pipe: Fall back to write() on vmsplice() EPERM #2294
base: criu-dev
Conversation
vmsplice can be blocked via seccomp and currently is in Podman containers. Signed-off-by: Younes Manton <ymanton@ca.ibm.com>
Hm, this seems like a workaround for a specific environment setup, rather than for kernel code.
@ymanton I looked at the list [1] and can't figure out why they decided to block vmsplice. It looks like a mistake.
Thanks. The discussion on lkml is very long and deep in kernel internals that I don't understand, but from what I can gather there is some worry that https://lore.kernel.org/linux-mm/X+Kxy3oBMSLz8Eaq@redhat.com/:
https://lore.kernel.org/linux-mm/X+PoXCizo392PBX7@redhat.com/:
So unless you guys think otherwise I doubt we will convince the Podman folks to unblock it any time soon, and some others might follow in their footsteps. I don't mind making it a config option. Do we want an option that avoids all uses of
Can we in CRIU temporarily disable this seccomp rule while restoring (e.g. only for the restored container) or even restore seccomp rules later, after vmsplicing everything we need to?
@Snorch I think it is about unprivileged C/R. In this case, we can't suspend seccomp.
A friendly reminder that this PR had no activity for 30 days.
vmsplice can be blocked via seccomp and currently is in Podman containers. CRIU uses vmsplice a lot on the checkpoint side, so it's easier to just run with `seccomp=unconfined` in that case. On the restore side I've only seen one use in `restore_pipe_data` being reached, so rather than forcing users to run with a custom profile or disable seccomp altogether it might be better to just fall back to calling write, which this patch does.
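As an added illustration (not CRIU's code and not this patch): a minimal C version of the fallback the PR describes, plus a helper that installs a seccomp filter denying `vmsplice` with EPERM the way a container profile does, so the fallback path can be exercised locally. The names `pipe_send` and `block_vmsplice` are mine, and the function also treats ENOSYS as a reason to fall back, which goes beyond the patch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

/* Install a BPF seccomp filter that makes vmsplice() fail with EPERM while
 * allowing every other syscall, mimicking a container profile that denies it.
 * Returns 0 on success, -1 if the process is not allowed to install a filter. */
int block_vmsplice(void)
{
	struct sock_filter filter[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_vmsplice, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = { .len = 4, .filter = filter };

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Push len bytes of buf into pipe_fd. vmsplice() is tried first; on EPERM
 * (seccomp denial) or ENOSYS the remaining bytes go through write() instead.
 * Short transfers are retried. Returns bytes sent, or -1 with errno set. */
ssize_t pipe_send(int pipe_fd, const char *buf, size_t len, int *fell_back)
{
	size_t done = 0;

	*fell_back = 0;
	while (done < len) {
		ssize_t n;
		if (!*fell_back) {
			struct iovec iov = { .iov_base = (void *)(buf + done), .iov_len = len - done };
			n = vmsplice(pipe_fd, &iov, 1, 0);
			if (n < 0 && (errno == EPERM || errno == ENOSYS)) {
				*fell_back = 1; /* switch to write() for the rest of the buffer */
				continue;
			}
		} else {
			n = write(pipe_fd, buf + done, len - done);
		}
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		done += (size_t)n;
	}
	return (ssize_t)done;
}
```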