CRIU(8) CRIU Manual CRIU(8)

criu - checkpoint/restore in userspace

criu command [option ...]

criu is a tool for checkpointing and restoring running applications. It
does this by saving their state as a collection of files (see the dump
command) and creating equivalent processes from those files (see the
restore command). The restore operation can be performed at a later
time, on a different system, or both.

Most of the long flags can be prefixed with no- to negate the option
(example: --display-stats and --no-display-stats).

Common options
Common options are applicable to any command.

-v[v...], --verbosity
    Increase verbosity up from the default level. In case of short
    option, multiple v can be used, each increasing verbosity by one.

-vnum, --verbosity=num
    Set verbosity level to num. The higher the level, the more output
    is produced.

    The following levels are available:

    • -v0 no output;

    • -v1 only errors;

    • -v2 above plus warnings (this is the default level);

    • -v3 above plus information messages and timestamps;

    • -v4 above plus lots of debug.

--config file
    Pass a specific configuration file to criu.

--no-default-config
    Disable parsing of default configuration files.

--pidfile file
    Write root task, service or page-server pid into a file.

-o, --log-file file
    Write logging messages to a file.

--display-stats
    During dump, as well as during restore, criu collects some
    statistics, like the time required to dump or restore the process,
    or the number of pages dumped or restored. This information is
    always saved to the stats-dump and stats-restore files, and can be
    shown using crit(1). The option --display-stats prints out this
    information on the console at the end of a dump or restore
    operation.

-D, --images-dir path
    Use path as a base directory where to look for sets of image files.

--stream
    Dump/restore images using criu-image-streamer. See
    https://github.com/checkpoint-restore/criu-image-streamer for
    detailed usage.

--prev-images-dir path
    Use path as a parent directory where to look for sets of image
    files. This option makes sense in case of incremental dumps.

-W, --work-dir dir
    Use directory dir for putting logs, pidfiles and statistics. If not
    specified, path from -D option is taken.

--close fd
    Close file descriptor fd before performing any actions.

-L, --libdir path
    Path to plugins directory.

--enable-fs [fs[,fs...]]
    Specify a comma-separated list of filesystem names that should be
    auto-detected. The value all enables auto-detection for all
    filesystems.

    Note: This option is not safe, use at your own risk. Auto-detecting
    a filesystem mount assumes that the mountpoint can be restored with
    mount(src, mountpoint, flags, options). When used, dump is expected
    to always succeed if a mountpoint is to be auto-detected, however
    restore may fail (or do something wrong) if the assumption for
    restore logic is incorrect. This option is not compatible with
    --external dev.

--action-script script
    Add an external action script to be executed at certain stages. The
    environment variable CRTOOLS_SCRIPT_ACTION is available to the
    script to find out which action is being executed, and its value
    can be one of the following:

    pre-dump
        run prior to beginning a dump

    post-dump
        run upon dump completion

    pre-restore
        run prior to beginning a restore

    post-restore
        run upon restore completion

    pre-resume
        run when all processes and resources are restored but tasks are
        stopped waiting for final kick to run. Must not fail.

    post-resume
        called at the very end, when everything is restored and
        processes were resumed

    network-lock
        run to lock network in a target network namespace

    network-unlock
        run to unlock network in a target network namespace

    setup-namespaces
        run once root task has just been created with required
        namespaces. Note it is an early stage of restore, when nothing
        is restored yet, except for namespaces themselves

    post-setup-namespaces
        called after the namespaces are configured

    orphan-pts-master
        called after master pty is opened and unlocked. This hook can
        be used only in the RPC mode, and the notification message
        contains a file descriptor for the master pty
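
An added example, not part of the CRIU manual or the CRIU project's code: an action script that dispatches on CRTOOLS_SCRIPT_ACTION to make the image files owner-only after a dump and to refuse a restore if they changed. It assumes that criu also exports the images directory as CRTOOLS_IMAGE_DIR, that image files are the *.img files, and that a failing hook aborts the stage; the manifest location is a name chosen here.

```shell
#!/bin/sh
# Added example: CRIU action script that seals checkpoint images.
# Assumptions, none of them stated on the manual page:
#   - criu exports the images directory as CRTOOLS_IMAGE_DIR;
#   - image files are the *.img files; logs and stats that criu keeps
#     writing into the same directory are deliberately not covered;
#   - a non-zero exit from a hook makes criu abort that stage;
#   - the manifest path <images-dir>.sha256 is a name chosen here.

manifest_for() {
    printf '%s.sha256\n' "${1%/}"
}

# post-dump: images hold process memory, so make them owner-only and
# record a SHA-256 digest of every image file.
seal_images() {
    dir=${1%/}
    manifest=$(manifest_for "$dir")
    chmod 700 "$dir" || return 1
    ( umask 077 && : > "$manifest" ) || return 1
    ( cd "$dir" && chmod 600 ./*.img && sha256sum ./*.img ) > "$manifest" || return 1
    chmod 600 "$manifest"
}

# pre-restore: fail if an image was modified, removed or added.
verify_images() {
    dir=${1%/}
    manifest=$(manifest_for "$dir")
    [ -f "$manifest" ] || return 1
    set -- "$dir"/*.img
    [ -e "$1" ] || return 1
    # A file added after the dump is not listed in the manifest.
    [ "$#" -eq "$(wc -l < "$manifest")" ] || return 1
    ( cd "$dir" && sha256sum -c ) < "$manifest" > /dev/null 2>&1
}

handle_action() {
    action=$1
    images=${2:-${CRTOOLS_IMAGE_DIR:-}}
    case $action in
        post-dump)
            [ -d "$images" ] && seal_images "$images" ;;
        pre-restore)
            [ -d "$images" ] && verify_images "$images" ;;
        pre-resume)
            # The manual says this hook must not fail: never propagate
            # an error from here.
            return 0 ;;
        *)
            # Stages this script does not act on.
            return 0 ;;
    esac
}

# Entry point when criu runs the script via --action-script.
if [ -n "${CRTOOLS_SCRIPT_ACTION:-}" ]; then
    handle_action "$CRTOOLS_SCRIPT_ACTION"
    exit $?
fi
```

Passing -W with a separate directory keeps logs and statistics out of the images directory altogether.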

-V, --version
    Print program version and exit.

-h, --help
    Print some help and exit.

pre-dump
Performs the pre-dump procedure, during which criu creates a snapshot
of memory changes since the previous pre-dump. Note that during this
procedure criu also creates the fsnotify cache, which speeds up the
restore procedure. pre-dump requires at least the -t option (see dump
below). In addition, page-server options may be specified.

--track-mem
    Turn on memory changes tracker in the kernel. If the option is not
    passed, the memory tracker gets turned on implicitly.

--pre-dump-mode=mode
    There are two modes in which the pre-dump algorithm can operate.
    The splice mode is parasite based, whereas read mode is based on
    the process_vm_readv syscall. The read mode incurs reduced frozen
    time and reduced memory pressure as compared to splice mode.
    Default is splice mode.

dump
Performs a checkpoint procedure.

-t, --tree pid
    Checkpoint the whole process tree starting from pid.

-R, --leave-running
    Leave tasks in running state after checkpoint, instead of killing.
    This option is pretty dangerous and should be used only if you
    understand what you are doing.

    Note that if a task is left running after being checkpointed, it
    can modify TCP connections, delete files and do other dangerous
    actions. Therefore, criu cannot guarantee that the next restore
    action will succeed. Most likely if this option is used, at least
    the file system snapshot must be made with the help of a post-dump
    action script.

    In other words, do not use it unless really needed.

-s, --leave-stopped
    Leave tasks in stopped state after checkpoint, instead of killing.

--external type[id]:value
    Dump an instance of an external resource. The generic syntax is
    type of resource, followed by resource id (enclosed in literal
    square brackets), and optional value (prepended by a literal
    colon). The following resource types are currently supported: mnt,
    dev, file, tty, unix. Syntax depends on type. Note that to restore
    external resources, either --external or --inherit-fd is used,
    depending on resource type.

--external mnt[mountpoint]:name
    Dump an external bind mount referenced by mountpoint, saving it to
    image under the identifier name.

--external mnt[]:flags
    Dump all external bind mounts, autodetecting those. Optional flags
    can contain m to also dump external master mounts, s to also dump
    external shared mounts (default behavior is to abort dumping if
    such mounts are found). If flags are not provided, colon is
    optional.

--external dev[major/minor]:name
    Allow to dump a mount namespace having a real block device mounted.
    A block device is identified by its major and minor numbers, and
    criu saves its information to image under the identifier name.

--external file[mnt_id:inode]
    Dump an external file, i.e. an opened file that cannot be resolved
    from the current mount namespace and cannot be dumped without using
    this option. The file is identified by mnt_id (a field obtained
    from /proc/pid/fdinfo/N) and inode (as returned by stat(2)).

--external tty[rdev:dev]
    Dump an external TTY, identified by st_rdev and st_dev fields
    returned by stat(2).

--external unix[id]
    Tell criu that one end of a pair of UNIX sockets (created by
    socketpair(2)) with the given id is OK to be disconnected.

--external pid[inode]:name
    Mark a PID namespace as external. This can be later used to restore
    a process into an existing PID namespace. The label name can be
    used to assign another PID namespace during restore with the help
    of --inherit-fd.

--freeze-cgroup
    Use cgroup freezer to collect processes.

--manage-cgroups
    Collect cgroups into the image so that they will be restored later.
    Without this option, criu will not save cgroups configuration
    associated with a task.

--cgroup-props spec
    Specify controllers and their properties to be saved into the image
    file. criu predefines specifications for common controllers, but
    since the kernel can add new controllers and modify their
    properties, there should be a way to specify ones that match the
    kernel.

    The spec argument describes the controller and properties
    specification in a simplified YAML form:

        "c1":
        - "strategy": "merge"
        - "properties": ["a", "b"]
        "c2":
        - "strategy": "replace"
        - "properties": ["c", "d"]

    where c1 and c2 are controller names, and a, b, c, d are their
    properties.

    Note the format: double quotes, spaces and new lines are required.
    The strategy specifies what to do if a controller specified already
    exists as a built-in one: criu can either merge or replace such.

    For example, the command line for the above example should look
    like this:

        --cgroup-props "\"c1\":\n - \"strategy\": \"merge\"\n - \"properties\": [\"a\", \"b\"]\n \"c2\":\n - \"strategy\": \"replace\"\n - \"properties\": [\"c\", \"d\"]"

--cgroup-props-file file
    Same as --cgroup-props, except the specification is read from the
    file.

--cgroup-dump-controller name
    Dump a controller with name only, skipping anything else that was
    discovered automatically (usually via /proc). This option is useful
    when one needs criu to skip some controllers.

--cgroup-yard path
    Instead of trying to mount cgroups in CRIU, provide a path to a
    directory with already created cgroup yard. Useful if you don’t
    want to grant CAP_SYS_ADMIN to CRIU. For every cgroup mount there
    should be exactly one directory. If there is only one controller in
    this mount, the dir’s name should be just the name of the
    controller. If there are multiple controllers comounted, the
    directory name should have them separated by a comma.

    For example, if /proc/cgroups looks like this:

        #subsys_name hierarchy num_cgroups enabled
        cpu 1 1 1
        devices 2 2 1
        freezer 2 2 1

    then you can create the cgroup yard by the following commands:

        mkdir private_yard
        cd private_yard
        mkdir cpu
        mount -t cgroup -o cpu none cpu
        mkdir devices,freezer
        mount -t cgroup -o devices,freezer none devices,freezer

--tcp-established
    Checkpoint established TCP connections.

--tcp-close
    Don’t dump the state of, or block, established tcp connections.
    This is useful when tcp connections are not going to be restored.

--skip-in-flight
    This option skips in-flight TCP connections. If any TCP connections
    that are not yet completely established are found, criu ignores
    these connections, rather than erroring out. The TCP stack on the
    client side is expected to handle the re-connect gracefully.

--evasive-devices
    Use any path to a device file if the original one is inaccessible.

--page-server
    Send pages to a page server (see the page-server command).

--force-irmap
    Force resolving names for inotify and fsnotify watches.

--auto-dedup
    Deduplicate "old" data in pages images of previous dump. This
    option implies incremental dump mode (see the pre-dump command).

-l, --file-locks
    Dump file locks. It is necessary to make sure that all file lock
    users are taken into dump, so it is only safe to use this for
    enclosed containers where locks are not held by any processes
    outside of the dumped process tree.

--link-remap
    Allows linking unlinked files back, if possible (modifies the
    filesystem during restore).

--ghost-limit size
    Set the maximum size of a deleted file to be carried inside the
    image. By default, files up to 1M are allowed. This option makes it
    possible to keep big deleted files out of images. Argument size may
    be postfixed with a K, M or G, which stands for kilo-, mega- and
    gigabytes, respectively.

-j, --shell-job
    Allow one to dump shell jobs. This implies the restored task will
    inherit session and process group ID from criu itself. This option
    also allows migrating a single external tty connection, to migrate
    applications like top. If used with the dump command, it must be
    specified with restore as well.

--cpu-cap [cap[,cap...]]
    Specify CPU capabilities to write to an image file. The argument is
    a comma-separated list of:

    • none to ignore capabilities at all; the image will not be
      produced on dump, neither any check performed on restore;

    • fpu to check if FPU module is compatible;

    • ins to check if CPU supports all instructions required;

    • cpu to check if CPU capabilities are exactly matching;

    • all for all above set.

    By default the option is set to fpu and ins.

--cgroup-root [controller:]/newroot
    Change the root for the controller that will be dumped. By default,
    criu simply dumps everything below where any of the tasks live.
    However, if a container moves all of its tasks into a cgroup
    directory below the container engine’s default directory for tasks,
    permissions will not be preserved on the upper directories with no
    tasks in them, which may cause problems.

--lazy-pages
    Perform the dump procedure without writing memory pages into the
    image files and prepare to service page requests over the network.
    When dump runs in this mode it presumes that the lazy-pages daemon
    will connect to it and fetch memory pages to lazily inject them
    into the restored process address space. This option is intended
    for post-copy (lazy) migration and should be used in conjunction
    with restore with appropriate options.

--file-validation [mode]
    Set the method to be used to validate open files. Validation is
    done to ensure that the version of the file being restored is the
    same version as when it was dumped.

    The mode may be one of the following:

    filesize
        To explicitly use only the file size check all the time. This
        is the fastest and least intensive check.

    buildid
        To validate ELF files with their build-ID. If the build-ID
        cannot be obtained, chksm-first method will be used. This is
        the default if mode is unspecified.

--network-lock [mode]
    Set the method to be used for network locking/unlocking. Locking is
    done to ensure that tcp packets are dropped between dump and
    restore. This is done to avoid the kernel sending RST when a packet
    arrives destined for the dumped process.

    The mode may be one of the following:

    iptables
        Use iptables rules to drop the packets. This is the default if
        mode is not specified.

    nftables
        Use nftables rules to drop the packets.

restore
Restores previously checkpointed processes.

--inherit-fd fd[N]:resource
    Inherit a file descriptor. This option lets criu use an already
    opened file descriptor N for restoring a file identified by
    resource. This option can be used to restore an external resource
    dumped with the help of --external file, tty, pid and unix options.

    The resource argument can be one of the following:

    • tty[rdev:dev]

    • pipe[inode]

    • socket[inode]

    • file[mnt_id:inode]

    • path/to/file

    Note that square brackets used in this option's arguments are
    literals and usually need to be escaped from the shell.

-d, --restore-detached
    Detach criu itself once restore is complete.

-s, --leave-stopped
    Leave tasks in stopped state after restore (rather than resuming
    their execution).

-S, --restore-sibling
    Restore root task as a sibling (makes sense only with
    --restore-detached).

--log-pid
    Write separate logging files per each pid.

-r, --root path
    Change the root filesystem to path (when run in a mount namespace).
    This option is required to restore a mount namespace. The directory
    path must be a mount point and its parent must not be overmounted.

--external type[id]:value
    Restore an instance of an external resource. The generic syntax is
    type of resource, followed by resource id (enclosed in literal
    square brackets), and optional value (prepended by a literal
    colon). The following resource types are currently supported: mnt,
    dev, veth, macvlan. Syntax depends on type. Note that to restore
    external resources dealing with opened file descriptors (such as
    dumped with the help of --external file, tty, and unix options),
    option --inherit-fd should be used.

--external mnt[name]:mountpoint
    Restore an external bind mount referenced in the image by name,
    bind-mounting it from the host mountpoint to a proper mount point.

--external mnt[]
    Restore all external bind mounts (dumped with the help of
    --external mnt[] auto-detection).

--external dev[name]:/dev/path
    Restore an external mount device, identified in the image by name,
    using the existing block device /dev/path.

--external veth[inner_dev]:outer_dev@bridge
    Set the outer VETH device name (corresponding to inner_dev being
    restored) to outer_dev. If optional @bridge is specified, outer_dev
    is added to that bridge. If the option is not used, outer_dev will
    be autogenerated by the kernel.

--external macvlan[inner_dev]:outer_dev
    When restoring an image that has a MacVLAN device in it, this
    option must be used to specify to which outer_dev (an existing
    network device in CRIU namespace) the restored inner_dev should be
    bound.

-J, --join-ns NS:{PID|NS_FILE}[,EXTRA_OPTS]
    Restore process tree inside an existing namespace. The namespace
    can be specified in PID or NS_FILE path format (example: --join-ns
    net:12345 or --join-ns net:/foo/bar). Currently supported values
    for NS are: ipc, net, time, user, and uts. This option doesn’t
    support joining a PID namespace, however, this is possible using
    --external and --inherit-fd. EXTRA_OPTS is optional and can be used
    to specify UID and GID for user namespace (e.g., --join-ns
    user:PID,UID,GID).

--manage-cgroups [mode]
    Restore cgroups configuration associated with a task from the
    image. Controllers are always restored in an optimistic way: if
    already present in the system, criu reuses it, otherwise it will be
    created.

    The mode may be one of the following:

    none
        Do not restore cgroup properties but require cgroup to
        pre-exist at the moment of restore procedure.

    props
        Restore cgroup properties and require cgroup to pre-exist.

    soft
        Restore cgroup properties only if the cgroup has been created
        by criu, otherwise do not restore properties. This is the
        default if mode is unspecified.

    full
        Always restore all cgroups and their properties.

    strict
        Restore all cgroups and their properties from scratch,
        requiring them to not be present in the system.

    ignore
        Don’t deal with cgroups and pretend that they don’t exist.

--cgroup-yard path
    Instead of trying to mount cgroups in CRIU, provide a path to a
    directory with already created cgroup yard. For more information
    look in the dump section.

--cgroup-root [controller:]/newroot
    Change the root cgroup the controller will be installed into. No
    controller means that root is the default for all controllers not
    specified.

--tcp-established
    Restore previously dumped established TCP connections. This implies
    that the network has been locked between dump and restore phases so
    the other side of a connection simply notices a kind of lag.

--tcp-close
    Restore connected TCP sockets in closed state.

--veth-pair IN=OUT
    Correspondence between outside and inside names of veth devices.

-l, --file-locks
    Restore file locks from the image.

--lsm-profile type:name
    Specify an LSM profile to be used during restore. The type can be
    either apparmor or selinux.

--lsm-mount-context context
    Specify a new mount context to be used during restore.

    This option will only replace existing mount context information
    with the one specified with this option. Mounts without the
    context= option will not be changed.

    If a mountpoint has been checkpointed with an option like

        context="system_u:object_r:container_file_t:s0:c82,c137"

    it is possible to change this option using

        --lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495"

    which results in the mountpoint being restored with the new
    context=.

    This option is useful if using selinux and if the selinux labels
    need to be changed on restore, for example if a container is
    restored into an existing Pod.

--auto-dedup
    As soon as a page is restored it gets punched out of the image.

-j, --shell-job
    Restore shell jobs, in other words inherit session and process
    group ID from criu itself.

--cpu-cap [cap[,cap...]]
    Specify CPU capabilities to be present on the CPU the process is
    restoring on. To invert a capability, prefix it with ^. This option
    implies that --cpu-cap has been passed on dump as well, except for
    the fpu option case. The cap argument can be the following (or a
    set of comma-separated values):

    all
        Require all capabilities. This is the default mode if --cpu-cap
        is passed without arguments. Most safe mode.

    cpu
        Require the CPU to have all capabilities in image to match
        runtime CPU.

    fpu
        Require the CPU to have compatible FPU. For example the process
        might be dumped with xsave capability but attempted to restore
        without it present on target CPU. In such case we refuse to
        proceed. This is the default mode if --cpu-cap is not present
        in command line. Note this argument might be passed even if on
        the dump no --cpu-cap has been specified because FPU frames are
        always encoded into images.

    ins
        Require CPU compatibility on instructions level.

    none
        Ignore capabilities. Most dangerous mode. The behaviour is
        implementation dependent. Try to not use it until really
        required.

    For example, this option can be used in case --cpu-cap=cpu was used
    during dump, and images are migrated to a less capable CPU and are
    to be restored. By default, criu shows an error that CPU
    capabilities are not adequate, but this can be suppressed by using
    --cpu-cap=none.

--weak-sysctls
    Silently skip restoring sysctls that are not available. This allows
    restoring on an older kernel, or a kernel configured without some
    options.

--lazy-pages
    Restore the processes without filling out the entire memory
    contents. When this option is used, restore sets up the
    infrastructure required to fill memory pages either on demand when
    the process accesses them or in the background without stopping the
    restored process. This option requires a running lazy-pages daemon.

--file-validation [mode]
    Set the method to be used to validate open files. Validation is
    done to ensure that the version of the file being restored is the
    same version as when it was dumped.

    The mode may be one of the following:

    filesize
        To explicitly use only the file size check all the time. This
        is the fastest and least intensive check.

    buildid
        To validate ELF files with their build-ID. If the build-ID
        cannot be obtained, chksm-first method will be used. This is
        the default if mode is unspecified.

check
Checks whether the kernel supports the features needed by criu to dump
and restore a process tree.

There are three categories of kernel support, as described below. criu
check always checks Category 1 features unless --feature is specified,
which only checks a specified feature.

Category 1
    Absolutely required. These are features like support for
    /proc/PID/map_files, NETLINK_SOCK_DIAG socket monitoring,
    /proc/sys/kernel/ns_last_pid etc.

Category 2
    Required only for specific cases. These are features like AIO
    remap, /dev/net/tun and others that are only required if a process
    being dumped or restored is using those.

Category 3
    Experimental. These are features like task-diag that are used for
    experimental purposes (mostly during development).

If there are no errors or warnings, criu prints "Looks good." and its
exit code is 0.

A missing Category 1 feature causes criu to print "Does not look good."
and its exit code is non-zero.

Missing Category 2 and 3 features cause criu to print "Looks good but
..." and its exit code is non-zero.

Without any options, criu check checks Category 1 features. This
behavior can be changed by using the following options:

--extra
    Check kernel support for Category 2 features.

--experimental
    Check kernel support for Category 3 features.

--all
    Check kernel support for Category 1, 2, and 3 features.

--feature name
    Check a specific feature. If name is list, a list of valid kernel
    feature names that can be checked will be printed.

page-server
Launches criu in page server mode.

--daemon
    Runs page server as a daemon (background process).

--status-fd
    Write \0 to the FD and close it once page-server is ready to handle
    requests. The status-fd allows not daemonizing a process and
    getting its exit code at the end. --daemon and --status-fd are not
    supposed to be used together.

--address address
    Page server IP address or hostname.

--port number
    Page server port number.

--ps-socket fd
    Use provided file descriptor as socket for incoming connection. In
    this case --address and --port are ignored. Useful for intercepting
    page-server traffic e.g. to add encryption or authentication.

--lazy-pages
    Serve local memory dump to a remote lazy-pages daemon. In this mode
    the page-server reads local memory dump and allows the remote
    lazy-pages daemon to request memory pages in random order.

--tls-cacert file
    Specifies the path to a trusted Certificate Authority (CA)
    certificate file to be used for verification of a client or server
    certificate. The file must be in PEM format. When this option is
    used only the specified CA is used for verification. Otherwise, the
    system’s trusted CAs and, if present, /etc/pki/CA/cacert.pem will
    be used.

--tls-cacrl file
    Specifies a path to a Certificate Revocation List (CRL) file which
    contains a list of revoked certificates that should no longer be
    trusted. The file must be in PEM format. When this option is not
    specified, the file /etc/pki/CA/cacrl.pem will be used, if present.

--tls-cert file
    Specifies a path to a file that contains a X.509 certificate to
    present to the remote entity. The file must be in PEM format. When
    this option is not specified, the default location
    (/etc/pki/criu/cert.pem) will be used.

--tls-key file
    Specifies a path to a file that contains TLS private key. The file
    must be in PEM format. When this option is not specified, the
    default location (/etc/pki/criu/private/key.pem) will be used.

--tls
    Use TLS to secure remote connections.

lazy-pages
Launches criu in lazy-pages daemon mode.

The lazy-pages daemon is responsible for managing user-level demand
paging for the restored processes. It gets information required to fill
the process memory pages from the restore and from the checkpoint
directory. When a restored process accesses a certain memory page for
the first time, the lazy-pages daemon injects its contents into the
process address space. The memory pages that are not yet requested by
the restored processes are injected in the background.

exec
Executes a system call inside a destination task's context. This
functionality is deprecated; please use Compel instead.

service
Launches criu in RPC daemon mode, where criu listens on a socket for
RPC commands to perform. This is convenient for a case where the daemon
itself is running in a privileged (superuser) mode but clients are not.

dedup
Starts pagemap data deduplication procedure, where criu scans over all
pagemap files and tries to minimize the number of pagemap entries by
obtaining the references from a parent pagemap image.

cpuinfo dump
Fetches current CPU features and writes them into an image file.

cpuinfo check
Fetches current CPU features (i.e. of the CPU criu is running on) and
tests if they are compatible with the ones present in an image file.

criu supports configuration files to avoid the need of writing every
option on the command line, which is especially useful when the same
options are used repeatedly. A specific configuration file can be
passed with the "--config file" option. If no file is passed, the
default configuration files /etc/criu/default.conf and
$HOME/.criu/default.conf are parsed (if present on the system). If the
environment variable CRIU_CONFIG_FILE is set, it will also be parsed.

The options passed to CRIU via CLI, RPC or configuration file are
evaluated in the following order:

• apply_config(/etc/criu/default.conf)

• apply_config($HOME/.criu/default.conf)

• apply_config(CRIU_CONFIG_FILE)

• apply_config(--config file)

• apply_config(CLI) or apply_config(RPC)

• apply_config(RPC configuration file) (only for RPC mode)

Default configuration file parsing can be deactivated with
"--no-default-config" if needed. Parsed configuration files are merged
with command line options, which allows overriding boolean options.

Configuration file syntax
Comments are supported using the '#' sign. The rest of the line is
ignored. Options are the same as command line options without the '--'
prefix; use one option per line (with the corresponding argument if
applicable, separated by whitespace). If needed, the argument can be
provided in double quotes (this should be needed only if the argument
contains whitespace). In case this type of argument contains a literal
double quote as well, it can be escaped using the '\' sign. Usage of
commands is disallowed and all other escape sequences are interpreted
literally.

Example of configuration file to illustrate syntax:

    $ cat ~/.criu/default.conf
    tcp-established
    work-dir "/home/USERNAME/criu/my \"work\" directory"
    #this is a comment
    no-restore-sibling # this is another comment
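
An added example, not part of the CRIU manual or the CRIU project's code: a small resolver for the evaluation order and file syntax described above. It reports which configuration file has the last word on a boolean option and flags options this manual marks as unsafe. It models configuration files only (criu applies CLI and RPC options afterwards), and the function names are chosen for the example.

```shell
#!/bin/sh
# Added example: which config file decides a boolean CRIU option.
# Simplified model of the evaluation order in the manual: files are read
# in the order given, a later file overrides an earlier one, and "no-"
# negates. Command-line and RPC options, which criu applies after the
# files, are not modelled; function names are chosen for this example.

# Print the option names of one config file, one per line: comments,
# leading blanks and arguments are removed.
config_options() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//' \
        -e '/^$/d' \
        -e 's/[[:space:]].*$//' "$1"
}

# effective_bool OPTION FILE...
# Prints "on FILE", "off FILE" or "unset"; FILE is the file that had the
# last word. Files that are absent or unreadable are skipped.
effective_bool() {
    opt=$1
    shift
    state=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        while read -r name; do
            case $name in
                "$opt")    state="on $f" ;;
                "no-$opt") state="off $f" ;;
            esac
        done <<EOF
$(config_options "$f")
EOF
    done
    printf '%s\n' "$state"
}

# audit_config FILE...
# Report options the manual itself flags as unsafe that end up enabled.
audit_config() {
    for risky in leave-running enable-fs; do
        result=$(effective_bool "$risky" "$@")
        case $result in
            on\ *) printf '%s %s\n' "$risky" "$result" ;;
        esac
    done
}

# Typical call, files in the order the manual lists them:
#   audit_config /etc/criu/default.conf "$HOME/.criu/default.conf" \
#       "$CRIU_CONFIG_FILE" "$explicit_config"
```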

Configuration files in RPC mode
Not only does criu evaluate configuration files in CLI mode, it also
evaluates configuration files in RPC mode. Just as in CLI mode the
configuration file values are evaluated first. This means that any
option set via RPC will overwrite the configuration file setting. The
user can thus change criu's default behavior but it is not possible to
change settings which are explicitly set by the RPC client.

The RPC client can, however, specify an additional configuration file
which will be evaluated after the RPC options (see above for option
evaluation order). The RPC client can specify this additional
configuration file via "req.opts.config_file = /path/to/file". The
values from this configuration file will overwrite all other
configuration file settings or RPC options. This can lead to undesired
behavior of criu and should only be used carefully.

To checkpoint a program with pid of 1234 and write all image files into
directory checkpoint:

    criu dump -D checkpoint -t 1234

To restore this program detaching criu itself:

    criu restore -d -D checkpoint

The CRIU team.

Copyright (C) 2011-2016, Parallels Holdings, Inc.

criu 3.16.1 10/19/2021 CRIU(8)