1CRIU(8) CRIU Manual CRIU(8)
2
6 criu - checkpoint/restore in userspace
7
9 criu command [option ...]
10
12 criu is a tool for checkpointing and restoring running applications. It
13 does this by saving their state as a collection of files (see the dump
14 command) and creating equivalent processes from those files (see the
15 restore command). The restore operation can be performed at a later
16 time, on a different system, or both.
17
19 Most of the long flags can be prefixed with no- to negate the option
20 (example: --display-stats and --no-display-stats).
21 Common options
23 Common options are applicable to any command.
24 -v[v...], --verbosity
26 Increase verbosity up from the default level. In case of short
27 option, multiple v can be used, each increasing verbosity by one.
28 -vnum, --verbosity=num
30 Set verbosity level to num. The higher the level, the more
31 output is produced.
32 The following levels are available:
34 • -v0 no output;
36 • -v1 only errors;
38 • -v2 above plus warnings (this is the default level);
40 • -v3 above plus information messages and timestamps;
42 • -v4 above plus lots of debug.
44 --config file
46 Pass a specific configuration file to criu.
47 --no-default-config
49 Disable parsing of default configuration files.
50 --pidfile file
52 Write root task, service or page-server pid into a file.
53 -o, --log-file file
55 Write logging messages to a file.
56 --display-stats
58 During dump, as well as during restore, criu collects some
59 statistics, like the time required to dump or restore the process,
60 or the number of pages dumped or restored. This information is
61 always saved to the stats-dump and stats-restore files, and can be
62 shown using crit(1). The option --display-stats prints out this
63 information on the console at the end of a dump or restore
64 operation.
65 -D, --images-dir path
67 Use path as a base directory where to look for sets of image files.
68 --stream
70 dump/restore images using criu-image-streamer. See
71 https://github.com/checkpoint-restore/criu-image-streamer for
72 detailed usage.
73 --prev-images-dir path
75 Use path as a parent directory where to look for sets of image
76 files. This option makes sense in case of incremental dumps.
77 -W, --work-dir dir
79 Use directory dir for putting logs, pidfiles and statistics. If not
80 specified, path from -D option is taken.
81 --close fd
83 Close file descriptor fd before performing any actions.
84 -L, --libdir path
86 Path to plugins directory.
87 --enable-fs [fs[,fs...]]
89 Specify a comma-separated list of filesystem names that should be
90 auto-detected. The value all enables auto-detection for all
91 filesystems.
92 Note: This option is not safe, use at your own risk. Auto-detecting
94 a filesystem mount assumes that the mountpoint can be restored with
95 mount(src, mountpoint, flags, options). When used, dump is expected
96 to always succeed if a mountpoint is to be auto-detected, however
97 restore may fail (or do something wrong) if the assumption for
98 restore logic is incorrect. This option is not compatible with
99 --external dev.
100 --action-script script
102 Add an external action script to be executed at certain stages. The
103 environment variable CRTOOLS_SCRIPT_ACTION is available to the
104 script to find out which action is being executed, and its value
105 can be one of the following:
106 pre-dump
108 run prior to beginning a dump
109 post-dump
111 run upon dump completion
112 pre-restore
114 run prior to beginning a restore
115 post-restore
117 run upon restore completion
118 pre-resume
120 run when all processes and resources are restored but tasks are
121 stopped waiting for final kick to run. Must not fail.
122 post-resume
124 called at the very end, when everything is restored and
125 processes were resumed
126 network-lock
128 run to lock network in a target network namespace
129 network-unlock
131 run to unlock network in a target network namespace
132 setup-namespaces
134 run once root task has just been created with required
135 namespaces. Note it is an early stage of restore, when nothing
136 is restored yet, except for namespaces themselves
137 post-setup-namespaces
139 called after the namespaces are configured
140 orphan-pts-master
142 called after master pty is opened and unlocked. This hook can
143 be used only in the RPC mode, and the notification message
144 contains a file descriptor for the master pty
145 --unprivileged
147 This option tells criu to accept the limitations when running as
148 non-root. Running as non-root requires criu at least to have
149 CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE. For details about running
150 criu as non-root please consult the NON-ROOT section.
