1CRIU(8) CRIU Manual CRIU(8)
2
6 criu - checkpoint/restore in userspace
7
9 criu command [option ...]
10
12 criu is a tool for checkpointing and restoring running applications. It
13 does this by saving their state as a collection of files (see the dump
14 command) and creating equivalent processes from those files (see the
15 restore command). The restore operation can be performed at a later
16 time, on a different system, or both.
17
19 Most of the long flags can be prefixed with no- to negate the option
20 (example: --display-stats and --no-display-stats).
21 Common options
23 Common options are applicable to any command.
24 -v[v...], --verbosity
26 Increase verbosity up from the default level. In case of short
27 option, multiple v can be used, each increasing verbosity by one.
28 -vnum, --verbosity=num
30 Set verbosity level to num. The higher the level, the more
31 output is produced.
32 The following levels are available:
34 • -v0 no output;
36 • -v1 only errors;
38 • -v2 above plus warnings (this is the default level);
40 • -v3 above plus information messages and timestamps;
42 • -v4 above plus lots of debug.
44 --config file
46 Pass a specific configuration file to criu.
47 --no-default-config
49 Disable parsing of default configuration files.
50 --pidfile file
52 Write root task, service or page-server pid into a file.
53 -o, --log-file file
55 Write logging messages to a file.
56 --display-stats
58 During dump, as well as during restore, criu collects some
59 statistics, like the time required to dump or restore the process,
60 or the number of pages dumped or restored. This information is
61 always saved to the stats-dump and stats-restore files, and can be
62 shown using crit(1). The option --display-stats prints out this
63 information on the console at the end of a dump or restore
64 operation.
65 -D, --images-dir path
67 Use path as a base directory where to look for sets of image files.
68 --stream
70 dump/restore images using criu-image-streamer. See
71 https://github.com/checkpoint-restore/criu-image-streamer for
72 detailed usage.
73 --prev-images-dir path
75 Use path as a parent directory where to look for sets of image
76 files. This option makes sense in case of incremental dumps.
77 -W, --work-dir dir
79 Use directory dir for putting logs, pidfiles and statistics. If not
80 specified, path from -D option is taken.
81 --close fd
83 Close file descriptor fd before performing any actions.
84 -L, --libdir path
86 Path to plugins directory.
87 --enable-fs [fs[,fs...]]
89 Specify a comma-separated list of filesystem names that should be
90 auto-detected. The value all enables auto-detection for all
91 filesystems.
92 Note: This option is not safe, use at your own risk. Auto-detecting
94 a filesystem mount assumes that the mountpoint can be restored with
95 mount(src, mountpoint, flags, options). When used, dump is expected
96 to always succeed if a mountpoint is to be auto-detected, however
97 restore may fail (or do something wrong) if the assumption for
98 restore logic is incorrect. This option is not compatible with
99 --external dev.
100 --action-script script
102 Add an external action script to be executed at certain stages. The
103 environment variable CRTOOLS_SCRIPT_ACTION is available to the
104 script to find out which action is being executed, and its value
105 can be one of the following:
106 pre-dump
108 run prior to beginning a dump
109 post-dump
111 run upon dump completion
112 pre-restore
114 run prior to beginning a restore
115 post-restore
117 run upon restore completion
118 pre-resume
120 run when all processes and resources are restored but tasks are
121 stopped waiting for final kick to run. Must not fail.
122 post-resume
124 called at the very end, when everything is restored and
125 processes were resumed
126 network-lock
128 run to lock network in a target network namespace
129 network-unlock
131 run to unlock network in a target network namespace
132 setup-namespaces
134 run once root task has just been created with required
135 namespaces. Note it is an early stage of restore, when nothing
136 is restored yet, except for namespaces themselves
137 post-setup-namespaces
139 called after the namespaces are configured
140 orphan-pts-master
142 called after master pty is opened and unlocked. This hook can
143 be used only in the RPC mode, and the notification message
144 contains a file descriptor for the master pty
145 -V, --version
147 Print program version and exit.
148 -h, --help
150 Print some help and exit.
151 pre-dump
153 Performs the pre-dump procedure, during which criu creates a snapshot
154 of memory changes since the previous pre-dump. Note that during this
155 criu also creates the fsnotify cache which speeds up the restore
156 procedure. pre-dump requires at least -t option (see dump below). In
157 addition, page-server options may be specified.
