Radostin Stoyanov 76a41209b0 page-xfer: Add TLS support with X509 certificates
This commit adds Transport Layer Security (TLS) support for remote
page-server connections.

The following command-line options are introduced with this commit:

--tls-cacert  FILE    Trust certificates signed only by this CA
--tls-cacrl   FILE    CA certificate revocation list
--tls-cert    FILE    TLS certificate
--tls-key     FILE    TLS private key
--tls                   Use TLS to secure remote connections

The default PKI locations are:

CA certificate              /etc/pki/CA/cacert.pem
CA revocation list          /etc/pki/CA/cacrl.pem
Client/server certificate   /etc/pki/criu/cert.pem
Client/server private key   /etc/pki/criu/private/key.pem

The files cacert.pem and cacrl.pem are optional. If they are not
present, and not explicitly specified with a command-line option,
CRIU will use only the system's trusted CAs to verify the remote
peer's identity. This implies that if a CA certificate is specified
using "--tls-cacert", only this CA will be used for verification.
If the CA certificate (cacert.pem) is not present, the certificate
revocation list (cacrl.pem) will be ignored.

Both (client and server) sides require a private key and certificate.

When the "--tls" option is specified, a TLS handshake (key exchange)
will be performed immediately after the remote TCP connection has been
accepted.

X.509 certificates can be generated as follows:
-------------------------%<-------------------------
	# Generate CA key and certificate
	echo -ne "ca\ncert_signing_key" > temp
	certtool --generate-privkey > cakey.pem
	certtool --generate-self-signed \
	    --template temp \
	    --load-privkey cakey.pem \
	    --outfile cacert.pem

	# Generate server key and certificate
	echo -ne "cn=$HOSTNAME\nencryption_key\nsigning_key" > temp
	certtool --generate-privkey > key.pem
	certtool --generate-certificate \
	    --template temp \
	    --load-privkey key.pem \
	    --load-ca-certificate cacert.pem \
	    --load-ca-privkey cakey.pem \
	    --outfile cert.pem
	rm temp

	mkdir -p /etc/pki/CA
	mkdir -p /etc/pki/criu/private

	mv cacert.pem /etc/pki/CA/
	mv cert.pem /etc/pki/criu/
	mv key.pem /etc/pki/criu/private
-------------------------%<-------------------------

Usage Example:

Page-server:

 [src]# criu page-server -D <PATH> --port <PORT> --tls

 [dst]# criu dump --page-server --address <SRC> --port <PORT> \
	-t <PID> -D <PATH> --tls

Lazy migration:

 [src]# criu dump --lazy-pages --port <PORT> -t <PID> -D <PATH> --tls

 [dst]# criu lazy-pages --page-server --address <SRC> --port <PORT> \
	-D <PATH> --tls

 [dst]# criu restore -D <PATH> --lazy-pages

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-09-07 15:59:53 +03:00
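The commit message above describes a small trust-resolution policy (explicit option, else default PKI path if present, else the system trust store, with the CRL dropped whenever no CA certificate is in play) and a mutual-authentication handshake where both peers present a certificate. The following is an added example that models that policy with Python's standard ssl module; it is not CRIU's own code (CRIU is written in C and uses GnuTLS), and the function names, the `exists` hook used to make the lookup testable, and the reading that an explicit `--tls-cacrl` is also ignored when no CA certificate is available are this example's assumptions.

```python
import os
import ssl
from dataclasses import dataclass
from typing import Callable, Optional

# Default PKI locations named in the commit message.
DEFAULT_CACERT = "/etc/pki/CA/cacert.pem"
DEFAULT_CACRL = "/etc/pki/CA/cacrl.pem"
DEFAULT_CERT = "/etc/pki/criu/cert.pem"
DEFAULT_KEY = "/etc/pki/criu/private/key.pem"


@dataclass
class TlsPaths:
    cacert: Optional[str]  # None means "verify against the system's trusted CAs"
    cacrl: Optional[str]   # None means "no CRL checking"
    cert: str              # this side's certificate (always required)
    key: str               # this side's private key (always required)


def resolve_tls_paths(cacert_opt: Optional[str] = None,
                      cacrl_opt: Optional[str] = None,
                      cert_opt: Optional[str] = None,
                      key_opt: Optional[str] = None,
                      exists: Callable[[str], bool] = os.path.isfile) -> TlsPaths:
    """Apply the option/default/system-store precedence from the commit message.

    `exists` is an injectable file-presence check (hypothetical helper, added so the
    policy can be exercised without touching /etc/pki).
    """
    cacert = cacert_opt or (DEFAULT_CACERT if exists(DEFAULT_CACERT) else None)
    cacrl = cacrl_opt or (DEFAULT_CACRL if exists(DEFAULT_CACRL) else None)
    if cacert is None:
        # No CA certificate at all: the CRL has nothing to chain to and is ignored
        # (assumption: this also applies when the CRL was given explicitly).
        cacrl = None
    return TlsPaths(cacert=cacert, cacrl=cacrl,
                    cert=cert_opt or DEFAULT_CERT, key=key_opt or DEFAULT_KEY)


def build_context(paths: TlsPaths, server_side: bool) -> ssl.SSLContext:
    """Build the verifying context for one side of the page-server connection.

    Either side gets CERT_REQUIRED, so the peer must present a certificate that
    chains to the chosen trust anchors; with an explicit CA only that CA is trusted.
    """
    if paths.cacert is None:
        # System trust store only: let Python load the platform CA bundle.
        purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
        ctx = ssl.create_default_context(purpose)
    else:
        proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
        ctx = ssl.SSLContext(proto)
        # Deliberately do NOT call load_default_certs(): only this CA is trusted.
        ctx.load_verify_locations(cafile=paths.cacert)
        if paths.cacrl is not None:
            # A PEM CRL loads through the same call; the flag makes it enforced.
            ctx.load_verify_locations(cafile=paths.cacrl)
            ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.verify_mode = ssl.CERT_REQUIRED      # mutual authentication on both sides
    ctx.load_cert_chain(paths.cert, paths.key)
    return ctx


if __name__ == "__main__":
    # Dry run of the policy only (no files are opened by resolve_tls_paths).
    print(resolve_tls_paths(cacert_opt="/tmp/my-ca.pem", exists=lambda p: False))
```

The point worth checking in a deployment is the `cacert is None` branch: it is the only configuration in which a peer certificate issued by any publicly trusted CA would be accepted, so a migration setup that intends to restrict trust to its own CA should confirm `/etc/pki/CA/cacert.pem` is actually present (or pass `--tls-cacert`) rather than relying on the default.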

CRIU -- A project to implement checkpoint/restore functionality for Linux

CRIU (stands for Checkpoint and Restore in Userspace) is a utility to checkpoint/restore Linux tasks.

Using this tool, you can freeze a running application (or part of it) and checkpoint it to a hard drive as a collection of files. You can then use the files to restore and run the application from the point it was frozen at. The distinctive feature of the CRIU project is that it is mainly implemented in user space. There are some more projects doing C/R for Linux, and so far CRIU appears to be the most feature-rich and up-to-date with the kernel.

The project started as a way to do live migration for OpenVZ Linux containers, but later grew into a more sophisticated and flexible tool. It is currently used by (integrated into) OpenVZ, LXC/LXD, Docker, and other software; the project gets tremendous help from the community, and its packages are included in many Linux distributions.

The project home is at http://criu.org. The wiki there contains all the knowledge base we have for CRIU. Pages worth starting with are:

Checkpoint and restore of simple loop process

Advanced features

As the main usage for CRIU is live migration, there's a library for it called P.Haul. The project also exposes two cool core features as standalone libraries: libcompel for parasite code injection and libsoccr for TCP connection checkpoint-restore.

Live migration

True live migration using CRIU is possible, but doing all the steps by hand might be complicated. The phaul sub-project provides a Go library that encapsulates most of the complexity. This library and the Go bindings for CRIU are stored in the go-criu repository.

Parasite code injection

In order to get the state of a running process, CRIU needs to make that process execute some code that fetches the required information. To make this happen without killing the application itself, CRIU uses the parasite code injection technique, which is also available as a standalone library called libcompel.

TCP sockets checkpoint-restore

One of the CRIU features is the ability to save and restore the state of a TCP socket without breaking the connection. This functionality is considered to be useful by itself, and we have it available as the libsoccr library.

How to contribute

The CRIU project is (almost) a never-ending story, because we always have to keep up with the Linux kernel, supporting checkpoint and restore for all the features it provides. Thus we're looking for contributors of all kinds -- feedback, bug reports, testing, coding, writing, etc. Here are some useful hints to get involved.

Licence

The project is licensed under GPLv2 (though files sitting in the lib/ directory are LGPLv2.1).