]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
d38dd64a | 2 | |
1160ce89 CB |
3 | #include "config.h" |
4 | ||
9b945f13 | 5 | #include <inttypes.h> |
e29fe1dd TA |
6 | #include <linux/limits.h> |
7 | #include <sched.h> | |
8 | #include <stdio.h> | |
9 | #include <stdlib.h> | |
10 | #include <string.h> | |
11 | #include <sys/mount.h> | |
12 | #include <sys/types.h> | |
13 | #include <sys/wait.h> | |
14 | #include <unistd.h> | |
15 | ||
cdb4f412 | 16 | #include "attach_options.h" |
5eac34d5 | 17 | |
e29fe1dd | 18 | #include "cgroup.h" |
dc259399 | 19 | #include "commands.h" |
d38dd64a | 20 | #include "conf.h" |
e29fe1dd TA |
21 | #include "criu.h" |
22 | #include "log.h" | |
23 | #include "lxc.h" | |
24 | #include "lxclock.h" | |
59d8a539 | 25 | #include "memory_utils.h" |
e29fe1dd | 26 | #include "network.h" |
28d832c4 | 27 | #include "storage.h" |
e8f764b6 | 28 | #include "syscall_wrappers.h" |
e29fe1dd TA |
29 | #include "utils.h" |
30 | ||
5f4e44a2 | 31 | #if IS_BIONIC |
58db1a61 | 32 | #include "lxcmntent.h" |
5f4e44a2 TA |
33 | #else |
34 | #include <mntent.h> | |
35 | #endif | |
36 | ||
db4af8c5 | 37 | #if !HAVE_STRLCPY |
58db1a61 | 38 | #include "strlcpy.h" |
9de31d5a CB |
39 | #endif |
40 | ||
c33b0338 | 41 | #define CRIU_VERSION "2.0" |
73d46752 TA |
42 | |
43 | #define CRIU_GITID_VERSION "2.0" | |
44 | #define CRIU_GITID_PATCHLEVEL 0 | |
45 | ||
f1954503 | 46 | #define CRIU_IN_FLIGHT_SUPPORT "2.4" |
46c8ffd5 | 47 | #define CRIU_EXTERNAL_NOT_VETH "2.8" |
0109a13d | 48 | #define CRIU_EXTERNAL_NETDEV "3.15" |
f1954503 | 49 | |
ac2cecc4 | 50 | lxc_log_define(criu, lxc); |
e29fe1dd | 51 | |
73d46752 | 52 | struct criu_opts { |
5af85cb1 TA |
53 | /* the thing to hook to stdout and stderr for logging */ |
54 | int pipefd; | |
55 | ||
73d46752 TA |
56 | /* The type of criu invocation, one of "dump" or "restore" */ |
57 | char *action; | |
58 | ||
b2c3710f TA |
59 | /* the user-provided migrate options relevant to this action */ |
60 | struct migrate_opts *user; | |
73d46752 TA |
61 | |
62 | /* The container to dump */ | |
63 | struct lxc_container *c; | |
64 | ||
73d46752 | 65 | /* dump: stop the container or not after dumping? */ |
4b54788e | 66 | char tty_id[32]; /* the criu tty id for /dev/console, i.e. "tty[${rdev}:${dev}]" */ |
73d46752 TA |
67 | |
68 | /* restore: the file to write the init process' pid into */ | |
0ab5703f | 69 | struct lxc_handler *handler; |
4b54788e TA |
70 | int console_fd; |
71 | /* The path that is bind mounted from /dev/console, if any. We don't | |
41808e20 | 72 | * want to use `--ext-mount-map auto`'s result here because the pty |
4b54788e | 73 | * device may have a different path (e.g. if the pty number is |
3aed4934 | 74 | * different) on the target host. NULL if lxc.console.path = "none". |
4b54788e TA |
75 | */ |
76 | char *console_name; | |
f1954503 AR |
77 | |
78 | /* The detected version of criu */ | |
79 | char *criu_version; | |
73d46752 TA |
80 | }; |
81 | ||
4b54788e TA |
82 | static int load_tty_major_minor(char *directory, char *output, int len) |
83 | { | |
4b54788e | 84 | char path[PATH_MAX]; |
c3e48967 | 85 | ssize_t ret; |
4b54788e | 86 | |
8eaa5ae3 CB |
87 | ret = strnprintf(path, sizeof(path), "%s/tty.info", directory); |
88 | if (ret < 0) | |
c3e48967 | 89 | return ret_errno(EIO); |
4b54788e | 90 | |
c3e48967 CB |
91 | ret = lxc_read_from_file(path, output, len); |
92 | if (ret < 0) { | |
93 | /* | |
94 | * This means we're coming from a liblxc which didn't export | |
3aed4934 CB |
95 | * the tty info. In this case they had to have lxc.console.path |
96 | * = * none, so there's no problem restoring. | |
4b54788e TA |
97 | */ |
98 | if (errno == ENOENT) | |
99 | return 0; | |
100 | ||
c3e48967 | 101 | return log_error_errno(-errno, errno, "Failed to open \"%s\"", path); |
4b54788e TA |
102 | } |
103 | ||
4b54788e TA |
104 | return 0; |
105 | } | |
106 | ||
74ad3607 FB |
107 | static int cmp_version(const char *v1, const char *v2) |
108 | { | |
109 | int ret; | |
110 | int oct_v1[3], oct_v2[3]; | |
111 | ||
112 | memset(oct_v1, -1, sizeof(oct_v1)); | |
113 | memset(oct_v2, -1, sizeof(oct_v2)); | |
114 | ||
115 | ret = sscanf(v1, "%d.%d.%d", &oct_v1[0], &oct_v1[1], &oct_v1[2]); | |
116 | if (ret < 1) | |
117 | return -1; | |
118 | ||
119 | ret = sscanf(v2, "%d.%d.%d", &oct_v2[0], &oct_v2[1], &oct_v2[2]); | |
120 | if (ret < 1) | |
121 | return -1; | |
122 | ||
123 | /* Major version is greater. */ | |
124 | if (oct_v1[0] > oct_v2[0]) | |
125 | return 1; | |
126 | ||
127 | if (oct_v1[0] < oct_v2[0]) | |
128 | return -1; | |
129 | ||
130 | /* Minor number is greater.*/ | |
131 | if (oct_v1[1] > oct_v2[1]) | |
132 | return 1; | |
133 | ||
134 | if (oct_v1[1] < oct_v2[1]) | |
135 | return -1; | |
136 | ||
137 | /* Patch number is greater. */ | |
138 | if (oct_v1[2] > oct_v2[2]) | |
139 | return 1; | |
140 | ||
141 | /* Patch numbers are equal. */ | |
142 | if (oct_v1[2] == oct_v2[2]) | |
143 | return 0; | |
144 | ||
145 | return -1; | |
146 | } | |
147 | ||
59d8a539 CB |
148 | struct criu_exec_args { |
149 | int argc; | |
150 | char *argv[]; | |
151 | }; | |
152 | ||
153 | static void put_criu_exec_args(struct criu_exec_args *args) | |
e29fe1dd | 154 | { |
59d8a539 CB |
155 | if (args) { |
156 | for (int i = 0; i < args->argc; i++) | |
157 | free_disarm(args->argv[i]); | |
158 | free_disarm(args); | |
159 | } | |
160 | } | |
161 | ||
162 | define_cleanup_function(struct criu_exec_args *, put_criu_exec_args); | |
163 | ||
164 | static int exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, | |
165 | struct criu_opts *opts) | |
166 | { | |
167 | call_cleaner(put_criu_exec_args) struct criu_exec_args *args = NULL; | |
6eff3c0d | 168 | __do_fclose FILE *f_mnt = NULL; |
59d8a539 CB |
169 | char log[PATH_MAX]; |
170 | int static_args = 23, ret; | |
e29fe1dd | 171 | int netnr = 0; |
5f4e44a2 | 172 | struct mntent mntent; |
d696c45e CB |
173 | struct lxc_netdev *netdev; |
174 | struct string_entry *strentry; | |
e29fe1dd | 175 | |
0e4be3cf | 176 | char buf[4096], ttys[32]; |
5af85cb1 | 177 | |
e9195050 TA |
178 | /* If we are currently in a cgroup /foo/bar, and the container is in a |
179 | * cgroup /lxc/foo, lxcfs will give us an ENOENT if some task in the | |
180 | * container has an open fd that points to one of the cgroup files | |
181 | * (systemd always opens its "root" cgroup). So, let's escape to the | |
182 | * /actual/ root cgroup so that lxcfs thinks criu has enough rights to | |
183 | * see all cgroups. | |
184 | */ | |
59d8a539 CB |
185 | if (!cgroup_ops->criu_escape(cgroup_ops, conf)) |
186 | return log_error_errno(-ENOENT, ENOENT, "Failed to escape to root cgroup"); | |
e9195050 | 187 | |
e29fe1dd | 188 | /* The command line always looks like: |