158 --track-mem
160 Turn on memory changes tracker in the kernel. If the option is not
161 passed the memory tracker get turned on implicitly.
162 --pre-dump-mode=mode
164 There are two mode to operate pre-dump algorithm. The splice mode
165 is parasite based, whereas read mode is based on process_vm_readv
166 syscall. The read mode incurs reduced frozen time and reduced
167 memory pressure as compared to splice mode. Default is splice mode.
168 dump
170 Performs a checkpoint procedure.
171 -t, --tree pid
173 Checkpoint the whole process tree starting from pid.
174 -R, --leave-running
176 Leave tasks in running state after checkpoint, instead of killing.
177 This option is pretty dangerous and should be used only if you
178 understand what you are doing.
179 Note if task is about to run after been checkpointed, it can modify
181 TCP connections, delete files and do other dangerous actions.
182 Therefore, criu can not guarantee that the next restore action will
183 succeed. Most likely if this option is used, at least the file
184 system snapshot must be made with the help of post-dump action
185 script.
186 In other words, do not use it unless really needed.
188 -s, --leave-stopped
190 Leave tasks in stopped state after checkpoint, instead of killing.
191 --external type[id]:value
193 Dump an instance of an external resource. The generic syntax is
194 type of resource, followed by resource id (enclosed in literal
195 square brackets), and optional value (prepended by a literal
196 colon). The following resource types are currently supported: mnt,
197 dev, file, tty, unix. Syntax depends on type. Note to restore
198 external resources, either --external or --inherit-fd is used,
199 depending on resource type.
200 --external mnt[mountpoint]:name
202 Dump an external bind mount referenced by mountpoint, saving it to
203 image under the identifier name.
204 --external mnt[]:flags
206 Dump all external bind mounts, autodetecting those. Optional flags
207 can contain m to also dump external master mounts, s to also dump
208 external shared mounts (default behavior is to abort dumping if
209 such mounts are found). If flags are not provided, colon is
210 optional.
211 --external dev[major/minor]:name
213 Allow to dump a mount namespace having a real block device mounted.
214 A block device is identified by its major and minor numbers, and
215 criu saves its information to image under the identifier name.
216 --external file[mnt_id:inode]
218 Dump an external file, i.e. an opened file that is can not be
219 resolved from the current mount namespace, which can not be dumped
220 without using this option. The file is identified by mnt_id (a
221 field obtained from /proc/pid/fdinfo/N) and inode (as returned by
222 stat(2)).
223 --external tty[rdev:dev]
225 Dump an external TTY, identified by st_rdev and st_dev fields
226 returned by stat(2).
227 --external unix[id]
229 Tell criu that one end of a pair of UNIX sockets (created by
230 socketpair(2)) with the given id is OK to be disconnected.
231 --external net[inode]:name
233 Mark a network namespace as external and do not include it in the
234 checkpoint. The label name can be used with --inherit-fd during
235 restore to specify a file descriptor to a preconfigured network
236 namespace.
237 --external pid[inode]:name
239 Mark a PID namespace as external. This can be later used to restore
240 a process into an existing PID namespace. The label name can be
241 used to assign another PID namespace during restore with the help
242 of --inherit-fd.
243 --freeze-cgroup
245 Use cgroup freezer to collect processes.
246 --manage-cgroups
248 Collect cgroups into the image thus they gonna be restored then.
249 Without this option, criu will not save cgroups configuration
250 associated with a task.
251 --cgroup-props spec
253 Specify controllers and their properties to be saved into the image
254 file. criu predefines specifications for common controllers, but
255 since the kernel can add new controllers and modify their
256 properties, there should be a way to specify ones matched the
257 kernel.
258 spec argument describes the controller and properties specification
260 in a simplified YAML form:
261 "c1":
263 - "strategy": "merge"
264 - "properties": ["a", "b"]
265 "c2":
266 - "strategy": "replace"
267 - "properties": ["c", "d"]
268 where c1 and c2 are controllers names, and a, b, c, d are their
270 properties.