151 -V, --version
153 Print program version and exit.
154 -h, --help
156 Print some help and exit.
157 pre-dump
159 Performs the pre-dump procedure, during which criu creates a snapshot
160 of memory changes since the previous pre-dump. Note that during this
161 criu also creates the fsnotify cache which speeds up the restore
162 procedure. pre-dump requires at least -t option (see dump below). In
163 addition, page-server options may be specified.
164 --track-mem
166 Turn on memory changes tracker in the kernel. If the option is not
167 passed the memory tracker get turned on implicitly.
168 --pre-dump-mode=mode
170 There are two mode to operate pre-dump algorithm. The splice mode
171 is parasite based, whereas read mode is based on process_vm_readv
172 syscall. The read mode incurs reduced frozen time and reduced
173 memory pressure as compared to splice mode. Default is splice mode.
174 dump
176 Performs a checkpoint procedure.
177 -t, --tree pid
179 Checkpoint the whole process tree starting from pid.
180 -R, --leave-running
182 Leave tasks in running state after checkpoint, instead of killing.
183 This option is pretty dangerous and should be used only if you
184 understand what you are doing.
185 Note if task is about to run after been checkpointed, it can modify
187 TCP connections, delete files and do other dangerous actions.
188 Therefore, criu can not guarantee that the next restore action will
189 succeed. Most likely if this option is used, at least the file
190 system snapshot must be made with the help of post-dump action
191 script.
192 In other words, do not use it unless really needed.
194 -s, --leave-stopped
196 Leave tasks in stopped state after checkpoint, instead of killing.
197 --external type[id]:value
199 Dump an instance of an external resource. The generic syntax is
200 type of resource, followed by resource id (enclosed in literal
201 square brackets), and optional value (prepended by a literal
202 colon). The following resource types are currently supported: mnt,
203 dev, file, tty, unix. Syntax depends on type. Note to restore
204 external resources, either --external or --inherit-fd is used,
205 depending on resource type.
206 --external mnt[mountpoint]:name
208 Dump an external bind mount referenced by mountpoint, saving it to
209 image under the identifier name.
210 --external mnt[]:flags
212 Dump all external bind mounts, autodetecting those. Optional flags
213 can contain m to also dump external master mounts, s to also dump
214 external shared mounts (default behavior is to abort dumping if
215 such mounts are found). If flags are not provided, colon is
216 optional.
217 --external dev[major/minor]:name
219 Allow to dump a mount namespace having a real block device mounted.
220 A block device is identified by its major and minor numbers, and
221 criu saves its information to image under the identifier name.
222 --external file[mnt_id:inode]
224 Dump an external file, i.e. an opened file that is can not be
225 resolved from the current mount namespace, which can not be dumped
226 without using this option. The file is identified by mnt_id (a
227 field obtained from /proc/pid/fdinfo/N) and inode (as returned by
228 stat(2)).
229 --external tty[rdev:dev]
231 Dump an external TTY, identified by st_rdev and st_dev fields
232 returned by stat(2).
233 --external unix[id]
235 Tell criu that one end of a pair of UNIX sockets (created by
236 socketpair(2)) with the given id is OK to be disconnected.
237 --external net[inode]:name
239 Mark a network namespace as external and do not include it in the
240 checkpoint. The label name can be used with --inherit-fd during
241 restore to specify a file descriptor to a preconfigured network
242 namespace.
243 --external pid[inode]:name
245 Mark a PID namespace as external. This can be later used to restore
246 a process into an existing PID namespace. The label name can be
247 used to assign another PID namespace during restore with the help
248 of --inherit-fd.
249 --freeze-cgroup
251 Use cgroup freezer to collect processes.
252 --manage-cgroups
254 Collect cgroups into the image thus they gonna be restored then.
255 Without this option, criu will not save cgroups configuration
256 associated with a task.
