1CRIU(8)                           CRIU Manual                          CRIU(8)
2
3
4

NAME

6       criu - checkpoint/restore in userspace
7

SYNOPSIS

9       criu command [option ...]
10

DESCRIPTION

12       criu is a tool for checkpointing and restoring running applications. It
13       does this by saving their state as a collection of files (see the  dump
14       command)  and  creating  equivalent processes from those files (see the
15       restore command). The restore operation can be  performed  at  a  later
16       time, on a different system, or both.
17

OPTIONS

19       Most  of  the  long flags can be prefixed with no- to negate the option
20       (example: --display-stats and --no-display-stats).
21
22   Common options
23       Common options are applicable to any command.
24
25       -v[v...], --verbosity
26           Increase verbosity up from the default level. In case of short  op‐
27           tion, multiple v can be used, each increasing verbosity by one.
28
29       -vnum, --verbosity=num
30           Set  verbosity  level to num. The higher the level, the more output
31           is produced.
32
33           The following levels are available:
34
35-v0 no output;
36
37-v1 only errors;
38
39-v2 above plus warnings (this is the default level);
40
41-v3 above plus information messages and timestamps;
42
43-v4 above plus lots of debug.
44
45       --config file
46           Pass a specific configuration file to criu.
47
48       --no-default-config
49           Disable parsing of default configuration files.
50
51       --pidfile file
52           Write root task, service or page-server pid into a file.
53
54       -o, --log-file file
55           Write logging messages to a file.
56
57       --display-stats
58           During dump, as well as during restore, criu collects some  statis‐
59           tics, like the time required to dump or restore the process, or the
60           number of pages dumped or  restored.  This  information  is  always
61           saved  to  the stats-dump and stats-restore files, and can be shown
62           using crit(1). The option --display-stats prints out this  informa‐
63           tion on the console at the end of a dump or restore operation.
64
65       -D, --images-dir path
66           Use path as a base directory where to look for sets of image files.
67
68       --stream
69           dump/restore      images     using     criu-image-streamer.     See
70           https://github.com/checkpoint-restore/criu-image-streamer  for  de‐
71           tailed usage.
72
73       --prev-images-dir path
74           Use  path  as  a  parent  directory where to look for sets of image
75           files. This option makes sense in case of incremental dumps.
76
77       -W, --work-dir dir
78           Use directory dir for putting logs, pidfiles and statistics. If not
79           specified, path from -D option is taken.
80
81       --close fd
82           Close file descriptor fd before performing any actions.
83
84       -L, --libdir path
85           Path to plugins directory.
86
87       --enable-fs [fs[,fs...]]
88           Specify  a  comma-separated list of filesystem names that should be
89           auto-detected.  The  value  all  enables  auto-detection  for   all
90           filesystems.
91
92           Note: This option is not safe, use at your own risk. Auto-detecting
93           a filesystem mount assumes that the mountpoint can be restored with
94           mount(src, mountpoint, flags, options). When used, dump is expected
95           to always succeed if a mountpoint is to be  auto-detected,  however
96           restore  may fail (or do something wrong) if the assumption for re‐
97           store logic is incorrect. This option is not compatable with  --ex‐
98           ternal dev.
99
100       --action-script script
101           Add an external action script to be executed at certain stages. The
102           environment variable  CRTOOLS_SCRIPT_ACTION  is  available  to  the
103           script  to  find  out which action is being executed, and its value
104           can be one of the following:
105
106           pre-dump
107               run prior to beginning a dump
108
109           post-dump
110               run upon dump completion
111
112           pre-restore
113               run prior to beginning a restore
114
115           post-restore
116               run upon restore completion
117
118           pre-resume
119               run when all processes and resources are restored but tasks are
120               stopped waiting for final kick to run. Must not fail.
