Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

link-remap: Add --keep-link-remaps option #2028

Open
wants to merge 122 commits into
base: criu-dev
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
122 commits
Select commit Hold shift + click to select a range
6f8d543
Add flog to CRIU
prakritigoyal19 Jun 7, 2020
bf7b517
flog: Missing varargs init or cleanup (VARARGS)
adrianreber Sep 28, 2020
09348a2
Run 'make indent' on 'flog/'
adrianreber Aug 4, 2021
d355c36
flog: typo: mmaped -> mmapped
kolyshkin Apr 7, 2022
6eafe4e
flog: fix some codespell warnings
kolyshkin Mar 31, 2022
4795374
cr-dump: do not report success to logs if post-dump script failed
Snorch Apr 27, 2022
03539d4
ci: Fix unsafe repository error
rst0git May 8, 2022
df67400
mem: Skip pre-dumping on hugetlb mappings
minhbq-99 May 8, 2022
2de7eea
Revert "ci: skip new hugetlb maps09/maps10 tests for pre-dump"
minhbq-99 May 8, 2022
a1fb2ec
zdtm: skip zdtm/static/shm-hugetlb when hugetlb is not supported
mihalicyn May 10, 2022
3c8aa30
crit: Use same version as criu
rst0git May 11, 2022
be6d7ca
page-pipe: fix limiting a pipe size
avagin Apr 27, 2022
d84e2e4
page-xfer: use negative values for error codes
avagin Apr 27, 2022
6d879d5
page-xfer: adjust a buffer to a pipe size
avagin Apr 27, 2022
a6aae07
pre-dump: call vmsplice with SPLICE_F_GIFT
avagin Apr 27, 2022
574f396
page-xfer: refactoring analyze_iov and fill_userbuf
avagin Apr 28, 2022
45641ab
ci: test the read mode of pre-dump
avagin Apr 28, 2022
cd0ed7e
amdgpu/Makefile: Fix include path
rst0git May 15, 2022
2b3763f
amdgpu: Set PLUGINDIR to /usr/lib/criu
rst0git May 8, 2022
98eda32
github: use git-clang-format instead of make indent
Snorch May 31, 2022
0db600d
Fix the check for mnt namespace in criu-ns
ashu-mehra May 30, 2022
baa4516
sk-unix: make add_fake_unix_queuers earier and rework find_queuer_for
Snorch Jun 9, 2022
8a147da
zdtm/scm: add scm09 test with closed sender fd
Snorch Jun 9, 2022
ac27245
mount-v2: split out restore_one_sharing helper
Snorch May 18, 2022
7e37618
mount-v2: workaround for multiple external bindmounts with no common …
Snorch May 18, 2022
58a2d98
zdtm: test multiple ext bindmounts with no common root and same master
Snorch May 20, 2022
edb3b8f
amdgpu: Add gitignore
rst0git May 12, 2022
fa6efbf
hugetlb: don't dump anonymous private hugetlb mapping using memfd app…
minhbq-99 May 12, 2022
dc160c0
util/mount-v2: fix resolve_mountpoint() to always return freeable poi…
Snorch Jun 17, 2022
f82b71c
zdtm: add mnt_root_ext test
Snorch Jun 20, 2022
28581f2
config: fail on --track-mem option if dirty tracking is not available
Snorch Jun 21, 2022
029ca22
ci: Fix code indent
rst0git Jun 21, 2022
7968e71
infect: add SIGTSTP support
uravas Jan 20, 2022
c8f9880
zdtm: add tests for SIGTSTP
uravas Jan 18, 2022
290a998
config/files-reg: Add opt to skip file r/w/x check on restore
ymanton May 30, 2022
8f04c13
Add --skip-file-rwx-check opt test
ymanton Jun 3, 2022
1e6e826
rseq: fix headers conflict on Mariner GNU/Linux
mihalicyn Jul 8, 2022
90c0f08
x86/compel/fault-inject: fixup mxcsr for PTRACE_SETFPREGS
mihalicyn May 10, 2022
ebe9db9
zdtm: Remove permission part check for skipping vsyscall vma
minhbq-99 Jul 21, 2022
e15690b
vdso-compat: Increase the reserved buffer for compat vdso
minhbq-99 Jul 21, 2022
973b4b6