19d1509c | 189 | * criu $(action) --tcp-established --file-locks --link-remap \ |
5f178bc9 | 190 | * --manage-cgroups=full --action-script foo.sh -D $(directory) \ |
e29fe1dd TA |
191 | * -o $(directory)/$(action).log --ext-mount-map auto |
192 | * --enable-external-sharing --enable-external-masters | |
4b54788e | 193 | * --enable-fs hugetlbfs --enable-fs tracefs --ext-mount-map console:/dev/pts/n |
e29fe1dd TA |
194 | * +1 for final NULL */ |
195 | ||
066af2cb | 196 | if (strequal(opts->action, "dump") || strequal(opts->action, "pre-dump")) { |
dc259399 TA |
197 | /* -t pid --freeze-cgroup /lxc/ct */ |
198 | static_args += 4; | |
e29fe1dd | 199 | |
aef3d51e | 200 | /* --prev-images-dir <path-to-directory-A-relative-to-B> */ |
b2c3710f | 201 | if (opts->user->predump_dir) |
aef3d51e TA |
202 | static_args += 2; |
203 | ||
74eb576c | 204 | /* --page-server --address <address> --port <port> */ |
b2c3710f | 205 | if (opts->user->pageserver_address && opts->user->pageserver_port) |
74eb576c NE |
206 | static_args += 5; |
207 | ||
aef3d51e | 208 | /* --leave-running (only for final dump) */ |
066af2cb | 209 | if (strequal(opts->action, "dump") && !opts->user->stop) |
e29fe1dd | 210 | static_args++; |
4b54788e TA |
211 | |
212 | /* --external tty[88,4] */ | |
213 | if (opts->tty_id[0]) | |
214 | static_args += 2; | |
19d1509c TA |
215 | |
216 | /* --force-irmap */ | |
217 | if (!opts->user->preserves_inodes) | |
218 | static_args++; | |
b2b7b0d2 TA |
219 | |
220 | /* --ghost-limit 1024 */ | |
221 | if (opts->user->ghost_limit) | |
222 | static_args += 2; | |
066af2cb | 223 | } else if (strequal(opts->action, "restore")) { |
e29fe1dd | 224 | /* --root $(lxc_mount_point) --restore-detached |
0ab5703f | 225 | * --restore-sibling |
13389b29 TA |
226 | * --lsm-profile apparmor:whatever |
227 | */ | |
0ab5703f | 228 | static_args += 6; |
4b54788e | 229 | |
0e4be3cf CB |
230 | ttys[0] = 0; |
231 | if (load_tty_major_minor(opts->user->directory, ttys, sizeof(ttys))) | |
59d8a539 | 232 | return log_error_errno(-EINVAL, EINVAL, "Failed to load tty information"); |
4b54788e TA |
233 | |
234 | /* --inherit-fd fd[%d]:tty[%s] */ | |
0e4be3cf | 235 | if (ttys[0]) |
4b54788e | 236 | static_args += 2; |
59d8a539 | 237 | |
d696c45e | 238 | static_args += list_len(netdev, &opts->c->lxc_conf->netdevs, head) * 2; |
e29fe1dd | 239 | } else { |
59d8a539 | 240 | return log_error_errno(-EINVAL, EINVAL, "Invalid criu operation specified"); |
e29fe1dd TA |
241 | } |
242 | ||
ff9edd2d CB |
243 | if (cgroup_ops->criu_num_hierarchies(cgroup_ops) > 0) |
244 | static_args += 2 * cgroup_ops->criu_num_hierarchies(cgroup_ops); | |
0ab5703f | 245 | |
b2c3710f | 246 | if (opts->user->verbose) |
e29fe1dd TA |
247 | static_args++; |
248 | ||
b9ee6643 TA |
249 | if (opts->user->action_script) |
250 | static_args += 2; | |
251 | ||
d696c45e | 252 | static_args += 2 * list_len(strentry, &opts->c->lxc_conf->mount_entries, head); |
5f4e44a2 | 253 | |
8eaa5ae3 CB |
254 | ret = strnprintf(log, sizeof(log), "%s/%s.log", opts->user->directory, opts->action); |
255 | if (ret < 0) | |
59d8a539 | 256 | return ret_errno(EIO); |
e29fe1dd | 257 | |
59d8a539 CB |
258 | args = zalloc(sizeof(struct criu_exec_args) + (static_args * sizeof(char **))); |
259 | if (!args) | |
260 | return log_error_errno(-ENOMEM, ENOMEM, "Failed to allocate static arguments"); | |
261 | ||
262 | #define DECLARE_ARG(arg) \ | |
263 | do { \ | |
264 | if (arg == NULL) \ | |
265 | return log_error_errno(-EINVAL, EINVAL, \ | |
266 | "Got NULL argument for criu"); \ | |
267 | args->argv[(args->argc)++] = strdup(arg); \ | |
268 | if (!args->argv[args->argc - 1]) \ | |
269 | return log_error_errno(-ENOMEM, ENOMEM, \ | |
270 | "Failed to duplicate argumen %s", arg); \ | |
e29fe1dd TA |
271 | } while (0) |
272 | ||
59d8a539 CB |
273 | args->argv[(args->argc)++] = on_path("criu", NULL); |
274 | if (!args->argv[args->argc - 1]) | |
275 | return log_error_errno(-ENOENT, ENOENT, "Failed to find criu binary"); | |
e29fe1dd TA |
276 | |
277 | DECLARE_ARG(opts->action); | |
278 | DECLARE_ARG("--tcp-established"); | |
279 | DECLARE_ARG("--file-locks"); | |
280 | DECLARE_ARG("--link-remap"); | |
0a5fc6df | 281 | DECLARE_ARG("--manage-cgroups=full"); |
e29fe1dd TA |
282 | DECLARE_ARG("--ext-mount-map"); |
283 | DECLARE_ARG("auto"); | |
284 | DECLARE_ARG("--enable-external-sharing"); | |
285 | DECLARE_ARG("--enable-external-masters"); | |
dd62857a TA |
286 | DECLARE_ARG("--enable-fs"); |
287 | DECLARE_ARG("hugetlbfs"); | |
5b454329 TA |
288 | DECLARE_ARG("--enable-fs"); |
289 | DECLARE_ARG("tracefs"); | |
e29fe1dd | 290 | DECLARE_ARG("-D"); |
b2c3710f | 291 | DECLARE_ARG(opts->user->directory); |
e29fe1dd TA |
292 | DECLARE_ARG("-o"); |
293 | DECLARE_ARG(log); | |
294 | ||
59d8a539 CB |
295 | for (int i = 0; i < cgroup_ops->criu_num_hierarchies(cgroup_ops); i++) { |
296 | __do_free char *cgroup_base_path = NULL, *controllers; | |
297 | char **controllers_list = NULL; | |
298 | char *tmp; | |
0ab5703f | 299 | |
59d8a539 CB |
300 | if (!cgroup_ops->criu_get_hierarchies(cgroup_ops, i, &controllers_list)) |
301 | return log_error_errno(-ENOENT, ENOENT, "Failed to retrieve cgroup hierarchies %d", i); | |
0ab5703f | 302 | |
59d8a539 CB |
303 | /* |
304 | * If we are in a dump, we have to ask the monitor process what | |
0ab5703f TA |
305 | * the right cgroup is. if this is a restore, we can just use |
306 | * the handler the restore task created. | |
307 | */ | |
066af2cb | 308 | if (strequal(opts->action, "dump") || strequal(opts->action, "pre-dump")) { |
a9b642ee | 309 | cgroup_base_path = lxc_cmd_get_limit_cgroup_path(opts->c->name, opts->c->config_path, controllers_list[0]); |
59d8a539 | 310 | if (!cgroup_base_path) |
a9b642ee | 311 | return log_error_errno(-ENOENT, ENOENT, "Failed to retrieve limit cgroup path for %s", controllers_list[0] ?: "(null)"); |
0ab5703f TA |
312 | } else { |
313 | const char *p; | |
314 | ||
a9b642ee | 315 | p = cgroup_ops->get_limit_cgroup(cgroup_ops, controllers_list[0]); |
59d8a539 | 316 | if (!p) |
a9b642ee | 317 | return log_error_errno(-ENOENT, ENOENT, "Failed to retrieve limit cgroup path for %s", controllers_list[0] ?: "(null)"); |
0ab5703f | 318 | |
59d8a539 CB |
319 | cgroup_base_path = strdup(p); |
320 | if (!cgroup_base_path) | |
a9b642ee | 321 | return log_error_errno(-ENOMEM, ENOMEM, "Failed to duplicate limit cgroup path"); |
0ab5703f TA |
322 | } |
323 | ||
539c3977 | 324 | tmp = lxc_path_simplify(cgroup_base_path); |
59d8a539 | 325 | if (!tmp) |
bdb8aeda | 326 | return log_error_errno(-ENOMEM, ENOMEM, "Failed to remove extraneous slashes from \"%s\"", cgroup_base_path); |
59d8a539 | 327 | free_move_ptr(cgroup_base_path, tmp); |
0ab5703f | 328 | |
92fde26d CB |
329 | if (controllers_list[0]) { |