121
122           post-resume
123               called  at  the  very end, when everything is restored and pro‐
124               cesses were resumed
125
126           network-lock
127               run to lock network in a target network namespace
128
129           network-unlock
130               run to unlock network in a target network namespace
131
132           setup-namespaces
133               run once root task has just been created  with  required  name‐
134               spaces.  Note  it is an early stage of restore, when nothing is
135               restored yet, except for namespaces themselves
136
137           post-setup-namespaces
138               called after the namespaces are configured
139
140           orphan-pts-master
141               called after master pty is opened and unlocked. This  hook  can
142               be used only in the RPC mode, and the notification message con‐
143               tains a file descriptor for the master pty
144
145       -V, --version
146           Print program version and exit.
147
148       -h, --help
149           Print some help and exit.
150
151   pre-dump
152       Performs the pre-dump procedure, during which criu creates  a  snapshot
153       of  memory  changes  since the previous pre-dump. Note that during this
154       criu also creates the fsnotify cache which speeds up the restore proce‐
155       dure.  pre-dump  requires at least -t option (see dump below). In addi‐
156       tion, page-server options may be specified.
157
158       --track-mem
159           Turn on memory changes tracker in the kernel. If the option is  not
160           passed the memory tracker get turned on implicitly.
161
162       --pre-dump-mode=mode
163           There  are  two mode to operate pre-dump algorithm. The splice mode
164           is parasite based, whereas read mode is based  on  process_vm_readv
165           syscall.  The read mode incurs reduced frozen time and reduced mem‐
166           ory pressure as compared to splice mode. Default is splice mode.
167
168   dump
169       Performs a checkpoint procedure.
170
171       -t, --tree pid
172           Checkpoint the whole process tree starting from pid.
173
174       -R, --leave-running
175           Leave tasks in running state after checkpoint, instead of  killing.
176           This  option is pretty dangerous and should be used only if you un‐
177           derstand what you are doing.
178
179           Note if task is about to run after been checkpointed, it can modify
180           TCP  connections,  delete  files  and  do  other dangerous actions.
181           Therefore, criu can not guarantee that the next restore action will
182           succeed. Most likely if this option is used, at least the file sys‐
183           tem snapshot must be made with the help of post-dump action script.
184
185           In other words, do not use it unless really needed.
186
187       -s, --leave-stopped
188           Leave tasks in stopped state after checkpoint, instead of killing.
189
190       --external type[id]:value
191           Dump an instance of an external resource.  The  generic  syntax  is
192           type  of  resource,  followed  by  resource id (enclosed in literal
193           square brackets),  and  optional  value  (prepended  by  a  literal
194           colon).  The following resource types are currently supported: mnt,
195           dev, file, tty, unix. Syntax depends on type. Note to  restore  ex‐
196           ternal  resources,  either  --external or --inherit-fd is used, de‐
197           pending on resource type.
198
199       --external mnt[mountpoint]:name
200           Dump an external bind mount referenced by mountpoint, saving it  to
201           image under the identifier name.
202
203       --external mnt[]:flags
204           Dump  all external bind mounts, autodetecting those. Optional flags
205           can contain m to also dump external master mounts, s to  also  dump
206           external  shared  mounts  (default  behavior is to abort dumping if
207           such mounts are found). If flags are not  provided,  colon  is  op‐
208           tional.
209
210       --external dev[major/minor]:name
211           Allow to dump a mount namespace having a real block device mounted.
212           A block device is identified by its major and  minor  numbers,  and
213           criu saves its information to image under the identifier name.
214
215       --external file[mnt_id:inode]
216           Dump  an  external file, i.e. an opened file that is can not be re‐
217           solved from the current mount namespace, which can  not  be  dumped
218           without  using  this  option.  The  file is identified by mnt_id (a
219           field obtained from /proc/pid/fdinfo/N) and inode (as  returned  by
220           stat(2)).
221
222       --external tty[rdev:dev]
223           Dump  an  external TTY, identified by st_rdev and st_dev fields re‐
224           turned by stat(2).
225
226       --external unix[id]
227           Tell criu that one end of a pair of UNIX sockets (created by  sock‐
228           etpair(2)) with the given id is OK to be disconnected.
