criu
iptables prevents multiple restores
Posting this as an FYI as I could not find a related issue on this.
The issue:
Running criu restore using --tcp-established multiple times fails due to:
Error (criu/netfilter.c:90): Iptables configuration failed
iptables: Bad rule (does a matching rule exist in that chain?).
Expected behavior is that once a process has exited it can be restored again. In this case, when restoring the process the second time, an iptables rule doesn't exist and cannot be deleted, which causes the error to be thrown.
Current workaround:
Currently I just run iptables -A ... (append rule) command every time before I want to restore the process again. This way I add the rule and then iptables is able to delete the rule successfully (and criu restore succeeds).
Tested on:
Criu version 2.6
Ubuntu version 16.04.4
Linux version 4.4.0-116-generic
Dump command: criu dump -t 22615 -vvvv --tcp-established
Restore command: criu restore -d -vvvv --tcp-established
Program being dumped is libstrophe
Logs:
stats-dump:
"freezing_time": 153
"frozen_time": 9266
"memdump_time": 491
"memwrite_time": 162
"pages_scanned": 6035
"pages_skipped_parent": 0
"pages_written": 146
"irmap_resolve": 0
stats-restore:
"pages_compared": 0
"pages_skipped_cow": 0
"forking_time": 21838
"restore_time": 25918
"pages_restored": 146
This error isn't fatal. Iptables rules are needed to block dumped TCP connections. What is your use-case? Do you need to restore tcp connections?
It is fatal in the sense that the process doesn't run after calling criu restore for a second time.
The problem in this case is that the iptables rule is added during dump, is removed during restore but is not added back after the process finishes running, so the restore cannot be conducted again.
My use case is to test/debug the program (potentially a client/server pair with TCP connection) at a particular point during execution, several times. The workaround works well for me (simply adding the iptables rule back manually is easy to do), but a more permanent solution would be to check if the iptables rule exists before deleting it, making multiple subsequent restores possible by default.
Perhaps it is too much of an edge-case, which is why I mention it as an FYI.
@vasilyrud I think I understand the problem. I would suggest running these processes in a container; in this case, you will not have this problem.
Currently I just run iptables -A ... (append rule) command every time before I want to restore the process again. This way I add the rule and then iptables is able to delete the rule successfully (and criu restore succeeds
I encounter the same problem.
sunsky@sunsky:/popcorn/hcontainer-experiment/redis-het/aarch64$ sudo criu restore -j --tcp-established
iptables: Bad rule (does a matching rule exist in that chain?).
Error (criu/util.c:816): exited, status=1
Error (criu/netfilter.c:103): Iptables configuration failed
Could you pls tell me how to add the rule and then criu can restore successfully?
@vasilyrud I met the same problem with restore ... Could you show the way to work around it or just to fix it?
['./criu-ns', 'restore', '-j', '-D', './graph500-ckpt/', '--tcp-established']
iptables: Bad rule (does a matching rule exist in that chain?).
Error (criu/util.c:618): exited, status=1
Error (criu/netfilter.c:103): Iptables configuration failed
iptables: Bad rule (does a matching rule exist in that chain?).
Error (criu/util.c:618): exited, status=1
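The workaround from the first post (re-adding the rule before each restore), combined with the check-before-change idea it suggests, as an added shell example that is not part of the thread or of CRIU: it re-appends only the saved rules that iptables -C reports missing. The thread does not show the exact rule, so the script assumes a rules file holding lines in iptables -S format captured after the dump; the file and the IPTABLES override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not CRIU code): re-add saved iptables rules that are missing,
# so the rule deletion done by `criu restore --tcp-established` can succeed.
# Assumption: the rules file holds lines in `iptables -S` format
# ("-A CHAIN <spec>") captured after `criu dump`; its name is hypothetical.
# IPTABLES may be overridden to point at another binary or a test stub.
IPTABLES="${IPTABLES:-iptables}"

# rule_present CHAIN SPEC...  -> exit 0 if that exact rule exists (-C = --check)
rule_present() {
    "$IPTABLES" -C "$@" 2>/dev/null
}

# ensure_rules RULES_FILE -> prints how many rules had to be re-added
ensure_rules() {
    file=$1
    added=0
    while IFS= read -r line; do
        case "$line" in
            "-A "*) ;;          # only append-style rule lines are handled
            *) continue ;;      # skip policies (-P), chain definitions, blanks
        esac
        # Split on whitespace with globbing off; assumes simple address/port
        # DROP specs without quoted arguments.
        set -f; set -- $line; set +f
        shift                   # drop the leading "-A", leaving CHAIN SPEC...
        if ! rule_present "$@"; then
            "$IPTABLES" -A "$@" || return 1
            added=$((added + 1))
        fi
    done < "$file"
    echo "$added"
}
```

Call ensure_rules with the saved rules file as root before each repeated criu restore; a result of 0 means every saved rule was already in place.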
A friendly reminder that this issue had no activity for 30 days.
I got the same error... :(
I got the same error too