net: remember the name of the lock chain (nftables)
Using libnftables the chain to lock the network is composed of ("CRIU-%d", real_pid). This leads to around 40 zdtm tests failing with errors like this: Error: No such file or directory; did you mean table 'CRIU-62' in family inet? delete table inet CRIU-86 The reason is that as soon as a process is running in a namespace the real PID can be anything and only the PID in the namespace is restored correctly. Relying on the real PID does not work for the chain name. Using the PID of the innermost namespace would lead to the chain being called 'CRIU-1' most of the time which is also not really unique. With this commit the chain is now named using the already existing CRIU run ID. To be able to correctly restore the process and delete the locking table, the CRIU run id during checkpointing is now stored in the inventory as dump_criu_run_id. Signed-off-by: Adrian Reber <[email protected]>
1 parent
30db0e9
commit ee03485
Showing
4 changed files
with
57 additions
and
1 deletion.
@@ -25,6 +25,7 @@ bool img_common_magic = true; | |
TaskKobjIdsEntry *root_ids; | ||
u32 root_cg_set; | ||
Lsmtype image_lsm; | ||
char dump_criu_run_id[37]; | ||
|
||
struct inventory_plugin { | ||
struct list_head node; | ||
|
@@ -120,6 +121,26 @@ int check_img_inventory(bool restore) | |
goto out_err; | ||
} | ||
} | ||
|
||
/** | ||
* This contains the criu_run_id during dumping of the process. | ||
* For things like removing network locking (nftables) this | ||
* information is needed to identify the name of the network | ||
* locking table. | ||
*/ | ||
if (he->dump_criu_run_id) { | ||
pr_info("Dump CRIU run id %d\n", dump_criu_run_id[0]); | ||
pr_info("Dump CRIU run id strlen %ld\n", strlen(dump_criu_run_id)); | ||
strncpy(dump_criu_run_id, he->dump_criu_run_id, sizeof(dump_criu_run_id) - 1); | ||
pr_info("Dump CRIU run id = %s\n", dump_criu_run_id); | ||
} else { | ||
/** | ||
* If restoring from an old image this is a marker | ||
* that no dump_criu_run_id exists. | ||
*/ | ||
dump_criu_run_id[0] = NO_DUMP_CRIU_RUN_ID; | ||
} | ||
|
||
Check warning on line 143 in criu/image.c GitHub Actions / build
|
||
} | ||
|
||
ret = 0; | ||
|
@@ -367,6 +388,17 @@ int prepare_inventory(InventoryEntry *he) | |
he->has_network_lock_method = true; | ||
he->network_lock_method = opts.network_lock_method; | ||
|
||
/** | ||
* This contains the criu_run_id during dumping of the process. | ||
* For things like removing network locking (nftables) this | ||
* information is needed to identify the name of the network | ||
* locking table. | ||
*/ | ||
he->dump_criu_run_id = xstrdup(criu_run_id); | ||
|
||
if (!he->dump_criu_run_id) | ||
return -1; | ||
|
||
return 0; | ||
} | ||
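Review bot: In the check_img_inventory hunk, `he->dump_criu_run_id` is read from the inventory image and copied with `strncpy` without any length or content check, and the netfilter.c section of this commit then formats it into the nftables table name, so a corrupted or tampered image decides which table is looked up or deleted. Termination relies on the last byte of the global staying zero from static initialisation, and an over-long ID is silently truncated into a name that will not match the table created at dump time. I would reject an empty or over-long ID before the copy, and ideally anything outside the character set the dumper generates, reusing the `out_err` label the function already jumps to a few lines above. The two `pr_info` calls ahead of the copy print the still-unfilled buffer and pass a `size_t` to `%ld`; they look like leftover debugging and could be dropped. check_img_inventory starts and ends outside the hunk.

```c
	if (he->dump_criu_run_id) {
		size_t len = strlen(he->dump_criu_run_id);

		/* The ID is read from the image: refuse one that is empty or does not fit. */
		if (len == 0 || len >= sizeof(dump_criu_run_id)) {
			pr_err("Invalid dump_criu_run_id in inventory image\n");
			goto out_err;
		}
		memcpy(dump_criu_run_id, he->dump_criu_run_id, len + 1);
		pr_info("Dump CRIU run id = %s\n", dump_criu_run_id);
	} else {
		/* … unchanged: NO_DUMP_CRIU_RUN_ID marker for old images … */
	}
```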
|
||
|
@@ -299,7 +299,25 @@ int nftables_lock_connection(struct inet_sk_desc *sk) | |
|
||
int nftables_get_table(char *table, int n) | ||
{ | ||
if (snprintf(table, n, "inet CRIU-%d", root_item->pid->real) < 0) { | ||
int ret; | ||
|
||
switch(dump_criu_run_id[0]) { | ||
Check warning on line 304 in criu/netfilter.c GitHub Actions / build
|
||
case 0: | ||
/* This is not a restore.*/ | ||
ret = snprintf(table, n, "inet CRIU-%s", criu_run_id); | ||
break; | ||
case NO_DUMP_CRIU_RUN_ID: | ||
/** | ||
* This is a restore from an older image with no | ||
* dump_criu_run_id available. Let's use the old ID. | ||
*/ | ||
ret = snprintf(table, n, "inet CRIU-%d", root_item->pid->real); | ||
break; | ||
default: | ||
ret = snprintf(table, n, "inet CRIU-%s", dump_criu_run_id); | ||
} | ||
|
||
if (ret < 0) { | ||
pr_err("Cannot generate CRIU's nftables table name\n"); | ||
return -1; | ||
} | ||
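Review bot: The `ret < 0` test in nftables_get_table does not catch truncation, because snprintf returns the length it wanted to write; with the ID now a string (up to 36 characters, going by the 37-byte buffer) a too-small `n` yields a shortened table name that is accepted and later used to address a table. `if (ret < 0 || ret >= n) {` would close that. Separately, the first byte of `dump_criu_run_id` doubles as the state flag: an image carrying an empty ID lands in `case 0` ("not a restore"), and an ID whose first byte happens to equal `NO_DUMP_CRIU_RUN_ID` (its value is not visible here) lands in the real-PID fallback, so a separate flag or enum would be more robust than in-band signalling. The end of the function is outside the hunk.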