229
230       --external pid[inode]:name
231           Mark a PID namespace as external. This can be later used to restore
232           a process into an existing PID namespace. The  label  name  can  be
233           used  to  assign another PID namespace during restore with the help
234           of --inherit-fd.
235
236       --freeze-cgroup
237           Use cgroup freezer to collect processes.
238
239       --manage-cgroups
240           Collect cgroups into the image thus they gonna  be  restored  then.
241           Without this option, criu will not save cgroups configuration asso‐
242           ciated with a task.
243
244       --cgroup-props spec
245           Specify controllers and their properties to be saved into the image
246           file.   criu  predefines specifications for common controllers, but
247           since the kernel can add new controllers and modify  their  proper‐
248           ties, there should be a way to specify ones matched the kernel.
249
250           spec argument describes the controller and properties specification
251           in a simplified YAML form:
252
253               "c1":
254                - "strategy": "merge"
255                - "properties": ["a", "b"]
256               "c2":
257                - "strategy": "replace"
258                - "properties": ["c", "d"]
259
260           where c1 and c2 are controllers names, and a, b,  c,  d  are  their
261           properties.
262
263           Note  the format: double quotes, spaces and new lines are required.
264           The strategy specifies what to do if a controller specified already
265           exists as a built-in one: criu can either merge or replace such.
266
267           For  example,  the  command  line for the above example should look
268           like this:
269
270               --cgroup-props "\"c1\":\n - \"strategy\": \"merge\"\n - \"properties\": [\"a\", \"b\"]\n \"c2\":\n - \"strategy\": \"replace\"\n - \"properties\": [\"c\", \"d\"]"
271
272       --cgroup-props-file file
273           Same as --cgroup-props, except the specification is read  from  the
274           file.
275
276       --cgroup-dump-controller name
277           Dump  a  controller with name only, skipping anything else that was
278           discovered automatically (usually via /proc). This option is useful
279           when one needs criu to skip some controllers.
280
281       --cgroup-yard path
282           Instead of trying to mount cgroups in CRIU, provide a path to a di‐
283           rectory with already created cgroup yard. Useful if you don’t  want
284           to grant CAP_SYS_ADMIN to CRIU. For every cgroup mount there should
285           be exactly one directory. If there is only one controller  in  this
286           mount, the dir’s name should be just the name of the controller. If
287           there are multiple controllers comounted, the directory name should
288           have them be separated by a comma.
289
290           For example, if /proc/cgroups looks like this:
291
292               #subsys_name hierarchy num_cgroups enabled
293               cpu          1         1           1
294               devices      2         2           1
295               freezer      2         2           1
296
297           then you can create the cgroup yard by the following commands:
298
299               mkdir private_yard
300               cd private_yard
301               mkdir cpu
302               mount -t cgroup -o cpu none cpu
303               mkdir devices,freezer
304               mount -t cgroup -o devices,freezer none devices,freezer
305
306       --tcp-established
307           Checkpoint established TCP connections.
308
309       --tcp-close
310           Don’t  dump  the  state  of, or block, established tcp connections.
311           This is useful when tcp connections are not going to be restored.
312
313       --skip-in-flight
314           This option skips in-flight TCP connections. If any TCP connections
315           that  are  not  yet  completely established are found, criu ignores
316           these connections, rather than errors out. The  TCP  stack  on  the
317           client side is expected to handle the re-connect gracefully.
318
319       --evasive-devices
320           Use any path to a device file if the original one is inaccessible.
321
322       --page-server
323           Send pages to a page server (see the page-server command).
324
325       --force-irmap
326           Force resolving names for inotify and fsnotify watches.
327
328       --auto-dedup
329           Deduplicate  "old"  data in pages images of previous dump. This op‐
330           tion implies incremental dump mode (see the pre-dump command).
331
332       -l, --file-locks
333           Dump file locks. It is necessary to make sure that  all  file  lock
334           users  are  taken into dump, so it is only safe to use this for en‐
335           closed containers where locks are not held by any processes outside
336           of dumped process tree.
