00.hook and after the test the previous SELinux policy state is restored. After the test case is restored the test case checks if it still has the same SELinux process context as before. If not, the test case fails. Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
If running on a system with SELinux enabled the socket for the communication between parasite daemon and the main CRIU process needs to be correctly labeled. Initially this was motivated by Podman's use case: The container is usually running as something like '...:...:container_t:...:....' and CRIU started from runc and Podman will run as '...:...:container_runtime_t:...:...'. As the parasite will be running with the same context as the container process: 'container_t'. Allowing a container process to connect via socket to the outside of the container ('container_runtime_t') is not desired and therefore CRIU needs to label the socket with the context of the container: 'container_t'. So this first gets the context of the root container process and tells SELinux to label the next created socket with the same label as the root container process. For this to work it is necessary to have the correct SELinux policies installed. For Fedora based systems this is part of the container-selinux package. This assumes that all processes CRIU wants to dump are labeled with the same SELinux context. If some of the child processes have different labels this will not work and needs additional SELinux policies. But the whole SELinux socket labeling relies on the correct SELinux being available. Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
There was support for SELinux process labels in CRIU but because it was never tested or verified CRIU only supported the 'unconfined_t' process label. This was basically no SELinux support. For successful container checkpoint and restore on a SELinux enabled host it is necessary that the restored container has the same process context as before checkpointing. This commit only removes the check if the label is 'unconfined_t' and now stores any process label to be restored. For 'normal' processes started from the command-line which are usually running in the 'unconfined_t' this just works. For the container use case this needs additional policies. The latest container-selinux package on Fedora has the necessary policy to allow CRIU (running as 'container_runtime_t' when used from Podman) to transition the restored process to 'container_t'. Restoring a process running under systemd's control (which means 'unconfined_service_t' without additional policies) will fail because CRIU will be not allowed to change the context of the restored process. For each additional CRIU use case on SELinux enabled systems, besides container processes and command-line/shell processes, additional SELinux policies are required to allow CRIU to do a 'dyntransition' (change the Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Cyrill Gorcunov authored
It was never designed to run params in async mode, and I have always been against this change because async here is too fragile. p.s.: I think this might be a reason for https://github.com/checkpoint-restore/criu/issues/647 Signed-off-by:
Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Harshavardhan Unnibhavi authored
https://github.com/checkpoint-restore/criu/issues/329 Signed-off-by:
Harshavardhan Unnibhavi <hvubfoss@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Mitul Karnik authored
Removed return value assignment statements as they are not referenced or used anywhere after the assignment is done. Fixes #334: Removing Unneeded Assignments Signed-off-by:
Mitul Karnik <mitulkarnik.92@gmail.com> Signed-off-by:
Andrei Vagin <avagin@gmail.com>
-
Ashutosh Mehra authored
Use faccessat() in check_path_remap() to check if the file (relative to root of mnt ns) is accessible or not. Signed-off-by:
Ashutosh Mehra <asmehra1@in.ibm.com>
-
Adrian Reber authored
binfmt_misc.c:168:23: error: ‘sprintf’ may write a terminating nul past the end of the destination [-Werror=format-overflow=] 168 | sprintf(path, "%s/%s", dirname, NAME[i]); | ^ Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
Signed-off-by:
Adrian Reber <areber@redhat.com>
-
Radostin Stoyanov authored
Signed-off-by:
Radostin Stoyanov <rstoyanov1@gmail.com>
-