Difference between revisions of "Download/criu/2.0"
Jump to navigation
Jump to search
m |
|||
| (9 intermediate revisions by the same user not shown) | |||
| Line 9: | Line 9: | ||
* Added timeout for dump procedure (5 sec by default) | * Added timeout for dump procedure (5 sec by default) | ||
* Ability to override LSM profile on restore with CLI/RPC option | * Ability to override LSM profile on restore with CLI/RPC option | ||
| − | |||
* [[External bind mounts]] can be fs-root mounts too | * [[External bind mounts]] can be fs-root mounts too | ||
* Skip netns' internals on dump and restore (for Docker [[integration]]) | * Skip netns' internals on dump and restore (for Docker [[integration]]) | ||
* Advanced support for [[external files]] | * Advanced support for [[external files]] | ||
| + | ** [[External resources|External TTYs]] | ||
* C/R for | * C/R for | ||
** Mode and uid/gid of cgroup files and dirs | ** Mode and uid/gid of cgroup files and dirs | ||
** Freeze cgroup state (frozen/thawed) | ** Freeze cgroup state (frozen/thawed) | ||
| − | ** Task's loginuid | + | ** Task's loginuid and oom score |
| − | |||
** Per-thread credentials | ** Per-thread credentials | ||
** Filter mode of seccomp | ** Filter mode of seccomp | ||
| Line 24: | Line 23: | ||
** Binfmt-misc FS contents | ** Binfmt-misc FS contents | ||
** Netfilter conntracks and expectations | ** Netfilter conntracks and expectations | ||
| + | ** Multi-headed cgroups | ||
| + | ** CGroup namespaces (no nesting) | ||
=== Optimizations/improvements === | === Optimizations/improvements === | ||
| Line 32: | Line 33: | ||
* CRIT shows device numbers in "maj:min" manner | * CRIT shows device numbers in "maj:min" manner | ||
* CRIT shows mmap's status in verbose | * CRIT shows mmap's status in verbose | ||
| − | * | + | * Docker files for builds on all supported arches |
=== Fixes === | === Fixes === | ||
| Line 48: | Line 49: | ||
* CRIT didn't show IPC objects | * CRIT didn't show IPC objects | ||
* CRIT didn't convert IP addresses in images | * CRIT didn't convert IP addresses in images | ||
| + | * Logs from PIE code contained corrupted addresses and sizes | ||
| + | * Not loaded netfilter modules could cause dump/restore to stuck on dumping netlink socket | ||
| + | * Shared external mounts were restored with error | ||
=== Security === | === Security === | ||
* [[User-mode]] | * [[User-mode]] | ||
| + | * When checking for namespaces' CRIU entered userns with host creds | ||
=== Deprecated/removed === | === Deprecated/removed === | ||
* Completely removed 'show' action. Use [[CRIT]] instead. | * Completely removed 'show' action. Use [[CRIT]] instead. | ||
Latest revision as of 13:55, 7 April 2016
| Tarball: | criu-2.0.tar.bz2 |
| Version: | 2.0 |
| Released: | 7 Mar 2016 |
| GIT tag: | v2.0 |
New features[edit]
- New code layout for sub-projects (e.g. Compel)
- Unprivileged dump
- Dump/check cpuinfo support for PPC
- Explorers for CRIT
- Added "post-setup-namespaces" to action scripts
- Added timeout for dump procedure (5 sec by default)
- Ability to override LSM profile on restore with CLI/RPC option
- External bind mounts can be fs-root mounts too
- Skip netns' internals on dump and restore (for Docker integration)
- Advanced support for external files
- C/R for
- Mode and uid/gid of cgroup files and dirs
- Freeze cgroup state (frozen/thawed)
- Task's loginuid and oom score
- Per-thread credentials
- Filter mode of seccomp
- Ghost file in removed directory
- Ghost files lutimes
- Binfmt-misc FS contents
- Netfilter conntracks and expectations
- Multi-headed cgroups
- CGroup namespaces (no nesting)
Optimizations/improvements[edit]
- Align parasite stack on 16 bits for correctness
- Compilation with native libc syscall wrappers and helpers
- Parasite code injection done via memfd system call
- Make vaddr to pfn conversion with one less syscall
- CRIT shows device numbers in "maj:min" manner
- CRIT shows mmap's status in verbose
- Docker files for builds on all supported arches
Fixes[edit]
- Absent readlink syscall on ARM (use readlinkat instead) could cause dump to fail
- Wrong argument to timer_create system call could cause restore to crash
- Extra tasks in freeze cgroup caused dump to fail/hand/crash
- Unaligned restore-time object allocations caused lock operations to fail
- Opened /proc/pid dir of dead task failed the dump
- Unaligned stacks caused criu to fail on aarch64
- Changed device numbers on restore side could cause random failures
- Fixes in mount points sharing/slavery/propagation restore
- Race between mntns creation and fds closing in different tasks could cause restore to fail
- Hard kernel limit on TCP repair recv queue restore could cause big queue restore to fail
- Unconnected dgram UNIX socket with data lost packets on restore
- CRIT didn't show IPC objects
- CRIT didn't convert IP addresses in images
- Logs from PIE code contained corrupted addresses and sizes
- Not loaded netfilter modules could cause dump/restore to stuck on dumping netlink socket
- Shared external mounts were restored with error
Security[edit]
- User-mode
- When checking for namespaces' CRIU entered userns with host creds
Deprecated/removed[edit]
- Completely removed 'show' action. Use CRIT instead.