330 | controllers = lxc_string_join(",", (const char **)controllers_list, false); | |
331 | if (!controllers) | |
332 | return log_error_errno(-ENOMEM, ENOMEM, "Failed to join controllers"); | |
59d8a539 | 333 | |
92fde26d CB |
334 | ret = sprintf(buf, "%s:%s", controllers, cgroup_base_path); |
335 | } else { | |
336 | WARN("No cgroup controllers configured in container's cgroup %s", cgroup_base_path); | |
337 | ret = sprintf(buf, "%s", cgroup_base_path); | |
338 | } | |
402770b6 | 339 | if (ret < 0 || (size_t)ret >= sizeof(buf)) |
59d8a539 | 340 | return log_error_errno(-EIO, EIO, "sprintf of cgroup root arg failed"); |
0ab5703f TA |
341 | |
342 | DECLARE_ARG("--cgroup-root"); | |
343 | DECLARE_ARG(buf); | |
344 | } | |
345 | ||
b2c3710f | 346 | if (opts->user->verbose) |
582cb478 | 347 | DECLARE_ARG("-v4"); |
e29fe1dd | 348 | |
b9ee6643 TA |
349 | if (opts->user->action_script) { |
350 | DECLARE_ARG("--action-script"); | |
351 | DECLARE_ARG(opts->user->action_script); | |
352 | } | |
353 | ||
be0bc4d1 | 354 | f_mnt = make_anonymous_mount_file(&opts->c->lxc_conf->mount_entries, |
1800f924 | 355 | opts->c->lxc_conf->lsm_aa_allow_nesting); |
6eff3c0d | 356 | if (!f_mnt) |
59d8a539 | 357 | return log_error_errno(-ENOENT, ENOENT, "Failed to create anonymous mount file"); |
5f4e44a2 | 358 | |
6eff3c0d | 359 | while (getmntent_r(f_mnt, &mntent, buf, sizeof(buf))) { |
5257b91b | 360 | __do_free char *mnt_options = NULL; |
a08bfbe3 | 361 | unsigned long flags = 0; |
5f4e44a2 | 362 | char arg[2 * PATH_MAX + 2]; |
19d2422b | 363 | |
d94eb390 | 364 | if (parse_mntopts_legacy(mntent.mnt_opts, &flags, &mnt_options) < 0) |
59d8a539 | 365 | return log_error_errno(-EINVAL, EINVAL, "Failed to parse mount options"); |
19d2422b | 366 | |
19d2422b TA |
367 | /* only add --ext-mount-map for actual bind mounts */ |
368 | if (!(flags & MS_BIND)) | |
369 | continue; | |
5f4e44a2 | 370 | |
066af2cb | 371 | if (strequal(opts->action, "dump")) |
8eaa5ae3 | 372 | ret = strnprintf(arg, sizeof(arg), "/%s:%s", mntent.mnt_dir, mntent.mnt_dir); |
d07545c7 | 373 | else |
8eaa5ae3 CB |
374 | ret = strnprintf(arg, sizeof(arg), "%s:%s", mntent.mnt_dir, mntent.mnt_fsname); |
375 | if (ret < 0) | |
59d8a539 | 376 | return log_error_errno(-EIO, EIO, "Failed to create mount entry"); |
5f4e44a2 TA |
377 | |
378 | DECLARE_ARG("--ext-mount-map"); | |
379 | DECLARE_ARG(arg); | |
380 | } | |
5f4e44a2 | 381 | |
066af2cb | 382 | if (strequal(opts->action, "dump") || strequal(opts->action, "pre-dump")) { |
2539492c CB |
383 | pid_t init_pid; |
384 | char init_pid_str[INTTYPE_TO_STRLEN(int)]; | |
385 | char *freezer_relative; | |
e29fe1dd | 386 | |
2539492c CB |
387 | init_pid = opts->c->init_pid(opts->c); |
388 | if (init_pid < 0) | |
389 | return log_error_errno(-ESRCH, ESRCH, "Failed to retrieve init pid of container"); | |
390 | ||
8eaa5ae3 CB |
391 | ret = strnprintf(init_pid_str, sizeof(init_pid_str), "%d", init_pid); |
392 | if (ret < 0) | |
2539492c | 393 | return log_error_errno(-EIO, EIO, "Failed to create entry for init pid of container"); |
e29fe1dd TA |
394 | |
395 | DECLARE_ARG("-t"); | |
2539492c | 396 | DECLARE_ARG(init_pid_str); |
dc259399 | 397 | |
a9b642ee CB |
398 | freezer_relative = lxc_cmd_get_limit_cgroup_path(opts->c->name, |
399 | opts->c->config_path, | |
400 | "freezer"); | |
59d8a539 CB |
401 | if (!freezer_relative) |
402 | return log_error_errno(-ENOENT, ENOENT, "Failed getting freezer path"); | |
dc259399 | 403 | |
928b065d | 404 | if (pure_unified_layout(cgroup_ops)) |
8eaa5ae3 | 405 | ret = strnprintf(log, sizeof(log), "/sys/fs/cgroup/%s", freezer_relative); |
928b065d | 406 | else |
8eaa5ae3 CB |
407 | ret = strnprintf(log, sizeof(log), "/sys/fs/cgroup/freezer/%s", freezer_relative); |
408 | if (ret < 0) | |
59d8a539 | 409 | return log_error_errno(-EIO, EIO, "Failed to freezer cgroup entry"); |
dc259399 | 410 | |
f1954503 | 411 | if (!opts->user->disable_skip_in_flight && |
066af2cb | 412 | strcmp(opts->criu_version, CRIU_IN_FLIGHT_SUPPORT) >= 0) |
f1954503 AR |
413 | DECLARE_ARG("--skip-in-flight"); |
414 | ||
dc259399 TA |
415 | DECLARE_ARG("--freeze-cgroup"); |
416 | DECLARE_ARG(log); | |
417 | ||
4b54788e | 418 | if (opts->tty_id[0]) { |
36d2096c TA |
419 | DECLARE_ARG("--ext-mount-map"); |
420 | DECLARE_ARG("/dev/console:console"); | |
421 | ||
4b54788e TA |
422 | DECLARE_ARG("--external"); |
423 | DECLARE_ARG(opts->tty_id); | |
424 | } | |
425 | ||
b2c3710f | 426 | if (opts->user->predump_dir) { |
aef3d51e | 427 | DECLARE_ARG("--prev-images-dir"); |
b2c3710f | 428 | DECLARE_ARG(opts->user->predump_dir); |
9f99a33f | 429 | DECLARE_ARG("--track-mem"); |
74eb576c | 430 | } |
4c0c0319 | 431 | |
b2c3710f | 432 | if (opts->user->pageserver_address && opts->user->pageserver_port) { |
74eb576c NE |
433 | DECLARE_ARG("--page-server"); |
434 | DECLARE_ARG("--address"); | |
b2c3710f | 435 | DECLARE_ARG(opts->user->pageserver_address); |
74eb576c | 436 | DECLARE_ARG("--port"); |
b2c3710f | 437 | DECLARE_ARG(opts->user->pageserver_port); |
74eb576c | 438 | } |
aef3d51e | 439 | |
19d1509c TA |
440 | if (!opts->user->preserves_inodes) |
441 | DECLARE_ARG("--force-irmap"); | |
442 | ||
b2b7b0d2 TA |
443 | if (opts->user->ghost_limit) { |
444 | char ghost_limit[32]; | |
445 | ||
9b945f13 | 446 | ret = sprintf(ghost_limit, "%"PRIu64, opts->user->ghost_limit); |
402770b6 | 447 | if (ret < 0 || (size_t)ret >= sizeof(ghost_limit)) |
59d8a539 | 448 | return log_error_errno(-EIO, EIO, "Failed to print ghost limit %"PRIu64, opts->user->ghost_limit); |
b2b7b0d2 TA |
449 | |
450 | DECLARE_ARG("--ghost-limit"); | |
451 | DECLARE_ARG(ghost_limit); | |
452 | } | |
453 | ||
aef3d51e | 454 | /* only for final dump */ |
066af2cb | 455 | if (strequal(opts->action, "dump") && !opts->user->stop) |
e29fe1dd | 456 | DECLARE_ARG("--leave-running"); |
066af2cb | 457 | } else if (strequal(opts->action, "restore")) { |
13389b29 | 458 | struct lxc_conf *lxc_conf = opts->c->lxc_conf; |
e29fe1dd TA |
459 | |
460 | DECLARE_ARG("--root"); | |
461 | DECLARE_ARG(opts->c->lxc_conf->rootfs.mount); | |
462 | DECLARE_ARG("--restore-detached"); | |
463 | DECLARE_ARG("--restore-sibling"); | |
e29fe1dd | 464 | |
0e4be3cf | 465 | if (ttys[0]) { |
59d8a539 CB |
466 | if (opts->console_fd < 0) |
467 | return log_error_errno(-EINVAL, EINVAL, "lxc.console.path configured on source host but not target"); | |
97e4f1a9 | 468 | |
8eaa5ae3 CB |
469 | ret = strnprintf(buf, sizeof(buf), "fd[%d]:%s", opts->console_fd, ttys); |
470 | if (ret < 0) | |
59d8a539 | 471 | return log_error_errno(-EIO, EIO, "Failed to create console entry"); |
4b54788e TA |
472 | |
473 | DECLARE_ARG("--inherit-fd"); | |
474 | DECLARE_ARG(buf); | |
475 | } | |
476 | if (opts->console_name) { | |
8eaa5ae3 | 477 | if (strnprintf(buf, sizeof(buf), "console:%s", opts->console_name) < 0) |