337
338       --link-remap
339           Allows  to link unlinked files back, if possible (modifies filesys‐
340           tem during restore).
341
342       --ghost-limit size
343           Set the maximum size of deleted file to be carried inside image. By
344           default,  up to 1M file is allowed. Using this option allows to not
345           put big deleted files inside images. Argument size may be postfixed
346           with  a K, M or G, which stands for kilo-, mega, and gigabytes, ac‐
347           cordingly.
348
349       -j, --shell-job
350           Allow one to dump shell jobs. This implies the restored  task  will
351           inherit session and process group ID from the criu itself. This op‐
352           tion also allows to migrate a single external  tty  connection,  to
353           migrate  applications  like top. If used with dump command, it must
354           be specified with restore as well.
355
356       --cpu-cap [cap[,cap...]]
357           Specify CPU capabilities to write to an image file. The argument is
358           a comma-separated list of:
359
360none  to ignore capabilities at all; the image will not be pro‐
361               duced on dump, neither any check performed on restore;
362
363fpu to check if FPU module is compatible;
364
365ins to check if CPU supports all instructions required;
366
367cpu to check if CPU capabilities are exactly matching;
368
369all for all above set.
370
371           By default the option is set to fpu and ins.
372
373       --cgroup-root [controller:]/newroot
374           Change the root for the controller that will be dumped. By default,
375           criu  simply  dumps  everything  below where any of the tasks live.
376           However, if a container moves all of its tasks into a cgroup direc‐
377           tory below the container engine’s default directory for tasks, per‐
378           missions will not be preserved on the  upper  directories  with  no
379           tasks in them, which may cause problems.
380
381       --lazy-pages
382           Perform  the  dump  procedure without writing memory pages into the
383           image files and prepare to service page requests over the  network.
384           When dump runs in this mode it presumes that lazy-pages daemon will
385           connect to it and fetch memory pages to lazily inject them into the
386           restored  process  address  space.  This  option  is  intended  for
387           post-copy (lazy) migration and should be used in  conjunction  with
388           restore with appropriate options.
389
390       --file-validation [mode]
391           Set  the  method  to  be used to validate open files. Validation is
392           done to ensure that the version of the file being restored  is  the
393           same version when it was dumped.
394
395       The mode may be one of the following:
396
397       filesize
398           To  explicitly  use  only the file size check all the time. This is
399           the fastest and least intensive check.
400
401       buildid
402           To validate ELF files with their build-ID. If the  build-ID  cannot
403           be  obtained,  chksm-first method will be used. This is the default
404           if mode is unspecified.
405
406           --network-lock [mode]
407               Set the method to be used for network locking/unlocking.  Lock‐
408               ing is done to ensure that tcp packets are dropped between dump
409               and restore. This is done to avoid the kernel sending RST  when
410               a packet arrives destined for the dumped process.
411
412               The mode may be one of the following:
413
414       iptables
415           Use iptables rules to drop the packets. This is the default if mode
416           is not specified.
417
418       nftables
419           Use nftables rules to drop the packets.
420
421   restore
422       Restores previously checkpointed processes.
423
424       --inherit-fd fd[N]:resource
425           Inherit a file descriptor. This option lets  criu  use  an  already
426           opened  file  descriptor  N  for restoring a file identified by re‐
427           source. This option can be used to  restore  an  external  resource
428           dumped with the help of --external file, tty, pid and unix options.
429
430           The resource argument can be one of the following:
431
432tty[rdev:dev]
433
434pipe[inode]
435
436socket[inode*]*
437
438file[mnt_id:inode]
439
440path/to/file
441
442           Note  that square brackets used in this option arguments are liter‐
443           als and usually need to be escaped from shell.
444
445       -d, --restore-detached
446           Detach criu itself once restore is complete.
447
448       -s, --leave-stopped
449           Leave tasks in stopped state after restore  (rather  than  resuming
450           their execution).
451
452       -S, --restore-sibling
453           Restore root task as a sibling (makes sense only with --restore-de‐
454           tached).