271 Note the format: double quotes, spaces and new lines are required.
273 The strategy specifies what to do if a controller specified already
274 exists as a built-in one: criu can either merge or replace such.
275 For example, the command line for the above example should look
277 like this:
278 --cgroup-props "\"c1\":\n - \"strategy\": \"merge\"\n - \"properties\": [\"a\", \"b\"]\n \"c2\":\n - \"strategy\": \"replace\"\n - \"properties\": [\"c\", \"d\"]"
280 --cgroup-props-file file
282 Same as --cgroup-props, except the specification is read from the
283 file.
284 --cgroup-dump-controller name
286 Dump a controller with name only, skipping anything else that was
287 discovered automatically (usually via /proc). This option is useful
288 when one needs criu to skip some controllers.
289 --cgroup-yard path
291 Instead of trying to mount cgroups in CRIU, provide a path to a
292 directory with already created cgroup yard. Useful if you don’t
293 want to grant CAP_SYS_ADMIN to CRIU. For every cgroup mount there
294 should be exactly one directory. If there is only one controller in
295 this mount, the dir’s name should be just the name of the
296 controller. If there are multiple controllers comounted, the
297 directory name should have them be separated by a comma.
298 For example, if /proc/cgroups looks like this:
300 #subsys_name hierarchy num_cgroups enabled
302 cpu 1 1 1
303 devices 2 2 1
304 freezer 2 2 1
305 then you can create the cgroup yard by the following commands:
307 mkdir private_yard
309 cd private_yard
310 mkdir cpu
311 mount -t cgroup -o cpu none cpu
312 mkdir devices,freezer
313 mount -t cgroup -o devices,freezer none devices,freezer
314 --tcp-established
316 Checkpoint established TCP connections.
317 --tcp-close
319 Don’t dump the state of, or block, established tcp connections
320 (including the connection is once established but now closed). This
321 is useful when tcp connections are not going to be restored.
322 --skip-in-flight
324 This option skips in-flight TCP connections. If any TCP connections
325 that are not yet completely established are found, criu ignores
326 these connections, rather than errors out. The TCP stack on the
327 client side is expected to handle the re-connect gracefully.
328 --evasive-devices
330 Use any path to a device file if the original one is inaccessible.
331 --page-server
333 Send pages to a page server (see the page-server command).
334 --force-irmap
336 Force resolving names for inotify and fsnotify watches.
337 --auto-dedup
339 Deduplicate "old" data in pages images of previous dump. This
340 option implies incremental dump mode (see the pre-dump command).
341 -l, --file-locks
343 Dump file locks. It is necessary to make sure that all file lock
344 users are taken into dump, so it is only safe to use this for
345 enclosed containers where locks are not held by any processes
346 outside of dumped process tree.
347 --link-remap
349 Allows to link unlinked files back, if possible (modifies
350 filesystem during restore).
351 --timeout number
353 Set a time limit in seconds for collecting tasks during the dump
354 operation. The timeout is 10 seconds by default.
355 --ghost-limit size
357 Set the maximum size of deleted file to be carried inside image. By
358 default, up to 1M file is allowed. Using this option allows to not
359 put big deleted files inside images. Argument size may be postfixed
360 with a K, M or G, which stands for kilo-, mega, and gigabytes,
361 accordingly.
362 -j, --shell-job
364 Allow one to dump shell jobs. This implies the restored task will
365 inherit session and process group ID from the criu itself. This
366 option also allows to migrate a single external tty connection, to
367 migrate applications like top. If used with dump command, it must
368 be specified with restore as well.
369 --cpu-cap [cap[,cap...]]
371 Specify CPU capabilities to write to an image file. The argument is
372 a comma-separated list of:
373 • none to ignore capabilities at all; the image will not be
375 produced on dump, neither any check performed on restore;
376 • fpu to check if FPU module is compatible;
378 • ins to check if CPU supports all instructions required;
380 • cpu to check if CPU capabilities are exactly matching;
382 • all for all above set.
384 By default the option is set to fpu and ins.
386 --cgroup-root [controller:]/newroot
388 Change the root for the controller that will be dumped. By default,
389 criu simply dumps everything below where any of the tasks live.