257 --cgroup-props spec
259 Specify controllers and their properties to be saved into the image
260 file. criu predefines specifications for common controllers, but
261 since the kernel can add new controllers and modify their
262 properties, there should be a way to specify ones matched the
263 kernel.
264 spec argument describes the controller and properties specification
266 in a simplified YAML form:
267 "c1":
269 - "strategy": "merge"
270 - "properties": ["a", "b"]
271 "c2":
272 - "strategy": "replace"
273 - "properties": ["c", "d"]
274 where c1 and c2 are controllers names, and a, b, c, d are their
276 properties.
277 Note the format: double quotes, spaces and new lines are required.
279 The strategy specifies what to do if a controller specified already
280 exists as a built-in one: criu can either merge or replace such.
281 For example, the command line for the above example should look
283 like this:
284 --cgroup-props "\"c1\":\n - \"strategy\": \"merge\"\n - \"properties\": [\"a\", \"b\"]\n \"c2\":\n - \"strategy\": \"replace\"\n - \"properties\": [\"c\", \"d\"]"
286 --cgroup-props-file file
288 Same as --cgroup-props, except the specification is read from the
289 file.
290 --cgroup-dump-controller name
292 Dump a controller with name only, skipping anything else that was
293 discovered automatically (usually via /proc). This option is useful
294 when one needs criu to skip some controllers.
295 --cgroup-yard path
297 Instead of trying to mount cgroups in CRIU, provide a path to a
298 directory with already created cgroup yard. Useful if you don’t
299 want to grant CAP_SYS_ADMIN to CRIU. For every cgroup mount there
300 should be exactly one directory. If there is only one controller in
301 this mount, the dir’s name should be just the name of the
302 controller. If there are multiple controllers comounted, the
303 directory name should have them be separated by a comma.
304 For example, if /proc/cgroups looks like this:
306 #subsys_name hierarchy num_cgroups enabled
308 cpu 1 1 1
309 devices 2 2 1
310 freezer 2 2 1
311 then you can create the cgroup yard by the following commands:
313 mkdir private_yard
315 cd private_yard
316 mkdir cpu
317 mount -t cgroup -o cpu none cpu
318 mkdir devices,freezer
319 mount -t cgroup -o devices,freezer none devices,freezer
320 --tcp-established
322 Checkpoint established TCP connections.
323 --tcp-close
325 Don’t dump the state of, or block, established tcp connections
326 (including the connection is once established but now closed). This
327 is useful when tcp connections are not going to be restored.
328 --skip-in-flight
330 This option skips in-flight TCP connections. If any TCP connections
331 that are not yet completely established are found, criu ignores
332 these connections, rather than errors out. The TCP stack on the
333 client side is expected to handle the re-connect gracefully.
334 --evasive-devices
336 Use any path to a device file if the original one is inaccessible.
337 --page-server
339 Send pages to a page server (see the page-server command).
340 --force-irmap
342 Force resolving names for inotify and fsnotify watches.
343 --auto-dedup
345 Deduplicate "old" data in pages images of previous dump. This
346 option implies incremental dump mode (see the pre-dump command).
347 -l, --file-locks
349 Dump file locks. It is necessary to make sure that all file lock
350 users are taken into dump, so it is only safe to use this for
351 enclosed containers where locks are not held by any processes
352 outside of dumped process tree.
353 --link-remap
355 Allows to link unlinked files back, if possible (modifies
356 filesystem during restore).
357 --timeout number
359 Set a time limit in seconds for collecting tasks during the dump
360 operation. The timeout is 10 seconds by default.
361 --ghost-limit size
363 Set the maximum size of deleted file to be carried inside image. By
364 default, up to 1M file is allowed. Using this option allows to not
365 put big deleted files inside images. Argument size may be postfixed
366 with a K, M or G, which stands for kilo-, mega, and gigabytes,
367 accordingly.