59d8a539 CB |
478 | return log_error_errno(-EIO, EIO, "Failed to create console entry"); |
479 | ||
4b54788e TA |
480 | DECLARE_ARG("--ext-mount-map"); |
481 | DECLARE_ARG(buf); | |
482 | } | |
483 | ||
13389b29 TA |
484 | if (lxc_conf->lsm_aa_profile || lxc_conf->lsm_se_context) { |
485 | ||
486 | if (lxc_conf->lsm_aa_profile) | |
8eaa5ae3 | 487 | ret = strnprintf(buf, sizeof(buf), "apparmor:%s", lxc_conf->lsm_aa_profile); |
13389b29 | 488 | else |
8eaa5ae3 CB |
489 | ret = strnprintf(buf, sizeof(buf), "selinux:%s", lxc_conf->lsm_se_context); |
490 | if (ret < 0) | |
59d8a539 | 491 | return log_error_errno(-EIO, EIO, "Failed to create lsm entry"); |
13389b29 TA |
492 | |
493 | DECLARE_ARG("--lsm-profile"); | |
494 | DECLARE_ARG(buf); | |
495 | } | |
496 | ||
87d0990c | 497 | list_for_each_entry(netdev, &opts->c->lxc_conf->netdevs, head) { |
9de31d5a | 498 | size_t retlen; |
e29fe1dd | 499 | char eth[128], *veth; |
46c8ffd5 AR |
500 | bool external_not_veth; |
501 | ||
74ad3607 | 502 | if (cmp_version(opts->criu_version, CRIU_EXTERNAL_NOT_VETH) >= 0) { |
46c8ffd5 AR |
503 | /* Since criu version 2.8 the usage of --veth-pair |
504 | * has been deprecated: | |
505 | * git tag --contains f2037e6d3445fc400 | |
506 | * v2.8 */ | |
507 | external_not_veth = true; | |
508 | } else { | |
509 | external_not_veth = false; | |
510 | } | |
e29fe1dd | 511 | |
87d0990c CB |
512 | if (netdev->name[0] != '\0') { |
513 | retlen = strlcpy(eth, netdev->name, sizeof(eth)); | |
9de31d5a | 514 | if (retlen >= sizeof(eth)) |
59d8a539 | 515 | return log_error_errno(-E2BIG, E2BIG, "Failed to append veth device name"); |
796a109d | 516 | } else { |
8eaa5ae3 CB |
517 | ret = strnprintf(eth, sizeof(eth), "eth%d", netnr); |
518 | if (ret < 0) | |
59d8a539 | 519 | return log_error_errno(-E2BIG, E2BIG, "Failed to append veth device name"); |
796a109d | 520 | } |
e29fe1dd | 521 | |
87d0990c | 522 | switch (netdev->type) { |
e2697330 | 523 | case LXC_NET_VETH: |
87d0990c | 524 | veth = netdev->priv.veth_attr.pair; |
ea7f6b29 | 525 | if (veth[0] == '\0') |
87d0990c | 526 | veth = netdev->priv.veth_attr.veth1; |
e29fe1dd | 527 | |
87d0990c | 528 | if (netdev->link[0] != '\0') { |
46c8ffd5 | 529 | if (external_not_veth) |
87d0990c | 530 | ret = strnprintf(buf, sizeof(buf), "veth[%s]:%s@%s", eth, veth, netdev->link); |
46c8ffd5 | 531 | else |
87d0990c | 532 | ret = strnprintf(buf, sizeof(buf), "%s=%s@%s", eth, veth, netdev->link); |
46c8ffd5 AR |
533 | } else { |
534 | if (external_not_veth) | |
8eaa5ae3 | 535 | ret = strnprintf(buf, sizeof(buf), "veth[%s]:%s", eth, veth); |
46c8ffd5 | 536 | else |
8eaa5ae3 | 537 | ret = strnprintf(buf, sizeof(buf), "%s=%s", eth, veth); |
46c8ffd5 | 538 | } |
8eaa5ae3 | 539 | if (ret < 0) |
59d8a539 | 540 | return log_error_errno(-EIO, EIO, "Failed to append veth device name"); |
2541dfab CB |
541 | |
542 | TRACE("Added veth device entry %s", buf); | |
e2697330 TA |
543 | break; |
544 | case LXC_NET_MACVLAN: | |
87d0990c CB |
545 | if (netdev->link[0] == '\0') |
546 | return log_error_errno(-EINVAL, EINVAL, "Failed to find host interface for macvlan %s", netdev->name); | |
e2697330 | 547 | |
87d0990c | 548 | ret = strnprintf(buf, sizeof(buf), "macvlan[%s]:%s", eth, netdev->link); |
8eaa5ae3 | 549 | if (ret < 0) |
59d8a539 | 550 | return log_error_errno(-EIO, EIO, "Failed to add macvlan entry"); |
2541dfab CB |
551 | |
552 | TRACE("Added macvlan device entry %s", buf); | |
553 | ||
0109a13d CB |
554 | break; |
555 | case LXC_NET_PHYS: | |
556 | if (cmp_version(opts->criu_version, CRIU_EXTERNAL_NETDEV) < 0) | |
557 | return syserror_set(-EOPNOTSUPP, "Restoring physical network devices not supported"); | |
558 | ||
559 | if (is_empty_string(netdev->link)) | |
560 | return syserror_set(-EINVAL, "Specifying link is required"); | |
561 | ||
562 | ret = strnprintf(buf, sizeof(buf), "netdev[%s]:%s", eth, netdev->link); | |
563 | if (ret < 0) | |
564 | return syserror_set(-EIO, "Failed to append phys device name"); | |
565 | ||
566 | TRACE("Added phys device entry %s", buf); | |
e2697330 TA |
567 | break; |
568 | case LXC_NET_NONE: | |
0109a13d | 569 | __fallthrough; |
e2697330 TA |
570 | case LXC_NET_EMPTY: |
571 | break; | |
572 | default: | |
573 | /* we have screened for this earlier... */ | |
87d0990c | 574 | return log_error_errno(-EINVAL, EINVAL, "Unsupported network type %d", netdev->type); |
e2697330 | 575 | } |
e29fe1dd | 576 | |
46c8ffd5 AR |
577 | if (external_not_veth) |
578 | DECLARE_ARG("--external"); | |
579 | else | |
580 | DECLARE_ARG("--veth-pair"); | |
e29fe1dd | 581 | DECLARE_ARG(buf); |
2f3fbc6b | 582 | netnr++; |
e29fe1dd TA |
583 | } |
584 | ||
585 | } | |
586 | ||
59d8a539 | 587 | args->argv[args->argc] = NULL; |
e29fe1dd | 588 | |
2541dfab CB |
589 | if (lxc_log_trace()) { |
590 | buf[0] = 0; | |
591 | for (int i = 0, pos = 0; i < args->argc && args->argv[i]; i++) { | |
8eaa5ae3 CB |
592 | ret = strnprintf(buf + pos, sizeof(buf) - pos, "%s ", args->argv[i]); |
593 | if (ret < 0) | |
2541dfab CB |
594 | return log_error_errno(-EIO, EIO, "Failed to reorder entries"); |
595 | else | |
596 | pos += ret; | |
597 | } | |
72a30576 | 598 | |
2541dfab | 599 | TRACE("Using command line %s", buf); |
cf4b07a5 TA |
600 | } |
601 | ||
5af85cb1 TA |
602 | /* before criu inits its log, it sometimes prints things to stdout/err; |
603 | * let's be sure we capture that. | |
604 | */ | |
59d8a539 CB |
605 | if (dup2(opts->pipefd, STDOUT_FILENO) < 0) |
606 | return log_error_errno(-errno, errno, "Failed to duplicate stdout"); | |
5af85cb1 | 607 | |
59d8a539 CB |
608 | if (dup2(opts->pipefd, STDERR_FILENO) < 0) |
609 | return log_error_errno(-errno, errno, "Failed to duplicate stderr"); | |
5af85cb1 TA |
610 | |
611 | close(opts->pipefd); | |
612 | ||
e29fe1dd | 613 | #undef DECLARE_ARG |
59d8a539 CB |
614 | execv(args->argv[0], args->argv); |
615 | return -ENOEXEC; | |
e29fe1dd TA |
616 | } |
617 | ||
b5b12b9e AR |
618 | /* |
619 | * Function to check if the checks activated in 'features_to_check' are | |
620 | * available with the current architecture/kernel/criu combination. | |
621 | * | |
622 | * Parameter features_to_check is a bit mask of all features that should be | |
623 | * checked (see feature check defines in lxc/lxccontainer.h). | |
624 | * | |
625 | * If the return value is true, all requested features are supported. If | |
626 | * the return value is false the features_to_check parameter is updated | |
627 | * to reflect which features are available. '0' means no feature but | |
628 | * also that something went totally wrong. | |
629 | * | |
630 | * Some of the code flow of criu_version_ok() is duplicated and maybe it | |
631 | * is a good candidate for refactoring. | |
632 | */ | |
633 | bool __criu_check_feature(uint64_t *features_to_check) | |