zdtm: make root mount private in criu mntns
Snorch Jul 26, 2022
0576f68
zdtm/mnt_root_ext: don't allow propagation from test mntns to criu mntns
Snorch Jul 27, 2022
2549276
files-reg.c: modify the check of ghost_limit to support large sparse …
featherchen Jul 26, 2022
4cc4d1d
unlink_largefile.desc: remove crfail, since criu now can support
featherchen Jul 26, 2022
d9009f6
zdtm: add two tests for large ghost sparse file
featherchen Jul 28, 2022
8a01859
MAINTAINERS: Add Radostin (myself) to maintainers
rst0git Aug 4, 2022
f32e626
ci: unset XDG_RUNTIME_DIR when invoking podman
rst0git Jul 23, 2022
4c86d6a
criu: fix conflicting headers
rst0git Jul 31, 2022
6a1260a
Revert "ci: Switch to non overlaysfs tests"
rst0git Aug 5, 2022
557ab8c
docker-test: use containerd installed from package
rst0git Aug 5, 2022
5f801c4
cr-check: fix check for apparmor stacking
rst0git Aug 5, 2022
ce1b705
cr-check: optimize check for apparmor stacking
Snorch Aug 6, 2022
f0b0a64
cr-restore: rseq: dynamically handle *libc with rseq
mihalicyn Jul 20, 2022
db9781e
cr-restore: rseq: use glibc-specific way to unregister only as fallback
mihalicyn Jul 20, 2022
6206067
Add Alexander Mikhalitsyn to maintainers
avagin Aug 9, 2022
58fa267
docker-test: handle race condition error
rst0git Aug 11, 2022
3019db3
ci/cirrus: add CentOS Stream 9
kolyshkin Mar 31, 2022
2410079
ci/cirrus: centos 8 job nits
kolyshkin Apr 13, 2022
373281f
compel: set TRACESYSGOOD to distinguish breakpoints from syscalls
avagin Aug 7, 2022
40f5d9b
compel: clear a breakpoint right after it's been triggered
avagin Aug 7, 2022
267c9bc
compel: switch breakpoint functions to non-inline at arm64 platform
Apr 15, 2022
cc8c6b4
breakpoint: implement hw breakpoint for arm64 platform
Aug 7, 2022
ec49f42
breakpoint: enable breakpoints by default on amd64 and arm64
Aug 9, 2022
6e35c59
criu: fail migration if data was sent to an in-flight socket
mclapinski Apr 6, 2022
edb3e52
zdtm: return 1 from pr_err, pr_perror, fail
avagin Apr 15, 2022
309e131
test/unix: check C/R of unix listen queues
avagin Apr 15, 2022
3aafc55
gitignore: Ignore top-evel build dir only
ymanton Aug 25, 2022
84a7269
ci: Rename openj9 Dockerfiles to hotspot
ymanton Aug 25, 2022
8556d83
ci: Add Dockerfile for openj9 on Ubuntu
ymanton Aug 25, 2022
1ba1c39
ci: Clean up and improve Java testing
ymanton Aug 25, 2022
517c094
mount: add definition for FSOPEN_CLOEXEC
rst0git Aug 24, 2022
94bfff7
criu-ns: capture controlling tty
Snorch Jun 22, 2022
2666eec
files-reg: skip failed mount lookup for shell-job's tty
Snorch Jun 22, 2022
c056f99
ci/gha/lint: install a recent shellcheck
kolyshkin Apr 13, 2022
01e643a
scripts/ci/apt-install: fix (not ignore) shellcheck warning
kolyshkin Apr 12, 2022
527a4ce
scripts/ci/asan.sh: fix, not ignore, shellcheck warning
kolyshkin Apr 12, 2022
06e1cad
Fix, not ignore, shellcheck SC1091 warnings
kolyshkin Apr 12, 2022
0fce00f
scripts/ci/run-ci-tests: use bash arrays
kolyshkin Apr 13, 2022
72d27e9
scripts/ci: rm shellcheck disable annotations
kolyshkin Apr 13, 2022
ebe8770
scripts/protobuf-gen.sh: fix (not ignore) shellcheck warnings
kolyshkin Apr 13, 2022
6128eb6
test/others/crit/test.sh: use bash array
kolyshkin Apr 13, 2022
58257cb
seize: do not overwrite exit code from failpath
Sep 14, 2022
6e9a908
compel: Add APIs to facilitate testing
ymanton Sep 2, 2022