390 However, if a container moves all of its tasks into a cgroup
391 directory below the container engine’s default directory for tasks,
392 permissions will not be preserved on the upper directories with no
393 tasks in them, which may cause problems.
394 --lazy-pages
396 Perform the dump procedure without writing memory pages into the
397 image files and prepare to service page requests over the network.
398 When dump runs in this mode it presumes that lazy-pages daemon will
399 connect to it and fetch memory pages to lazily inject them into the
400 restored process address space. This option is intended for
401 post-copy (lazy) migration and should be used in conjunction with
402 restore with appropriate options.
403 --file-validation [mode]
405 Set the method to be used to validate open files. Validation is
406 done to ensure that the version of the file being restored is the
407 same version when it was dumped.
408 The mode may be one of the following:
410 filesize
412 To explicitly use only the file size check all the time. This
413 is the fastest and least intensive check.
414 buildid
416 To validate ELF files with their build-ID. If the build-ID
417 cannot be obtained, chksm-first method will be used. This is
418 the default if mode is unspecified.
419 --network-lock [mode]
421 Set the method to be used for network locking/unlocking. Locking is
422 done to ensure that tcp packets are dropped between dump and
423 restore. This is done to avoid the kernel sending RST when a packet
424 arrives destined for the dumped process.
425 The mode may be one of the following:
427 iptables
429 Use iptables rules to drop the packets. This is the default if
430 mode is not specified.
431 nftables
433 Use nftables rules to drop the packets.
434 restore
436 Restores previously checkpointed processes.
437 --inherit-fd fd[N]:resource
439 Inherit a file descriptor. This option lets criu use an already
440 opened file descriptor N for restoring a file identified by
441 resource. This option can be used to restore an external resource
442 dumped with the help of --external file, tty, pid and unix options.
443 The resource argument can be one of the following:
445 • tty[rdev:dev]
447 • pipe[inode]
449 • socket[inode*]*
451 • file[mnt_id:inode]
453 • path/to/file
455 Note that square brackets used in this option arguments are
457 literals and usually need to be escaped from shell.
458 -d, --restore-detached
460 Detach criu itself once restore is complete.
461 -s, --leave-stopped
463 Leave tasks in stopped state after restore (rather than resuming
464 their execution).
465 -S, --restore-sibling
467 Restore root task as a sibling (makes sense only with
468 --restore-detached).
469 --log-pid
471 Write separate logging files per each pid.
472 -r, --root path
474 Change the root filesystem to path (when run in a mount namespace).
475 This option is required to restore a mount namespace. The directory
476 path must be a mount point and its parent must not be overmounted.
477 --external type[id]:value
479 Restore an instance of an external resource. The generic syntax is
480 type of resource, followed by resource id (enclosed in literal
481 square brackets), and optional value (prepended by a literal
482 colon). The following resource types are currently supported: mnt,
483 dev, veth, macvlan. Syntax depends on type. Note to restore
484 external resources dealing with opened file descriptors (such as
485 dumped with the help of --external file, tty, and unix options),
486 option --inherit-fd should be used.
487 --external mnt[name]:mountpoint
489 Restore an external bind mount referenced in the image by name,
490 bind-mounting it from the host mountpoint to a proper mount point.
491 --external mnt[]
493 Restore all external bind mounts (dumped with the help of
494 --external mnt[] auto-detection).
495 --external dev[name]:/dev/path
497 Restore an external mount device, identified in the image by name,
498 using the existing block device /dev/path.
499 --external veth[inner_dev]:outer_dev@bridge
501 Set the outer VETH device name (corresponding to inner_dev being
502 restored) to outer_dev. If optional @bridge is specified, outer_dev
503 is added to that bridge. If the option is not used, outer_dev will
504 be autogenerated by the kernel.
505 --external macvlan[inner_dev]:outer_dev
507 When restoring an image that have a MacVLAN device in it, this
508 option must be used to specify to which outer_dev (an existing
509 network device in CRIU namespace) the restored inner_dev should be
510 bound to.
