sk-inet: Add support for checkpoint/restore of ICMP sockets #2558
base: criu-dev
@ss141309 Thank you for opening this pull request! Would you be able to add a ZDTM test for this functionality? Example:
@rst0git oops, it looks like I forgot to add an IP6 version of the test, do I need to create it?
It would be good to have a test for this. CRIU is used in some production environments where only IPv6 addresses are being used.
As far as I remember, ICMP sockets can have attached filters and we need to dump them. Pls take a look at c2cbcaf, maybe some code can be reused.
It seems that the tests are failing because of the GIDs being set in the ping_group_range variable. What should I set them to in the
The test gid is 58467: Line 507 in 7c66617
Line 444 in 7c66617
I think "58467 58468" is the right range in this case.
ICMP filters are only attached when using SOCK_RAW, since unprivileged ICMP sockets only accept ICMP_ECHO and ICMP_ECHOREPLY type messages
6f97c64 to 9c54c86
Overall, it looks good to me. We need to move C/R of the sysctl to the proper place and resort patches. I will do all of that this week. Thanks for the contribution.
@ss141309 Would you be able to update the pull request to apply the fixup changes into previous commits?
@rst0git I did the changes, is it now alright?
@ss141309 Would you be able to apply the change from
We need to integrate it into dump_netns_conf/restore_netns_conf, probably taking as an example ebe3b52353c. This value belongs to the namespace, not to the socket.
Should I make a new commit or edit the existing one and force push the changes?
@ss141309 I did proper handling of ping_group_range c/r here #2565, you can rebase on top of it when/if it is merged. Machinery of sysctls in CRIU is a bit too complex, I must admit. And so I helped you a bit here, as you can see there is a lot of code to do one more sysctl in the directory which is not yet handled.
Currently there is no option to checkpoint/restore programs that use ICMP sockets, such as `ping`. This patch adds support for the same.
Fixes checkpoint-restore#2557
Signed-off-by: समीर सिंह Sameer Singh <[email protected]>

ZDTM test suite creates separate network namespaces to run tests. These namespaces do not preserve the value of the sysctl variable `net.ipv4.ping_group_range` which allows the creation of unprivileged ICMP sockets. This commit modifies the variable after the namespaces have been created to allow GIDs 0-58468 to create unprivileged ICMP sockets, since the zdtm test GID is in this range.
Signed-off-by: समीर सिंह Sameer Singh <[email protected]>

Add ZDTM static tests for IP4/ICMP and IP6/ICMP socket feature.
Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
LGTM
@@ -0,0 +1 @@ | |||
{'flags': 'suid', 'flavor': 'h ns'} |
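Review bot: 'flags': 'suid' on the added line makes the test run privileged, so the non-root path that ping_group_range is meant to open is never exercised, and 'flavor': 'h ns' leaves uns out without a stated reason. Suggest dropping suid and adding uns, or recording in the commit message why each is needed.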
Why is it suid? Why is uns excluded?
- If we remove suid we get:
04:09:54.090: 4: ERR: sysctl.c:34: Can't open /proc/sys/net/ipv4/ping_group_range (errno = 13 (Permission denied))
Which is EACCES, as the file has permissions "0644" and non-root is not allowed to write it. But we want to avoid suid to check non-root users too. So we can probably just remove setting ping_group_range from the test and rely on it being set in the second patch for all tests.
So please remove suid together with setting ping_group_range from test/zdtm/static/socket*_icmp.c and let's see if it works.
- If we add uns we get:
b'(00.004760) 1: Error (criu/net.c:2180): net: unix: Failed to write net/ipv4/<sysctls>'
I see that we get EINVAL when writing to ping_group_range on criu restore.
Likely the low/high uids we try to set got considered invalid in the userns of the caller (CRIU). We should probably just enter proper userns at that point of setting ping_group_range, I will try to fix this.
Currently there is no option to checkpoint/restore programs that use ICMP sockets, such as `ping`. This patch adds support for the same.
Fixes #2557
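The `ping_group_range` gate discussed in this thread, as an added example (not code from this pull request or from CRIU): it reads the sysctl in the current network namespace, checks the process's effective and supplementary GIDs against the inclusive range, and then tries to open an unprivileged ICMP socket. The helper names `parse_range`, `gid_in_range` and `process_allowed` are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse "low high" as stored in ping_group_range; returns 0 on success. */
int parse_range(const char *s, unsigned long *lo, unsigned long *hi)
{
	return sscanf(s, "%lu %lu", lo, hi) == 2 ? 0 : -1;
}

/* The range is inclusive; low > high (the kernel default "1 0") matches no GID. */
int gid_in_range(unsigned long gid, unsigned long lo, unsigned long hi)
{
	return lo <= gid && gid <= hi;
}

/* 1 if the effective GID or any supplementary GID is inside the range. */
int process_allowed(unsigned long lo, unsigned long hi)
{
	gid_t groups[256];
	int n = getgroups(256, groups); /* -1 on error: loop below is skipped */
	if (gid_in_range(getegid(), lo, hi))
		return 1;
	for (int i = 0; i < n; i++)
		if (gid_in_range(groups[i], lo, hi))
			return 1;
	return 0;
}

int main(void)
{
	char buf[64] = "";
	unsigned long lo, hi;
	FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
	if (!f || !fgets(buf, sizeof(buf), f) || parse_range(buf, &lo, &hi)) {
		fprintf(stderr, "cannot read ping_group_range\n");
		return 1;
	}
	fclose(f);
	printf("range %lu-%lu, this process allowed: %d\n", lo, hi, process_allowed(lo, hi));
	/* SOCK_DGRAM + IPPROTO_ICMP is the unprivileged ICMP ("ping") socket. */
	int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
	printf("socket(): %s\n", fd < 0 ? strerror(errno) : "ok");
	if (fd >= 0)
		close(fd);
	return 0;
}
```

Running it inside a freshly created network namespace shows the default range rather than the host's value, which is the situation the ZDTM commit message describes.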