50dda15
compel: Fix infect test to not override failures
ymanton Sep 27, 2022
a7cbdcb
compel: Add test to check parasite stack setup
ymanton Aug 30, 2022
615763e
compel: Fix ppc64le parasite stack layout
ymanton Aug 30, 2022
4cd295b
ci: enable EPEL for CentOS 7
rst0git Oct 1, 2022
294aedc
non-root: add infrastructure to run as non-root
adrianreber Jul 24, 2020
de70d2c
non-root: add functions to work with capabilities
adrianreber Jul 24, 2020
3b5f5c7
non-root: enable non-root checkpoint/restore
ymanton Aug 12, 2022
2cb3da2
non-root: Introduce unprivileged mode to kerndat
ymanton Aug 12, 2022
1db95af
Documentation: add details about --unprivileged
adrianreber May 3, 2021
0add1b6
non-root: extend zdtm.py to be able to run tests as non-root
adrianreber Jul 24, 2020
8cf8fe8
non-root: add non-root test case to cirrus runs
adrianreber Jul 24, 2020
18c6426
cgroup: add a comment to restore_cgroup_prop about path argument requ…
Snorch Oct 20, 2022
5bcde6f
ipc_sysctl: Prioritize restoring IPC variables using non usernsd appr…
minhbq-99 Oct 23, 2022
83ed54b
Switch aarch64 builds to Cirrus CI
adrianreber Oct 25, 2022
f5ad26c
cgroup-v2: Checkpoint and restore some global properties
minhbq-99 Sep 4, 2022
1304415
zdtm: Add write_value/read_value helpers into zdtm library
minhbq-99 Sep 13, 2022
a8328c7
zdtm: Add test to check global properties of cgroup-v2 are preserved
minhbq-99 Sep 4, 2022
c3a5192
cgroup-v2: Dump cgroup controllers of every threads in a process
minhbq-99 Sep 4, 2022
da84213
cgroup-v2: Restore threads in a process into correct threaded control…
minhbq-99 Sep 4, 2022
030c5ab
zdtm: Check threads are restored into correct threaded controllers
minhbq-99 Sep 4, 2022
d3ed3e9
ci: Make cpuset move to cgroup-v2 hierarchy
minhbq-99 Sep 6, 2022
f47f5c0
ci: Do not fail if latest epel repository definition is already insta…
adrianreber Nov 7, 2022
979c842
ci: move cgroup unmounting to run-ci-tests.sh
adrianreber Nov 7, 2022
614fb7d
kerndat: Mark memfd_create(MFD_HUGETLB) unavailable when ENOSYS is re…
minhbq-99 Nov 8, 2022
52435d7
cgroup: Remove redundant code that handles zombie tasks
minhbq-99 Nov 3, 2022
1c6517a
Remove execute bit from source file
Nov 17, 2022
7fee7d2
amdgpu: define __nmk_dir if missing
rst0git Nov 9, 2022
6f3b81d
Fix warnings from -Wstrict-prototypes in clang 16.0.0
ajwock Nov 21, 2022
b50d3d7
ci/lint: install ShellCheck with dnf
rst0git Nov 23, 2022
5b9f7a9
ci/alpine: remove symlink for /usr/bin/python
rst0git Nov 23, 2022
4f659d5
ci: fix make indent
rst0git Nov 24, 2022
7819a11
files-reg.c: fiemap algorithm for ghost file
featherchen Sep 6, 2022
f4a91fc
zdtm: add two tests for highly sparse ghost file
featherchen Sep 11, 2022
50db2be
Fix typo in comment
VermaSh Dec 1, 2022
b3c7286
non-root: Rework socket bufs for unprivileged mode
ymanton Nov 14, 2022
318ff08
non-root: Don't dump socket option SO_MARK if 0
ymanton Nov 21, 2022
6e11e7f
sockets: tiny style fix
avagin Dec 12, 2022
008c2b9
test/javaTests: update org.testng:testng (Maven)
avagin Dec 13, 2022
972ae4e
link-remap: Add --keep-link-remaps option
ajwock Dec 15, 2022
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
98 changes: 94 additions & 4 deletions .cirrus.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,34 @@ task:
build_script: |
make -C scripts/ci vagrant-fedora-no-vdso