368 --ghost-fiemap
370 Enable an optimization based on fiemap ioctl that can reduce the
371 number of system calls used when checkpointing highly sparse ghost
372 files. This option is enabled by default, and it can be disabled
373 with --no-ghost-fiemap. An automatic fallback to
374 SEEK_HOLE/SEEK_DATA is used when fiemap is not supported.
375 -j, --shell-job
377 Allow one to dump shell jobs. This implies the restored task will
378 inherit session and process group ID from the criu itself. This
379 option also allows to migrate a single external tty connection, to
380 migrate applications like top. If used with dump command, it must
381 be specified with restore as well.
382 --cpu-cap [cap[,cap...]]
384 Specify CPU capabilities to write to an image file. The argument is
385 a comma-separated list of:
386 • none to ignore capabilities at all; the image will not be
388 produced on dump, neither any check performed on restore;
389 • fpu to check if FPU module is compatible;
391 • ins to check if CPU supports all instructions required;
393 • cpu to check if CPU capabilities are exactly matching;
395 • all for all above set.
397 By default the option is set to fpu and ins.
399 --cgroup-root [controller:]/newroot
401 Change the root for the controller that will be dumped. By default,
402 criu simply dumps everything below where any of the tasks live.
403 However, if a container moves all of its tasks into a cgroup
404 directory below the container engine’s default directory for tasks,
405 permissions will not be preserved on the upper directories with no
406 tasks in them, which may cause problems.
407 --lazy-pages
409 Perform the dump procedure without writing memory pages into the
410 image files and prepare to service page requests over the network.
411 When dump runs in this mode it presumes that lazy-pages daemon will
412 connect to it and fetch memory pages to lazily inject them into the
413 restored process address space. This option is intended for
414 post-copy (lazy) migration and should be used in conjunction with
415 restore with appropriate options.
416 --file-validation [mode]
418 Set the method to be used to validate open files. Validation is
419 done to ensure that the version of the file being restored is the
420 same version when it was dumped.
421 The mode may be one of the following:
423 filesize
425 To explicitly use only the file size check all the time. This
426 is the fastest and least intensive check.
427 buildid
429 To validate ELF files with their build-ID. If the build-ID
430 cannot be obtained, chksm-first method will be used. This is
431 the default if mode is unspecified.
432 --network-lock [mode]
434 Set the method to be used for network locking/unlocking. Locking is
435 done to ensure that tcp packets are dropped between dump and
436 restore. This is done to avoid the kernel sending RST when a packet
437 arrives destined for the dumped process.
438 The mode may be one of the following:
440 iptables
442 Use iptables rules to drop the packets. This is the default if
443 mode is not specified.
444 nftables
446 Use nftables rules to drop the packets.
447 restore
449 Restores previously checkpointed processes.
450 --inherit-fd fd[N]:resource
452 Inherit a file descriptor. This option lets criu use an already
453 opened file descriptor N for restoring a file identified by
454 resource. This option can be used to restore an external resource
455 dumped with the help of --external file, tty, pid and unix options.
456 The resource argument can be one of the following:
458 • tty[rdev:dev]
460 • pipe[inode]
462 • socket[inode*]*
464 • file[mnt_id:inode]
466 • path/to/file
468 Note that square brackets used in this option arguments are
470 literals and usually need to be escaped from shell.
471 -d, --restore-detached
473 Detach criu itself once restore is complete.
474 -s, --leave-stopped
476 Leave tasks in stopped state after restore (rather than resuming
477 their execution).
478 -S, --restore-sibling
480 Restore root task as a sibling (makes sense only with
481 --restore-detached).
482 --log-pid
484 Write separate logging files per each pid.
485 -r, --root path
487 Change the root filesystem to path (when run in a mount namespace).
488 This option is required to restore a mount namespace. The directory
489 path must be a mount point and its parent must not be overmounted.