455
456       --log-pid
457           Write separate logging files per each pid.
458
459       -r, --root path
460           Change the root filesystem to path (when run in a mount namespace).
461           This option is required to restore a mount namespace. The directory
462           path must be a mount point and its parent must not be overmounted.
463
464       --external type[id]:value
465           Restore an instance of an external resource. The generic syntax  is
466           type  of  resource,  followed  by  resource id (enclosed in literal
467           square brackets),  and  optional  value  (prepended  by  a  literal
468           colon).  The following resource types are currently supported: mnt,
469           dev, veth, macvlan. Syntax depends on type. Note to restore  exter‐
470           nal  resources dealing with opened file descriptors (such as dumped
471           with the help of --external file, tty, and  unix  options),  option
472           --inherit-fd should be used.
473
474       --external mnt[name]:mountpoint
475           Restore  an  external  bind  mount referenced in the image by name,
476           bind-mounting it from the host mountpoint to a proper mount point.
477
478       --external mnt[]
479           Restore all external bind mounts (dumped with the help of  --exter‐
480           nal mnt[] auto-detection).
481
482       --external dev[name]:/dev/path
483           Restore  an external mount device, identified in the image by name,
484           using the existing block device /dev/path.
485
486       --external veth[inner_dev]:outer_dev@bridge
487           Set the outer VETH device name (corresponding  to  inner_dev  being
488           restored) to outer_dev. If optional @bridge is specified, outer_dev
489           is added to that bridge. If the option is not used, outer_dev  will
490           be autogenerated by the kernel.
491
492       --external macvlan[inner_dev]:outer_dev
493           When  restoring an image that have a MacVLAN device in it, this op‐
494           tion must be used to specify to which outer_dev (an  existing  net‐
495           work  device  in  CRIU  namespace) the restored inner_dev should be
496           bound to.
497
498       -J, --join-ns NS:{PID|NS_FILE}[,EXTRA_OPTS]
499           Restore process tree inside an existing  namespace.  The  namespace
500           can  be specified in PID or NS_FILE path format (example: --join-ns
501           net:12345 or --join-ns net:/foo/bar).  Currently  supported  values
502           for NS are: ipc, net, time, user, and uts. This option doesn’t sup‐
503           port joining a PID namespace, however, this is possible using --ex‐
504           ternal  and --inheritfd.  EXTRA_OPTS is optional and can be used to
505           specify  UID  and  GID  for   user   namespace   (e.g.,   --join-ns
506           user:PID,UID,GID).
507
508       --manage-cgroups [mode]
509           Restore  cgroups  configuration associated with a task from the im‐
510           age. Controllers are always restored in an optimistic way — if  al‐
511           ready  present in system, criu reuses it, otherwise it will be cre‐
512           ated.
513
514       The mode may be one of the following:
515
516       none
517           Do not restore cgroup properties but require cgroup to pre-exist at
518           the moment of restore procedure.
519
520       props
521           Restore cgroup properties and require cgroup to pre-exist.
522
523       soft
524           Restore  cgroup properties if only cgroup has been created by criu,
525           otherwise do not restore properties. This is the default if mode is
526           unspecified.
527
528       full
529           Always restore all cgroups and their properties.
530
531       strict
532           Restore  all cgroups and their properties from the scratch, requir‐
533           ing them to not present in the system.
534
535       ignore
536           Don’t deal with cgroups and pretend that they don’t exist.
537
538           --cgroup-yard path
539               Instead of trying to mount cgroups in CRIU, provide a path to a
540               directory  with  already created cgroup yard. For more informa‐
541               tion look in the dump section.
542
543           --cgroup-root [controller:]/newroot
544               Change the root cgroup the controller will be  installed  into.
545               No  controller  means  that  root  is  the default for all con‐
546               trollers not specified.
547
548           --tcp-established
549               Restore previously dumped established TCP connections. This im‐
550               plies that the network has been locked between dump and restore
551               phases so other side of a connection simply notice  a  kind  of
552               lag.
