checkpoint: resolve symlink for external bind mount #2902
mrunalp merged 1 commit into opencontainers:master from
@liusdu thank you for the patch! Nice that you're using checkpoint/restore! Can you add a test case (to e.g.

@liusdu ^^^

@kolyshkin Sorry for being late, checkpoint/restore of runc works very well for me.

| options: ["bind"] | ||
| }]' | ||
| simple_cr | ||
| func (c *linuxContainer) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount) { | ||
| mountDest := strings.TrimPrefix(m.Destination, c.config.Rootfs) | ||

LGTM except for a couple of nits. @adrianreber PTAL

@liusdu Can you give an example where you saw this error? It looks correct, but I am curious when this can happen.

@adrianreber Look at the following Dockerfile. If we pass configuration as a volume to the container, we can meet this type of error.

@kolyshkin thanks for your review~

runc resolves symlink before doing bind mount. So we should save original path while formatting CriuReq for checkpoint.

Signed-off-by: Liu Hua <weldonliu@tencent.com>

ping @kolyshkin @adrianreber

close/reopen to re-kick CI

LGTM

| func (c *linuxContainer) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount) { | ||
| mountDest := strings.TrimPrefix(m.Destination, c.config.Rootfs) | ||
| if dest, err := securejoin.SecureJoin(c.config.Rootfs, mountDest); err == nil { | ||
| mountDest = dest[len(c.config.Rootfs):] |
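
Review bot: the `err == nil` condition on the `securejoin.SecureJoin` line drops a resolution error silently, so on failure the unresolved `mountDest` is used with nothing in the logs; consider at least logging the error. On the following line, `dest[len(c.config.Rootfs):]` assumes `dest` starts with `c.config.Rootfs` byte for byte. SecureJoin returns a cleaned path, so a rootfs value with a trailing slash or other unclean form would shift the slice offset, or panic if `dest` is shorter than the rootfs string. Trimming the cleaned rootfs with `strings.TrimPrefix`, or using `filepath.Rel`, would be safer.
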
I do wonder -- what happens if the mount is moved from inside the container (with a simple rename) after the filesystem has been set up? Is this also something CRIU doesn't support / really doesn't like?

Yes @cyphar. Since CRIU does not know how to restore bind mounts (master in host namespace), CRIU needs this type of mount marked as external (via --external). runc formats the --external parameter according to spec.
So for the situation you mentioned, CRIU does not work properly. btw, should we export --external for runc? Then users can mark external resources themselves.

> I do wonder -- what happens if the mount is moved from inside the container (with a simple rename) after the filesystem has been set up? Is this also something CRIU doesn't support / really doesn't like?

I do not understand this question. But initially I would have said that CRIU can handle it. Now @liusdu says it is not possible. I probably misunderstood the question.

> So for situation you mentioned, CRIU does not work properly. btw, should we export --external for runc. Then users can mark external resource themselves?

For Kubernetes, restoring containers in different Pods, I will need CRIU's --external to be available at the runc level.
Currently runc informs CRIU about all external mounts but it is not possible to change the location of the external mount between checkpoint and restore. For Kubernetes I will need to change the location of an external mount. The most obvious bind mount currently is the location of the secrets directory which has the Pod UID in its container external path and I need to tell CRIU/runc that that directory should be mounted from some other location.

@haircommander can you approve this pr?

It LGTM, but I'm not a maintainer so my approval wouldn't help unfortunately

We're in the middle of 1.0.0 GA release. Once it's done, I think we can merge this.

There's something wrong with CI :(

Might be caused by #3029. @liusdu can you take a look? The failed CI can be seen from the Actions tab, https://github.com/opencontainers/runc/actions

runc resolves symlink before doing bind mount. So
we should save original path while formatting CriuReq for
checkpoint.

Signed-off-by: Liu Hua <weldonliu@tencent.com>