490 --external type[id]:value
492 Restore an instance of an external resource. The generic syntax is
493 type of resource, followed by resource id (enclosed in literal
494 square brackets), and optional value (prepended by a literal
495 colon). The following resource types are currently supported: mnt,
496 dev, veth, macvlan. Syntax depends on type. Note to restore
497 external resources dealing with opened file descriptors (such as
498 dumped with the help of --external file, tty, and unix options),
499 option --inherit-fd should be used.
500 --external mnt[name]:mountpoint
502 Restore an external bind mount referenced in the image by name,
503 bind-mounting it from the host mountpoint to a proper mount point.
504 --external mnt[]
506 Restore all external bind mounts (dumped with the help of
507 --external mnt[] auto-detection).
508 --external dev[name]:/dev/path
510 Restore an external mount device, identified in the image by name,
511 using the existing block device /dev/path.
512 --external veth[inner_dev]:outer_dev@bridge
514 Set the outer VETH device name (corresponding to inner_dev being
515 restored) to outer_dev. If optional @bridge is specified, outer_dev
516 is added to that bridge. If the option is not used, outer_dev will
517 be autogenerated by the kernel.
518 --external macvlan[inner_dev]:outer_dev
520 When restoring an image that have a MacVLAN device in it, this
521 option must be used to specify to which outer_dev (an existing
522 network device in CRIU namespace) the restored inner_dev should be
523 bound to.
524 -J, --join-ns NS:{PID|NS_FILE}[,EXTRA_OPTS]
526 Restore process tree inside an existing namespace. The namespace
527 can be specified in PID or NS_FILE path format (example: --join-ns
528 net:12345 or --join-ns net:/foo/bar). Currently supported values
529 for NS are: ipc, net, time, user, and uts. This option doesn’t
530 support joining a PID namespace, however, this is possible using
531 --external and --inheritfd. EXTRA_OPTS is optional and can be used
532 to specify UID and GID for user namespace (e.g., --join-ns
533 user:PID,UID,GID).
534 --manage-cgroups [mode]
536 Restore cgroups configuration associated with a task from the
537 image. Controllers are always restored in an optimistic way — if
538 already present in system, criu reuses it, otherwise it will be
539 created.
540 The mode may be one of the following:
542 none
544 Do not restore cgroup properties but require cgroup to
545 pre-exist at the moment of restore procedure.
546 props
548 Restore cgroup properties and require cgroup to pre-exist.
549 soft
551 Restore cgroup properties if only cgroup has been created by
552 criu, otherwise do not restore properties. This is the default
553 if mode is unspecified.
554 full
556 Always restore all cgroups and their properties.
557 strict
559 Restore all cgroups and their properties from the scratch,
560 requiring them to not present in the system.
561 ignore
563 Don’t deal with cgroups and pretend that they don’t exist.
564 --cgroup-yard path
566 Instead of trying to mount cgroups in CRIU, provide a path to a
567 directory with already created cgroup yard. For more information
568 look in the dump section.
569 --cgroup-root [controller:]/newroot
571 Change the root cgroup the controller will be installed into. No
572 controller means that root is the default for all controllers not
573 specified.
574 --tcp-established
576 Restore previously dumped established TCP connections. This implies
577 that the network has been locked between dump and restore phases so
578 other side of a connection simply notice a kind of lag.
579 --tcp-close
581 Restore connected TCP sockets in closed state.
582 --veth-pair IN=OUT
584 Correspondence between outside and inside names of veth devices.
585 -l, --file-locks
587 Restore file locks from the image.
588 --lsm-profile type:name
590 Specify an LSM profile to be used during restore. The type can be
591 either apparmor or selinux.
592 --lsm-mount-context context
594 Specify a new mount context to be used during restore.
595 This option will only replace existing mount context information
597 with the one specified with this option. Mounts without the
598 context= option will not be changed.
599 If a mountpoint has been checkpointed with an option like
601 context="system_u:object_r:container_file_t:s0:c82,c137"
603 it is possible to change this option using
605 --lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495"
607 which will result that the mountpoint will be restored with the new
609 context=.
