can not make checkpoint of container start by non root user

[darkgirl]

hi,
one of the reason i chose podman is i do not need to use podman by root user.
today, when i try to use podman container checkpoint to test podman contaner restore,
but i got these message:
Error: checkpointing a container requires root
when use root permission, I got these message:
Error: no container with name or ID b281916d9b79 found: no such container
And I found when i start a container by non root user, I can find it from ' podman container ls -a '.

so, how to make checkpoin of a container start by non root user?

and my podman version is 'podman version 1.6.4'

Thanks for your time.

[rhatdan]

Sorry but checkpoint and restore are still currently require privileged operations.
@adrianreber Is there any chance this will ever not require privs? Or do we need a sudo based solution?

[mheon]

I have heard a lot about the new checkpoint/restore capability in new kernels, but I have not verified if it allows CRIU as rootless.

[mheon]

(I suspect is does not because we're only getting a namespaced version of the capability in the rootless user namespace but would be happy to be proven wrong)

[mheon]

This would also all be academic if you're on RHEL/CentOS 7 or 8 as I don't believe there's any chance of the new capability being backported there. Assuming this functionality were to become available, it would only be on extremely new kernels.

[adrianreber]

Sorry but checkpoint and restore are still currently require privileged operations.
@adrianreber Is there any chance this will ever not require privs? Or do we need a sudo based solution?

I was able to add CAP_CHECKPOINT_RESTORE to the kernel with version 5.9. This is the first step to enable non-root checkpoint restore. Now that the necessary kernel interfaces are accessible with CAP_CHECKPOINT_RESTORE instead of CAP_SYS_ADMIN it is possible to change CRIU to work with those capabilities. The CRIU part is currently open at checkpoint-restore/criu#1155 (unfortunately the progress has stalled). With the changes from that PR and a 5.9 kernel it is possible to checkpoint/restore as non-root.

So there is chance that we might get checkpoint/restore in rootless mode, but it will not happen for a long time.

I would say to close this for now as not fixable within a reasonable amount of time.

[rhatdan]

@adrianreber Is CAP_CHECKPOINT_RESTORE going to be a User Namespaced capability or will users still need a full CAP_CHECKPOINT_RESTORE caps via filecap program?

[saeidscorp]

I will be happy using sudo for the occasions of checkpointing and live migrations. But, as sudo changes the UID, podman runs the commands under the root account, which of course doesn't have the rootless containers in it.

Is there a way to have the checkpoint/restore functionality for rootless environments using sudo or something? I'm aware that non-root criu and its support are in the works but for the time being, a workaround would suit many use-cases.

[adrianreber]

Is there a way to have the checkpoint/restore functionality for rootless environments using sudo or something? I'm aware that non-root criu and its support are in the works but for the time being, a workaround would suit many use-cases.

No. There is currently no easy way to checkpoint and restore rootless containers.

[arlyon]

Apologies for reviving a dead thread, but it is not clear to me why this issue was closed. Is it because it is 'impossible' or because podman does not intend to support it?

[adrianreber]

Apologies for reviving a dead thread, but it is not clear to me why this issue was closed. Is it because it is 'impossible' or because podman does not intend to support it?

It depends on CRIU having support for checkpointing as non-root (checkpoint-restore/criu#1930) and then runc/crun need to support it. So it is a long way until Podman can theoretically support it.

[arlyon]

Thanks for clarifying :) Have a nice weekend.

[nickurak]

FWIW, checkpoint-restore/criu#1930 was merged a few months ago.