- 21 Apr, 2019 40 commits
-
Zhang Ning authored
it reports:

    criu/pie/util-vdso-elf32.c:255:8: error: implicit declaration of function 'ELF32_ST_TYPE' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
    if (ELF_ST_TYPE(sym->st_info) != STT_FUNC &&
    ^
    criu/include/util-vdso.h:72:21: note: expanded from macro 'ELF_ST_TYPE'
    ^
    /opt/android-ndk/toolchains/llvm/prebuilt/linux-x86_64//sysroot/usr/include/linux/elf.h:114:26: note: expanded from macro 'ELF32_ST_TYPE'
    ^
    criu/include/util-vdso.h:72:21: note: expanded from macro 'ELF_ST_TYPE'

add #ifndef to check whether these macros are already defined.

Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
with Android P's Clang version: 6.0.2, and Android NDK's Clang version 8.0.2 Clang will report below error:

    criu/compel/include/uapi/compel/sigframe-common.h:55:34: error: expected member name or ';' after declaration specifiers
    int __unused[32 - (sizeof (k_rtsigset_t) / sizeof (int))];
    ~~~ ^

it takes __unused as an attribute, not a variable, change to _unused, pass compile.

Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Zhang Ning authored
in Android NDK, <elf.h> doesn't have defines for: NT_X86_XSTATE NT_PRSTATUS so add these defines to pass compile.

NOTE: add <linux/elf.h> will have more build errors

Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Radostin Stoyanov authored
imp.load_source() has been deprecated [1]. The recommended alternative API for loading a module is exec_module() [2].

[1] https://docs.python.org/2.7/library/imp.html#imp.load_module
[2] https://docs.python.org/3.4/library/importlib.html#importlib.abc.Loader.exec_module

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Pavel Tikhomirov authored
We want to commit --check-mounts feature to vz-criu. But to maintain image level compatibility between ms-criu and vz-criu one shouldn't use the same field id for different data. So add a comment that this id is reserved.
-
Zhang Ning authored
some notes for Android NDK cross compile.

Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
-
Zhang Ning authored
due to Android NDK's strings.h doesn't have index function. Declare this function in CRIU, just like pivot_root. still need to provide index function implement, for link CRIU.

Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
-
Zhang Ning authored
in Android NDK, UNIX_PATH_MAX is already defined, add ifndef to check.

    linux/un.h: 22: #define UNIX_PATH_MAX 108

Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
-
Zhang Ning authored
1, do not hardcode libnl's cflags
when cross compile CRIU, libnl's header file should not point to host.

2, remove link to rt
Android NDK doesn't have library rt, and CRIU does not really need it, so disable it to pass link

Cc: Chen Hu <hu1.chen@intel.com>
Signed-off-by: Zhang Ning <ning.a.zhang@intel.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
-
Adrian Reber authored
Restoring a multi-threaded process with CRIU's SELinux support fails because SELinux does not always support changing the process context of a multi-threaded process.

Reading the man-page for setcon(), to change the context of a running process, it states that changing the SELinux context of a multi-threaded process can only work 'if the new security context is bounded by the old security context'.

To be able to restore a process without the need to have 'the new security context [] bounded by the old security context', this sets the SELinux process context before creating the threads. Thus all threads are created with the process context of the main process.

Signed-off-by: Adrian Reber <areber@redhat.com>
-
Andrei Vagin authored
And get qemu-static from the 18.04 LTS Ubuntu repos.

https://github.com/checkpoint-restore/criu/issues/652

Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Radostin Stoyanov authored
The flag --security-opt doesn't use the colon separator (:) anymore to divide keys and values, instead it uses the equal symbol (=) for consistency with other similar flags, like --storage-opt.

Deprecated in release: v1.11.0
Target for removal in release: v17.06

https://docs.docker.com/engine/deprecated/ #653

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Adrian Reber authored
This tests if CRIU can restore a process with the same policy as during checkpointing.

The test selinux00 is started and if SELinux is available the test process moves itself to another process context. To make this possible either a new SELinux policy needs to be available containing: https://github.com/fedora-selinux/selinux-policy/commit/2d537cabbb2df614ea598ac20873c653cbf271a8

Or for a short time SELinux is switched to permissive mode.

The correct SELinux setup is done by zdtm/static/selinux00.checkskip and zdtm/static/selinux00.hook and after the test the previous SELinux policy state is restored.

After the test case is restored the test case checks if it still has the same SELinux process context as before. If not the test case fails.

Signed-off-by: Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
If running on a system with SELinux enabled the socket for the communication between parasite daemon and the main CRIU process needs to be correctly labeled.

Initially this was motivated by Podman's use case: The container is usually running as something like '...:...:container_t:...:....' and CRIU started from runc and Podman will run as '...:...:container_runtime_t:...:...'.

As the parasite will be running with the same context as the container process: 'container_t'.

Allowing a container process to connect via socket to the outside of the container ('container_runtime_t') is not desired and therefore CRIU needs to label the socket with the context of the container: 'container_t'.

So this first gets the context of the root container process and tells SELinux to label the next created socket with the same label as the root container process. For this to work it is necessary to have the correct SELinux policies installed. For Fedora based systems this is part of the container-selinux package.

This assumes that all processes CRIU wants to dump are labeled with the same SELinux context. If some of the child processes have different labels this will not work and needs additional SELinux policies. But the whole SELinux socket labeling relies on the correct SELinux being available.

Signed-off-by: Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
There was support for SELinux process labels in CRIU but because it was never tested or verified CRIU only supported the 'unconfined_t' process label. This was basically no SELinux support.

For successful container checkpoint and restore on a SELinux enabled host it is necessary that the restored container has the same process context as before checkpointing.

This commit only removes the check if the label is 'unconfined_t' and now stores any process label to be restored.

For 'normal' processes started from the command-line which are usually running in the 'unconfined_t' this just works. For the container use case this needs additional policies. The latest container-selinux package on Fedora has the necessary policy to allow CRIU (running as 'container_runtime_t' when used from Podman) to transition the restored process to 'container_t'.

Restoring a process running under systemd's control (which means 'unconfined_service_t' without additional policies) will fail because CRIU will not be allowed to change the context of the restored process.

For each additional CRIU use case on SELinux enabled systems, besides container processes and command-line/shell processes, additional SELinux policies are required to allow CRIU to do a 'dyntransition' (change the

Signed-off-by: Adrian Reber <areber@redhat.com>
-
Cyrill Gorcunov authored
It was never designed to run params in async mode, and I have always been against this change because async here is too fragile.

p.s.: I think this might be a reason for https://github.com/checkpoint-restore/criu/issues/647

Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Harshavardhan Unnibhavi authored
https://github.com/checkpoint-restore/criu/issues/329

Signed-off-by: Harshavardhan Unnibhavi <hvubfoss@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Mitul Karnik authored
Removed return value assignment statements as they are not referenced or used anywhere after the assignment is done.

Fixes #334: Removing Unneeded Assignments

Signed-off-by: Mitul Karnik <mitulkarnik.92@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Ashutosh Mehra authored
Use faccessat() in check_path_remap() to check if the file (relative to root of mnt ns) is accessible or not.

Signed-off-by: Ashutosh Mehra <asmehra1@in.ibm.com>
-
Adrian Reber authored
    binfmt_misc.c:168:23: error: ‘sprintf’ may write a terminating nul past the end of the destination [-Werror=format-overflow=]
    168 | sprintf(path, "%s/%s", dirname, NAME[i]);
    | ^

Signed-off-by: Adrian Reber <areber@redhat.com>
-
Adrian Reber authored
Signed-off-by: Adrian Reber <areber@redhat.com>
-
Radostin Stoyanov authored
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
Support for printing early log messages was recently added, which makes this comment no longer relevant.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Adrian Reber authored
In rpc.proto the interface to query the CRIU version number uses major and minor as keywords. This creates errors when using the RPC definitions with C++: https://github.com/checkpoint-restore/criu/issues/625

In this commit the fields are renamed from major to major_number and from minor to minor_number.

For existing programs using the RPC protobuf definition this should be a transparent change. Only for programs importing the latest rpc.proto it will require code changes.

Signed-off-by: Adrian Reber <areber@redhat.com>
-
Radostin Stoyanov authored
Combine the functionality of socket_set_non_blocking() and socket_set_blocking() into a new function, and move it in criu/util.c to enable reusability throughout the code base.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Mitul Karnik authored
Signed-off-by: Mitul Karnik <mitulkarnik.92@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Radostin Stoyanov authored
When the --ps-socket option is specified the provided file descriptor of a socket will be reused for incoming TCP connection. In such case the --address and --port options are ignored.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
The variable `len` is used only to calculate the value of `end`. We already have the static inline function pagemap_len(), which can be used instead.

Acked-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
The --lsm-profile option allows a container engine to specify LSM profile name.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
The server socket is marked as nonblocking, and if the client doesn't connect, accept() will fail and set errno to EAGAIN (or EWOULDBLOCK). Instead, use poll to wait for POLLIN event on the file descriptor.

Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
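The behaviour described in the commit message above, as an added example that is not CRIU's code: `accept_with_poll()`, the abstract AF_UNIX socket name and the timeouts are assumptions chosen for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper, not CRIU's code: wait up to timeout_ms for a client on
 * a non-blocking listener. Returns the accepted fd, -1 on error, -2 on timeout. */
static int accept_with_poll(int sk, int timeout_ms)
{
	struct pollfd pfd = { .fd = sk, .events = POLLIN };
	int ret;
	do {
		ret = poll(&pfd, 1, timeout_ms);
	} while (ret < 0 && errno == EINTR);
	if (ret <= 0)
		return ret < 0 ? -1 : -2;
	return accept(sk, NULL, NULL);
}

/* Constructed demo on an abstract AF_UNIX name (Linux-only, nothing left on
 * disk). Returns 1 if every step behaved as the comments say. */
static int demo(void)
{
	struct sockaddr_un a = { .sun_family = AF_UNIX };
	socklen_t len = offsetof(struct sockaddr_un, sun_path) + 1 +
		snprintf(a.sun_path + 1, 64, "accept-poll-demo-%d", (int)getpid());
	int sk = socket(AF_UNIX, SOCK_STREAM, 0), cl = socket(AF_UNIX, SOCK_STREAM, 0);
	int fd = -1, ok;
	fcntl(sk, F_SETFL, fcntl(sk, F_GETFL) | O_NONBLOCK);
	ok = bind(sk, (struct sockaddr *)&a, len) == 0 && listen(sk, 1) == 0;
	/* No client yet: a bare accept() fails with EAGAIN/EWOULDBLOCK ... */
	ok = ok && accept(sk, NULL, NULL) < 0 && (errno == EAGAIN || errno == EWOULDBLOCK);
	/* ... and the poll-based wait reports a timeout instead of an error. */
	ok = ok && accept_with_poll(sk, 50) == -2;
	/* Once a client has connected, the same wait returns its descriptor. */
	ok = ok && connect(cl, (struct sockaddr *)&a, len) == 0;
	ok = ok && (fd = accept_with_poll(sk, 1000)) >= 0;
	close(fd); close(cl); close(sk);
	return ok;
}

int main(void)
{
	return demo() == 1 ? 0 : 1;
}
```

A caller that must not wait forever passes a finite timeout and treats -2 as "no client showed up", which keeps that case distinct from a real socket error.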
-
Adrian Reber authored
Running crit with python2 gives following minimal help message:

    $ crit/crit
    usage: crit [-h] {decode,encode,info,x,show} ...
    crit: error: too few arguments

Using a python3 only system crit shows the following error:

    $ crit/crit
    Traceback (most recent call last):
      File "crit/crit", line 6, in <module>
        cli.main()
      File "/home/criu/crit/pycriu/cli.py", line 334, in main
        opts["func"](opts)
    KeyError: 'func'

Using this patch the python3 output changes to:

    $ crit/crit
    usage: crit [-h] {decode,encode,info,x,show} ...
    crit: error: too few arguments

Suggested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
-
Radostin Stoyanov authored
When the --ps-socket option is used with page-server, instead of --address and --port, this message would appear as:

    (00.028440) Disconnect from the page server (null):0

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
From man inet_pton(3):

    inet_pton() returns 1 on success (network address was successfully converted). 0 is returned if src does not contain a character string representing a valid network address in the specified address family. If af does not contain a valid address family, -1 is returned and errno is set to EAFNOSUPPORT.

We can assume that the return value is 1 or 0 (because af is set to AF_INET4 or AF_INET6), therefore errno will not be set.

If a user attempts to bind a server using invalid network address the following error message will be shown:

    Bad server address: Success

Which is not very clear, with this change the error message will look like this:

    Invalid server address "localhost". The address must be in IPv4 or IPv6 format.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
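The return-value handling this commit message describes, as an added example that is not CRIU's code: the helper names `check_server_address()` and `errno_after_rejected_address()` and the sample addresses are assumptions; the error text is the one quoted in the message.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper, not CRIU's function: classify a server address.
 * Returns AF_INET or AF_INET6 for a numeric address and 0 otherwise;
 * msg receives the text a caller would log. */
static int check_server_address(const char *addr, char *msg, size_t len)
{
	unsigned char buf[sizeof(struct in6_addr)];

	if (inet_pton(AF_INET, addr, buf) == 1) {
		snprintf(msg, len, "IPv4 server address %s", addr);
		return AF_INET;
	}
	if (inet_pton(AF_INET6, addr, buf) == 1) {
		snprintf(msg, len, "IPv6 server address %s", addr);
		return AF_INET6;
	}
	/* A 0 return is not an errno-style failure, so name the input. */
	snprintf(msg, len, "Invalid server address \"%s\". "
		 "The address must be in IPv4 or IPv6 format.", addr);
	return 0;
}

/* errno as left by a rejected address: inet_pton() returned 0 and did not
 * set it, which is why an errno-based message ends in "Success" on glibc. */
static int errno_after_rejected_address(const char *addr)
{
	unsigned char buf[sizeof(struct in_addr)];

	errno = 0;
	if (inet_pton(AF_INET, addr, buf) != 0)
		return -1;	/* address was valid, nothing to show */
	return errno;
}

int main(void)
{
	const char *samples[] = { "127.0.0.1", "::1", "localhost" }; /* constructed */
	char msg[128];

	for (int i = 0; i < 3; i++) {
		check_server_address(samples[i], msg, sizeof(msg));
		printf("%s\n", msg);
	}
	return 0;
}
```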
-
Radostin Stoyanov authored
* "post-resume" was introduced with commit:

    2ab59939 cr-restore: "post-resume" hook introduced
    This hook is called at the very end, when everything is restored and processes were resumed. Can be used for some actions, which require operation container, like restarting of systemd autofs services.

* "post-setup-namespaces" was introduced with commit:

    eec66f3d criu [PATCH] post-setup-namespaces
    Introduce post-setup-namespaces action script
    It needed to have possibility to run custom script after mount namespace is configured

* "orphan-pts-master" was introduced with commit:

    6afe523d tty: notify about orphan tty-s via rpc
    Now Docker creates a pty pair from a container devpts to use it as console. A slave tty is set as a control tty for the init process and bind-mounted into /dev/console. The master tty is handled externally. Now CRIU can handle external resources, but here we have internal resources which are used externally.

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Radostin Stoyanov authored
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Pavel Tikhomirov authored
Suppress the false positive fail in criu-live-migration job:

https://ci.openvz.org/job/CRIU/job/criu-live-migration/job/criu-dev/1796/

    [criu]# ./test/zdtm.py run -t zdtm/static/overmounted_file -f uns --lazy-migrate
    === Run 1/1 ================ zdtm/static/overmounted_file
    =================== Run zdtm/static/overmounted_file in uns ====================
    Start test
    Test is SUID
    ./overmounted_file --pidfile=overmounted_file.pid --outfile=overmounted_file.out --dirname=overmounted_file.test
    Run criu dump
    Test zdtm/static/overmounted_file FAIL at criu dump exited with 1 ######
    Send the 9 signal to 49
    Wait for zdtm/static/overmounted_file(49) to die for 0.100000

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
-
Radostin Stoyanov authored
The '-R' is short for '--leave-running', which is a boolean option and does not require an argument.

From getopt(3) man page:

    optstring is a string containing the legitimate option characters. If such a character is followed by a colon, the option requires an argument, ...

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>