CRIU 2.0发布,我们重组了criu-2的所有代码,新功能得以完善,漏洞得到修复。
更新日志:
New code layout for sub-projects (e.g. Compel)
Unprivileged dump
Dump/check cpuinfo support for PPC
Explorers for CRIT
Added "post-setup-namespaces" to action scripts
Added timeout for dump procedure (5 sec by default)
Ability to override LSM profile on restore with CLI/RPC option
External bind mounts can be fs-root mounts too
Skip netns' internals on dump and restore (for Docker integration)
Advanced support for external files
External TTYs
C/R for
Mode and uid/gid of cgroup files and dirs
Freeze cgroup state (frozen/thawed)
Task's loginuid and oom score
Per-thread credentials
Filter mode of seccomp
Ghost file in removed directory
Ghost files lutimes
Binfmt-misc FS contents
Netfilter conntracks and expectations
Multi-headed cgroups
CGroup namespaces (no nesting)
优化/提高:
Align parasite stack on 16 bits for correctness
Compilation with native libc syscall wrappers and helpers
Parasite code injection done via memfd system call
Make vaddr to pfn conversion with one less syscall
CRIT shows device numbers in "maj:min" manner
CRIT shows mmap's status in verbose
Docker files for builds on all supported arches
修复:
Absent readlink syscall on ARM (use readlinkat instead) could cause dump to fail
Wrong argument to timer_create system call could cause restore to crash
Extra tasks in freeze cgroup caused dump to fail/hand/crash
Unaligned restore-time object allocations caused lock operations to fail
Opened /proc/pid dir of dead task failed the dump
Unaligned stacks caused criu to fail on aarch64
Changed device numbers on restore side could cause random failures
Fixes in mount points sharing/slavery/propagation restore
Race between mntns creation and fds closing in different tasks could cause restore to fail
Hard kernel limit on TCP repair recv queue restore could cause big queue restore to fail
Unconnected dgram UNIX socket with data lost packets on restore
CRIT didn't show IPC objects
CRIT didn't convert IP addresses in images
Logs from PIE code contained corrupted addresses and sizes
Not loaded netfilter modules could cause dump/restore to stuck on dumping netlink socket
Shared external mounts were restored with error
安全:
User-mode
When checking for namespaces' CRIU entered userns with host creds
弃用/移除:
Completely removed 'show' action. Use CRIT instead.
下载地址:https://criu.org/Download/criu
来自:开源中国社区