610 This option is useful if using selinux and if the selinux labels
612 need to be changed on restore like if a container is restored into
613 an existing Pod.
614 --auto-dedup
616 As soon as a page is restored it get punched out from image.
617 -j, --shell-job
619 Restore shell jobs, in other words inherit session and process
620 group ID from the criu itself.
621 --cpu-cap [cap[,cap...]]
623 Specify CPU capabilities to be present on the CPU the process is
624 restoring. To inverse a capability, prefix it with ^. This option
625 implies that --cpu-cap has been passed on dump as well, except fpu
626 option case. The cap argument can be the following (or a set of
627 comma-separated values):
628 all
630 Require all capabilities. This is default mode if --cpu-cap is
631 passed without arguments. Most safe mode.
632 cpu
634 Require the CPU to have all capabilities in image to match
635 runtime CPU.
636 fpu
638 Require the CPU to have compatible FPU. For example the process
639 might be dumped with xsave capability but attempted to restore
640 without it present on target CPU. In such case we refuse to
641 proceed. This is default mode if --cpu-cap is not present in
642 command line. Note this argument might be passed even if on the
643 dump no --cpu-cap have been specified because FPU frames are
644 always encoded into images.
645 ins
647 Require CPU compatibility on instructions level.
648 none
650 Ignore capabilities. Most dangerous mode. The behaviour is
651 implementation dependent. Try to not use it until really
652 required.
653 For example, this option can be used in case --cpu-cap=cpu was
655 used during dump, and images are migrated to a less capable CPU
656 and are to be restored. By default, criu shows an error that
657 CPU capabilities are not adequate, but this can be suppressed
658 by using --cpu-cap=none.
659 --weak-sysctls
661 Silently skip restoring sysctls that are not available. This allows
662 to restore on an older kernel, or a kernel configured without some
663 options.
664 --lazy-pages
666 Restore the processes without filling out the entire memory
667 contents. When this option is used, restore sets up the
668 infrastructure required to fill memory pages either on demand when
669 the process accesses them or in the background without stopping the
670 restored process. This option requires running lazy-pages daemon.
671 --file-validation [mode]
673 Set the method to be used to validate open files. Validation is
674 done to ensure that the version of the file being restored is the
675 same version when it was dumped.
676 The mode may be one of the following:
678 filesize
680 To explicitly use only the file size check all the time. This
681 is the fastest and least intensive check.
682 buildid
684 To validate ELF files with their build-ID. If the build-ID
685 cannot be obtained, chksm-first method will be used. This is
686 the default if mode is unspecified.
687 --skip-file-rwx-check
689 Skip checking file permissions (r/w/x for u/g/o) on restore.
690 check
692 Checks whether the kernel supports the features needed by criu to dump
693 and restore a process tree.
694 There are three categories of kernel support, as described below. criu
696 check always checks Category 1 features unless --feature is specified
697 which only checks a specified feature.
698 Category 1
700 Absolutely required. These are features like support for
701 /proc/PID/map_files, NETLINK_SOCK_DIAG socket monitoring,
702 /proc/sys/kernel/ns_last_pid etc.
703 Category 2
705 Required only for specific cases. These are features like AIO
706 remap, /dev/net/tun and others that are only required if a process
707 being dumped or restored is using those.
708 Category 3
710 Experimental. These are features like task-diag that are used for
711 experimental purposes (mostly during development).
712 If there are no errors or warnings, criu prints "Looks good." and its
714 exit code is 0.
715 A missing Category 1 feature causes criu to print "Does not look good."
717 and its exit code is non-zero.
718 Missing Category 2 and 3 features cause criu to print "Looks good but
720 ..." and its exit code is be non-zero.