634 | { | |
635 | pid_t pid; | |
636 | uint64_t current_bit = 0; | |
637 | int ret; | |
fca23691 | 638 | uint64_t features = *features_to_check; |
b5b12b9e AR |
639 | /* Feature checking is currently always like |
640 | * criu check --feature <feature-name> | |
641 | */ | |
642 | char *args[] = { "criu", "check", "--feature", NULL, NULL }; | |
643 | ||
644 | if ((features & ~FEATURE_MEM_TRACK & ~FEATURE_LAZY_PAGES) != 0) { | |
645 | /* There are feature bits activated we do not understand. | |
646 | * Refusing to answer at all */ | |
647 | *features_to_check = 0; | |
648 | return false; | |
649 | } | |
650 | ||
6d61f17d | 651 | while (current_bit < (sizeof(uint64_t) * 8 - 1)) { |
b5b12b9e AR |
652 | /* only test requested features */ |
653 | if (!(features & (1ULL << current_bit))) { | |
654 | /* skip this */ | |
655 | current_bit++; | |
656 | continue; | |
657 | } | |
658 | ||
659 | pid = fork(); | |
660 | if (pid < 0) { | |
661 | SYSERROR("fork() failed"); | |
662 | *features_to_check = 0; | |
663 | return false; | |
664 | } | |
665 | ||
666 | if (pid == 0) { | |
667 | if ((1ULL << current_bit) == FEATURE_MEM_TRACK) | |
668 | /* This is needed for pre-dump support, which | |
669 | * enables pre-copy migration. */ | |
670 | args[3] = "mem_dirty_track"; | |
671 | else if ((1ULL << current_bit) == FEATURE_LAZY_PAGES) | |
672 | /* CRIU has two checks for userfaultfd support. | |
673 | * | |
674 | * The simpler check is only for 'uffd'. If the | |
675 | * kernel supports userfaultfd without noncoop | |
676 | * then only process can be lazily restored | |
677 | * which do not fork. With 'uffd-noncoop' | |
678 | * it is also possible to lazily restore processes | |
679 | * which do fork. For a container runtime like | |
680 | * LXC checking only for 'uffd' makes not much sense. */ | |
681 | args[3] = "uffd-noncoop"; | |
682 | else | |
4f43526d | 683 | _exit(EXIT_FAILURE); |
b5b12b9e AR |
684 | |
685 | null_stdfds(); | |
686 | ||
687 | execvp("criu", args); | |
688 | SYSERROR("Failed to exec \"criu\""); | |
4f43526d | 689 | _exit(EXIT_FAILURE); |
b5b12b9e AR |
690 | } |
691 | ||
692 | ret = wait_for_pid(pid); | |
693 | ||
694 | if (ret == -1) { | |
695 | /* It is not known why CRIU failed. Either | |
696 | * CRIU is not available, the feature check | |
697 | * does not exist or the feature is not | |
698 | * supported. */ | |
699 | INFO("feature not supported"); | |
700 | /* Clear not supported feature bit */ | |
701 | features &= ~(1ULL << current_bit); | |
702 | } | |
703 | ||
704 | current_bit++; | |
705 | /* no more checks requested; exit check loop */ | |
706 | if (!(features & ~((1ULL << current_bit)-1))) | |
707 | break; | |
708 | } | |
709 | if (features != *features_to_check) { | |
710 | *features_to_check = features; | |
711 | return false; | |
712 | } | |
713 | return true; | |
714 | } | |
715 | ||
8ba5ced7 TA |
716 | /* |
717 | * Check to see if the criu version is recent enough for all the features we | |
718 | * use. This version allows either CRIU_VERSION or (CRIU_GITID_VERSION and | |
719 | * CRIU_GITID_PATCHLEVEL) to work, enabling users building from git to c/r | |
720 | * things potentially before a version is released with a particular feature. | |
721 | * | |
722 | * The intent is that when criu development slows down, we can drop this, but | |
723 | * for now we shouldn't attempt to c/r with versions that we know won't work. | |
5407e2ab CB |
724 | * |
725 | * Note: If version != NULL criu_version() stores the detected criu version in | |
726 | * version. Allocates memory for version which must be freed by caller. | |
8ba5ced7 | 727 | */ |
5407e2ab | 728 | static bool criu_version_ok(char **version) |
8ba5ced7 TA |
729 | { |
730 | int pipes[2]; | |
731 | pid_t pid; | |
732 | ||
733 | if (pipe(pipes) < 0) { | |
734 | SYSERROR("pipe() failed"); | |
735 | return false; | |
736 | } | |
737 | ||
738 | pid = fork(); | |
739 | if (pid < 0) { | |
740 | SYSERROR("fork() failed"); | |
741 | return false; | |
742 | } | |
743 | ||
744 | if (pid == 0) { | |
745 | char *args[] = { "criu", "--version", NULL }; | |
755fa453 | 746 | char *path; |
8ba5ced7 TA |
747 | close(pipes[0]); |
748 | ||
749 | close(STDERR_FILENO); | |
750 | if (dup2(pipes[1], STDOUT_FILENO) < 0) | |
665bb114 | 751 | _exit(EXIT_FAILURE); |
8ba5ced7 | 752 | |
755fa453 | 753 | path = on_path("criu", NULL); |
d9b32b09 | 754 | if (!path) |
665bb114 | 755 | _exit(EXIT_FAILURE); |
d9b32b09 | 756 | |
755fa453 | 757 | execv(path, args); |
665bb114 | 758 | _exit(EXIT_FAILURE); |
8ba5ced7 TA |
759 | } else { |
760 | FILE *f; | |
5407e2ab | 761 | char *tmp; |
8ba5ced7 TA |
762 | int patch; |
763 | ||
764 | close(pipes[1]); | |
765 | if (wait_for_pid(pid) < 0) { | |
766 | close(pipes[0]); | |
4eae4051 | 767 | SYSERROR("execing criu failed, is it installed?"); |
8ba5ced7 TA |
768 | return false; |
769 | } | |
770 | ||
4110345b | 771 | f = fdopen(pipes[0], "re"); |
8ba5ced7 TA |
772 | if (!f) { |
773 | close(pipes[0]); | |
774 | return false; | |
775 | } | |
776 | ||
5407e2ab CB |
777 | tmp = malloc(1024); |
778 | if (!tmp) { | |
779 | fclose(f); | |
780 | return false; | |
781 | } | |
782 | ||
783 | if (fscanf(f, "Version: %1023[^\n]s", tmp) != 1) | |
8ba5ced7 TA |
784 | goto version_error; |
785 | ||
786 | if (fgetc(f) != '\n') | |
787 | goto version_error; | |
788 | ||
5407e2ab | 789 | if (strcmp(tmp, CRIU_VERSION) >= 0) |
8ba5ced7 TA |
790 | goto version_match; |
791 | ||
5407e2ab | 792 | if (fscanf(f, "GitID: v%1023[^-]s", tmp) != 1) |
8ba5ced7 TA |
793 | goto version_error; |
794 | ||
795 | if (fgetc(f) != '-') | |
796 | goto version_error; | |
797 | ||
798 | if (fscanf(f, "%d", &patch) != 1) | |
799 | goto version_error; | |
800 | ||
5407e2ab | 801 | if (strcmp(tmp, CRIU_GITID_VERSION) < 0) |
8ba5ced7 TA |
802 | goto version_error; |
803 | ||
804 | if (patch < CRIU_GITID_PATCHLEVEL) | |
805 | goto version_error; | |
806 | ||
807 | version_match: | |
3158ab5b | 808 | fclose(f); |
5407e2ab CB |
809 | if (!version) |
810 | free(tmp); | |
811 | else | |
812 | *version = tmp; | |
8ba5ced7 TA |
813 | return true; |
814 | ||
815 | version_error: | |
3158ab5b | 816 | fclose(f); |
5407e2ab | 817 | free(tmp); |
9f1f54b0 | 818 | ERROR("must have criu " CRIU_VERSION " or greater to checkpoint/restore"); |
8ba5ced7 TA |
819 | return false; |
820 | } | |
821 | } | |
822 | ||
e29fe1dd TA |
823 | /* Check and make sure the container has a configuration that we know CRIU can |
824 | * dump. */ | |
f1954503 | 825 | static bool criu_ok(struct lxc_container *c, char **criu_version) |
e29fe1dd | 826 | { |
87d0990c | 827 | struct lxc_netdev *netdev; |
e29fe1dd TA |
828 | |
829 | if (geteuid()) { | |
9f1f54b0 | 830 | ERROR("Must be root to checkpoint"); |
e29fe1dd TA |
831 | return false; |
