Setting log file in runc.conf with enabled SELinux causes the parasite code to fail
The /etc/criu/runc.conf config file allows users to overwrite default CRIU options specified by the container runtime via RPC. This is particularly useful for options such as --log-file that allow setting a custom path for the file that contains CRIU logging messages. However, when SELinux is enabled, specifying this option causes CRIU to fail with the following error:
$ getenforce
Enforcing
$ cat /etc/criu/runc.conf
log-file=/tmp/criu.log
$ sudo podman run -d --name looper busybox /bin/sh -c \
'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
$ sudo podman container checkpoint -l
$ sudo tail -n 25 /tmp/criu.log
(00.364416) x86: cwd:0x37f swd:0 twd:0 fop:0 mxcsr:0x1f80 mxcsr_mask:0xffff
(00.364421) x86: magic1:0x46505853 extended_size:580 xstate_bv:0x3 xstate_size:576
(00.364425) x86: xstate_bv: 0x3
(00.364427) x86: -----------------------
(00.364430) Putting tsock into pid 5946
(00.364844) Wait for parasite being daemonized...
(00.364854) Wait for ack 2 on daemon socket
(00.365266) Error (compel/src/lib/infect-rpc.c:44): Message reply from daemon is trimmed (12/0)
(00.365280) Error (compel/src/lib/infect.c:724): Can't switch parasite 5946 to daemon mode 0
(00.365300) Error (compel/src/lib/ptrace.c:73): POKEDATA failed: No such process
(00.365303) Error (compel/src/lib/ptrace.c:96): Can't poke 5946 @ 0x56361597c000 from 0x7ffc3b4fd0b8 sized 8
(00.365310) Error (compel/src/lib/ptrace.c:73): POKEDATA failed: No such process
(00.365312) Error (compel/src/lib/ptrace.c:100): Can't restore the original data with poke
(00.365315) Error (compel/src/lib/infect.c:635): Can't inject syscall blob (pid: 5946)
(00.365318) Warn (criu/parasite-syscall.c:442): Can't cure failed infection
(00.365322) Error (criu/cr-dump.c:1627): Can't infect (pid: 5946) with parasite
(00.365524) net: Unlock network
(00.365530) Running network-unlock scripts
(00.365534) RPC
(00.456471) amdgpu_plugin: finished amdgpu_plugin (AMDGPU/KFD)
(00.456905) Unfreezing tasks into 1
(00.456917) Unseizing 5946 into 1
(00.456931) Error (compel/src/lib/infect.c:416): Unable to detach from 5946: No such process
(00.456937) Unseizing 5988 into 1
(00.456974) Error (criu/cr-dump.c:2128): Dumping FAILED.
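To triage a failure like the one in the log above, it helps to pull the structured fields out of CRIU's log lines (timestamp, level, source file:line, message) and look at the first Error entry, since later errors usually cascade from it. The parser below is an added example, not CRIU or Podman code; the sample lines are constructed from the log in this issue and the `Entry` field names are my own.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of the CRIU log quoted in this issue.
SAMPLE_LOG = """\
(00.364430) Putting tsock into pid 5946
(00.364844) Wait for parasite being daemonized...
(00.365266) Error (compel/src/lib/infect-rpc.c:44): Message reply from daemon is trimmed (12/0)
(00.365280) Error (compel/src/lib/infect.c:724): Can't switch parasite 5946 to daemon mode 0
(00.365318) Warn (criu/parasite-syscall.c:442): Can't cure failed infection
(00.365322) Error (criu/cr-dump.c:1627): Can't infect (pid: 5946) with parasite
(00.456974) Error (criu/cr-dump.c:2128): Dumping FAILED.
"""

# "(ts) [Level (src/file.c:NN): ]message"; level/src are absent on plain info lines.
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+"
    r"(?:(?P<level>Error|Warn)\s+\((?P<src>[^)]+)\):\s+)?"
    r"(?P<msg>.*)$"
)

class Entry(NamedTuple):
    ts: float
    level: str            # "Error", "Warn" or "Info"
    src: Optional[str]    # e.g. "compel/src/lib/infect.c:724", None for info lines
    msg: str

def parse_criu_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CRIU log record (e.g. shell prompt output); skip it
        entries.append(Entry(float(m["ts"]), m["level"] or "Info", m["src"], m["msg"]))
    return entries

def first_error(entries: List[Entry]) -> Optional[Entry]:
    """The earliest Error is normally the root cause; later ones follow from it."""
    return next((e for e in entries if e.level == "Error"), None)

def parasite_pid(entries: List[Entry]) -> Optional[int]:
    """PID of the task CRIU could not infect with the parasite, if any."""
    for e in entries:
        m = re.search(r"Can't infect \(pid: (\d+)\) with parasite", e.msg)
        if m:
            return int(m.group(1))
    return None

def dump_failed(entries: List[Entry]) -> bool:
    return any(e.msg.startswith("Dumping FAILED") for e in entries)
```

Feed it the real file with `parse_criu_log(open("/tmp/criu.log").read())` and pair the reported PID with the matching AVC denials from ausearch.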
A friendly reminder that this issue had no activity for 30 days.
Initially I wanted to say this is because Podman pre-creates an empty log-file with the correct SELinux context. The error, however, doesn't seem to be directly related to the log-file. I think it would be helpful to see the AVC denials. Run something like: ausearch -m AVC -m USER_AVC -ts recent. This will list all denials from the last 10 minutes.