task:
name: CentOS Stream 9 based test
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"

compute_engine_instance:
image_project: centos-cloud
image: family/centos-stream-9
platform: linux
cpu: 4
memory: 8G

setup_script: |
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
dnf config-manager --set-enabled crb # Same as CentOS 8 powertools
dnf -y install epel-release epel-next-release
dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-future python-protobuf python-junit_xml python-flake8 xmlto
systemctl stop sssd
# Even with selinux in permissive mode the selinux tests will be executed.
# The Cirrus CI user runs as a service from selinux point of view and is
# much more restricted than a normal shell (system_u:system_r:unconfined_service_t:s0).
# The test case above (vagrant-fedora-no-vdso) should run selinux tests in enforcing mode.
setenforce 0

build_script: |
make -C scripts/ci local SKIP_CI_PREP=1 CC=gcc CD_TO_TOP=1 ZDTM_OPTS="-x zdtm/static/socket-raw"

task:
name: Vagrant Fedora Rawhide based test
environment:
Expand All @@ -41,7 +69,28 @@ task:
make -C scripts/ci vagrant-fedora-rawhide

task:
name: CentOS 8 based test
name: Vagrant Fedora based test (non-root)
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"

compute_engine_instance:
image_project: cirrus-images
image: family/docker-kvm
platform: linux
cpu: 4
memory: 16G
nested_virtualization: true

setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
build_script: |
make -C scripts/ci vagrant-fedora-non-root

task:
name: CentOS Stream 8 based test
environment:
HOME: "/root"
CIRRUS_WORKING_DIR: "/tmp/criu"
Expand All @@ -55,17 +104,18 @@ task:

setup_script: |
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm dnf-plugins-core
# Do not fail if latest epel repository definition is already installed
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm || :
yum install -y dnf-plugins-core
yum config-manager --set-enabled powertools
yum install -y --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python3-devel python3-flake8 python3-PyYAML python3-future python3-protobuf xmlto
yum install -y --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python3-devel python3-flake8 python3-PyYAML python3-future python3-protobuf python3-junit_xml xmlto
alternatives --set python /usr/bin/python3
systemctl stop sssd
# Even with selinux in permissive mode the selinux tests will be executed
# The Cirrus CI user runs as a service from selinux point of view and is
# much more restricted than a normal shell (system_u:system_r:unconfined_service_t:s0)
# The test case above (vagrant-fedora-no-vdso) should run selinux tests in enforcing mode
setenforce 0
pip3 install junit_xml

build_script: |
make -C scripts/ci local SKIP_CI_PREP=1 CC=gcc CD_TO_TOP=1 ZDTM_OPTS="-x zdtm/static/socket-raw"
Expand All @@ -84,6 +134,9 @@ task:
memory: 8G