511 -J, --join-ns NS:{PID|NS_FILE}[,EXTRA_OPTS]
513 Restore process tree inside an existing namespace. The namespace
514 can be specified in PID or NS_FILE path format (example: --join-ns
515 net:12345 or --join-ns net:/foo/bar). Currently supported values
516 for NS are: ipc, net, time, user, and uts. This option doesn’t
517 support joining a PID namespace, however, this is possible using
518 --external and --inheritfd. EXTRA_OPTS is optional and can be used
519 to specify UID and GID for user namespace (e.g., --join-ns
520 user:PID,UID,GID).
521 --manage-cgroups [mode]
523 Restore cgroups configuration associated with a task from the
524 image. Controllers are always restored in an optimistic way — if
525 already present in system, criu reuses it, otherwise it will be
526 created.
527 The mode may be one of the following:
529 none
531 Do not restore cgroup properties but require cgroup to
532 pre-exist at the moment of restore procedure.
533 props
535 Restore cgroup properties and require cgroup to pre-exist.
536 soft
538 Restore cgroup properties if only cgroup has been created by
539 criu, otherwise do not restore properties. This is the default
540 if mode is unspecified.
541 full
543 Always restore all cgroups and their properties.
544 strict
546 Restore all cgroups and their properties from the scratch,
547 requiring them to not present in the system.
548 ignore
550 Don’t deal with cgroups and pretend that they don’t exist.
551 --cgroup-yard path
553 Instead of trying to mount cgroups in CRIU, provide a path to a
554 directory with already created cgroup yard. For more information
555 look in the dump section.
556 --cgroup-root [controller:]/newroot
558 Change the root cgroup the controller will be installed into. No
559 controller means that root is the default for all controllers not
560 specified.
561 --tcp-established
563 Restore previously dumped established TCP connections. This implies
564 that the network has been locked between dump and restore phases so
565 other side of a connection simply notice a kind of lag.
566 --tcp-close
568 Restore connected TCP sockets in closed state.
569 --veth-pair IN=OUT
571 Correspondence between outside and inside names of veth devices.
572 -l, --file-locks
574 Restore file locks from the image.
575 --lsm-profile type:name
577 Specify an LSM profile to be used during restore. The type can be
578 either apparmor or selinux.
579 --lsm-mount-context context
581 Specify a new mount context to be used during restore.
582 This option will only replace existing mount context information
584 with the one specified with this option. Mounts without the
585 context= option will not be changed.
586 If a mountpoint has been checkpointed with an option like
588 context="system_u:object_r:container_file_t:s0:c82,c137"
590 it is possible to change this option using
592 --lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495"
594 which will result that the mountpoint will be restored with the new
596 context=.
597 This option is useful if using selinux and if the selinux labels
599 need to be changed on restore like if a container is restored into
600 an existing Pod.
601 --auto-dedup
603 As soon as a page is restored it get punched out from image.
604 -j, --shell-job
606 Restore shell jobs, in other words inherit session and process
607 group ID from the criu itself.
608 --cpu-cap [cap[,cap...]]
610 Specify CPU capabilities to be present on the CPU the process is
611 restoring. To inverse a capability, prefix it with ^. This option
612 implies that --cpu-cap has been passed on dump as well, except fpu
613 option case. The cap argument can be the following (or a set of
614 comma-separated values):
615 all
617 Require all capabilities. This is default mode if --cpu-cap is
618 passed without arguments. Most safe mode.
619 cpu
621 Require the CPU to have all capabilities in image to match
622 runtime CPU.
623 fpu
625 Require the CPU to have compatible FPU. For example the process
626 might be dumped with xsave capability but attempted to restore
627 without it present on target CPU. In such case we refuse to
628 proceed. This is default mode if --cpu-cap is not present in
629 command line. Note this argument might be passed even if on the
630 dump no --cpu-cap have been specified because FPU frames are
631 always encoded into images.
632 ins
634 Require CPU compatibility on instructions level.
635 none
637 Ignore capabilities. Most dangerous mode. The behaviour is
638 implementation dependent. Try to not use it until really
639 required.
640 For example, this option can be used in case --cpu-cap=cpu was
642 used during dump, and images are migrated to a less capable CPU
643 and are to be restored. By default, criu shows an error that
644 CPU capabilities are not adequate, but this can be suppressed
645 by using --cpu-cap=none.
