checkpoint: handle config.Devices and config.MaskPaths #1110
Conversation
```go
		c.addCriuRestoreMount(req, m)
	}

	if c.config.Namespaces.Contains(configs.NEWUSER) {
```
I don't really know enough about this to know the answer, but is it definitely the case that we only want to add mounts for c.config.Devices if there's a newuser namespace?
There are two cases when devices are bind-mounted from the host:
- if a container is executed in its own userns
- if a container is executed from a non-root userns

```go
// Create the device nodes in the container.
func createDevices(config *configs.Config) error {
	useBindMount := system.RunningInUserNS() || config.Namespaces.Contains(configs.NEWUSER)
```

Actually we can add these ext-mounts always and they will be ignored if devices should not be bind-mounted.

Currently I have a problem with MaskPaths, because the behaviour is different for files and directories, but we don't know which is which when a container isn't running.

```go
// For files, maskPath bind mounts /dev/null over the top of the specified path.
// For directories, maskPath mounts read-only tmpfs over the top of the specified path.
```
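The following is an added illustration of the two points made in the comment above; it is example code written for this page, not runc's code and not part of this PR. It shows (1) the two conditions under which device nodes are bind-mounted from the host rather than created with mknod, decided from a NEWUSER flag and the content of /proc/self/uid_map, and (2) how a checkpoint can tell a masked file (a /dev/null bind mount, which CRIU must be told is external) from a masked directory (a read-only tmpfs CRIU can dump by itself) by resolving each mask path against the running container's root. The `Device` and `ExtMount` types, the `rootfs` parameter (assumed to be something like /proc/<pid>/root at checkpoint time) and the function names are assumptions of this example; the CRIU protobuf type is replaced by a plain struct, and the rootfs used in `main` is a constructed temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Device is the part of a device entry this example needs (a stand-in for
// runc's configs.Device, not the real type).
type Device struct {
	Path string // path of the node inside the container, e.g. /dev/null
}

// ExtMount is one CRIU external-mount entry: Key is the mount point as CRIU
// sees it in the dumped tree, Val is the host resource backing it.
// Stand-in for criurpc.ExtMountMap, not the real type.
type ExtMount struct {
	Key, Val string
}

// devicesAreBindMounted reports whether device nodes are bind-mounted from
// the host rather than created with mknod: true when the container gets its
// own user namespace, or when the runtime itself already runs inside a
// non-root user namespace. uidMap is the content of /proc/self/uid_map; a
// single identity line "0 0 4294967295" marks the initial user namespace.
func devicesAreBindMounted(newUserNS bool, uidMap string) bool {
	if newUserNS {
		return true
	}
	f := strings.Fields(uidMap)
	if len(f) == 0 {
		return false // no uid_map content at all: no user namespace support
	}
	return !(len(f) == 3 && f[0] == "0" && f[1] == "0" && f[2] == "4294967295")
}

// criuExtMounts builds the external-mount list for a checkpoint.
//
// Every device is added unconditionally: if the runtime did mknod instead of
// a bind mount, no such mount exists in the container and CRIU ignores the
// entry. Mask paths are resolved against rootfs (the running container's
// root) to tell files from directories: a masked file is a /dev/null bind
// mount and is declared external; a masked directory is a read-only tmpfs
// that CRIU dumps and restores on its own, so it is skipped.
func criuExtMounts(devices []Device, maskPaths []string, rootfs string) ([]ExtMount, error) {
	var mounts []ExtMount
	for _, d := range devices {
		mounts = append(mounts, ExtMount{Key: d.Path, Val: d.Path})
	}
	for _, p := range maskPaths {
		fi, err := os.Stat(filepath.Join(rootfs, p))
		if err != nil {
			if os.IsNotExist(err) {
				continue // path absent in this rootfs: nothing was masked
			}
			return nil, err
		}
		if fi.IsDir() {
			continue
		}
		mounts = append(mounts, ExtMount{Key: p, Val: "/dev/null"})
	}
	return mounts, nil
}

func main() {
	// Constructed stand-in for a container root: one masked file, one masked
	// directory; /proc/missing is deliberately absent.
	root, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "proc", "sys"), 0o755)
	os.WriteFile(filepath.Join(root, "proc", "kcore"), nil, 0o644)

	fmt.Println("bind-mounted in initial userns, no NEWUSER:",
		devicesAreBindMounted(false, "         0          0 4294967295\n"))
	fmt.Println("bind-mounted when run from a non-root userns:",
		devicesAreBindMounted(false, "         0       1000          1\n"))

	mounts, err := criuExtMounts(
		[]Device{{Path: "/dev/null"}, {Path: "/dev/zero"}},
		[]string{"/proc/kcore", "/proc/sys", "/proc/missing"},
		root)
	if err != nil {
		panic(err)
	}
	for _, m := range mounts {
		fmt.Printf("ext-mount %s -> %s\n", m.Key, m.Val)
	}
}
```

The stat is done against the live root on purpose: at checkpoint time the container is running, so the mount covering each mask path is visible and a directory with tmpfs over it stats as a directory, while a file with /dev/null bound over it stats as a character device. Restore is the side that cannot inspect anything, which is why the classification has to be recorded while checkpointing.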
f5f4609 to 83ed56a (Compare)
Should these only be added when userns is enabled?
@crosbymichael heh, it was originally implemented that way and I asked the opposite question. I don't know the answer.
Well when userns is not enabled we don't create bind mounts for devices, we just mknod the device so I don't think it applies.
@crosbymichael We create bind-mounts if userns is enabled for a container and if a container is started from a non-root userns. I suggest to always set these options for CRIU, because if devices are not mounted, CRIU will do nothing with them.
In user namespaces devices are bind-mounted from the host, so we need to add them as external mounts for CRIU. Reported-by: Ross Boucher <[email protected]> Signed-off-by: Andrei Vagin <[email protected]>
@avagin so even though you add all these mounts for the devices in criu it won't do anything with them if they were not originally mounted?
@crosbymichael No, it won't.