Revision as of 17:29, 4 May 2017 by Dsafonov (talk | contribs) (→‎Configuring the kernel: Add NETFILTER_XT_MARK for iptables-restore)

criu is a utility to checkpoint/restore a process tree. This page describes how to manually build and install the prerequisites and the tool itself.

Installing from packages

Some distributions provide ready-to-use packages. If yours does not, or the CRIU version you want is not yet packaged, you will need to get the CRIU sources and compile them.

Obtaining CRIU Source

You can download the source code as a release tarball or sync the git repository. If you plan to modify the CRIU sources, the latter way is highly recommended.

Getting source tarball

Tarball: criu-3.17.1.tar.gz
Version: 3.17.1 "Radiant Redstart"
Released: 23 Jun 2022
GIT tag: v3.17.1

Cloning git repository

git clone


Compiler and C Library

CRIU is mostly written in C and the build system is based on Makefiles, so just install the standard gcc and make packages (on Debian, build-essential will pull in both at once).

To build on x86 with C/R support for compatible 32-bit applications, you will need libc6-dev-i386 and gcc-multilib instead of gcc.

If you are cross compiling for ARM, use distribution packages or download prebuilt toolchains from Linaro.

Downloading Linaro toolchains

sudo apt-get install lib32stdc++6 lib32z1 # These are ia32 binaries
mkdir -p deps/`uname -m`-linux-gnu
cd deps
tar --strip=1 -C `uname -m`-linux-gnu -xf gcc-linaro-arm-linux-gnueabihf-4.9-2014.09_linux.tar.xz
tar --strip=1 -C `uname -m`-linux-gnu -xf gcc-linaro-aarch64-linux-gnu-4.9-2014.09_linux.tar.xz
cd ..

Protocol Buffers

CRIU uses the Google Protocol Buffers to read and write images and thus requires C language bindings. The protoc tool is required at build time and the shared object is required at build and run time. CRIT also uses python language bindings for protocol buffers and requires the descriptor.proto file typically provided by a distribution's protobuf development package.

Distribution Packages

The easiest way is to install distribution packages.

  • RPM package names
    • group Development\ Tools
    • protobuf
    • protobuf-c
    • protobuf-c-devel
    • protobuf-compiler
    • protobuf-devel
    • protobuf-python
    • libnet-devel
  • Debian package names
    • build-essential
    • libprotobuf-dev
    • libprotobuf-c0-dev
    • protobuf-c-compiler
    • protobuf-compiler
    • python-protobuf
    • libnet1-dev
  • Ubuntu
    • The command below gets a freshly installed Ubuntu host ready to compile criu. The "--no-install-recommends" parameter keeps asciidoc from pulling in a lot of dependencies.
    • sudo apt-get install --no-install-recommends git build-essential libprotobuf-dev libprotobuf-c0-dev protobuf-c-compiler protobuf-compiler python-protobuf libnl-3-dev libpth-dev pkg-config libcap-dev asciidoc libnet

Building Protocol Buffers From Source

If you would like to build from source, you can use the following commands to obtain the source code repositories, configure, and build the code. On a Debian-based system, you may have to install the autoconf, curl, g++ and libtool packages first.

To build protobuf

cd deps
git clone protobuf
cd protobuf
./configure --prefix=`pwd`/../`uname -m`-linux-gnu
make install
cd ../..

To build protobuf-c

cd deps
git clone protobuf-c
cd protobuf-c
mkdir ../pbc-`uname -m`
cd ../pbc-`uname -m`
../protobuf-c/configure --prefix=`pwd`/../`uname -m`-linux-gnu \
  PKG_CONFIG_PATH=`pwd`/../`uname -m`-linux-gnu/lib/pkgconfig
make install
cd ../..

To cross-compile for ARM some more tricks will be required.

For ARMv7

cd deps
mkdir -p pbc-arm
cd pbc-arm
../protobuf-c/configure --host=arm-linux-gnueabihf --prefix=`pwd`/../arm-linux-gnueabihf \
                        --disable-protoc PATH=`pwd`/../`uname -m`-linux-gnu/bin:$PATH
make PATH=`pwd`/../`uname -m`-linux-gnu/bin:$PATH
make install PATH=`pwd`/../`uname -m`-linux-gnu/bin:$PATH
cd ../..

For ARMv8

cd deps
mkdir -p pbc-aarch64
cd pbc-aarch64
../protobuf-c/configure --host=aarch64-linux-gnu --prefix=`pwd`/../aarch64-linux-gnu \
                        --disable-protoc PATH=`pwd`/../`uname -m`-linux-gnu/bin:$PATH
make PATH=`pwd`/../`uname -m`-linux-gnu/bin:$PATH
make install PATH=`pwd`/../`uname -m`-linux-gnu/bin:$PATH
cd ../..

Other deps

  • pkg-config to check on build library dependencies.
  • libnl3 and libnl3-devel (RPM distros) or libnl-3-dev (DEB distros) for network operations.
  • python-ipaddr is used by CRIT to pretty-print IP addresses.
  • If libbsd is available, CRIU will be compiled with setproctitle() support, which makes the process titles of service workers more verbose.
  • The iproute2 tool version 3.5.0 or higher is needed for dumping network namespaces. The latest one can be cloned from iproute2. It should be compiled, and the path to ip written to the CR_IP_TOOL environment variable.
  • libcap-devel (RPM) or libcap-dev (DEB)
  • If you would like to use make test you should install libaio-devel (RPM) or libaio-dev (DEB).
  • For test launcher you need PyYAML (RPM) or python-yaml (DEB).

Linux Kernel

Linux kernel v3.11 or newer is required, with some specific options set. If your distribution does not provide the needed kernel, you might want to compile one yourself.

Configuring the kernel

Most likely the first thing to enable is the CONFIG_EXPERT=y (General setup -> Configure standard kernel features (expert users)) option, which on x86_64 depends on the CONFIG_EMBEDDED=y (General setup -> Embedded system) one (welcome to Kconfig reverse chains hell).

The following options must be enabled for CRIU to work:

  • General setup options
    • CONFIG_CHECKPOINT_RESTORE=y (Checkpoint/restore support)
    • CONFIG_NAMESPACES=y (Namespaces support)
    • CONFIG_UTS_NS=y (Namespaces support -> UTS namespace)
    • CONFIG_IPC_NS=y (Namespaces support -> IPC namespace)
    • CONFIG_PID_NS=y (Namespaces support -> PID namespaces)
    • CONFIG_NET_NS=y (Namespaces support -> Network namespace)
    • CONFIG_FHANDLE=y (Open by fhandle syscalls)
    • CONFIG_EVENTFD=y (Enable eventfd() system call)
    • CONFIG_EPOLL=y (Enable eventpoll support)
  • Networking support -> Networking options: options for the sock-diag subsystem
    • CONFIG_UNIX_DIAG=y (Unix domain sockets -> UNIX: socket monitoring interface)
    • CONFIG_INET_DIAG=y (TCP/IP networking -> INET: socket monitoring interface)
    • CONFIG_INET_UDP_DIAG=y (TCP/IP networking -> INET: socket monitoring interface -> UDP: socket monitoring interface)
    • CONFIG_PACKET_DIAG=y (Packet socket -> Packet: sockets monitoring interface)
    • CONFIG_NETLINK_DIAG=y (Netlink socket -> Netlink: sockets monitoring interface)

Other options are not required by CRIU, but the features they enable are supported by C/R (the ZDTM test suite may fail without them):

  • CONFIG_INOTIFY_USER=y (File systems -> Inotify support for userspace)
  • CONFIG_FANOTIFY=y (File systems -> Filesystem wide access notification)
  • CONFIG_NETFILTER_XT_MARK=y (Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration -> Netfilter Xtables support (required for ip_tables) -> nfmark target and match support)
  • CONFIG_MEMCG=y (General setup -> Control Group support -> Memory controller)
  • CONFIG_CGROUP_DEVICE=y (General setup -> Control Group support -> Device controller)
  • CONFIG_MACVLAN=y (Device Drivers -> Network device support -> Network core driver support -> MAC-VLAN support)
  • CONFIG_BRIDGE=y (Networking support -> Networking options -> 802.1d Ethernet Bridging)
  • CONFIG_BINFMT_MISC=y (Userspace binary formats -> Kernel support for MISC binaries)
  • CONFIG_IA32_EMULATION=y (x86 only) (Executable file formats -> Emulations -> IA32 Emulation)

For some usage scenarios CRIU can track memory changes and produce incremental dumps. This requires enabling the optional CONFIG_MEM_SOFT_DIRTY=y (Processor type and features -> Track memory changes).

Note we also have our custom kernel, which might contain some experimental CRIU related patches.
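
To check a kernel against the option lists above before rebuilding it, the following added example (not part of the original page or of CRIU) reads a config file and reports every listed option that is not built in. It reports =m separately from unset because the page lists each option as =y; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. Option names come from the lists on this page; the function
# names and the sample config are constructed for illustration.
REQUIRED="CHECKPOINT_RESTORE NAMESPACES UTS_NS IPC_NS PID_NS NET_NS FHANDLE
EVENTFD EPOLL UNIX_DIAG INET_DIAG INET_UDP_DIAG PACKET_DIAG NETLINK_DIAG"
# IA32_EMULATION applies to x86 only; MEM_SOFT_DIRTY is for incremental dumps.
OPTIONAL="INOTIFY_USER FANOTIFY NETFILTER_XT_MARK MEMCG CGROUP_DEVICE MACVLAN
BRIDGE BINFMT_MISC IA32_EMULATION MEM_SOFT_DIRTY"

# read_config FILE: print the config, decompressing *.gz such as /proc/config.gz
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# opt_state FILE NAME: print y, m, or n (n covers "is not set" and absent)
opt_state() {
    val=$(read_config "$1" | sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# not_builtin FILE "NAMES": print every option that is not =y as CONFIG_NAME=state
not_builtin() {
    res=""
    for name in $2; do
        st=$(opt_state "$1" "$name")
        [ "$st" = y ] || res="${res:+$res }CONFIG_$name=$st"
    done
    printf '%s\n' "$res"
}

# Constructed sample: everything =y, then one required option turned into a
# module, one required option disabled, and one optional option dropped.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
for o in $REQUIRED $OPTIONAL; do echo "CONFIG_$o=y"; done |
    sed -e 's/^CONFIG_UNIX_DIAG=y$/CONFIG_UNIX_DIAG=m/' \
        -e 's/^CONFIG_NET_NS=y$/# CONFIG_NET_NS is not set/' \
        -e '/^CONFIG_MEM_SOFT_DIRTY=/d' > "$SAMPLE"

echo "required, not built in: $(not_builtin "$SAMPLE" "$REQUIRED")"
echo "optional, not built in: $(not_builtin "$SAMPLE" "$OPTIONAL")"
```

On a real host, pass the running kernel's config instead of the sample, typically /boot/config-$(uname -r) or, when the kernel exposes it, /proc/config.gz.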

Building CRIU From Source

Native Compilation

Simply run make in the CRIU source directory.

Compilation in Docker container

There's a docker-build target in the Makefile which builds CRIU in an Ubuntu Docker container. Just run make docker-build and that's it.

Non-standard compilation

Building natively, but specifying built dependencies manually

cd deps
rsync -a --exclude=.git --exclude=deps .. criu-`uname -m`
cd criu-`uname -m`
make \
  USERCFLAGS="-I`pwd`/../`uname -m`-linux-gnu/include -L`pwd`/../`uname -m`-linux-gnu/lib" \
  PATH="`pwd`/../`uname -m`-linux-gnu/bin:$PATH"
sudo LD_LIBRARY_PATH=`pwd`/../`uname -m`-linux-gnu/lib ./criu check
cd ../..

Cross Compilation for ARM


cd deps
rsync -a --exclude=.git --exclude=deps .. criu-arm
cd criu-arm
make \
  ARCH=arm \
  CROSS_COMPILE=`pwd`/../`uname -m`-linux-gnu/bin/arm-linux-gnueabihf- \
  USERCFLAGS="-I`pwd`/../arm-linux-gnueabihf/include -L`pwd`/../arm-linux-gnueabihf/lib" \
  PATH="`pwd`/../`uname -m`-linux-gnu/bin:$PATH"
cd ../..


For ARMv8

cd deps
rsync -a --exclude=.git --exclude=deps .. criu-aarch64
cd criu-aarch64
make \
  ARCH=aarch64 \
  CROSS_COMPILE=`pwd`/../`uname -m`-linux-gnu/bin/aarch64-linux-gnu- \
  USERCFLAGS="-I`pwd`/../aarch64-linux-gnu/include -L`pwd`/../aarch64-linux-gnu/lib" \
  PATH="`pwd`/../`uname -m`-linux-gnu/bin:$PATH"
cd ../..


CRIU has functionality that is either optional or behaves differently depending on the kernel CRIU is running on. By default the build process includes as much of it as possible, but this behavior can be changed.

Main article: Configuring


CRIU works perfectly even when run from the sources directory (with the "./criu" command), but if you want to have it in standard paths, run make install.

On Debian-based systems, you may need to install the following packages to generate the docs and avoid errors from install-man:

  • asciidoc
  • xmlto

Checking That It Works

The first thing to do is to run criu check. At the end it should say "Looks OK"; if it doesn't, the messages on the screen explain what functionality is missing.

Some kernel functionality is required in rare cases and may not block the dump (but sometimes may). These features can be checked by adding the --extra flag.

If you're using our custom kernel, the --all option can be used; in this case CRIU checks that all the kernel features work.

You can then try running the ZDTM Test Suite which sits in the tests/zdtm/ directory.

Further reading