646 --weak-sysctls
648 Silently skip restoring sysctls that are not available. This allows
649 to restore on an older kernel, or a kernel configured without some
650 options.
651 --lazy-pages
653 Restore the processes without filling out the entire memory
654 contents. When this option is used, restore sets up the
655 infrastructure required to fill memory pages either on demand when
656 the process accesses them or in the background without stopping the
657 restored process. This option requires running lazy-pages daemon.
658 --file-validation [mode]
660 Set the method to be used to validate open files. Validation is
661 done to ensure that the version of the file being restored is the
662 same version when it was dumped.
663 The mode may be one of the following:
665 filesize
667 To explicitly use only the file size check all the time. This
668 is the fastest and least intensive check.
669 buildid
671 To validate ELF files with their build-ID. If the build-ID
672 cannot be obtained, chksm-first method will be used. This is
673 the default if mode is unspecified.
674 check
676 Checks whether the kernel supports the features needed by criu to dump
677 and restore a process tree.
678 There are three categories of kernel support, as described below. criu
680 check always checks Category 1 features unless --feature is specified
681 which only checks a specified feature.
682 Category 1
684 Absolutely required. These are features like support for
685 /proc/PID/map_files, NETLINK_SOCK_DIAG socket monitoring,
686 /proc/sys/kernel/ns_last_pid etc.
687 Category 2
689 Required only for specific cases. These are features like AIO
690 remap, /dev/net/tun and others that are only required if a process
691 being dumped or restored is using those.
692 Category 3
694 Experimental. These are features like task-diag that are used for
695 experimental purposes (mostly during development).
696 If there are no errors or warnings, criu prints "Looks good." and its
698 exit code is 0.
699 A missing Category 1 feature causes criu to print "Does not look good."
701 and its exit code is non-zero.
702 Missing Category 2 and 3 features cause criu to print "Looks good but
704 ..." and its exit code is be non-zero.
705 Without any options, criu check checks Category 1 features. This
707 behavior can be changed by using the following options:
708 --extra
710 Check kernel support for Category 2 features.
711 --experimental
713 Check kernel support for Category 3 features.
714 --all
716 Check kernel support for Category 1, 2, and 3 features.
717 --feature name
719 Check a specific feature. If name is list, a list of valid kernel
720 feature names that can be checked will be printed.
721 page-server
723 Launches criu in page server mode.
724 --daemon
726 Runs page server as a daemon (background process).
727 --status-fd
729 Write \0 to the FD and close it once page-server is ready to handle
730 requests. The status-fd allows to not daemonize a process and get
731 its exit code at the end. It isn’t supposed to use --daemon and
732 --status-fd together.
733 --address address
735 Page server IP address or hostname.
736 --port number
738 Page server port number.
739 --ps-socket fd
741 Use provided file descriptor as socket for incoming connection. In
742 this case --address and --port are ignored. Useful for intercepting
743 page-server traffic e.g. to add encryption or authentication.
744 --lazy-pages
746 Serve local memory dump to a remote lazy-pages daemon. In this mode
747 the page-server reads local memory dump and allows the remote
748 lazy-pages daemon to request memory pages in random order.
749 --tls-cacert file
751 Specifies the path to a trusted Certificate Authority (CA)
752 certificate file to be used for verification of a client or server
753 certificate. The file must be in PEM format. When this option is
754 used only the specified CA is used for verification. Otherwise, the
755 system’s trusted CAs and, if present, /etc/pki/CA/cacert.pem will
756 be used.
757 --tls-cacrl file
759 Specifies a path to a Certificate Revocation List (CRL) file which
760 contains a list of revoked certificates that should no longer be
761 trusted. The file must be in PEM format. When this option is not
762 specified, the file, if present, /etc/pki/CA/cacrl.pem will be
763 used.
764 --tls-cert file
766 Specifies a path to a file that contains a X.509 certificate to
767 present to the remote entity. The file must be in PEM format. When
768 this option is not specified, the default location
769 (/etc/pki/criu/cert.pem) will be used.
770 --tls-key file
772 Specifies a path to a file that contains TLS private key. The file
773 must be in PEM format. When this option is not the default location
774 (/etc/pki/criu/private/key.pem) will be used.
