containers / crun

A fast and lightweight fully featured OCI runtime and C library for running containers
GNU General Public License v2.0

checkpoint of container with userns is not working #1207

Open Luap99 opened 1 year ago

Luap99 commented 1 year ago
$ sudo bin/podman run -d --name test --uidmap 0:0:1000 quay.io/libpod/testimage:20221018 top
fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021
$ sudo bin/podman container checkpoint test
2023-05-08T12:49:06.173711Z: CRIU checkpointing failed -52.  Please check CRIU logfile /var/lib/containers/storage/overlay-containers/fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021/userdata/dump.log
Error: `/usr/bin/crun checkpoint --image-path /var/lib/containers/storage/overlay-containers/fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021/userdata/checkpoint --work-path /var/lib/containers/storage/overlay-containers/fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021/userdata fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021` failed: exit status 1

Relevant line from the log:
(00.120964) Error (criu/mount.c:753): mnt: 2049:./dev/urandom doesn't have a proper root mount
Full log: dump.log

When the --uidmap argument is not used, it works correctly. It works with runc, but there is still a podman bug: https://github.com/containers/podman/issues/18502

$ crun --version
crun version 1.8.4
commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
saschagrunert commented 1 month ago

@Luap99 is this still an issue? Do you think we could fix that in the near future somehow? cc @adrianreber

Luap99 commented 1 month ago

I would assume so; nothing has changed and my reproducer still fails with the same error message.

In general, restoring the network namespace for a userns is currently broken anyway with the runtime restore API, as the process is started right away, so podman has no chance to configure the netns after the OCI runtime has created the namespaces (unlike the normal container startup sequence, which uses two steps, create then start, so we can configure the netns in between without issues).

But I guess crun first should be able to checkpoint before we can work on the restore side.