Difference between revisions of "CLI"

From CRIU
(Reformatted, added RPC)
Line 110: Line 110:
 
In the latter case, the following security restrictions would apply:
 
In the latter case, the following security restrictions would apply:
 
* criu will refuse to dump or restore processes whose <code>[se]?[ug]id</code> is not equal to the corresponding value of the calling user
 
* criu will refuse to dump or restore processes whose <code>[se]?[ug]id</code> is not equal to the corresponding value of the calling user
 +
* criu will refuse to dump or restore any bits set in any capability set
  
 
== Further reading ==
 
== Further reading ==
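
Review bot: The added bullet says criu refuses to dump or restore "any bits set in any capability set", which makes the bits the object, while the bullet above it is phrased in terms of processes. Suggest wording it the same way, e.g. "criu will refuse to dump or restore processes that have any bits set in any capability set", and naming which capability sets are checked so a reader can tell in advance whether a task will be rejected.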

Revision as of 11:04, 17 October 2013

Since the tools and the overall concept are still under heavy development, some known limitations apply; in particular, only a pure x86-64 environment is supported, with no IA32 emulation allowed.

Synopsis

criu <command> -t <pid> [<options>]

Description

criu is a command-line utility to steer the checkpoint and restore procedures.

Options

<command>::
    One of the following commands
        * 'dump'
                to initiate checkpoint procedure
        * 'restore'
                to restore previously checkpointed processes
        * 'show'
                to decode binary dump files and show their contents in human
                readable format
        * 'check'
                to test whether the kernel support is up-to-date
        * 'exec'
                to execute a system call from another task's context
        * 'page-server'
                to launch a page-server
        * 'service'
                to start RPC service

-c::
    In case of the 'show' command, the content of the dumped pages will be shown in hex format.

-D <path>::
    Use 'path' as the base directory in which to look for the set of dump
    files. This option applies to any <command>.

-s::
    Leave tasks in stopped state after checkpoint instead of killing them.

-f <file>::
    This option is valid for the 'show' command only and shows the content of
    the <file> specified.

-t <pid>::
    Checkpoint the whole process tree starting from 'pid'.

-d::
    Detach criu itself once restore is complete.

-n <ns>::
    Checkpoint namespaces. Namespaces must be separated by commas.
    We now support all namespaces -- uts, ipc, net and mnt.

-o <file>::
    Write logging messages to 'file'.

-v <num>::
    Set logging level to 'num'. Valid values are: 0 - silent (error messages
    only), 1 - informative (default), 2 - debug messages.

Examples

The first thing to do is to check that the kernel support is up to date with the

# criu check

command. If it says "Looks good", you can proceed; otherwise dump/restore may not work. If you are using the mainstream kernel rather than ours with some custom patches applied, you should try the

# criu check --ms

command instead. It will skip checking for some kernel functionality that is known to be not yet merged upstream (criu knows how to work without it, though it's sometimes not correct).

To checkpoint a program with pid 1234 and write all image files into the directory checkpoint, one should type

# criu dump -D checkpoint -t 1234

To restore this program and detach criu itself, one should type

criu restore -d -D checkpoint

"Detaching" (the -d option) here means that criu will exit after restoring the processes, and the latter will get re-parented to the init task.

To close file descriptor number 1 in the task with pid 1234, run

criu exec -t 1234 close 1

To open a file named /foo/bar for read-write in the task with pid 1234, run

criu exec -t 1234 open '&/foo/bar' 2

Security

Due to restrictions imposed by several kernel APIs that CRIU uses, the tools can only work when run with root privileges. However, if the node administrator sets the +suid bit on the criu binary, or runs criu as an RPC service, criu will be able to work on behalf of a regular user.

In the latter case, the following security restrictions would apply:

  • criu will refuse to dump or restore processes whose [se]?[ug]id is not equal to the corresponding value of the calling user
  • criu will refuse to dump or restore processes that have any bits set in any capability set
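
A pre-flight check for the two restrictions above, as an added example that is not CRIU's own code: it reads a /proc/<pid>/status snapshot and reports whether the task's uid/euid/suid, gid/egid/sgid and capability sets would satisfy them for a given caller. The function names and sample data are constructed here, and reading "any capability set" as CapInh, CapPrm and CapEff is an assumption.

```shell
#!/bin/sh
# Added example, not CRIU code. Names and sample data are constructed.

# criu_user_check STATUS_FILE CALLER_UID CALLER_GID
# STATUS_FILE is a /proc/<pid>/status file, or "-" for stdin.
# Prints "ok" or "refuse: <reason>"; returns 0 only if both rules hold.
criu_user_check() {
    awk -v uid="$2" -v gid="$3" '
        function fail(msg) { if (reason == "") reason = msg }
        # Uid:/Gid: carry real, effective, saved and filesystem ids;
        # fields 2-4 are the ones [se]?[ug]id matches.
        $1 == "Uid:" { seen_uid = 1
                       for (i = 2; i <= 4; i++) if ($i != uid) fail("uid mismatch") }
        $1 == "Gid:" { seen_gid = 1
                       for (i = 2; i <= 4; i++) if ($i != gid) fail("gid mismatch") }
        # Assumption: the sets meant are inheritable, permitted, effective.
        # CapBnd is skipped: it is normally full for ordinary processes.
        $1 ~ /^Cap(Inh|Prm|Eff):$/ {
            seen_cap++
            name = $1; sub(/:$/, "", name)
            if ($2 !~ /^0+$/) fail("capability bits set in " name)
        }
        END {
            # Fail closed when an expected line is missing.
            if (!seen_uid || !seen_gid || seen_cap < 3) fail("status file incomplete")
            if (reason != "") { print "refuse: " reason; exit 1 }
            print "ok"
        }
    ' "$1"
}

# Constructed status excerpt: sample_status "<Uid ids>" "<Gid ids>" <CapPrm hex>
sample_status() {
    printf 'Name:\tdemo\nUid:\t%s\nGid:\t%s\n' "$1" "$2"
    printf 'CapInh:\t0000000000000000\nCapPrm:\t%s\n' "$3"
    printf 'CapEff:\t0000000000000000\nCapBnd:\t0000001fffffffff\n'
}

# Demo: task owned by uid 1000 but running with euid/suid 0 (constructed).
sample_status "1000 0 0 1000" "1000 1000 1000 1000" 0000000000000000 |
    criu_user_check - 1000 1000 || :
# Against a live task: criu_user_check /proc/1234/status "$(id -u)" "$(id -g)"
```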

Further reading