553
554           --tcp-close
555               Restore connected TCP sockets in closed state.
556
557           --veth-pair IN=OUT
558               Correspondence  between  outside  and  inside names of veth de‐
559               vices.
560
561           -l, --file-locks
562               Restore file locks from the image.
563
564           --lsm-profile type:name
565               Specify an LSM profile to be used during restore. The type  can
566               be either apparmor or selinux.
567
568           --lsm-mount-context context
569               Specify a new mount context to be used during restore.
570
571               This  option  will only replace existing mount context informa‐
572               tion with the one specified with this  option.  Mounts  without
573               the context= option will not be changed.
574
575               If a mountpoint has been checkpointed with an option like
576
577                   context="system_u:object_r:container_file_t:s0:c82,c137"
578
579               it is possible to change this option using
580
581                   --lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495"
582
583               which will result that the mountpoint will be restored with the
584               new context=.
585
586               This option is useful if using selinux and if the  selinux  la‐
587               bels  need  to be changed on restore like if a container is re‐
588               stored into an existing Pod.
589
590           --auto-dedup
591               As soon as a page is restored it get punched out from image.
592
593           -j, --shell-job
594               Restore shell jobs, in other words inherit session and  process
595               group ID from the criu itself.
596
597           --cpu-cap [cap[,cap...]]
598               Specify  CPU  capabilities to be present on the CPU the process
599               is restoring. To inverse a capability, prefix it with  ^.  This
600               option  implies that --cpu-cap has been passed on dump as well,
601               except fpu option case. The cap argument can be  the  following
602               (or a set of comma-separated values):
603
604       all
605           Require  all  capabilities.  This  is  default mode if --cpu-cap is
606           passed without arguments. Most safe mode.
607
608       cpu
609           Require the CPU to have all capabilities in image to match  runtime
610           CPU.
611
612       fpu
613           Require  the  CPU  to  have compatible FPU. For example the process
614           might be dumped with xsave  capability  but  attempted  to  restore
615           without  it  present  on target CPU. In such case we refuse to pro‐
616           ceed. This is default mode if --cpu-cap is not present  in  command
617           line.  Note  this  argument  might be passed even if on the dump no
618           --cpu-cap have been specified because FPU frames are always encoded
619           into images.
620
621       ins
622           Require CPU compatibility on instructions level.
623
624       none
625           Ignore  capabilities.  Most dangerous mode. The behaviour is imple‐
626           mentation dependent. Try to not use it until really required.
627
628           For example, this option can be used in case --cpu-cap=cpu was used
629           during  dump, and images are migrated to a less capable CPU and are
630           to be restored. By default, criu shows an error that CPU  capabili‐
631           ties  are  not  adequate,  but  this  can  be  suppressed  by using
632           --cpu-cap=none.
633
634           --weak-sysctls
635               Silently skip restoring sysctls that are  not  available.  This
636               allows  to  restore  on an older kernel, or a kernel configured
637               without some options.
638
639           --lazy-pages
640               Restore the processes without filling  out  the  entire  memory
641               contents.  When this option is used, restore sets up the infra‐
642               structure required to fill memory pages either on  demand  when
643               the process accesses them or in the background without stopping
644               the restored process. This option requires  running  lazy-pages
645               daemon.
646
647           --file-validation [mode]
648               Set the method to be used to validate open files. Validation is
649               done to ensure that the version of the file being  restored  is
650               the same version when it was dumped.
651
652       The mode may be one of the following:
653
654       filesize
655           To  explicitly  use  only the file size check all the time. This is
656           the fastest and least intensive check.
657
658       buildid
659           To validate ELF files with their build-ID. If the  build-ID  cannot
660           be  obtained,  chksm-first method will be used. This is the default
661           if mode is unspecified.
662
663   check
664       Checks whether the kernel supports the features needed by criu to  dump
665       and restore a process tree.
666
667       There  are three categories of kernel support, as described below. criu
668       check always checks Category 1 features unless --feature  is  specified
669       which only checks a specified feature.