setup_script: |
# EPEL is needed for python2-future, python2-junit_xml, python-flake8 and libbsd-devel.
# Do not fail if latest epel repository definition is already installed
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm || :
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
yum install -y findutils gcc git gnutls-devel iproute iptables libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel make procps-ng protobuf-c-devel protobuf-devel protobuf-python python python-flake8 python-ipaddress python2-future python2-junit_xml python-yaml python-six sudo tar which e2fsprogs python2-pip rubygem-asciidoctor libselinux-devel
# Even with selinux in permissive mode the selinux tests will be executed
Expand All @@ -98,3 +151,40 @@ task:

build_script: |
make -C scripts/ci local SKIP_CI_PREP=1 CC=gcc CD_TO_TOP=1 ZDTM_IGNORE_TAINT=1 ZDTM_OPTS="-x zdtm/static/socket-raw -x zdtm/static/child_subreaper_existing_child -x zdtm/static/fifo_upon_unix_socket01 -x zdtm/static/overmount_sock -x zdtm/static/tempfs_overmounted"

task:
name: aarch64 build GCC (native)
arm_container:
image: docker.io/library/ubuntu:jammy
cpu: 4
memory: 4G
script: uname -a
build_script: |
scripts/ci/apt-install make
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
make -C scripts/ci local

task:
name: aarch64 build CLANG (native)
arm_container:
image: docker.io/library/ubuntu:jammy
cpu: 4
memory: 4G
script: uname -a
build_script: |
scripts/ci/apt-install make
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
make -C scripts/ci local CLANG=1

task:
name: aarch64 Fedora Rawhide
arm_container:
image: registry.fedoraproject.org/fedora:rawhide
cpu: 4
memory: 4G
script: uname -a
build_script: |
scripts/ci/prepare-for-fedora-rawhide.sh
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
make -C scripts/ci/ local CC=gcc SKIP_CI_PREP=1 SKIP_CI_TEST=1 CD_TO_TOP=1
make -C test/zdtm -j 4
82 changes: 0 additions & 82 deletions .drone.yml

This file was deleted.

6 changes: 5 additions & 1 deletion .github/workflows/fedora-rawhide-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,8 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Run Fedora Rawhide Test
run: sudo -E make -C scripts/ci fedora-rawhide CONTAINER_RUNTIME=podman BUILD_OPTIONS="--security-opt seccomp=unconfined"
# We need to pass environment variables from the CI environment to
# distinguish between CI environments. However, we need to make sure that
# XDG_RUNTIME_DIR environment variable is not set due to a bug in Podman.
# FIXME: https://github.com/containers/podman/issues/14920
run: sudo -E XDG_RUNTIME_DIR= make -C scripts/ci fedora-rawhide CONTAINER_RUNTIME=podman BUILD_OPTIONS="--security-opt seccomp=unconfined"
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: OpenJ9 Test
name: Java Test

on: [push, pull_request]

Expand All @@ -7,5 +7,5 @@ jobs:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: Run OpenJ9 Test
run: sudo make -C scripts/ci openj9-test
- name: Run Java Test
run: sudo make -C scripts/ci java-test
16 changes: 14 additions & 2 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,25 @@ jobs:
image: registry.fedoraproject.org/fedora:latest
steps:
- name: Install tools
run: sudo dnf -y install git make python3-flake8 ShellCheck clang-tools-extra which findutils codespell
run: sudo dnf -y install git make python3-flake8 xz clang-tools-extra which codespell git-clang-format ShellCheck

- uses: actions/checkout@v2

- name: Set git safe directory
# https://github.com/actions/checkout/issues/760
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