832 | } | |
833 | ||
7177e6b1 DJ |
834 | if (!criu_version_ok(criu_version)) |
835 | return false; | |
836 | ||
e29fe1dd | 837 | /* We only know how to restore containers with veth networks. */ |
87d0990c CB |
838 | list_for_each_entry(netdev, &c->lxc_conf->netdevs, head) { |
839 | switch(netdev->type) { | |
65b20221 TA |
840 | case LXC_NET_VETH: |
841 | case LXC_NET_NONE: | |
842 | case LXC_NET_EMPTY: | |
0109a13d | 843 | case LXC_NET_PHYS: |
e2697330 | 844 | case LXC_NET_MACVLAN: |
65b20221 TA |
845 | break; |
846 | default: | |
87d0990c | 847 | ERROR("Found un-dumpable network: %s (%s)", lxc_net_type_to_str(netdev->type), netdev->name); |
7177e6b1 DJ |
848 | if (criu_version) { |
849 | free(*criu_version); | |
850 | *criu_version = NULL; | |
851 | } | |
e29fe1dd TA |
852 | return false; |
853 | } | |
854 | } | |
855 | ||
e29fe1dd TA |
856 | return true; |
857 | } | |
858 | ||
e29fe1dd TA |
859 | static bool restore_net_info(struct lxc_container *c) |
860 | { | |
7eab8fc6 | 861 | int ret; |
e29fe1dd | 862 | bool has_error = true; |
87d0990c | 863 | struct lxc_netdev *netdev; |
e29fe1dd TA |
864 | |
865 | if (container_mem_lock(c)) | |
866 | return false; | |
867 | ||
87d0990c | 868 | list_for_each_entry(netdev, &c->lxc_conf->netdevs, head) { |
e29fe1dd | 869 | char template[IFNAMSIZ]; |
65b20221 TA |
870 | |
871 | if (netdev->type != LXC_NET_VETH) | |
872 | continue; | |
873 | ||
8eaa5ae3 CB |
874 | ret = strnprintf(template, sizeof(template), "vethXXXXXX"); |
875 | if (ret < 0) | |
7eab8fc6 | 876 | goto out_unlock; |
e29fe1dd | 877 | |
de4855a8 CB |
878 | if (netdev->priv.veth_attr.pair[0] == '\0' && |
879 | netdev->priv.veth_attr.veth1[0] == '\0') { | |
3646ffd9 | 880 | if (!lxc_ifname_alnum_case_sensitive(template)) |
de4855a8 CB |
881 | goto out_unlock; |
882 | ||
cbb9c7c7 | 883 | (void)strlcpy(netdev->priv.veth_attr.veth1, template, IFNAMSIZ); |
de4855a8 | 884 | } |
e29fe1dd TA |
885 | } |
886 | ||
887 | has_error = false; | |
888 | ||
889 | out_unlock: | |
890 | container_mem_unlock(c); | |
891 | return !has_error; | |
892 | } | |
893 | ||
1a0e70ac | 894 | /* do_restore never returns, the calling process is used as the monitor process. |
5a24adb8 | 895 | * do_restore calls _exit() if it fails. |
1a0e70ac | 896 | */ |
c33b0338 | 897 | static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_opts *opts, char *criu_version) |
e29fe1dd | 898 | { |
5af9369b | 899 | int fd, ret; |
e29fe1dd | 900 | pid_t pid; |
e29fe1dd | 901 | struct lxc_handler *handler; |
113ebd57 | 902 | int status = 0; |
9b1e2e6e | 903 | int pipes[2] = {-1, -1}; |
d9fc9be8 | 904 | struct cgroup_ops *cgroup_ops; |
e29fe1dd | 905 | |
a7fb6043 | 906 | /* Try to detach from the current controlling tty if it exists. |
69e3b3be | 907 | * Otherwise, lxc_init (via lxc_console) will attach the container's |
a7fb6043 TA |
908 | * console output to the current tty, which is probably not what any |
909 | * library user wants, and if they do, they can just manually configure | |
910 | * it :) | |
911 | */ | |
912 | fd = open("/dev/tty", O_RDWR); | |
913 | if (fd >= 0) { | |
914 | if (ioctl(fd, TIOCNOTTY, NULL) < 0) | |
915 | SYSERROR("couldn't detach from tty"); | |
916 | close(fd); | |
917 | } | |
918 | ||
a42abcce | 919 | handler = lxc_init_handler(NULL, c->name, c->lxc_conf, c->config_path, false); |
e29fe1dd TA |
920 | if (!handler) |
921 | goto out; | |
922 | ||
aa460476 CB |
923 | if (lxc_init(c->name, handler) < 0) |
924 | goto out; | |
d9fc9be8 | 925 | cgroup_ops = handler->cgroup_ops; |
aa460476 | 926 | |
d9fc9be8 CB |
927 | if (!cgroup_ops->monitor_create(cgroup_ops, handler)) { |
928 | ERROR("Failed to create monitor cgroup"); | |
929 | goto out_fini_handler; | |
930 | } | |
931 | ||
932 | if (!cgroup_ops->monitor_enter(cgroup_ops, handler)) { | |
933 | ERROR("Failed to enter monitor cgroup"); | |
934 | goto out_fini_handler; | |
935 | } | |
936 | ||
937 | if (!cgroup_ops->monitor_delegate_controllers(cgroup_ops)) { | |
938 | ERROR("Failed to delegate controllers to monitor cgroup"); | |
939 | goto out_fini_handler; | |
940 | } | |
941 | ||
942 | if (!cgroup_ops->payload_create(cgroup_ops, handler)) { | |
943 | ERROR("Failed creating cgroups"); | |
e29fe1dd TA |
944 | goto out_fini_handler; |
945 | } | |
946 | ||
947 | if (!restore_net_info(c)) { | |
948 | ERROR("failed restoring network info"); | |
949 | goto out_fini_handler; | |
950 | } | |
951 | ||
5af9369b CB |
952 | ret = resolve_clone_flags(handler); |
953 | if (ret < 0) { | |
6d1400b5 | 954 | SYSERROR("Unsupported clone flag specified"); |
5af9369b CB |
955 | goto out_fini_handler; |
956 | } | |
e29fe1dd | 957 | |
de31cb57 | 958 | if (pipe2(pipes, O_CLOEXEC) < 0) { |
3d9a5c85 TA |
959 | SYSERROR("pipe() failed"); |
960 | goto out_fini_handler; | |
961 | } | |
962 | ||
e29fe1dd TA |
963 | pid = fork(); |
964 | if (pid < 0) | |
965 | goto out_fini_handler; | |
966 | ||
967 | if (pid == 0) { | |
968 | struct criu_opts os; | |
969 | struct lxc_rootfs *rootfs; | |
4b54788e | 970 | int flags; |
e29fe1dd | 971 | |
3d9a5c85 TA |
972 | close(status_pipe); |
973 | status_pipe = -1; | |
974 | ||
975 | close(pipes[0]); | |
976 | pipes[0] = -1; | |
e29fe1dd TA |
977 | |
978 | if (unshare(CLONE_NEWNS)) | |
979 | goto out_fini_handler; | |
980 | ||
4e86cad3 CB |
981 | ret = lxc_storage_prepare(c->lxc_conf); |
982 | if (ret) | |
983 | goto out_fini_handler; | |
984 | ||
e29fe1dd TA |
985 | /* CRIU needs the lxc root bind mounted so that it is the root of some |
986 | * mount. */ | |
987 | rootfs = &c->lxc_conf->rootfs; | |
988 | ||
989 | if (rootfs_is_blockdev(c->lxc_conf)) { | |
8ce1abc2 CB |
990 | if (lxc_setup_rootfs_prepare_root(c->lxc_conf, c->name, |
991 | c->config_path) < 0) | |
e29fe1dd TA |
992 | goto out_fini_handler; |
993 | } else { | |
994 | if (mkdir(rootfs->mount, 0755) < 0 && errno != EEXIST) | |
995 | goto out_fini_handler; | |
996 | ||
997 | if (mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { | |
998 | SYSERROR("remount / to private failed"); | |
999 | goto out_fini_handler; | |
1000 | } | |
1001 | ||
1002 | if (mount(rootfs->path, rootfs->mount, NULL, MS_BIND, NULL) < 0) { | |
f075e955 | 1003 | (void)rmdir(rootfs->mount); |
e29fe1dd TA |
1004 | goto out_fini_handler; |
1005 | } | |
1006 | } | |
1007 | ||
5af85cb1 | 1008 | os.pipefd = pipes[1]; |
e29fe1dd | 1009 | os.action = "restore"; |
b2c3710f | 1010 | os.user = opts; |
e29fe1dd | 1011 | os.c = c; |
41808e20 | 1012 | os.console_fd = c->lxc_conf->console.pty; |
f1954503 | 1013 | os.criu_version = criu_version; |
0ab5703f | 1014 | os.handler = handler; |
4b54788e | 1015 | |
97e4f1a9 TA |
1016 | if (os.console_fd >= 0) { |
1017 | /* Twiddle the FD_CLOEXEC bit. We want to pass this FD to criu | |
1018 | * via --inherit-fd, so we don't want it to close. | |