670
671       Category 1
672           Absolutely   required.   These   are   features  like  support  for
673           /proc/PID/map_files,    NETLINK_SOCK_DIAG    socket     monitoring,
674           /proc/sys/kernel/ns_last_pid etc.
675
676       Category 2
677           Required  only  for  specific  cases.  These  are features like AIO
678           remap, /dev/net/tun and others that are only required if a  process
679           being dumped or restored is using those.
680
681       Category 3
682           Experimental.  These  are features like task-diag that are used for
683           experimental purposes (mostly during development).
684
685       If there are no errors or warnings, criu prints "Looks good."  and  its
686       exit code is 0.
687
688       A missing Category 1 feature causes criu to print "Does not look good."
689       and its exit code is non-zero.
690
691       Missing Category 2 and 3 features cause criu to print "Looks  good  but
692       ..." and its exit code is be non-zero.
693
694       Without any options, criu check checks Category 1 features. This behav‐
695       ior can be changed by using the following options:
696
697       --extra
698           Check kernel support for Category 2 features.
699
700       --experimental
701           Check kernel support for Category 3 features.
702
703       --all
704           Check kernel support for Category 1, 2, and 3 features.
705
706       --feature name
707           Check a specific feature. If name is list, a list of  valid  kernel
708           feature names that can be checked will be printed.
709
710   page-server
711       Launches criu in page server mode.
712
713       --daemon
714           Runs page server as a daemon (background process).
715
716       --status-fd
717           Write \0 to the FD and close it once page-server is ready to handle
718           requests. The status-fd allows to not daemonize a process  and  get
719           its  exit  code  at  the end. It isn’t supposed to use --daemon and
720           --status-fd together.
721
722       --address address
723           Page server IP address or hostname.
724
725       --port number
726           Page server port number.
727
728       --ps-socket fd
729           Use provided file descriptor as socket for incoming connection.  In
730           this case --address and --port are ignored. Useful for intercepting
731           page-server traffic e.g. to add encryption or authentication.
732
733       --lazy-pages
734           Serve local memory dump to a remote lazy-pages daemon. In this mode
735           the  page-server  reads  local  memory  dump  and allows the remote
736           lazy-pages daemon to request memory pages in random order.
737
738       --tls-cacert file
739           Specifies the path to a trusted Certificate Authority (CA) certifi‐
740           cate  file  to  be used for verification of a client or server cer‐
741           tificate. The file must be in PEM format. When this option is  used
742           only the specified CA is used for verification. Otherwise, the sys‐
743           tem’s trusted CAs and, if present, /etc/pki/CA/cacert.pem  will  be
744           used.
745
746       --tls-cacrl file
747           Specifies  a path to a Certificate Revocation List (CRL) file which
748           contains a list of revoked certificates that should  no  longer  be
749           trusted.  The  file  must be in PEM format. When this option is not
750           specified, the file,  if  present,  /etc/pki/CA/cacrl.pem  will  be
751           used.
752
753       --tls-cert file
754           Specifies  a  path  to  a file that contains a X.509 certificate to
755           present to the remote entity. The file must be in PEM format.  When
756           this    option    is    not   specified,   the   default   location
757           (/etc/pki/criu/cert.pem) will be used.
758
759       --tls-key file
760           Specifies a path to a file that contains TLS private key. The  file
761           must be in PEM format. When this option is not the default location
762           (/etc/pki/criu/private/key.pem) will be used.
763
764       --tls
765           Use TLS to secure remote connections.
766
767   lazy-pages
768       Launches criu in lazy-pages daemon mode.
769
770       The lazy-pages daemon is responsible  for  managing  user-level  demand
771       paging for the restored processes. It gets information required to fill
772       the process memory pages from the restore and from the  checkpoint  di‐
773       rectory.  When  a  restored  process access certain memory page for the
774       first time, the lazy-pages daemon injects its contents into the process
775       address  space.  The memory pages that are not yet requested by the re‐
776       stored processes are injected in the background.
777
778   exec
779       Executes a system call inside a destination task's context. This  func‐
780       tionality is deprecated; please use Compel instead.
