checkpoint-restore / criu

Checkpoint/Restore tool
criu.org

docker checkpoint create failed: Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted #2391

Open HeyKerwin opened 2 months ago

HeyKerwin commented 2 months ago

Description

I'm trying to use docker checkpoint, but I get this error: Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted

Steps to reproduce the issue:

  1. create container

    docker run -d --name looper --security-opt seccomp:unconfined busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'

    or

    docker run -d --name looper --privileged busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'

    The errors are the same.

  2. create checkpoint

    docker checkpoint create looper checkpoint1

    Then the error occurs:

    Error response from daemon: Cannot checkpoint container looper: runc did not terminate successfully: exit status 1: criu failed: type NOTIFY errno 0 path= /run/containerd/io.containerd.runtime.v2.task/moby/756b8282257018b1f9daf2f924bc8e4f7c24bb43b7b40b707e4dfc4506b5a7a2/criu-dump.log: unknown

CRIU logs and information:

(00.000000) Unable to get $HOME directory, local configuration file will not be used.
(00.000041) Version: 3.16.1 (gitid 0)
(00.000046) Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
(00.000049) Would overwrite RPC settings with values from /etc/criu/runc.conf
(00.000060) Loaded kdat cache from /run/criu.kdat
(00.000188) ========================================
(00.000193) Dumping processes (pid: 157934)
(00.000195) ========================================
(00.000226) rlimit: RLIMIT_NOFILE unlimited for self
(00.000239) Running pre-dump scripts
(00.000242)     RPC
(00.000506) irmap: Searching irmap cache in work dir
(00.000526) No irmap-cache image
(00.000530) irmap: Searching irmap cache in parent
(00.000535) No parent images directory provided
(00.000538) irmap: No irmap cache
(00.000551) cpu: x86_family 6 x86_vendor_id GenuineIntel x86_model_id Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
(00.000556) cpu: fpu: xfeatures_mask 0x5 xsave_size 832 xsave_size_max 832 xsaves_size 832
(00.000564) cpu: fpu: x87 floating point registers     xstate_offsets      0 / 0      xstate_sizes    160 / 160
(00.000567) cpu: fpu: AVX registers                    xstate_offsets    576 / 576    xstate_sizes    256 / 256
(00.000570) cpu: fpu:1 fxsr:1 xsave:1 xsaveopt:1 xsavec:1 xgetbv1:1 xsaves:1
(00.000732) cg-prop: Parsing controller "cpu"
(00.000737) cg-prop:    Strategy "replace"
(00.000739) cg-prop:    Property "cpu.shares"
(00.000742) cg-prop:    Property "cpu.cfs_period_us"
(00.000744) cg-prop:    Property "cpu.cfs_quota_us"
(00.000747) cg-prop:    Property "cpu.rt_period_us"
(00.000749) cg-prop:    Property "cpu.rt_runtime_us"
(00.000751) cg-prop: Parsing controller "memory"
(00.000754) cg-prop:    Strategy "replace"
(00.000756) cg-prop:    Property "memory.limit_in_bytes"
(00.000759) cg-prop:    Property "memory.memsw.limit_in_bytes"
(00.000761) cg-prop:    Property "memory.swappiness"
(00.000763) cg-prop:    Property "memory.soft_limit_in_bytes"
(00.000766) cg-prop:    Property "memory.move_charge_at_immigrate"
(00.000768) cg-prop:    Property "memory.oom_control"
(00.000770) cg-prop:    Property "memory.use_hierarchy"
(00.000773) cg-prop:    Property "memory.kmem.limit_in_bytes"
(00.000775) cg-prop:    Property "memory.kmem.tcp.limit_in_bytes"
(00.000777) cg-prop: Parsing controller "cpuset"
(00.000780) cg-prop:    Strategy "replace"
(00.000783) cg-prop:    Property "cpuset.cpus"
(00.000785) cg-prop:    Property "cpuset.mems"
(00.000787) cg-prop:    Property "cpuset.memory_migrate"
(00.000790) cg-prop:    Property "cpuset.cpu_exclusive"
(00.000792) cg-prop:    Property "cpuset.mem_exclusive"
(00.000794) cg-prop:    Property "cpuset.mem_hardwall"
(00.000797) cg-prop:    Property "cpuset.memory_spread_page"
(00.000799) cg-prop:    Property "cpuset.memory_spread_slab"
(00.000801) cg-prop:    Property "cpuset.sched_load_balance"
(00.000825) cg-prop:    Property "cpuset.sched_relax_domain_level"
(00.000831) cg-prop: Parsing controller "blkio"
(00.000834) cg-prop:    Strategy "replace"
(00.000836) cg-prop:    Property "blkio.weight"
(00.000839) cg-prop: Parsing controller "freezer"
(00.000842) cg-prop:    Strategy "replace"
(00.000844) cg-prop: Parsing controller "perf_event"
(00.000847) cg-prop:    Strategy "replace"
(00.000850) cg-prop: Parsing controller "net_cls"
(00.000852) cg-prop:    Strategy "replace"
(00.000855) cg-prop:    Property "net_cls.classid"
(00.000857) cg-prop: Parsing controller "net_prio"
(00.000860) cg-prop:    Strategy "replace"
(00.000862) cg-prop:    Property "net_prio.ifpriomap"
(00.000865) cg-prop: Parsing controller "pids"
(00.000867) cg-prop:    Strategy "replace"
(00.000870) cg-prop:    Property "pids.max"
(00.000872) cg-prop: Parsing controller "devices"
(00.000875) cg-prop:    Strategy "replace"
(00.000877) cg-prop:    Property "devices.list"
(00.000902) Preparing image inventory (version 1)
(00.000961) Add pid ns 1 pid 158122
(00.000972) Add net ns 2 pid 158122
(00.000979) Add ipc ns 3 pid 158122
(00.000987) Add uts ns 4 pid 158122
(00.000994) Add time ns 5 pid 158122
(00.001005) Add mnt ns 6 pid 158122
(00.001013) Add user ns 7 pid 158122
(00.001026) Add cgroup ns 8 pid 158122
(00.001029) cg: Dumping cgroups for 158122
(00.001044) cg:  `- New css ID 1
(00.001047) cg:     `- [] -> [/system.slice/containerd.service] [0]
(00.001049) cg: Set 1 is criu one
(00.001080) Detected cgroup V2 freezer
(00.001082) freezing processes: 100000 attempts with 100 ms steps
(00.001094) cgroup.freeze=1
(00.001145) SEIZE 157934: success
(00.001618) Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted
(00.001744) Unlock network
(00.001768) Unfreezing tasks into 1
(00.001771)     Unseizing 157934 into 1
(00.001775) Error (compel/src/lib/infect.c:355): Unable to detach from 157934: No such process
(00.001782) Error (criu/cr-dump.c:1781): Dumping FAILED.

Output of `criu --version`:

```
Version: 3.16.1
```

Output of `criu check --all`:

```
Error (criu/cr-check.c:803): couldn't suspend seccomp: Operation not permitted
Error (criu/cr-check.c:845): Dumping seccomp filters not supported: Permission denied
Warn  (criu/cr-check.c:855): Dirty tracking is OFF. Memory snapshot will not work.
Looks good but some kernel features are missing which, depending on your process tree, may cause dump or restore failure.
```

Additional environment details:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

# uname -a
Linux Laptop-Kerwin 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

# docker version
Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.3
 Git commit:        24.0.5-0ubuntu1~22.04.1
 Built:             Mon Aug 21 19:50:14 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.3
  Git commit:       24.0.5-0ubuntu1~22.04.1
  Built:            Mon Aug 21 19:50:14 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.7.2
  GitCommit:
 runc:
  Version:          1.1.7-0ubuntu1~22.04.2
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:

Others

The Simple_loop demo also doesn't work well:

# cat dump.log
(00.000046) Version: 3.16.1 (gitid 0)
(00.000067) Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
(00.000081) Loaded kdat cache from /run/criu.kdat
(00.000160) ========================================
(00.000173) Dumping processes (pid: 179729)
(00.000176) ========================================
(00.000183) rlimit: RLIMIT_NOFILE unlimited for self
(00.000192) Running pre-dump scripts
(00.000219) irmap: Searching irmap cache in work dir
(00.000236) No irmap-cache image
(00.000240) irmap: Searching irmap cache in parent
(00.000246) No parent images directory provided
(00.000249) irmap: No irmap cache
(00.000264) cpu: x86_family 6 x86_vendor_id GenuineIntel x86_model_id Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
(00.000269) cpu: fpu: xfeatures_mask 0x5 xsave_size 832 xsave_size_max 832 xsaves_size 832
(00.000279) cpu: fpu: x87 floating point registers     xstate_offsets      0 / 0      xstate_sizes    160 / 160
(00.000283) cpu: fpu: AVX registers                    xstate_offsets    576 / 576    xstate_sizes    256 / 256
(00.000287) cpu: fpu:1 fxsr:1 xsave:1 xsaveopt:1 xsavec:1 xgetbv1:1 xsaves:1
(00.000663) cg-prop: Parsing controller "cpu"
(00.000672) cg-prop:    Strategy "replace"
(00.000676) cg-prop:    Property "cpu.shares"
(00.000679) cg-prop:    Property "cpu.cfs_period_us"
(00.000682) cg-prop:    Property "cpu.cfs_quota_us"
(00.000685) cg-prop:    Property "cpu.rt_period_us"
(00.000688) cg-prop:    Property "cpu.rt_runtime_us"
(00.000691) cg-prop: Parsing controller "memory"
(00.000694) cg-prop:    Strategy "replace"
(00.000697) cg-prop:    Property "memory.limit_in_bytes"
(00.000700) cg-prop:    Property "memory.memsw.limit_in_bytes"
(00.000703) cg-prop:    Property "memory.swappiness"
(00.000706) cg-prop:    Property "memory.soft_limit_in_bytes"
(00.000709) cg-prop:    Property "memory.move_charge_at_immigrate"
(00.000712) cg-prop:    Property "memory.oom_control"
(00.000715) cg-prop:    Property "memory.use_hierarchy"
(00.000718) cg-prop:    Property "memory.kmem.limit_in_bytes"
(00.000721) cg-prop:    Property "memory.kmem.tcp.limit_in_bytes"
(00.000724) cg-prop: Parsing controller "cpuset"
(00.000727) cg-prop:    Strategy "replace"
(00.000730) cg-prop:    Property "cpuset.cpus"
(00.000733) cg-prop:    Property "cpuset.mems"
(00.000736) cg-prop:    Property "cpuset.memory_migrate"
(00.000739) cg-prop:    Property "cpuset.cpu_exclusive"
(00.000742) cg-prop:    Property "cpuset.mem_exclusive"
(00.000745) cg-prop:    Property "cpuset.mem_hardwall"
(00.000748) cg-prop:    Property "cpuset.memory_spread_page"
(00.000751) cg-prop:    Property "cpuset.memory_spread_slab"
(00.000754) cg-prop:    Property "cpuset.sched_load_balance"
(00.000757) cg-prop:    Property "cpuset.sched_relax_domain_level"
(00.000760) cg-prop: Parsing controller "blkio"
(00.000763) cg-prop:    Strategy "replace"
(00.000766) cg-prop:    Property "blkio.weight"
(00.000769) cg-prop: Parsing controller "freezer"
(00.000772) cg-prop:    Strategy "replace"
(00.000775) cg-prop: Parsing controller "perf_event"
(00.000778) cg-prop:    Strategy "replace"
(00.000781) cg-prop: Parsing controller "net_cls"
(00.000784) cg-prop:    Strategy "replace"
(00.000787) cg-prop:    Property "net_cls.classid"
(00.000790) cg-prop: Parsing controller "net_prio"
(00.000793) cg-prop:    Strategy "replace"
(00.000796) cg-prop:    Property "net_prio.ifpriomap"
(00.000799) cg-prop: Parsing controller "pids"
(00.000802) cg-prop:    Strategy "replace"
(00.000805) cg-prop:    Property "pids.max"
(00.000808) cg-prop: Parsing controller "devices"
(00.000811) cg-prop:    Strategy "replace"
(00.000814) cg-prop:    Property "devices.list"
(00.000951) Preparing image inventory (version 1)
(00.000987) Add pid ns 1 pid 179931
(00.000998) Add net ns 2 pid 179931
(00.001007) Add ipc ns 3 pid 179931
(00.001015) Add uts ns 4 pid 179931
(00.001027) Add time ns 5 pid 179931
(00.001040) Add mnt ns 6 pid 179931
(00.001049) Add user ns 7 pid 179931
(00.001058) Add cgroup ns 8 pid 179931
(00.001062) cg: Dumping cgroups for 179931
(00.001079) cg:  `- New css ID 1
(00.001083) cg:     `- [] -> [/user.slice/user-0.slice/session-c6.scope] [0]
(00.001093) cg: Set 1 is criu one
(00.001160) Detected cgroup V1 freezer
(00.001529) Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted
(00.001754) Unlock network
(00.001812) Unfreezing tasks into 1
(00.001845)     Unseizing 179729 into 1
(00.001853) Error (compel/src/lib/infect.c:355): Unable to detach from 179729: No such process
(00.001967) Error (criu/cr-dump.c:1781): Dumping FAILED.

These are the same problem: suspending seccomp failed: Operation not permitted

rst0git commented 2 months ago

> Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64

@HeyKerwin Using CRIU with Windows Subsystem for Linux (WSL) has not been well tested. Would you be able to run docker in a Linux VM instead?
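
Log triage for dumps like the ones in this issue, added here as an example (it is not code from CRIU or from any commenter): `triage` separates the first `Error` line from the follow-on errors and flags a WSL kernel release, and `suspend_seccomp_blockers` checks the two conditions under which the Linux kernel rejects `PTRACE_O_SUSPEND_SECCOMP` with EPERM: a tracer without `CAP_SYS_ADMIN`, or a tracer that is itself under seccomp. The function names, the "microsoft" heuristic and the sample `/proc` status text are assumptions of this example; the log lines are copied from the report.

```python
import re

LINE = re.compile(r"^\((\d+\.\d+)\)\s*(.*)$")             # "(SS.UUUUUU) message"
ERROR = re.compile(r"^Error \(([^:()]+):(\d+)\): (.*)$")   # "Error (file:line): text"
RUNNING = re.compile(r"^Running on \S+ Linux (\S+)")       # group 1: kernel release
CAP_SYS_ADMIN = 21                                         # bit index in CapEff

def triage(log_text):
    """Pull the kernel release, the first error and the follow-on errors from a CRIU log."""
    rep = {"kernel": None, "wsl": False, "root_cause": None, "follow_on": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a timestamped CRIU line
        run, err = RUNNING.match(m.group(2)), ERROR.match(m.group(2))
        if run:
            rep["kernel"] = run.group(1)
            # Heuristic (assumption): WSL kernel releases contain "microsoft".
            rep["wsl"] = "microsoft" in run.group(1).lower()
        elif err:
            entry = {"at": float(m.group(1)), "src": err.group(1),
                     "line": int(err.group(2)), "msg": err.group(3)}
            if rep["root_cause"] is None:
                rep["root_cause"] = entry  # later errors are usually cleanup fallout
            else:
                rep["follow_on"].append(entry)
    return rep

def suspend_seccomp_blockers(status_text):
    """From the tracer's /proc/<pid>/status text, list conditions that yield EPERM.
    CapEff is read as-is; inside a user namespace it can overstate real privilege."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    blockers = []
    if int(fields.get("Seccomp", "0").strip()) != 0:
        blockers.append("tracer itself runs under seccomp")
    if not (int(fields.get("CapEff", "0").strip(), 16) >> CAP_SYS_ADMIN) & 1:
        blockers.append("tracer lacks CAP_SYS_ADMIN")
    return blockers

# Sample log: four lines copied from the first dump log in this issue.
SAMPLE_LOG = """\
(00.000046) Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
(00.001618) Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted
(00.001775) Error (compel/src/lib/infect.c:355): Unable to detach from 157934: No such process
(00.001782) Error (criu/cr-dump.c:1781): Dumping FAILED.
"""
# Constructed /proc/<pid>/status excerpt; these values are NOT from the issue.
SAMPLE_STATUS = "Name:\tcriu\nCapEff:\t000001ffffffffff\nSeccomp:\t2\n"
```

To use it on a real host, pass the contents of the dump log to `triage` and the contents of `/proc/self/status`, read from the shell that launches `criu`, to `suspend_seccomp_blockers`.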

github-actions[bot] commented 1 month ago

A friendly reminder that this issue had no activity for 30 days.