Multiple Child Processes Restoration Delay #7

Open
n-tk11 opened this issue Oct 13, 2023 · 1 comment
n-tk11 commented Oct 13, 2023

Hello,
Our team has been using FastFreeze and encountered a performance issue in PID control; we would like to share our fix here for future FastFreeze users. We also suggest that you add it to the README.

Issue Description
We've noticed that restoring applications with multiple child processes running in a Docker container takes an unusually long time.
We found that CRIU didn't sort the restoration order by PID, so it falls into the set_ns_last_pid fork hack code.
Adding CAP_CHECKPOINT_RESTORE cannot solve the problem because Docker's default security settings still prevent writing to files in the /proc filesystem.

To bypass this, you have to add:
docker run ... --security-opt systempaths=unconfined --security-opt apparmor=unconfined ...
Or use a custom AppArmor profile only to allow writing to the ns_last_pid file:

...snip...

deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**}-@{PROC}/sys/kernel/ns_last_pid  w,  # deny everything except shm* and ns*(ns_last_pid) in /proc/sys/kernel/

...snip...

We've also written a blog post detailing our findings and the steps we took. You can find the blog post here: Link to Blog Post.
If you have any questions, please feel free to contact us:
[email protected]
[email protected]
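The comment above says the slow path is hit because CRIU cannot write /proc/sys/kernel/ns_last_pid inside the container even when CAP_CHECKPOINT_RESTORE is granted. The script below is an added example, not code from FastFreeze or from the issue author, that checks each precondition separately from inside a container: that the capability bit is actually in CapEff, that the sysctl file accepts a write, and that a write really steers the PID of the next fork (CRIU's fast path). The `--docker` mode launches the probe with the `systempaths=unconfined` / `apparmor=...` options quoted in the comment; the file name `probe.sh`, the `alpine` image and the target PID 4242 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from FastFreeze or from the issue author.
# Probe whether the ns_last_pid shortcut CRIU relies on works in this
# container: capability present, sysctl writable, write steers next PID.

NS_LAST_PID=/proc/sys/kernel/ns_last_pid
CAP_SYS_ADMIN=21            # numbers from linux/capability.h
CAP_CHECKPOINT_RESTORE=40   # Linux 5.9+

# cap_in_mask HEXMASK BIT: print 1 if BIT is set in a CapEff-style mask
# (hex without the 0x prefix, as /proc/self/status shows it), else 0.
cap_in_mask() {
    printf '%s\n' $(( (0x$1 >> $2) & 1 ))
}

# Print this process's effective capability mask.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Return 0 if we hold CAP_CHECKPOINT_RESTORE or CAP_SYS_ADMIN.
has_restore_cap() {
    mask=$(cap_eff_mask)
    [ "$(cap_in_mask "$mask" $CAP_CHECKPOINT_RESTORE)" = 1 ] ||
    [ "$(cap_in_mask "$mask" $CAP_SYS_ADMIN)" = 1 ]
}

# Return 0 if ns_last_pid accepts a write (we rewrite its current value).
# A denial while has_restore_cap succeeds points at the sandbox, i.e.
# Docker's default AppArmor profile or the read-only/masked /proc paths.
ns_last_pid_writable() {
    cur=$(cat "$NS_LAST_PID" 2>/dev/null) || return 1
    echo "$cur" > "$NS_LAST_PID" 2>/dev/null
}

# fork_with_pid WANT: set ns_last_pid to WANT-1, fork exactly once, and
# return 0 if the child really got PID WANT. A mismatch means the write
# was ignored, or WANT was already in use and the kernel skipped it.
fork_with_pid() {
    want=$1
    tmp=$(mktemp) || return 1            # fork for mktemp happens before the write
    echo $((want - 1)) > "$NS_LAST_PID" 2>/dev/null || { rm -f "$tmp"; return 1; }
    sh -c 'echo $$' > "$tmp"             # one fork+exec: this sh is the child
    got=$(cat "$tmp"); rm -f "$tmp"
    echo "child got PID $got (wanted $want)"
    [ "$got" -eq "$want" ]
}

# Run the checks; return non-zero at the first failed precondition.
probe() {
    if has_restore_cap; then echo "restore capability: present"
    else echo "restore capability: missing (try --cap-add CHECKPOINT_RESTORE)"; return 1; fi
    if ns_last_pid_writable; then echo "ns_last_pid: writable"
    else echo "ns_last_pid: write denied (AppArmor profile or systempaths?)"; return 1; fi
    fork_with_pid 4242                   # 4242 is an arbitrary assumed target PID
}

# probe_in_docker [IMAGE] [APPARMOR_PROFILE]: launch this script in a
# container with the options from the issue. IMAGE defaults to alpine
# (assumption); pass a loaded profile name to test it instead of unconfined.
probe_in_docker() {
    image=${1:-alpine}
    profile=${2:-unconfined}
    docker run --rm --cap-add CHECKPOINT_RESTORE \
        --security-opt systempaths=unconfined \
        --security-opt "apparmor=$profile" \
        -v "$(readlink -f "$0"):/probe.sh:ro" "$image" sh /probe.sh --probe
}

case $1 in
    --probe)  probe ;;
    --docker) probe_in_docker "$2" "$3" ;;
esac
```

From the host, `sh probe.sh --docker` runs the three checks under the unconfined settings from the comment; `sh probe.sh --docker alpine my-fastfreeze-profile` does the same under a custom AppArmor profile you have already loaded with `apparmor_parser`, which is the quickest way to confirm that a narrowed deny rule really leaves `ns_last_pid` writable before trusting it for a restore. The `fork_with_pid` check is the one that matters: a container where the file is writable but the forked child does not land on the requested PID still sends CRIU into the slow fallback.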

nviennot (Member) commented Dec 7, 2023

Cool, thank you for the writeup. Did you try the dev branch?