781
782   service
783       Launches  criu in RPC daemon mode, where criu is listening for RPC com‐
784       mands over socket to perform. This is convenient for a case where  dae‐
785       mon  itself is running in a privileged (superuser) mode but clients are
786       not.
787
788   dedup
789       Starts pagemap data deduplication procedure, where criu scans over  all
790       pagemap  files  and  tries to minimize the number of pagemap entries by
791       obtaining the references from a parent pagemap image.
792
793   cpuinfo dump
794       Fetches current CPU features and write them into an image file.
795
796   cpuinfo check
797       Fetches current CPU features (i.e. CPU the criu is running on) and test
798       if they are compatible with the ones present in an image file.
799

CONFIGURATION FILES

801       Criu supports usage of configuration files to avoid the need of writing
802       every option on command line, which is useful especially with  repeated
803       usage of same options. A specific configuration file can be passed with
804       the "--config file" option. If no file is passed, the default  configu‐
805       ration  files  /etc/criu/default.conf  and $HOME/.criu/default.conf are
806       parsed  (if  present  on  the  system).  If  the  environment  variable
807       CRIU_CONFIG_FILE is set, it will also be parsed.
808
809       The options passed to CRIU via CLI, RPC or configuration file are eval‐
810       uated in the following order:
811
812       •   apply_config(/etc/criu/default.conf)
813
814       •   apply_config($HOME/.criu/default.conf)
815
816       •   apply_config(CRIU_CONFIG_FILE)
817
818       •   apply_config(--config file)
819
820       •   apply_config(CLI) or apply_config(RPC)
821
822       •   apply_config(RPC configuration file) (only for RPC mode)
823
824       Default configuration file parsing can be  deactivated  with  "--no-de‐
825       fault-config"  if  needed.  Parsed  configuration files are merged with
826       command line options, which allows overriding boolean options.
827
828   Configuration file syntax
829       Comments are supported using '#' sign. The rest of the line is ignored.
830       Options  are  the same as command line options without the '--' prefix,
831       use one option per line (with corresponding argument if applicable, di‐
832       vided  by whitespaces). If needed, the argument can be provided in dou‐
833       ble quotes (this should be needed only if the argument contains  white‐
834       spaces).  In case this type of argument contains a literal double quote
835       as well, it can be escaped using the '\' sign.  Usage  of  commands  is
836       disallowed and all other escape sequences are interpreted literally.
837
838       Example of configuration file to illustrate syntax:
839
840           $ cat ~/.criu/default.conf
841           tcp-established
842           work-dir "/home/USERNAME/criu/my \"work\" directory"
843           #this is a comment
844           no-restore-sibling   # this is another comment
845
846   Configuration files in RPC mode
847       Not  only  does  criu evaluate configuration files in CLI mode, it also
848       evaluates configuration files in RPC mode. Just as in CLI mode the con‐
849       figuration  file values are evaluated first. This means that any option
850       set via RPC will overwrite the configuration file setting. The user can
851       thus  change  criu's  default behavior but it is not possible to change
852       settings which are explicitly set by the RPC client.
853
854       The RPC client can, however, specify an additional  configuration  file
855       which  will  be  evaluated  after the RPC options (see above for option
856       evaluation order). The RPC client can specify this additional  configu‐
857       ration file via "req.opts.config_file = /path/to/file". The values from
858       this configuration file will overwrite  all  other  configuration  file
859       settings  or  RPC  options. This can lead to undesired behavior of criu
860       and should only be used carefully.
861

EXAMPLES

863       To checkpoint a program with pid of 1234 and write all image files into
864       directory checkpoint:
865
866               criu dump -D checkpoint -t 1234
867
868       To restore this program detaching criu itself:
869
870               criu restore -d -D checkpoint
871

AUTHOR

873       The CRIU team.
874
876       Copyright (C) 2011-2016, Parallels Holdings, Inc.
877
878
879
880criu 3.16.1                       10/19/2021                           CRIU(8)
Impressum