Difference between revisions of "Download/criu/1.8"
(Created page with "{{Release|1.8|7 Dec 2015}} === New features === * Ability to check CRIU features via RPC * New zdtm.py test suite * C/R of read-only bind mounts * C/R of IPv6 routes and...") |
(9 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
* Ability to check CRIU features via [[RPC]] | * Ability to check CRIU features via [[RPC]] | ||
* New zdtm.py test suite | * New zdtm.py test suite | ||
− | |||
− | |||
− | |||
* Pre-dump and pre-restore [[action scripts]] | * Pre-dump and pre-restore [[action scripts]] | ||
* The "info" action in [[CRIT]] showing stats about image file | * The "info" action in [[CRIT]] showing stats about image file | ||
Line 12: | Line 9: | ||
* Python API -- pycriu | * Python API -- pycriu | ||
* Ability to add custom paths to irmap scan | * Ability to add custom paths to irmap scan | ||
− | * C/R of ignore_routes_with_linkdown netns devconf | + | * C/R of |
+ | ** read-only bind mounts | ||
+ | ** IPv6 routes and iptables rules | ||
+ | ** ip rules (it ip tool supports such) | ||
+ | ** ignore_routes_with_linkdown netns devconf | ||
+ | ** empty bridges in netns | ||
+ | ** FILTER mode of seccomp | ||
+ | ** IP_FREEBIND socket option | ||
=== Optimizations/improvements === | === Optimizations/improvements === | ||
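Review bot: the added sub-item "** ip rules (it ip tool supports such)" has a typo, "it" should be "if", and the condition reads more clearly as "if the ip tool supports them". Since this hunk turns "C/R of" into a parent bullet for seven items, it is also worth spelling out checkpoint/restore once there for readers who land on the release notes directly.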
Line 24: | Line 28: | ||
* Improved page-server dump speed by keeping control over the Nagle algorithm | * Improved page-server dump speed by keeping control over the Nagle algorithm | ||
* Read pages.img in more optimal manner rather than page-by-page | * Read pages.img in more optimal manner rather than page-by-page | ||
+ | * Less "Error"-s in logs, that actually don't lead to errors | ||
+ | * Slightly faster /proc/pid/status parsing | ||
+ | * Dead/live-locks on internal criu locks now emits a warning into logs | ||
=== Fixes === | === Fixes === | ||
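Review bot: in the added line "Dead/live-locks on internal criu locks now emits a warning into logs" the verb does not agree with the plural subject; suggest "now emit a warning in the logs". The entry 'Less "Error"-s in logs, that actually don't lead to errors' would also be easier to read as 'Fewer "Error" messages in logs for conditions that are not errors', which matters to anyone who alerts on the word "Error" in CRIU logs.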
Line 45: | Line 52: | ||
* Unsupported filesystems silently failed the dump | * Unsupported filesystems silently failed the dump | ||
* External tmpfs (and some other) mounts generated tarballs with their contents | * External tmpfs (and some other) mounts generated tarballs with their contents | ||
+ | * Privately mapped files were picked from wrong mount namespace | ||
+ | * Controlling tty could be restored on wrong tty end | ||
+ | * Tmpfs mount of sub-namespace was restored from wrong image file | ||
+ | * Potential stack overflow in libcriu | ||
+ | * Partially-restored tasks could be left after failed restore | ||
+ | * In-container TCP connection sometimes failed to restore | ||
+ | * Race in sending SIGSTOP vs dump might cause dump to fail | ||
+ | * Post-restore actions could generate stats files in wrong directories | ||
+ | * Freeze-cgroup didn't take sub-cgroups' tasks into account | ||
+ | * Tentative state in IPv6 sockets binding prevented socket from being bound immediately | ||
+ | * Restoring from images with files pointing to /proc file of dead tasks could crash | ||
+ | * Tasks with STOP in queue (i.e. -- not ''yet'' stopped) were CONT-ed in case of --leave-running dump | ||
+ | * Stopped task with one more STOP in queue caused dump to stuck | ||
+ | * If parent task left the MNT namespace it created for children restore could BUG() | ||
+ | * Link-local IPv6 addresses sometimes failed to bind() at restore | ||
=== Security === | === Security === | ||
* Service run as root could allow users to violate ptrace policies | * Service run as root could allow users to violate ptrace policies | ||
* Service run as root could give users access to privileged files and directories | * Service run as root could give users access to privileged files and directories |
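Review bot: the added entry "Potential stack overflow in libcriu" sits under Fixes with no indication of whether it is reachable by a caller less privileged than the process using the library, while the Security section right below it is left with two unchanged entries about the service run as root. Suggest stating in the entry whether the overflow is security-relevant, and moving it under Security if so, so that packagers can prioritise the update. Minor wording in the same hunk: "caused dump to stuck" should be "caused the dump to get stuck", and "If parent task left the MNT namespace it created for children restore could BUG()" needs a comma before "restore".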
Latest revision as of 08:51, 30 November 2015
Tarball: criu-1.8.tar.bz2
Version: 1.8
Released: 7 Dec 2015
GIT tag: v1.8
New features
- Ability to check CRIU features via RPC
- New zdtm.py test suite
- Pre-dump and pre-restore action scripts
- The "info" action in CRIT showing stats about image file
- More user-friendly output by CRIT
- Python API -- pycriu
- Ability to add custom paths to irmap scan
- C/R of
  - read-only bind mounts
  - IPv6 routes and iptables rules
  - ip rules (if the ip tool supports them)
  - ignore_routes_with_linkdown netns devconf
  - empty bridges in netns
  - FILTER mode of seccomp
  - IP_FREEBIND socket option
Optimizations/improvements
- Shared pie/non-pie .c files are built two times with proper flags
- VDSO code re-shuffled for better re-use between arches
- Failures of action scripts are reported in logs
- OpenVZ's VENET handling is tuned to fit the current kernel state
- Do not use hardcoded /dev/rts maj:min numbers
- Unsupported socket protocols are reported at expected place
- Slightly faster access to /proc files by using O_PATH open mode
- Improved page-server dump speed by keeping control over the Nagle algorithm
- Read pages.img in more optimal manner rather than page-by-page
- Fewer "Error" messages in logs for conditions that don't actually lead to errors
- Slightly faster /proc/pid/status parsing
- Dead/live-locks on internal criu locks now emit a warning in the logs
Fixes
- Page server flooded node with tw buckets during migration
- Turned off cgroups controllers weren't detected as such
- Netns sysctls from old images weren't properly restored
- Running process could be mistakenly stopped after --leave-running dump
- Helper processes run by CRIU produced fake error messages in logs
- Error code from sigaction restore could be missed
- Several potential buffer overruns existed due to a missing '\0' after strcpy-s
- Killed processes after dump survived in zombie state for some time holding PIDs and resources
- If task had MANY children, the latter could be skipped on dump
- Task dying while being frozen could fail the dump
- On Aarch64 the upper limit for user memory was not properly detected sometimes
- Guess for TCP buffer max segment size was too optimistic (could fail the restore on low-mem machines)
- CRIT didn't decode userns images
- Ghost files were left in the FS tree after failed restore (blocking the next restore attempt)
- Some log messages from pie code were lost
- Some net/ipc/uts sysctls failed to restore in userns
- Moving tasks into cgroups failed in userns
- Unsupported filesystems silently failed the dump
- External tmpfs (and some other) mounts generated tarballs with their contents
- Privately mapped files were picked from wrong mount namespace
- Controlling tty could be restored on wrong tty end
- Tmpfs mount of sub-namespace was restored from wrong image file
- Potential stack overflow in libcriu
- Partially-restored tasks could be left after failed restore
- In-container TCP connection sometimes failed to restore
- Race in sending SIGSTOP vs dump might cause dump to fail
- Post-restore actions could generate stats files in wrong directories
- Freeze-cgroup didn't take sub-cgroups' tasks into account
- Tentative state in IPv6 sockets binding prevented socket from being bound immediately
- Restoring from images with files pointing to /proc file of dead tasks could crash
- Tasks with STOP in queue (i.e. not yet stopped) were CONT-ed in case of a --leave-running dump
- A stopped task with one more STOP in queue caused the dump to get stuck
- If the parent task left the MNT namespace it created for children, restore could BUG()
- Link-local IPv6 addresses sometimes failed to bind() at restore
Security
- Service run as root could allow users to violate ptrace policies
- Service run as root could give users access to privileged files and directories