Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docker checkpoint create failed: Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted #2391

Open
HeyKerwin opened this issue Apr 17, 2024 · 2 comments
Open

docker checkpoint create failed: Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted #2391

HeyKerwin opened this issue Apr 17, 2024 · 2 comments
Labels
stale-issue

Comments

@HeyKerwin
Copy link

HeyKerwin commented Apr 17, 2024
edited

Description

I'm trying to use docker checkpoint, but I get this error:
Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted

Steps to reproduce the issue:

  1. create container
docker run -d --name looper --security-opt seccomp:unconfined busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'

or

docker run -d --name looper --privileged busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'

errors are same

  1. create checkpoint
docker checkpoint create looper checkpoint1

then error occurs:

Error response from daemon: Cannot checkpoint container looper: runc did not terminate successfully: exit status 1: criu failed: type NOTIFY errno 0 path= /run/containerd/io.containerd.runtime.v2.task/moby/756b8282257018b1f9daf2f924bc8e4f7c24bb43b7b40b707e4dfc4506b5a7a2/criu-dump.log: unknown

CRIU logs and information:

(00.000000) Unable to get $HOME directory, local configuration file will not be used.
(00.000041) Version: 3.16.1 (gitid 0)
(00.000046) Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
(00.000049) Would overwrite RPC settings with values from /etc/criu/runc.conf
(00.000060) Loaded kdat cache from /run/criu.kdat
(00.000188) ========================================
(00.000193) Dumping processes (pid: 157934)
(00.000195) ========================================
(00.000226) rlimit: RLIMIT_NOFILE unlimited for self
(00.000239) Running pre-dump scripts
(00.000242)     RPC
(00.000506) irmap: Searching irmap cache in work dir
(00.000526) No irmap-cache image
(00.000530) irmap: Searching irmap cache in parent
(00.000535) No parent images directory provided
(00.000538) irmap: No irmap cache
(00.000551) cpu: x86_family 6 x86_vendor_id GenuineIntel x86_model_id Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
(00.000556) cpu: fpu: xfeatures_mask 0x5 xsave_size 832 xsave_size_max 832 xsaves_size 832
(00.000564) cpu: fpu: x87 floating point registers     xstate_offsets      0 / 0      xstate_sizes    160 / 160
(00.000567) cpu: fpu: AVX registers                    xstate_offsets    576 / 576    xstate_sizes    256 / 256
(00.000570) cpu: fpu:1 fxsr:1 xsave:1 xsaveopt:1 xsavec:1 xgetbv1:1 xsaves:1
(00.000732) cg-prop: Parsing controller "cpu"
(00.000737) cg-prop:    Strategy "replace"
(00.000739) cg-prop:    Property "cpu.shares"
(00.000742) cg-prop:    Property "cpu.cfs_period_us"
(00.000744) cg-prop:    Property "cpu.cfs_quota_us"
(00.000747) cg-prop:    Property "cpu.rt_period_us"
(00.000749) cg-prop:    Property "cpu.rt_runtime_us"
(00.000751) cg-prop: Parsing controller "memory"
(00.000754) cg-prop:    Strategy "replace"
(00.000756) cg-prop:    Property "memory.limit_in_bytes"
(00.000759) cg-prop:    Property "memory.memsw.limit_in_bytes"
(00.000761) cg-prop:    Property "memory.swappiness"
(00.000763) cg-prop:    Property "memory.soft_limit_in_bytes"
(00.000766) cg-prop:    Property "memory.move_charge_at_immigrate"
(00.000768) cg-prop:    Property "memory.oom_control"
(00.000770) cg-prop:    Property "memory.use_hierarchy"
(00.000773) cg-prop:    Property "memory.kmem.limit_in_bytes"
(00.000775) cg-prop:    Property "memory.kmem.tcp.limit_in_bytes"
(00.000777) cg-prop: Parsing controller "cpuset"
(00.000780) cg-prop:    Strategy "replace"
(00.000783) cg-prop:    Property "cpuset.cpus"
(00.000785) cg-prop:    Property "cpuset.mems"
(00.000787) cg-prop:    Property "cpuset.memory_migrate"
(00.000790) cg-prop:    Property "cpuset.cpu_exclusive"
(00.000792) cg-prop:    Property "cpuset.mem_exclusive"
(00.000794) cg-prop:    Property "cpuset.mem_hardwall"
(00.000797) cg-prop:    Property "cpuset.memory_spread_page"
(00.000799) cg-prop:    Property "cpuset.memory_spread_slab"
(00.000801) cg-prop:    Property "cpuset.sched_load_balance"
(00.000825) cg-prop:    Property "cpuset.sched_relax_domain_level"
(00.000831) cg-prop: Parsing controller "blkio"
(00.000834) cg-prop:    Strategy "replace"
(00.000836) cg-prop:    Property "blkio.weight"
(00.000839) cg-prop: Parsing controller "freezer"
(00.000842) cg-prop:    Strategy "replace"
(00.000844) cg-prop: Parsing controller "perf_event"
(00.000847) cg-prop:    Strategy "replace"
(00.000850) cg-prop: Parsing controller "net_cls"
(00.000852) cg-prop:    Strategy "replace"
(00.000855) cg-prop:    Property "net_cls.classid"
(00.000857) cg-prop: Parsing controller "net_prio"
(00.000860) cg-prop:    Strategy "replace"
(00.000862) cg-prop:    Property "net_prio.ifpriomap"
(00.000865) cg-prop: Parsing controller "pids"
(00.000867) cg-prop:    Strategy "replace"
(00.000870) cg-prop:    Property "pids.max"
(00.000872) cg-prop: Parsing controller "devices"
(00.000875) cg-prop:    Strategy "replace"
(00.000877) cg-prop:    Property "devices.list"
(00.000902) Preparing image inventory (version 1)
(00.000961) Add pid ns 1 pid 158122
(00.000972) Add net ns 2 pid 158122
(00.000979) Add ipc ns 3 pid 158122
(00.000987) Add uts ns 4 pid 158122
(00.000994) Add time ns 5 pid 158122
(00.001005) Add mnt ns 6 pid 158122
(00.001013) Add user ns 7 pid 158122
(00.001026) Add cgroup ns 8 pid 158122
(00.001029) cg: Dumping cgroups for 158122
(00.001044) cg:  `- New css ID 1
(00.001047) cg:     `- [] -> [/system.slice/containerd.service] [0]
(00.001049) cg: Set 1 is criu one
(00.001080) Detected cgroup V2 freezer
(00.001082) freezing processes: 100000 attempts with 100 ms steps
(00.001094) cgroup.freeze=1
(00.001145) SEIZE 157934: success
(00.001618) Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted
(00.001744) Unlock network
(00.001768) Unfreezing tasks into 1
(00.001771)     Unseizing 157934 into 1
(00.001775) Error (compel/src/lib/infect.c:355): Unable to detach from 157934: No such process
(00.001782) Error (criu/cr-dump.c:1781): Dumping FAILED.