1019 | */ | |
1020 | flags = fcntl(os.console_fd, F_GETFD); | |
1021 | if (flags < 0) { | |
1022 | SYSERROR("F_GETFD failed: %d", os.console_fd); | |
1023 | goto out_fini_handler; | |
1024 | } | |
4b54788e | 1025 | |
97e4f1a9 | 1026 | flags &= ~FD_CLOEXEC; |
4b54788e | 1027 | |
97e4f1a9 TA |
1028 | if (fcntl(os.console_fd, F_SETFD, flags) < 0) { |
1029 | SYSERROR("F_SETFD failed"); | |
1030 | goto out_fini_handler; | |
1031 | } | |
4b54788e TA |
1032 | } |
1033 | os.console_name = c->lxc_conf->console.name; | |
e29fe1dd TA |
1034 | |
1035 | /* exec_criu() returning is an error */ | |
b41a8023 | 1036 | ret = exec_criu(handler->cgroup_ops, c->lxc_conf, &os); |
59d8a539 CB |
1037 | if (ret) |
1038 | SYSERROR("Failed to execute criu"); | |
e29fe1dd | 1039 | umount(rootfs->mount); |
f075e955 | 1040 | (void)rmdir(rootfs->mount); |
e29fe1dd TA |
1041 | goto out_fini_handler; |
1042 | } else { | |
e29fe1dd TA |
1043 | char title[2048]; |
1044 | ||
3d9a5c85 TA |
1045 | close(pipes[1]); |
1046 | pipes[1] = -1; | |
1047 | ||
e29fe1dd TA |
1048 | pid_t w = waitpid(pid, &status, 0); |
1049 | if (w == -1) { | |
1050 | SYSERROR("waitpid"); | |
1051 | goto out_fini_handler; | |
1052 | } | |
1053 | ||
e29fe1dd | 1054 | if (WIFEXITED(status)) { |
75d219f0 TA |
1055 | char buf[4096]; |
1056 | ||
e29fe1dd | 1057 | if (WEXITSTATUS(status)) { |
3d9a5c85 TA |
1058 | int n; |
1059 | ||
668ba602 | 1060 | n = lxc_read_nointr(pipes[0], buf, sizeof(buf)); |
3d9a5c85 TA |
1061 | if (n < 0) { |
1062 | SYSERROR("failed reading from criu stderr"); | |
1063 | goto out_fini_handler; | |
1064 | } | |
1065 | ||
2735dfae TA |
1066 | if (n == sizeof(buf)) |
1067 | n--; | |
3d9a5c85 TA |
1068 | buf[n] = 0; |
1069 | ||
9f1f54b0 | 1070 | ERROR("criu process exited %d, output:\n%s", WEXITSTATUS(status), buf); |
e29fe1dd TA |
1071 | goto out_fini_handler; |
1072 | } else { | |
8eaa5ae3 CB |
1073 | ret = strnprintf(buf, sizeof(buf), "/proc/self/task/%lu/children", (unsigned long)syscall(__NR_gettid)); |
1074 | if (ret < 0) { | |
1075 | ERROR("strnprintf'd too many characters: %d", ret); | |
75d219f0 TA |
1076 | goto out_fini_handler; |
1077 | } | |
1078 | ||
4110345b | 1079 | FILE *f = fopen(buf, "re"); |
e29fe1dd | 1080 | if (!f) { |
9f1f54b0 | 1081 | SYSERROR("couldn't read restore's children file %s", buf); |
e29fe1dd TA |
1082 | goto out_fini_handler; |
1083 | } | |
1084 | ||
1085 | ret = fscanf(f, "%d", (int*) &handler->pid); | |
1086 | fclose(f); | |
1087 | if (ret != 1) { | |
1088 | ERROR("reading restore pid failed"); | |
1089 | goto out_fini_handler; | |
1090 | } | |
1091 | ||
f8a41688 TA |
1092 | if (lxc_set_state(c->name, handler, RUNNING)) { |
1093 | ERROR("error setting running state after restore"); | |
e29fe1dd | 1094 | goto out_fini_handler; |
f8a41688 | 1095 | } |
e29fe1dd TA |
1096 | } |
1097 | } else { | |
9f1f54b0 | 1098 | ERROR("CRIU was killed with signal %d", WTERMSIG(status)); |
e29fe1dd TA |
1099 | goto out_fini_handler; |
1100 | } | |
1101 | ||
3d9a5c85 TA |
1102 | close(pipes[0]); |
1103 | ||
614be9bc | 1104 | ret = lxc_write_nointr(status_pipe, &status, sizeof(status)); |
f3886023 TA |
1105 | close(status_pipe); |
1106 | status_pipe = -1; | |
1107 | ||
1108 | if (sizeof(status) != ret) { | |
1109 | SYSERROR("failed to write all of status"); | |
1110 | goto out_fini_handler; | |
1111 | } | |
1112 | ||
e29fe1dd TA |
1113 | /* |
1114 | * See comment in lxcapi_start; we don't care if these | |
1115 | * fail because it's just a beauty thing. We just | |
1116 | * assign the return here to silence potential. | |
1117 | */ | |
8eaa5ae3 CB |
1118 | ret = strnprintf(title, sizeof(title), "[lxc monitor] %s %s", c->config_path, c->name); |
1119 | if (ret < 0) | |
223e30c1 CB |
1120 | INFO("Setting truncated process name"); |
1121 | ||
e29fe1dd | 1122 | ret = setproctitle(title); |
223e30c1 CB |
1123 | if (ret < 0) |
1124 | INFO("Failed to set process name"); | |
e29fe1dd TA |
1125 | |
1126 | ret = lxc_poll(c->name, handler); | |
1127 | if (ret) | |
0c5859ff | 1128 | lxc_abort(handler); |
fd5be714 | 1129 | lxc_end(handler); |
5a24adb8 | 1130 | _exit(ret); |
e29fe1dd TA |
1131 | } |
1132 | ||
1133 | out_fini_handler: | |
3d9a5c85 TA |
1134 | if (pipes[0] >= 0) |
1135 | close(pipes[0]); | |
1136 | if (pipes[1] >= 0) | |
1137 | close(pipes[1]); | |
1138 | ||
fd5be714 | 1139 | lxc_end(handler); |
e29fe1dd TA |
1140 | |
1141 | out: | |
3d9a5c85 | 1142 | if (status_pipe >= 0) { |
f3886023 TA |
1143 | /* ensure getting here was a failure, e.g. if we failed to |
1144 | * parse the child pid or something, even after a successful | |
1145 | * restore | |
1146 | */ | |
1147 | if (!status) | |
1148 | status = 1; | |
113ebd57 | 1149 | |
614be9bc | 1150 | if (lxc_write_nointr(status_pipe, &status, sizeof(status)) != sizeof(status)) |
e29fe1dd | 1151 | SYSERROR("writing status failed"); |
3d9a5c85 | 1152 | close(status_pipe); |
e29fe1dd TA |
1153 | } |
1154 | ||
5a24adb8 | 1155 | _exit(EXIT_FAILURE); |
e29fe1dd | 1156 | } |
aef3d51e | 1157 | |
4b54788e TA |
1158 | static int save_tty_major_minor(char *directory, struct lxc_container *c, char *tty_id, int len) |
1159 | { | |
1160 | FILE *f; | |
1161 | char path[PATH_MAX]; | |
1162 | int ret; | |
1163 | struct stat sb; | |
1164 | ||
066af2cb | 1165 | if (c->lxc_conf->console.path && strequal(c->lxc_conf->console.path, "none")) { |
4b54788e TA |
1166 | tty_id[0] = 0; |
1167 | return 0; | |
1168 | } | |
1169 | ||
8eaa5ae3 CB |
1170 | ret = strnprintf(path, sizeof(path), "/proc/%d/root/dev/console", c->init_pid(c)); |
1171 | if (ret < 0) { | |
1172 | ERROR("strnprintf'd too many characters: %d", ret); | |
4b54788e TA |
1173 | return -1; |
1174 | } | |
1175 | ||
1176 | ret = stat(path, &sb); | |
1177 | if (ret < 0) { | |
1178 | SYSERROR("stat of %s failed", path); | |
1179 | return -1; | |
1180 | } | |
1181 | ||
8eaa5ae3 CB |
1182 | ret = strnprintf(path, sizeof(path), "%s/tty.info", directory); |
1183 | if (ret < 0) { | |
1184 | ERROR("strnprintf'd too many characters: %d", ret); | |
4b54788e TA |
1185 | return -1; |
1186 | } | |
1187 | ||
8eaa5ae3 | 1188 | ret = strnprintf(tty_id, len, "tty[%llx:%llx]", |
f03280a7 TA |
1189 | (long long unsigned) sb.st_rdev, |
1190 | (long long unsigned) sb.st_dev); | |
8eaa5ae3 CB |
1191 | if (ret < 0) { |
1192 | ERROR("strnprintf'd too many characters: %d", ret); | |
4b54788e TA |
1193 | return -1; |
1194 | } | |
1195 | ||
4110345b | 1196 | f = fopen(path, "we"); |
4b54788e TA |
1197 | if (!f) { |
1198 | SYSERROR("failed to open %s", path); | |
1199 | return -1; | |
1200 | } | |
1201 | ||
1202 | ret = fprintf(f, "%s", tty_id); | |
1203 | fclose(f); | |
1204 | if (ret < 0) | |
1205 | SYSERROR("failed to write to %s", path); | |
1206 | return ret; | |
1207 | } | |
1208 | ||