775 --tls
777 Use TLS to secure remote connections.
778 lazy-pages
780 Launches criu in lazy-pages daemon mode.
781 The lazy-pages daemon is responsible for managing user-level demand
783 paging for the restored processes. It gets information required to fill
784 the process memory pages from the restore and from the checkpoint
785 directory. When a restored process access certain memory page for the
786 first time, the lazy-pages daemon injects its contents into the process
787 address space. The memory pages that are not yet requested by the
788 restored processes are injected in the background.
789 exec
791 Executes a system call inside a destination task's context. This
792 functionality is deprecated; please use Compel instead.
793 service
795 Launches criu in RPC daemon mode, where criu is listening for RPC
796 commands over socket to perform. This is convenient for a case where
797 daemon itself is running in a privileged (superuser) mode but clients
798 are not.
799 dedup
801 Starts pagemap data deduplication procedure, where criu scans over all
802 pagemap files and tries to minimize the number of pagemap entries by
803 obtaining the references from a parent pagemap image.
804 cpuinfo dump
806 Fetches current CPU features and write them into an image file.
807 cpuinfo check
809 Fetches current CPU features (i.e. CPU the criu is running on) and test
810 if they are compatible with the ones present in an image file.
811
813 Criu supports usage of configuration files to avoid the need of writing
814 every option on command line, which is useful especially with repeated
815 usage of same options. A specific configuration file can be passed with
816 the "--config file" option. If no file is passed, the default
817 configuration files /etc/criu/default.conf and $HOME/.criu/default.conf
818 are parsed (if present on the system). If the environment variable
819 CRIU_CONFIG_FILE is set, it will also be parsed.
820 The options passed to CRIU via CLI, RPC or configuration file are
822 evaluated in the following order:
823 • apply_config(/etc/criu/default.conf)
825 • apply_config($HOME/.criu/default.conf)
827 • apply_config(CRIU_CONFIG_FILE)
829 • apply_config(--config file)
831 • apply_config(CLI) or apply_config(RPC)
833 • apply_config(RPC configuration file) (only for RPC mode)
835 Default configuration file parsing can be deactivated with
837 "--no-default-config" if needed. Parsed configuration files are merged
838 with command line options, which allows overriding boolean options.
839 Configuration file syntax
841 Comments are supported using '#' sign. The rest of the line is ignored.
842 Options are the same as command line options without the '--' prefix,
843 use one option per line (with corresponding argument if applicable,
844 divided by whitespaces). If needed, the argument can be provided in
845 double quotes (this should be needed only if the argument contains
846 whitespaces). In case this type of argument contains a literal double
847 quote as well, it can be escaped using the '\' sign. Usage of commands
848 is disallowed and all other escape sequences are interpreted literally.
849 Example of configuration file to illustrate syntax:
851 $ cat ~/.criu/default.conf
853 tcp-established
854 work-dir "/home/USERNAME/criu/my \"work\" directory"
855 #this is a comment
856 no-restore-sibling # this is another comment
857 Configuration files in RPC mode
859 Not only does criu evaluate configuration files in CLI mode, it also
860 evaluates configuration files in RPC mode. Just as in CLI mode the
861 configuration file values are evaluated first. This means that any
862 option set via RPC will overwrite the configuration file setting. The
863 user can thus change criu's default behavior but it is not possible to
864 change settings which are explicitly set by the RPC client.
865 The RPC client can, however, specify an additional configuration file
867 which will be evaluated after the RPC options (see above for option
868 evaluation order). The RPC client can specify this additional
869 configuration file via "req.opts.config_file = /path/to/file". The
870 values from this configuration file will overwrite all other
871 configuration file settings or RPC options. This can lead to undesired
872 behavior of criu and should only be used carefully.
873
875 To checkpoint a program with pid of 1234 and write all image files into
876 directory checkpoint:
877 criu dump -D checkpoint -t 1234
879 To restore this program detaching criu itself:
881 criu restore -d -D checkpoint
883
885 The CRIU team.
886
888 Copyright (C) 2011-2016, Parallels Holdings, Inc.
889criu 2022-07-20 CRIU(8)