-
Notifications
You must be signed in to change notification settings - Fork 617
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sk-inet: Add support for checkpoint/restore of ICMP sockets #2558
base: criu-dev
Are you sure you want to change the base?
Conversation
Currently there is no option to checkpoint/restore programs that use ICMP sockets, such as `ping`. This patch adds support for the same. Fixes checkpoint-restore#2557 Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
@ss141309 Thank you for opening this pull request! Would you be able to add a ZDTM test for this functionality? Example: |
Add a ZDTM static test for the ICMP socket feature. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
@rst0git oops, it looks like I forgot to add an IP6 version of the test, do I need to create it? |
It would be good to have test for this. CRIU is used in some production environments where only IPv6 addresses are being used. |
As far as I remember, ICMP sockets can have attached filters and we need to dump them. Pls take a look at c2cbcaf, maybe some code can be reused. |
ZDTM test suite creates separate network namespaces to run tests. These namespaces do not preserve the value of the sysctl variable `net.ipv4.ping_group_range` which allows the creation of unprivileged ICMP sockets. This commit modifies the variable after the namespaces have been created to allow every GID to create unprivileged ICMP sockets. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
it seems that the tests are failing because of the GIDs being set in the ping_group_range variable. What should I set them to in the |
The test gid is 58467: Line 507 in 7c66617
Line 444 in 7c66617
I think "58467 58468" is the right range in this case. |
ICMP filters are only attached when using SOCK_RAW, since unprivileged ICMP sockets only accept ICMP_ECHO and ICMP_ECHOREPLY type messages |
6f97c64
to
9c54c86
Compare
criu/sk-inet.c
Outdated
char buffer[16]; | ||
|
||
struct sysctl_req req[] = { | ||
{ "net/ipv4/ping_group_range", &buffer, CTL_STR(16) }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
C/R of net/ipv4/ping_group_range should be in dump_netns_conf and restore_netns_conf.
Overall, it looks good to me. We need to move C/R of the sysctl to the proper place and resort patches. I will do all of that this week. Thanks for the contribution. |
@ss141309 Would you be able update the pull request to apply the fixup changes into previous commits? |
Dump and restore the net.ipv4.ping_group_range variable to allow the creation of unprivileged ICMP sockets. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
Set the sysctl variable net.ipv4.ping_group_range to 40000-50000 to allow other tests to pass. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
@rst0git I did the changes, is it now alright? |
@ss141309 Would you be able to apply the change from |
modify the IP4/ICMP test so that the socket is created before the call to `test_daemon()` and `test_waitsig()`. Also add a test IP6/ICMP. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
Set the sysctl variable net.ipv4.ping_group_range to 0-58468 since the zdtm test GID is in this range. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
Fixes the `stack-use-after-scope` error from the address sanitizer since the local variable `buffer`, goes out of scope. Signed-off-by: समीर सिंह Sameer Singh <[email protected]>
We need to integrate it into dump_netns_conf/restore_netns_conf, probably taking as an example ebe3b52353c This value belongs to namespace, not to socket. |
Should I make a new commit or edit the existing one and force push the changes? |
@ss141309 I did proper handling of ping_group_range c/r here #2565, you can rebase on top of it when/if it is merged. Machinery of sysctls in CRIU is a bit too complex, I must admit. And so I helped you a bit here, as you can see there is a lot of code to do one more sysctl in the directory which is not yet handled. |
@@ -332,6 +344,10 @@ int ns_init(int argc, char **argv) | |||
if (create_timens()) | |||
exit(1); | |||
|
|||
if (set_ping_group_range() < 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this should not be done in generic code, please move this logic into test/zdtm/static/socket6_icmp.c the test itself.
Currently there is no option to checkpoint/restore programs that use ICMP sockets, such as
ping
. This patch adds support for the same.Fixes #2557