590
edits
Changes
mLine 79:
Line 79: + + Line 133:
Line 135: − + − The go-crit tool was created during GSoC 2022 to enable analysis of CRIU [[images]] with tools written in Go. It allows container management tools such as [https://github.com/checkpoint-restore/checkpointctl checkpointctl] and Podman to provide capabilities similar to CRIT. The goal of this project is to extend go-crit with functionality for forensic analysis of container checkpoints to provide a better user experience. − + Line 146:
Line 147: + + + + + + + Line 199:
Line 207: − + + + + + + + + + + + + + + + + + + + + + +
no edit summary
'''Details:'''
'''Details:'''
* Contributor: [https://github.com/Parthiba-Hazra Parthiba Hazra]
* [https://github.com/Parthiba-Hazra/gsoc-2024 Final Report]
* Skill level: intermediate
* Skill level: intermediate
* Language: Go
* Language: Go
=== Forensic analysis of container checkpoints ===
=== Forensic analysis of container checkpoints ===
'''Summary:''' Extending go-crit with capabilities for forensic analysis
'''Summary:''' Extending go-crit and checkpointctl with capabilities for forensic analysis
'''Merged:''' https://github.com/checkpoint-restore/checkpointctl
'''Merged:''' https://github.com/checkpoint-restore/checkpointctl
The go-crit tool is still in its early stages of development. To effectively utilise this new feature, the checkpointctl tool would be extended to display information about the processes included in a container checkpoint and their runtime state (e.g., memory, open files, sockets, etc).
The Go implementation of the [[crit]] tool was developed during GSoC 2022 to enable native Go–based decoding and encoding of CRIU [[images]]. In GSoC 2023, this tool was integrated with [https://github.com/checkpoint-restore/checkpointctl checkpointctl] to enable forensic analysis capabilities for container checkpoints. Behouba Manassé implemented support for memory forensics by extending the Go version of the crit tool and checkpointctl with support for parsing memory pages (<code>checkpointctl memparse</code>), and displaying information about the command-line arguments and environment variables when analysing checkpoints with the <code>checkpointctl inspect</code> command. Prajwal Nadig build upon his previous work during GSoC 2022, by implementing capabilities for analysing the process tree, open files, and sockets within a checkpoint, as well as introducing CI tests.
'''Links:'''
'''Links:'''
* https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/
* https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/
'''Details:'''
* Contributor: [https://github.com/behouba Behouba Manassé] and [https://github.com/snprajwal Prajwal Nadig]
* Final Report: [https://github.com/behouba/gsoc-2023 Behouba Manassé], [https://github.com/snprajwal/gsoc-2023 Prajwal Nadig]
* Skill level: intermediate
* Language: Go
* Expected size: 350 hours
* Mentors: Radostin Stoyanov <rstoyanov@fedoraproject.org>, Adrian Reber <areber@redhat.com>
=== Restrict checks for open/mmaped files ===
=== Restrict checks for open/mmaped files ===
'''Links:'''
'''Links:'''
* [[CRIT (Go library)]]
* [[CRIT (Go library)]]
* https://github.com/snprajwal/gsoc-2022
* [https://github.com/snprajwal/gsoc-2022 Final Report]
=== Use eBPF to lock and unlock the network ===
'''Summary:''' Use eBPF instead of external iptables-restore tool for network lock and unlock.
During checkpointing and restoring CRIU locks the network to make sure no network packets are accepted by the network stack during the time the process is checkpointed. Currently CRIU calls out to iptables-restore to create and delete the corresponding iptables rules. Another approach which avoids calling out to the external binary iptables-restore would be to directly inject eBPF rules. There have been reports from users that iptables-restore fails in some way and eBPF could avoid this external dependency.
'''Links:'''
* https://www.criu.org/TCP_connection#Checkpoint_and_restore_TCP_connection
* https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
* https://blog.zeyady.com/2021-08-16/gsoc-criu
'''Details:'''
* Contributor: [https://github.com/ZeyadYasser Zeyad Yasser]
* [https://github.com/checkpoint-restore/criu/pull/1539 CRIU Pull Request]
* Skill level: intermediate
* Language: C
* Expected size: 350 hours
* Mentors: Radostin Stoyanov <rstoyanov@fedoraproject.org>, Prajwal S N <prajwalnadig21@gmail.com>
* Suggested by: Adrian Reber <areber@redhat.com>
=== Support sparse ghosts ===
=== Support sparse ghosts ===