Output of `criu --version`: 

Version: 3.16.1

Output of `criu check --all`: 

Error (criu/cr-check.c:803): couldn't suspend seccomp: Operation not permitted
Error (criu/cr-check.c:845): Dumping seccomp filters not supported: Permission denied
Warn  (criu/cr-check.c:855): Dirty tracking is OFF. Memory snapshot will not work.
Looks good but some kernel features are missing
which, depending on your process tree, may cause
dump or restore failure.

Additional environment details:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

# uname -a
Linux Laptop-Kerwin 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

# docker version
Client:
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.3
 Git commit:        24.0.5-0ubuntu1~22.04.1
 Built:             Mon Aug 21 19:50:14 2023
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.3
  Git commit:       24.0.5-0ubuntu1~22.04.1
  Built:            Mon Aug 21 19:50:14 2023
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.7.2
  GitCommit:
 runc:
  Version:          1.1.7-0ubuntu1~22.04.2
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:

Others

Simple_loop this demo can't also work well

# cat dump.log
(00.000046) Version: 3.16.1 (gitid 0)
(00.000067) Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
(00.000081) Loaded kdat cache from /run/criu.kdat
(00.000160) ========================================
(00.000173) Dumping processes (pid: 179729)
(00.000176) ========================================
(00.000183) rlimit: RLIMIT_NOFILE unlimited for self
(00.000192) Running pre-dump scripts
(00.000219) irmap: Searching irmap cache in work dir
(00.000236) No irmap-cache image
(00.000240) irmap: Searching irmap cache in parent
(00.000246) No parent images directory provided
(00.000249) irmap: No irmap cache
(00.000264) cpu: x86_family 6 x86_vendor_id GenuineIntel x86_model_id Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
(00.000269) cpu: fpu: xfeatures_mask 0x5 xsave_size 832 xsave_size_max 832 xsaves_size 832
(00.000279) cpu: fpu: x87 floating point registers     xstate_offsets      0 / 0      xstate_sizes    160 / 160
(00.000283) cpu: fpu: AVX registers                    xstate_offsets    576 / 576    xstate_sizes    256 / 256
(00.000287) cpu: fpu:1 fxsr:1 xsave:1 xsaveopt:1 xsavec:1 xgetbv1:1 xsaves:1
(00.000663) cg-prop: Parsing controller "cpu"
(00.000672) cg-prop:    Strategy "replace"
(00.000676) cg-prop:    Property "cpu.shares"
(00.000679) cg-prop:    Property "cpu.cfs_period_us"
(00.000682) cg-prop:    Property "cpu.cfs_quota_us"
(00.000685) cg-prop:    Property "cpu.rt_period_us"
(00.000688) cg-prop:    Property "cpu.rt_runtime_us"
(00.000691) cg-prop: Parsing controller "memory"
(00.000694) cg-prop:    Strategy "replace"
(00.000697) cg-prop:    Property "memory.limit_in_bytes"
(00.000700) cg-prop:    Property "memory.memsw.limit_in_bytes"
(00.000703) cg-prop:    Property "memory.swappiness"
(00.000706) cg-prop:    Property "memory.soft_limit_in_bytes"
(00.000709) cg-prop:    Property "memory.move_charge_at_immigrate"
(00.000712) cg-prop:    Property "memory.oom_control"
(00.000715) cg-prop:    Property "memory.use_hierarchy"
