- 03 Mar, 2016 11 commits
-
-
Tycho Andersen authored
Before we were unshare(CLONE_NEWCGROUP)ing in a child task, which meant that we couldn't c/r this test once we forbid nested cgroup namespaces. Instead, use a new strategy for testing cgroup namespaces: set up the namespace before forking the test task so there is no nesting, and then do a setns back to init's ns to check the cgroup namespace of the test. This doesn't work in the 'ns' flavor because init in the test's pid ns is the test itself. There is a bit of a chicken and egg problem here, though, because if we set it up after test_init(), we can't unshare because that would be a nested cgroup ns.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Because we don't support nested cgroup namespaces, we can just grab the cgns prefixes from the root cgset's prefix list. This means we only have to query one task for its cgroup file, instead of potentially each of them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Basically, instead of --cgroup-root replacing the actual root, when a cgns is present, it just replaces the namespace prefix. See patch comments for details.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
We rely on the synchronous-ness of the behavior because we assume that the task is in all the right cgroups when forking its children. If it's not, and the child has the same cgroups as its parent but not all the moves are done, it might end up in /.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Pavel Emelyanov authored
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
These flags are restored differently, so let's not make extra namespaces where we don't need them.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Instead of doing all the work in collect_cgroup() to figure out whether or not we've collected this cgroup already, let's only call it if we created a new cgset in the first place.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
After some discussion with Serge Hallyn, it seems that the current implementation of cgroup namespaces doesn't really support nesting. It's not a quick fix, so let's disable this for now (not that it matters, since probably nobody is nesting these anyways right now :)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
b428a3a2 allows dumping containers with multi-headed freezer cgroups, but we can't restore these containers without some help at restore time too.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
- 02 Mar, 2016 3 commits
-
-
Pavel Emelyanov authored
When working with mntns, the absolute path in parent symlink will not be open-able on restore. However, completely banning this case is not good.
Affects #116
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Dmitry Safonov authored
nr_gotpcrel is the last variable whose name we can't set with piegen's option. Let's introduce an option for that. It will help for including two generated blobs simultaneously.
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
- 01 Mar, 2016 8 commits
-
-
Tycho Andersen authored
Travis uses cpusets in such a way [1] that we can't actually write to cpuset.cpu_exclusive ever, so none of these tests will work. They'll still work in jenkins, though, so disabling them is probably ok.
Closes #118
[1]: https://github.com/travis-ci/worker/blob/master/backend/docker.go#L66
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Some libcs buffer writes to FILE*, which means that we error on fclose instead of write, which makes it hard to figure out what property actually failed writing. Also shorten the error path a bit. Hopefully this patch will help with debugging #118
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
    *** CID 158458: Memory - corruptions (NEGATIVE_RETURNS)
    /criu/pie/parasite.c: 321 in get_proc_fd()
    315
    316         ret = sys_readlinkat(AT_FDCWD, "/proc/self", buf, sizeof(buf));
    317         if (ret < 0 && ret != -ENOENT) {
    318                 pr_err("Can't readlink /proc/self (%d)\n", ret);
    319                 return ret;
    320         }
    >>>     CID 158458: Memory - corruptions (NEGATIVE_RETURNS)
    >>>     Using variable "ret" as an index to array "buf".
    321         buf[ret] = 0;
    322
    323         /* Fast path -- if /proc belongs to this pidns */
    324         if (pie_atoi(buf) == sys_getpid())
    325                 return sys_open("/proc", O_RDONLY, 0);
    326
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
    *** CID 158459: Uninitialized variables (UNINIT)
    /criu/proc_parse.c: 2218 in parse_task_cgroup()
    2212
    2213     int parse_task_cgroup(int pid, struct parasite_dump_cgroup_args *args, struct list_head *retl, unsigned int *n)
    2214     {
    2215         FILE *f;
    2216         int ret;
    2217         LIST_HEAD(internal);
    >>>     CID 158459: Uninitialized variables (UNINIT)
    >>>     Declaring variable "n_internal" without initializer.
    2218         unsigned int n_internal;
    2219         struct cg_ctl *intern, *ext;
    2220
    2221         f = fopen_proc(pid, "cgroup");
    2222         if (!f) {
    2223                 pr_perror("couldn't open task cgroup file");

    ** CID 158458: Memory - corruptions (NEGATIVE_RETURNS)
    /criu/pie/parasite.c: 321 in get_proc_fd()
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
The restore process uses these modules as well, so let's modprobe them. This prevents:

    (00.217856) 1: Running ip rule delete
    (00.218970) 1: Running ip rule delete
    (00.220059) 1: Running ip rule delete
    (00.221695) 1: Running ip rule restore
    (00.223068) 1: Running iptables-restore for iptables-restore
    (00.439385) 1: Running ip6tables-restore for ip6tables-restore
    modprobe: ERROR: could not insert 'ip6_tables': Operation not permitted
    ip6tables-restore v1.6.0: ip6tables-restore: unable to initialize table 'filter'
    Error occurred at line: 2
    Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Cyrill Gorcunov authored
When we run "make install" the python's setup script prepares all directories for modules but if we need to run crit from the source tree without its install then we fall in trouble because python doesn't know where to fetch pycriu from. Thus simply provide the symlink to the modules emulating that installation complete. Note this is for developers' convenience only because for end users "make install" must always take place.
Reported-by: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
- 29 Feb, 2016 15 commits
-
-
Tycho Andersen authored
At one point in the cgns patchsets I had removed this, but somehow it got lost in the shuffle. Since we support this now, let's remove this restriction.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrey Ryabinin authored
We don't have a way to dump a process blocked in vfork(), hence mark this test as expected to fail.
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrey Ryabinin authored
execlp() fails when we run vfork00 test inside namespace because we don't have '/bin/true' there. Instead of execlp() in vfork-child we can just _exit().
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrey Vagin authored
    $ echo test//home/avagin/git/criu
    test//home/avagin/git/criu

v2: use double quotes to run pwd
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
Consider the case where --freeze-cgroup=/lxc/foo, but (e.g. with systemd in lxc), all of the tasks actually live in a set of sub cgroups, e.g. /lxc/foo/init.scope and others. In this case, we will have a multi-headed controller, since there is nothing in the common parent. We should just save the freezer value in all of these heads instead of failing. Note that this doesn't address the larger problem that only the top level freezer.state file is c/r'd, or what happens when the container itself has frozen tasks but not at the top level. After some discussion, there is no nice way to atomically test-and-set the cgroup freezer, so we'll need some other kernel help. But I'll ignore this for now :)
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Pavel Emelyanov authored
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Tycho Andersen authored
As with the socket diag modules, since we might be using the ip*filter_tables modules, we should preload those as well, in case the host system hasn't already loaded them. Really, I should implement netlink buffer dumping so we can get rid of this hack :)
v2: remember to close /dev/null fd after using it
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Cyrill Gorcunov authored
We better should switch to nmk usage. But let's c/p for now.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Dmitry Safonov authored
Fixes commit e7d89a60 ("add openat() to syscall list").
Nip: move sys_seccomp for numerical order
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Andrew Vagin authored
We can do this, but we need to be sure that all structures are consistent in any moment and we need to block alarm when they are inconsistent. I don't think that we really want to do this now. I suggest to interrupt a current syscall if an alarm signal is triggered.
v2: print an error message before exiting
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
- 26 Feb, 2016 3 commits
-
-
Cyrill Gorcunov authored
They are running inside dumpee space so should not be injected with Gcov instructions.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Cyrill Gorcunov authored
This causes a problem on ppc64

 | gcc -c -O2 -g -Wall -Werror -DCONFIG_PPC64 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
 | -fno-strict-aliasing -iquote /home/cyrill/criu/criu/include -iquote /home/cyrill/criu/images
 | -iquote /home/cyrill/criu/criu/pie -iquote /home/cyrill/criu/criu/arch/ppc64
 | -iquote /home/cyrill/criu/criu/arch/ppc64/include -iquote /home/cyrill/criu/ -I/usr/include/libnl3
 | -iquote ppc64 -DCONFIG_PPC64 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE parasite-syscall.c -o parasite-syscall.o
 | parasite-syscall.c: In function ‘parasite_dump_cgroup’:
 | parasite-syscall.c:1283:2: error: size of unnamed array is negative
 | ca = parasite_args(ctl, struct parasite_dump_cgroup_args);
 | ^
 | /home/cyrill/criu/scripts/nmk/scripts/rules.mk:53: recipe for target 'parasite-syscall.o' failed

Just use size parasite known to support.
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Acked-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-
Pavel Emelyanov authored
In commit 736a2940 there was added a collection of non-root task's cgsets. But criu's cgset should anyway be excluded from it.
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
-