aef3d51e | 1209 | /* do one of either predump or a regular dump */ |
b2c3710f | 1210 | static bool do_dump(struct lxc_container *c, char *mode, struct migrate_opts *opts) |
aef3d51e | 1211 | { |
0e4adc1a | 1212 | int ret; |
aef3d51e | 1213 | pid_t pid; |
5af85cb1 | 1214 | int criuout[2]; |
0e4adc1a | 1215 | char *criu_version = NULL; |
aef3d51e | 1216 | |
f1954503 | 1217 | if (!criu_ok(c, &criu_version)) |
aef3d51e TA |
1218 | return false; |
1219 | ||
0e4adc1a CB |
1220 | ret = pipe(criuout); |
1221 | if (ret < 0) { | |
5af85cb1 | 1222 | SYSERROR("pipe() failed"); |
7177e6b1 | 1223 | free(criu_version); |
aef3d51e | 1224 | return false; |
5af85cb1 TA |
1225 | } |
1226 | ||
539c3977 | 1227 | if (lxc_mkdir_p(opts->directory, 0700) < 0) |
5af85cb1 | 1228 | goto fail; |
aef3d51e TA |
1229 | |
1230 | pid = fork(); | |
1231 | if (pid < 0) { | |
1232 | SYSERROR("fork failed"); | |
5af85cb1 | 1233 | goto fail; |
aef3d51e TA |
1234 | } |
1235 | ||
1236 | if (pid == 0) { | |
1237 | struct criu_opts os; | |
2202afc9 | 1238 | struct cgroup_ops *cgroup_ops; |
0ab5703f | 1239 | |
5af85cb1 TA |
1240 | close(criuout[0]); |
1241 | ||
5a087e05 | 1242 | cgroup_ops = cgroup_init(c->lxc_conf); |
2202afc9 | 1243 | if (!cgroup_ops) { |
0ab5703f | 1244 | ERROR("failed to cgroup_init()"); |
7211378b | 1245 | _exit(EXIT_FAILURE); |
0ab5703f | 1246 | } |
aef3d51e | 1247 | |
5af85cb1 | 1248 | os.pipefd = criuout[1]; |
aef3d51e | 1249 | os.action = mode; |
b2c3710f | 1250 | os.user = opts; |
aef3d51e | 1251 | os.c = c; |
4b54788e | 1252 | os.console_name = c->lxc_conf->console.path; |
f1954503 | 1253 | os.criu_version = criu_version; |
e20f46f8 | 1254 | os.handler = NULL; |
74eb576c | 1255 | |
0e4adc1a CB |
1256 | ret = save_tty_major_minor(opts->directory, c, os.tty_id, sizeof(os.tty_id)); |
1257 | if (ret < 0) { | |
1258 | free(criu_version); | |
7211378b | 1259 | _exit(EXIT_FAILURE); |
0e4adc1a | 1260 | } |
aef3d51e TA |
1261 | |
1262 | /* exec_criu() returning is an error */ | |
59d8a539 CB |
1263 | ret = exec_criu(cgroup_ops, c->lxc_conf, &os); |
1264 | if (ret) | |
1265 | SYSERROR("Failed to execute criu"); | |
0e4adc1a | 1266 | free(criu_version); |
7211378b | 1267 | _exit(EXIT_FAILURE); |
aef3d51e TA |
1268 | } else { |
1269 | int status; | |
5af85cb1 TA |
1270 | ssize_t n; |
1271 | char buf[4096]; | |
5af85cb1 TA |
1272 | |
1273 | close(criuout[1]); | |
1274 | ||
aef3d51e TA |
1275 | pid_t w = waitpid(pid, &status, 0); |
1276 | if (w == -1) { | |
1277 | SYSERROR("waitpid"); | |
5af85cb1 | 1278 | close(criuout[0]); |
7177e6b1 | 1279 | free(criu_version); |
aef3d51e TA |
1280 | return false; |
1281 | } | |
1282 | ||
668ba602 | 1283 | n = lxc_read_nointr(criuout[0], buf, sizeof(buf)); |
5af85cb1 TA |
1284 | close(criuout[0]); |
1285 | if (n < 0) { | |
1286 | SYSERROR("read"); | |
1287 | n = 0; | |
1288 | } | |
40229e95 | 1289 | |
1290 | if (n == sizeof(buf)) | |
1291 | buf[n-1] = 0; | |
1292 | else | |
1293 | buf[n] = 0; | |
5af85cb1 | 1294 | |
aef3d51e TA |
1295 | if (WIFEXITED(status)) { |
1296 | if (WEXITSTATUS(status)) { | |
9f1f54b0 | 1297 | ERROR("dump failed with %d", WEXITSTATUS(status)); |
5af85cb1 TA |
1298 | ret = false; |
1299 | } else { | |
1300 | ret = true; | |
aef3d51e | 1301 | } |
aef3d51e | 1302 | } else if (WIFSIGNALED(status)) { |
9f1f54b0 | 1303 | ERROR("dump signaled with %d", WTERMSIG(status)); |
5af85cb1 | 1304 | ret = false; |
aef3d51e | 1305 | } else { |
9f1f54b0 | 1306 | ERROR("unknown dump exit %d", status); |
5af85cb1 | 1307 | ret = false; |
aef3d51e | 1308 | } |
5af85cb1 TA |
1309 | |
1310 | if (!ret) | |
1311 | ERROR("criu output: %s", buf); | |
7177e6b1 DJ |
1312 | |
1313 | free(criu_version); | |
5af85cb1 | 1314 | return ret; |
aef3d51e | 1315 | } |
5af85cb1 TA |
1316 | fail: |
1317 | close(criuout[0]); | |
1318 | close(criuout[1]); | |
f075e955 | 1319 | (void)rmdir(opts->directory); |
0e4adc1a | 1320 | free(criu_version); |
5af85cb1 | 1321 | return false; |
aef3d51e TA |
1322 | } |
1323 | ||
b2c3710f | 1324 | bool __criu_pre_dump(struct lxc_container *c, struct migrate_opts *opts) |
aef3d51e | 1325 | { |
b2c3710f | 1326 | return do_dump(c, "pre-dump", opts); |
aef3d51e TA |
1327 | } |
1328 | ||
b2c3710f | 1329 | bool __criu_dump(struct lxc_container *c, struct migrate_opts *opts) |
aef3d51e TA |
1330 | { |
1331 | char path[PATH_MAX]; | |
1332 | int ret; | |
1333 | ||
8eaa5ae3 CB |
1334 | ret = strnprintf(path, sizeof(path), "%s/inventory.img", opts->directory); |
1335 | if (ret < 0) | |
aef3d51e TA |
1336 | return false; |
1337 | ||
1338 | if (access(path, F_OK) == 0) { | |
9f1f54b0 | 1339 | ERROR("please use a fresh directory for the dump directory"); |
aef3d51e TA |
1340 | return false; |
1341 | } | |
1342 | ||
b2c3710f | 1343 | return do_dump(c, "dump", opts); |
aef3d51e TA |
1344 | } |
1345 | ||
b2c3710f | 1346 | bool __criu_restore(struct lxc_container *c, struct migrate_opts *opts) |
aef3d51e TA |
1347 | { |
1348 | pid_t pid; | |
1349 | int status, nread; | |
1350 | int pipefd[2]; | |
f1954503 | 1351 | char *criu_version = NULL; |
aef3d51e | 1352 | |
aef3d51e | 1353 | if (geteuid()) { |
9f1f54b0 | 1354 | ERROR("Must be root to restore"); |
aef3d51e TA |
1355 | return false; |
1356 | } | |
1357 | ||
1358 | if (pipe(pipefd)) { | |
1359 | ERROR("failed to create pipe"); | |
1360 | return false; | |
1361 | } | |
1362 | ||
7177e6b1 DJ |
1363 | if (!criu_ok(c, &criu_version)) { |
1364 | close(pipefd[0]); | |
1365 | close(pipefd[1]); | |
1366 | return false; | |
1367 | } | |
1368 | ||
aef3d51e TA |
1369 | pid = fork(); |
1370 | if (pid < 0) { | |
1371 | close(pipefd[0]); | |
1372 | close(pipefd[1]); | |
7177e6b1 | 1373 | free(criu_version); |
aef3d51e TA |
1374 | return false; |
1375 | } | |
1376 | ||
1377 | if (pid == 0) { | |
1378 | close(pipefd[0]); | |
1a0e70ac | 1379 | /* this never returns */ |
f1954503 | 1380 | do_restore(c, pipefd[1], opts, criu_version); |
aef3d51e TA |
1381 | } |
1382 | ||
1383 | close(pipefd[1]); | |
7177e6b1 | 1384 | free(criu_version); |
aef3d51e | 1385 | |
668ba602 | 1386 | nread = lxc_read_nointr(pipefd[0], &status, sizeof(status)); |
aef3d51e TA |
1387 | close(pipefd[0]); |
1388 | if (sizeof(status) != nread) { | |
1389 | ERROR("reading status from pipe failed"); | |
1390 | goto err_wait; | |
1391 | } | |
1392 | ||
1a0e70ac CB |
1393 | /* If the criu process was killed or exited nonzero, wait() for the |
1394 | * handler, since the restore process died. Otherwise, we don't need to | |
1395 | * wait, since the child becomes the monitor process. | |
1396 | */ | |
aef3d51e TA |
1397 | if (!WIFEXITED(status) || WEXITSTATUS(status)) |
1398 | goto err_wait; | |
1399 | return true; | |
1400 | ||
1401 | err_wait: | |
1402 | if (wait_for_pid(pid)) | |
1403 | ERROR("restore process died"); | |
1404 | return false; | |
1405 | } |