- name: Run make lint
run: make lint

- name: Run make indent
run: >
make indent &&
if [ -z "${{github.base_ref}}" ]; then
make indent
else
git fetch origin ${{github.base_ref}} &&
git clang-format --style file --extensions c,h --quiet origin/${{github.base_ref}}
fi &&
STATUS=$(git status --porcelain) &&
if [ ! -z "$STATUS" ]; then
echo "FAIL: some files are not correctly formatted.";
Expand Down
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -42,4 +42,4 @@ lib/.crit-setup.files
compel/include/asm
include/common/asm
include/common/config.h
build/
build/**
5 changes: 4 additions & 1 deletion Documentation/compel.txt
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,10 @@ Following steps are performed to infect the victim process:
- execute system call: *int compel_syscall(ctl, int syscall_nr, long *ret, int arg ...);*
- infect victim: *int compel_infect(ctl, nr_thread, size_of_args_area);*
- cure the victim: *int compel_cure(ctl);* //ctl pointer is freed by this call
- Resume victim: *int compel_resume_task(pid, orig_state, state);*
- Resume victim: *int compel_resume_task(pid, orig_state, state)* or
*int compel_resume_task_sig(pid, orig_state, state, stop_signo).*
//compel_resume_task_sig() could be used in case when victim is in stopped state.
stop_signo could be read by calling compel_parse_stop_signo().

*ctl* must be configured with blob information by calling *PREFIX_setup_c_header()*, with ctl as its argument.
*PREFIX* is the argument given to *-p* when calling hgen, else it is deduced from file name.
Expand Down
35 changes: 35 additions & 0 deletions Documentation/criu.txt
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,12 @@ not compatible with *--external* *dev*.
notification message contains a file descriptor for
the master pty

*--unprivileged*::
This option tells *criu* to accept the limitations when running
as non-root. Running as non-root requires *criu* at least to have
*CAP_SYS_ADMIN* or *CAP_CHECKPOINT_RESTORE*. For details about running
*criu* as non-root please consult the *NON-ROOT* section.

*-V*, *--version*::
Print program version and exit.

Expand Down Expand Up @@ -668,6 +674,9 @@ The 'mode' may be one of the following:
build-ID cannot be obtained, 'chksm-first' method will be
used. This is the default if mode is unspecified.

*--skip-file-rwx-check*::
Skip checking file permissions (r/w/x for u/g/o) on restore.

*check*
~~~~~~~
Checks whether the kernel supports the features needed by *criu* to
Expand Down Expand Up @@ -874,6 +883,32 @@ configuration file will overwrite all other configuration file settings
or RPC options. *This can lead to undesired behavior of criu and
should only be used carefully.*

NON-ROOT
--------
*criu* can be used as non-root with either the *CAP_SYS_ADMIN* capability
or with the *CAP_CHECKPOINT_RESTORE* capability introduces in Linux kernel 5.9.
*CAP_CHECKPOINT_RESTORE* is the minimum that is required.

*criu* also needs either *CAP_SYS_PTRACE* or a value of 0 in
*/proc/sys/kernel/yama/ptrace_scope* (see *ptrace*(2)) to be able to interrupt
the process for dumping.

Running *criu* as non-root has many limitations and depending on the process
to checkpoint and restore it may not be possible.

In addition to *CAP_CHECKPOINT_RESTORE* it is possible to give *criu* additional
capabilities to enable additional features in non-root mode.

Currently *criu* can benefit from the following additional capabilities:

- *CAP_NET_ADMIN*
- *CAP_SYS_CHROOT*
- *CAP_SETUID*
- *CAP_SYS_RESOURCE*

Independent of the capabilities it is always necessary to use "*--unprivileged*" to
accept *criu*'s limitation in non-root mode.

EXAMPLES
--------
To checkpoint a program with pid of *1234* and write all image files into
Expand Down
2 changes: 2 additions & 0 deletions MAINTAINERS
Original file line number Diff line number Diff line change
Expand Up @@ -4,3 +4,5 @@ Mike Rapoport <rppt@kernel.org>
Dmitry Safonov <0x7f454c46@gmail.com>
Adrian Reber <areber@redhat.com>
Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Radostin Stoyanov <rstoyanov@fedoraproject.org>
Alexander Mikhalitsyn <alexander@mihalicyn.com>
Loading