Skip to content

restore: move cgroup restore after creds are prepared#2903

Merged
avagin merged 1 commit intocheckpoint-restore:criu-devfrom
everzakov:move-cgroup-restore
Feb 26, 2026
Merged

restore: move cgroup restore after creds are prepared#2903
avagin merged 1 commit intocheckpoint-restore:criu-devfrom
everzakov:move-cgroup-restore

Conversation

@everzakov
Copy link
Copy Markdown
Contributor

@everzakov everzakov commented Feb 20, 2026

This PR moves cgroup restore after creds are prepared because prepare_cgns uses usernsd call to move root that's why uid / gid should be right to send msg. Otherwise, the Kernel will return Invalid Argument error.

Fixes #2902

@avagin
Copy link
Copy Markdown
Member

avagin commented Feb 22, 2026

could you please update the commit message with more details https://www.kernel.org/doc/html/v5.7/process/submitting-patches.html#describe-your-changes

@everzakov
Copy link
Copy Markdown
Contributor Author

everzakov commented Feb 24, 2026

could you please update the commit message with more details https://www.kernel.org/doc/html/v5.7/process/submitting-patches.html#describe-your-changes

Hello!

This commit changes the order of prepare_cgroup_namespace and prepare_userns_creds. The first one should be called after the second function. prepare_cgroup_namespace calls prepare_cgns function. If cgroup is v2 then there will be usernsd call to userns_move. Now if CLONE_USERNS is provided and lower_first is not equal to 0 then criu won't be able to send request to usernsd because the uid from getuid is used to build a package. getuid syscall returns the overflow uid (65534) because the current uid is equal to 0 but lower_first is not equal to 0. Overflow id returns the error Invalid Argument in __scm_send function. The current version works only if the lower_first is equal to 0. When setuid is called, then the right uid is placed to the current credentials that's why getuid won't return the overflow id.

Something like this?

@avagin avagin requested a review from kolyshkin February 25, 2026 02:16
@everzakov @avagin
restore: move cgroup restore after creds are prepared
a38c0af 
prepare_cgroup_namespace() can call userns_call() to move
the task into a cgroup. userns_call() uses
sendmsg() with SCM_CREDENTIALS to communicate with usernsd.

If the user namespace maps are configured such that the parent's UID
(typically 0) is not mapped to the same UID in the child namespace
(i.e., lower_first != 0), the getuid() syscall in the child will return
the overflow UID (65534) until the child's credentials are explicitly
set within the namespace.

When sendmsg() is called with SCM_CREDENTIALS containing the overflow UID,
the kernel's __scm_send function returns -EINVAL, causing the restore
to fail.

[avagin: tweaked the commit message]
Signed-off-by: Efim Verzakov <efimverzakov@gmail.com>
Signed-off-by: Andrei Vagin <avagin@gmail.com>
@avagin avagin force-pushed the move-cgroup-restore branch from 4db94b5 to a38c0af Compare February 26, 2026 17:41
@avagin avagin merged commit f22c95d into checkpoint-restore:criu-dev Feb 26, 2026
28 of 43 checks passed
@everzakov everzakov mentioned this pull request Feb 26, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolyshkin kolyshkin Awaiting requested review from kolyshkin

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Can not restore container with user namespace and host id not equal to 0

2 participants

@everzakov @avagin