Checkpoint/restore of ICMP sockets is not supported #2557

kissaxin572 · 2024-12-23T07:54:06Z

Description
My environment is Ubuntu20.04 with Docker version 27.4.0, Criu version 4.0. I tried to checkpoint a container running a command "ping www.baidu.com", but i failed. From the logs, it seems to be related to the ICMP protocol. When i tried to checkpoint a container running a command "tcpdump", it also failed.

Steps to reproduce the issue:

docker run -d --name base --privileged --security-opt seccomp:unconfined pure_ubuntu20 /bin/bash -c "ping www.baidu.com; tail -f /dev/null"
docker checkpoint create --leave-running=true base ck1

Describe the results you received:
root@ubuntu20:/home/ubuntu20/Workspace/Scripts# docker run -d --name base --privileged --security-opt seccomp:unconfined pure_ubuntu20 /bin/bash -c "ping www.baidu.com; tail -f /dev/null"
baea6deb367e3f341b46d5f8e40bba5fc6b250beda63fc3af5727b6276f001ea
root@ubuntu20:/home/ubuntu20/Workspace/Scripts# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
baea6deb367e pure_ubuntu20 "/bin/bash -c 'ping …" 2 seconds ago Up 2 seconds base
root@ubuntu20:/home/ubuntu20/Workspace/Scripts# docker checkpoint create --leave-running=true base ck1
Error response from daemon: Cannot checkpoint container base: runc did not terminate successfully: exit status 1: criu failed: type DUMP errno 0 path= /run/containerd/io.containerd.runtime.v2.task/moby/baea6deb367e3f341b46d5f8e40bba5fc6b250beda63fc3af5727b6276f001ea/criu-dump.log: unknown

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

CRIU logs and information:

CRIU full dump/restore logs:

(00.049250) Error (criu/sk-inet.c:130): inet: Unsupported proto 1 for socket 6160e2
(00.049256) ----------------------------------------
(00.049268) Error (criu/cr-dump.c:1681): Dump files (pid: 1095920) failed with -1
(00.049273) Waiting for 1095920 to trap
(00.049276) Daemon 1095920 exited trapping
(00.049282) Sent msg to daemon 3 0 0
pie: 7: __fetched msg: 3 0 0
pie: 7: 7: new_sp=0x7f7e5f74c908 ip 0x7f7e5f8b76a7
(00.049322) 1095920 was trapped
(00.049334) 1095920 was trapped
(00.049338) 1095920 (native) is going to execute the syscall 15, required is 15
(00.049350) 1095920 was stopped
(00.049470) net: Unlock network
(00.049473) Running network-unlock scripts
(00.049476) 	RPC
(00.053172) Unfreezing tasks into 1
(00.053182) 	Unseizing 1095893 into 1
(00.053188) 	Unseizing 1095920 into 1
(00.053201) Error (criu/cr-dump.c:2111): Dumping FAILED.

Output of `criu --version`:

root@ubuntu20:/home/ubuntu20/Workspace/Scripts# criu --version
Version: 4.0

Output of `criu check --all`:

root@ubuntu20:/home/ubuntu20/Workspace/Scripts# criu check --all
Warn  (criu/cr-check.c:1348): Nftables based locking requires libnftables and set concatenations support
Looks good but some kernel features are missing
which, depending on your process tree, may cause
dump or restore failure.

Additional environment details:
root@ubuntu20:/home/ubuntu20/Workspace/Scripts# uname -r
5.15.0-125-generic
root@ubuntu20:/home/ubuntu20/Workspace/Scripts# docker --version
Docker version 27.4.0, build bde2b89

The text was updated successfully, but these errors were encountered:

adrianreber · 2024-12-23T14:12:46Z

I am not 100% sure, but taking a quick look at source code it seems CRIU cannot checkpoint ICMP sockets. My ping does the following, to open a socket: socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3.

CRIU has following code:

        /* Make sure it's a proto we support */
        switch (proto) {
        case IPPROTO_IP:
        case IPPROTO_TCP:
        case IPPROTO_UDP:
        case IPPROTO_UDPLITE:
                break;
        default:
                pr_err("Unsupported proto %d for socket %x\n", proto, ino);
                return 0;
        }

IPPROTO_ICMP is not part of the supported protocols. As this just looks to be a test case from your side, try something else. Not ping.

kissaxin572 · 2024-12-24T07:02:10Z

@adrianreber Yeah, i am doing a test. Thanks very much for your reply! Hope IPPROTO_ICMP will be supported some day

adrianreber · 2024-12-24T09:42:46Z

Hope IPPROTO_ICMP will be supported some day

Best way would be to contribute this feature yourself.

Please close the ticket if you have no more questions.

rst0git · 2024-12-24T11:11:47Z

Please close the ticket if you have no more questions.

It might good to keep the issue open.

Currently there is no option to checkpoint/restore programs that use ICMP sockets, such as `ping`. This patch adds support for the same. Fixes checkpoint-restore#2557 Signed-off-by: समीर सिंह Sameer Singh <[email protected]>

rst0git · 2024-12-27T10:55:58Z

Hope IPPROTO_ICMP will be supported some day

@kissaxin572 The patch in #2558 seems to work. Since ICMP is a stateless protocol, the checkpoint/restore implementation is very similar to that of UDP.

rst0git changed the title ~~Error (criu/sk-inet.c:130): inet: Unsupported proto 1 for socket 6160e2~~ Checkpoint/restore of ICMP sockets is not supported Dec 24, 2024

rst0git added the new feature label Dec 24, 2024

ss141309 linked a pull request Dec 26, 2024 that will close this issue

sk-inet: Add support for checkpoint/restore of ICMP sockets #2558

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Checkpoint/restore of ICMP sockets is not supported #2557

Checkpoint/restore of ICMP sockets is not supported #2557

kissaxin572 commented Dec 23, 2024

adrianreber commented Dec 23, 2024

kissaxin572 commented Dec 24, 2024

adrianreber commented Dec 24, 2024

rst0git commented Dec 24, 2024

rst0git commented Dec 27, 2024

Checkpoint/restore of ICMP sockets is not supported #2557

Checkpoint/restore of ICMP sockets is not supported #2557

Comments

kissaxin572 commented Dec 23, 2024

adrianreber commented Dec 23, 2024

kissaxin572 commented Dec 24, 2024

adrianreber commented Dec 24, 2024

rst0git commented Dec 24, 2024

rst0git commented Dec 27, 2024