721 Without any options, criu check checks Category 1 features. This
723 behavior can be changed by using the following options:
724 --extra
726 Check kernel support for Category 2 features.
727 --experimental
729 Check kernel support for Category 3 features.
730 --all
732 Check kernel support for Category 1, 2, and 3 features.
733 --feature name
735 Check a specific feature. If name is list, a list of valid kernel
736 feature names that can be checked will be printed.
737 page-server
739 Launches criu in page server mode.
740 --daemon
742 Runs page server as a daemon (background process).
743 --status-fd
745 Write \0 to the FD and close it once page-server is ready to handle
746 requests. The status-fd allows to not daemonize a process and get
747 its exit code at the end. It isn’t supposed to use --daemon and
748 --status-fd together.
749 --address address
751 Page server IP address or hostname.
752 --port number
754 Page server port number.
755 --ps-socket fd
757 Use provided file descriptor as socket for incoming connection. In
758 this case --address and --port are ignored. Useful for intercepting
759 page-server traffic e.g. to add encryption or authentication.
760 --lazy-pages
762 Serve local memory dump to a remote lazy-pages daemon. In this mode
763 the page-server reads local memory dump and allows the remote
764 lazy-pages daemon to request memory pages in random order.
765 --tls-cacert file
767 Specifies the path to a trusted Certificate Authority (CA)
768 certificate file to be used for verification of a client or server
769 certificate. The file must be in PEM format. When this option is
770 used only the specified CA is used for verification. Otherwise, the
771 system’s trusted CAs and, if present, /etc/pki/CA/cacert.pem will
772 be used.
773 --tls-cacrl file
775 Specifies a path to a Certificate Revocation List (CRL) file which
776 contains a list of revoked certificates that should no longer be
777 trusted. The file must be in PEM format. When this option is not
778 specified, the file, if present, /etc/pki/CA/cacrl.pem will be
779 used.
780 --tls-cert file
782 Specifies a path to a file that contains a X.509 certificate to
783 present to the remote entity. The file must be in PEM format. When
784 this option is not specified, the default location
785 (/etc/pki/criu/cert.pem) will be used.
786 --tls-key file
788 Specifies a path to a file that contains TLS private key. The file
789 must be in PEM format. When this option is not the default location
790 (/etc/pki/criu/private/key.pem) will be used.
791 --tls
793 Use TLS to secure remote connections.
794 lazy-pages
796 Launches criu in lazy-pages daemon mode.
797 The lazy-pages daemon is responsible for managing user-level demand
799 paging for the restored processes. It gets information required to fill
800 the process memory pages from the restore and from the checkpoint
801 directory. When a restored process access certain memory page for the
802 first time, the lazy-pages daemon injects its contents into the process
803 address space. The memory pages that are not yet requested by the
804 restored processes are injected in the background.
805 exec
807 Executes a system call inside a destination task's context. This
808 functionality is deprecated; please use Compel instead.
809 service
811 Launches criu in RPC daemon mode, where criu is listening for RPC
812 commands over socket to perform. This is convenient for a case where
813 daemon itself is running in a privileged (superuser) mode but clients
814 are not.
815 dedup
817 Starts pagemap data deduplication procedure, where criu scans over all
818 pagemap files and tries to minimize the number of pagemap entries by
819 obtaining the references from a parent pagemap image.
820 cpuinfo dump
822 Fetches current CPU features and write them into an image file.
823 cpuinfo check
825 Fetches current CPU features (i.e. CPU the criu is running on) and test
826 if they are compatible with the ones present in an image file.
827
829 Criu supports usage of configuration files to avoid the need of writing
830 every option on command line, which is useful especially with repeated
831 usage of same options. A specific configuration file can be passed with
832 the "--config file" option. If no file is passed, the default
833 configuration files /etc/criu/default.conf and $HOME/.criu/default.conf
834 are parsed (if present on the system). If the environment variable
835 CRIU_CONFIG_FILE is set, it will also be parsed.
836 The options passed to CRIU via CLI, RPC or configuration file are
838 evaluated in the following order:
839 • apply_config(/etc/criu/default.conf)
841 • apply_config($HOME/.criu/default.conf)
843 • apply_config(CRIU_CONFIG_FILE)
845 • apply_config(--config file)
847 • apply_config(CLI) or apply_config(RPC)
849 • apply_config(RPC configuration file) (only for RPC mode)
851 Default configuration file parsing can be deactivated with
853 "--no-default-config" if needed. Parsed configuration files are merged
854 with command line options, which allows overriding boolean options.
