criu icon indicating copy to clipboard operation
criu copied to clipboard

Published 20 hours ago verified publisher icon checkpoint-restore

Non-root Restore Error: Uable to set real, effective and saved group ID: -1

Open zcharlesz opened this issue 2 years ago • 4 comments

I tried to use non-root to save and restore program;

Save works perfectly, while restore gives Error below:

pie: 34336: seccomp: mode 0 on tid 34336 .... Error (criu/pie/restorer.c:243): Uable to set real, effective and saved group ID: -1 Error (criu/pie/restorer.c:752): BUG at criu/pie/restorer.c:752 ....

I've set all linux capabilies for criu (include cap_setuid,cap_setgid,cap_fsetid):

Capabilies have been set : cap_syslog,cap_syslog,cap_mac_override,cap_setfcap,cap_audit_control,cap_audit_write,cap_lease,cap_mknod,cap_sys_tty_config,cap_sys_time,cap_sys_resource,cap_sys_nice,cap_sys_boot,cap_sys_admin,cap_sys_pacct,cap_sys_ptrace,cap_sys_chroot,cap_sys_rawio,cap_sys_module,cap_ipc_owner,cap_ipc_lock,cap_net_raw,cap_net_admin,cap_net_broadcast,cap_net_bind_service,cap_linux_immutable,cap_setpcap,cap_setuid,cap_setgid,cap_kill,cap_fsetid,cap_fowner,cap_dac_read_search,cap_dac_override,cap_chown+eip /usr/local/sbin/criu

Any ideas about this error?

CRIU full dump/restore logs: 

(paste your output here)
Output of `criu --version`: 

3.17
Output of `criu check --all`: 

![image](https://user-images.githubusercontent.com/120101215/212295763-d44add59-3c41-4a1e-9711-c2177e42b048.png)

Additional environment details:

CentOS Linux release 7.9.2009 (Core) kernel: 3.10.0-1160.el7.x86_64

zcharlesz avatar Jan 13 '23 10:01 zcharlesz

At this point I would not try to use CRIU on CentOS 7. That is a really old OS and CRIU was only available as a tech preview. You should try something newer. With all these capabilities set you can also run it just as root.

@ymanton any ideas? Have you seen something like this before?

adrianreber avatar Jan 13 '23 14:01 adrianreber

I've seen setgroups fail for reasons that I haven't completely figured out, but that is the first such call in that part of the code, where as in this case setgroups and others that require CAP_SETUID have succeeded but setresgid fails.

I'd suggest trying CentOS 8 as a first step.

https://github.com/checkpoint-restore/criu/blob/4109cfb2064f69bf9e00a3206a49b78b98433b6f/criu/pie/restorer.c#L188-L324

ymanton avatar Jan 13 '23 15:01 ymanton

Thanks for your reply, I'll try with newer system.

zcharlesz avatar Jan 16 '23 03:01 zcharlesz

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Feb 16 '23 00:02 github-actions[bot]