On 25/05/2020 22:53, Jann Horn wrote:
On Fri, May 22, 2020 at 7:55 AM Adrian Reber <areber@xxxxxxxxxx> wrote:
This enables CRIU to checkpoint and restore a process as non-root.
Over the last years CRIU upstream has been asked a couple of time if it
is possible to checkpoint and restore a process as non-root. The answer
usually was: 'almost'.
The main blocker to restore a process was that selecting the PID of the
restored process, which is necessary for CRIU, is guarded by CAP_SYS_ADMIN.
And if you were restoring the process into your own PID namespace, so
that you actually have a guarantee that this isn't going to blow up in
your face because one of your PIDs is allocated for a different
process, this part of the problem could be simplified.
I don't get why your users are fine with a "oh it kinda works 99% of
the time but sometimes it randomly doesn't and then you have to go
reboot or whatever" model.
Transparent checkpoint and restore of a process tree is not simple,
especially when it is done entirely in user-space. To best of my
knowledge, CRIU is the only tool out there that is able to achieve this,
it is actively being tested and maintained, and it has been integrated
into several container runtimes. Like any other software, CRIU has
limitations but, as said in the README file, contributions are welcome.