(00.000718) cg-prop:    Property "memory.kmem.limit_in_bytes"
(00.000721) cg-prop:    Property "memory.kmem.tcp.limit_in_bytes"
(00.000724) cg-prop: Parsing controller "cpuset"
(00.000727) cg-prop:    Strategy "replace"
(00.000730) cg-prop:    Property "cpuset.cpus"
(00.000733) cg-prop:    Property "cpuset.mems"
(00.000736) cg-prop:    Property "cpuset.memory_migrate"
(00.000739) cg-prop:    Property "cpuset.cpu_exclusive"
(00.000742) cg-prop:    Property "cpuset.mem_exclusive"
(00.000745) cg-prop:    Property "cpuset.mem_hardwall"
(00.000748) cg-prop:    Property "cpuset.memory_spread_page"
(00.000751) cg-prop:    Property "cpuset.memory_spread_slab"
(00.000754) cg-prop:    Property "cpuset.sched_load_balance"
(00.000757) cg-prop:    Property "cpuset.sched_relax_domain_level"
(00.000760) cg-prop: Parsing controller "blkio"
(00.000763) cg-prop:    Strategy "replace"
(00.000766) cg-prop:    Property "blkio.weight"
(00.000769) cg-prop: Parsing controller "freezer"
(00.000772) cg-prop:    Strategy "replace"
(00.000775) cg-prop: Parsing controller "perf_event"
(00.000778) cg-prop:    Strategy "replace"
(00.000781) cg-prop: Parsing controller "net_cls"
(00.000784) cg-prop:    Strategy "replace"
(00.000787) cg-prop:    Property "net_cls.classid"
(00.000790) cg-prop: Parsing controller "net_prio"
(00.000793) cg-prop:    Strategy "replace"
(00.000796) cg-prop:    Property "net_prio.ifpriomap"
(00.000799) cg-prop: Parsing controller "pids"
(00.000802) cg-prop:    Strategy "replace"
(00.000805) cg-prop:    Property "pids.max"
(00.000808) cg-prop: Parsing controller "devices"
(00.000811) cg-prop:    Strategy "replace"
(00.000814) cg-prop:    Property "devices.list"
(00.000951) Preparing image inventory (version 1)
(00.000987) Add pid ns 1 pid 179931
(00.000998) Add net ns 2 pid 179931
(00.001007) Add ipc ns 3 pid 179931
(00.001015) Add uts ns 4 pid 179931
(00.001027) Add time ns 5 pid 179931
(00.001040) Add mnt ns 6 pid 179931
(00.001049) Add user ns 7 pid 179931
(00.001058) Add cgroup ns 8 pid 179931
(00.001062) cg: Dumping cgroups for 179931
(00.001079) cg:  `- New css ID 1
(00.001083) cg:     `- [] -> [/user.slice/user-0.slice/session-c6.scope] [0]
(00.001093) cg: Set 1 is criu one
(00.001160) Detected cgroup V1 freezer
(00.001529) Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted
(00.001754) Unlock network
(00.001812) Unfreezing tasks into 1
(00.001845)     Unseizing 179729 into 1
(00.001853) Error (compel/src/lib/infect.c:355): Unable to detach from 179729: No such process
(00.001967) Error (criu/cr-dump.c:1781): Dumping FAILED.

These are the same problem: suspending seccomp failed: Operation not permitted
@rst0git
Copy link
Member

rst0git commented Apr 17, 2024

Running on Laptop-Kerwin Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64

@HeyKerwin Using CRIU with Windows Subsystem for Linux (WSL) has not been well tested. Would you be able to run docker in a Linux VM instead?

@github-actions GitHub Actions
Copy link

A friendly reminder that this issue had no activity for 30 days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rst0git @HeyKerwin