855 Configuration file syntax
857 Comments are supported using '#' sign. The rest of the line is ignored.
858 Options are the same as command line options without the '--' prefix,
859 use one option per line (with corresponding argument if applicable,
860 divided by whitespaces). If needed, the argument can be provided in
861 double quotes (this should be needed only if the argument contains
862 whitespaces). In case this type of argument contains a literal double
863 quote as well, it can be escaped using the '\' sign. Usage of commands
864 is disallowed and all other escape sequences are interpreted literally.
865 Example of configuration file to illustrate syntax:
867 $ cat ~/.criu/default.conf
869 tcp-established
870 work-dir "/home/USERNAME/criu/my \"work\" directory"
871 #this is a comment
872 no-restore-sibling # this is another comment
873 Configuration files in RPC mode
875 Not only does criu evaluate configuration files in CLI mode, it also
876 evaluates configuration files in RPC mode. Just as in CLI mode the
877 configuration file values are evaluated first. This means that any
878 option set via RPC will overwrite the configuration file setting. The
879 user can thus change criu's default behavior but it is not possible to
880 change settings which are explicitly set by the RPC client.
881 The RPC client can, however, specify an additional configuration file
883 which will be evaluated after the RPC options (see above for option
884 evaluation order). The RPC client can specify this additional
885 configuration file via "req.opts.config_file = /path/to/file". The
886 values from this configuration file will overwrite all other
887 configuration file settings or RPC options. This can lead to undesired
888 behavior of criu and should only be used carefully.
889
891 criu can be used as non-root with either the CAP_SYS_ADMIN capability
892 or with the CAP_CHECKPOINT_RESTORE capability introduces in Linux
893 kernel 5.9. CAP_CHECKPOINT_RESTORE is the minimum that is required.
894 criu also needs either CAP_SYS_PTRACE or a value of 0 in
896 /proc/sys/kernel/yama/ptrace_scope (see ptrace(2)) to be able to
897 interrupt the process for dumping.
898 Running criu as non-root has many limitations and depending on the
900 process to checkpoint and restore it may not be possible.
901 In addition to CAP_CHECKPOINT_RESTORE it is possible to give criu
903 additional capabilities to enable additional features in non-root mode.
904 Currently criu can benefit from the following additional capabilities:
906 • CAP_NET_ADMIN
908 • CAP_SYS_CHROOT
910 • CAP_SETUID
912 • CAP_SYS_RESOURCE
914 Note that for some operations, having a capability in a namespace other
916 than the init namespace (i.e. the default/root namespace) is not
917 sufficient. For example, in order to read symlinks in
918 proc/[pid]/map_files CRIU requires CAP_CHECKPOINT_RESTORE in the init
919 namespace; having CAP_CHECKPOINT_RESTORE while running in another user
920 namespace (e.g. in a container) does not allow CRIU to read symlinks in
921 /proc/[pid]/map_files.
922 Without access to /proc/[pid]/map_files checkpointing/restoring
924 processes that have mapped deleted files may not be possible.
925 Independent of the capabilities it is always necessary to use
927 "--unprivileged" to accept criu's limitation in non-root mode.
928
930 To checkpoint a program with pid of 1234 and write all image files into
931 directory checkpoint:
932 criu dump -D checkpoint -t 1234
934 To restore this program detaching criu itself:
936 criu restore -d -D checkpoint
938
940 The CRIU team.
941
943 Copyright (C) 2011-2016, Parallels Holdings, Inc.
944criu 2034-04-25 CRIU(8)