2,257
edits
Changes
Jump to navigation
Jump to search
Line 4:
Line 4: − * C/R of read-only bind mounts − * C/R of IPv6 routes and iptables rules − * C/R of ip rules (it ip tool supports such) Line 12:
Line 9: − + + + + + + + + Line 24:
Line 28: + + + Line 45:
Line 52: + + + + + + + + + + + + + + +
no edit summary
* Ability to check CRIU features via [[RPC]]
* Ability to check CRIU features via [[RPC]]
* New zdtm.py test suite
* New zdtm.py test suite
* Pre-dump and pre-restore [[action scripts]]
* Pre-dump and pre-restore [[action scripts]]
* The "info" action in [[CRIT]] showing stats about image file
* The "info" action in [[CRIT]] showing stats about image file
* Python API -- pycriu
* Python API -- pycriu
* Ability to add custom paths to irmap scan
* Ability to add custom paths to irmap scan
* C/R of ignore_routes_with_linkdown netns devconf
* C/R of
** read-only bind mounts
** IPv6 routes and iptables rules
** ip rules (it ip tool supports such)
** ignore_routes_with_linkdown netns devconf
** empty bridges in netns
** FILTER mode of seccomp
** IP_FREEBIND socket option
=== Optimizations/improvements ===
=== Optimizations/improvements ===
* Improved page-server dump speed by keeping control over the Nagle algorithm
* Improved page-server dump speed by keeping control over the Nagle algorithm
* Read pages.img in more optimal manner rather than page-by-page
* Read pages.img in more optimal manner rather than page-by-page
* Less "Error"-s in logs, that actually don't lead to errors
* Slightly faster /proc/pid/status parsing
* Dead/live-locks on internal criu locks now emits a warning into logs
=== Fixes ===
=== Fixes ===
* Unsupported filesystems silently failed the dump
* Unsupported filesystems silently failed the dump
* External tmpfs (and some other) mounts generated tarballs with their contents
* External tmpfs (and some other) mounts generated tarballs with their contents
* Privately mapped files were picked from wrong mount namespace
* Controlling tty could be restored on wrong tty end
* Tmpfs mount of sub-namespace was restored from wrong image file
* Potential stack overflow in libcriu
* Partially-restored tasks could be left after failed restore
* In-container TCP connection sometimes failed to restore
* Race in sending SIGSTOP vs dump might cause dump to fail
* Post-restore actions could generate stats files in wrong directories
* Freeze-cgroup didn't take sub-cgroups' tasks into account
* Tentative state in IPv6 sockets binding prevented socket from being bound immediately
* Restoring from images with files pointing to /proc file of dead tasks could crash
* Tasks with STOP in queue (i.e. -- not ''yet'' stopped) were CONT-ed in case of --leave-running dump
* Stopped task with one more STOP in queue caused dump to stuck
* If parent task left the MNT namespace it created for children restore could BUG()
* Link-local IPv6 addresses sometimes failed to bind() at restore
=== Security ===
=== Security ===
* Service run as root could allow users to violate ptrace policies
* Service run as root could allow users to violate ptrace policies
* Service run as root could give users access to privileged files and directories
* Service run as root could give users access to privileged files and directories