1CRIU(8) CRIU Manual CRIU(8)
2
6 criu - checkpoint/restore in userspace
7
9 criu command [option ...]
10
12 criu is a tool for checkpointing and restoring running applications. It
13 does this by saving their state as a collection of files (see the dump
14 command) and creating equivalent processes from those files (see the
15 restore command). The restore operation can be performed at a later
16 time, on a different system, or both.
17
19 Most of the long flags can be prefixed with no- to negate the option
20 (example: --display-stats and --no-display-stats).
21 Common options
23 Common options are applicable to any command.
24 -v[v...], --verbosity
26 Increase verbosity up from the default level. In case of short
27 option, multiple v can be used, each increasing verbosity by one.
28 -vnum, --verbosity=num
30 Set verbosity level to num. The higher the level, the more
31 output is produced.
32 The following levels are available:
34 • -v0 no output;
36 • -v1 only errors;
38 • -v2 above plus warnings (this is the default level);
40 • -v3 above plus information messages and timestamps;
42 • -v4 above plus lots of debug.
44 --config file
46 Pass a specific configuration file to criu.
47 --no-default-config
49 Disable parsing of default configuration files.
50 --pidfile file
52 Write root task, service or page-server pid into a file.
53 -o, --log-file file
55 Write logging messages to a file.
56 --display-stats
58 During dump, as well as during restore, criu collects some
59 statistics, like the time required to dump or restore the process,
60 or the number of pages dumped or restored. This information is
61 always saved to the stats-dump and stats-restore files, and can be
62 shown using crit(1). The option --display-stats prints out this
63 information on the console at the end of a dump or restore
64 operation.
65 -D, --images-dir path
67 Use path as a base directory where to look for sets of image files.
68 --stream
70 dump/restore images using criu-image-streamer. See
71 https://github.com/checkpoint-restore/criu-image-streamer for
72 detailed usage.
73 --prev-images-dir path
75 Use path as a parent directory where to look for sets of image
76 files. This option makes sense in case of incremental dumps.
77 -W, --work-dir dir
79 Use directory dir for putting logs, pidfiles and statistics. If not
80 specified, path from -D option is taken.
81 --close fd
83 Close file descriptor fd before performing any actions.
84 -L, --libdir path
86 Path to plugins directory.
87 --enable-fs [fs[,fs...]]
89 Specify a comma-separated list of filesystem names that should be
90 auto-detected. The value all enables auto-detection for all
91 filesystems.
92 Note: This option is not safe, use at your own risk. Auto-detecting
94 a filesystem mount assumes that the mountpoint can be restored with
95 mount(src, mountpoint, flags, options). When used, dump is expected
96 to always succeed if a mountpoint is to be auto-detected, however
97 restore may fail (or do something wrong) if the assumption for
98 restore logic is incorrect. This option is not compatible with
99 --external dev.
100 --action-script script
102 Add an external action script to be executed at certain stages. The
103 environment variable CRTOOLS_SCRIPT_ACTION is available to the
104 script to find out which action is being executed, and its value
105 can be one of the following:
106 pre-dump
108 run prior to beginning a dump
109 post-dump
111 run upon dump completion
112 pre-restore
114 run prior to beginning a restore
115 post-restore
117 run upon restore completion
118 pre-resume
120 run when all processes and resources are restored but tasks are
121 stopped waiting for final kick to run. Must not fail.
122 post-resume
124 called at the very end, when everything is restored and
125 processes were resumed
126 network-lock
128 run to lock network in a target network namespace
129 network-unlock
131 run to unlock network in a target network namespace
132 setup-namespaces
134 run once root task has just been created with required
135 namespaces. Note it is an early stage of restore, when nothing
136 is restored yet, except for namespaces themselves
137 post-setup-namespaces
139 called after the namespaces are configured
140 orphan-pts-master
142 called after master pty is opened and unlocked. This hook can
143 be used only in the RPC mode, and the notification message
144 contains a file descriptor for the master pty
145 query-ext-files
147 called after the process tree is stopped and network is locked.
148 This hook is used only in the RPC mode. The notification reply
149 contains file ids to be added to external file list (may be
150 empty).
151 --unprivileged
153 This option tells criu to accept the limitations when running as
154 non-root. Running as non-root requires criu at least to have
155 CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE. For details about running
156 criu as non-root please consult the NON-ROOT section.
157 -V, --version
159 Print program version and exit.
160 -h, --help
162 Print some help and exit.
163 pre-dump
165 Performs the pre-dump procedure, during which criu creates a snapshot
166 of memory changes since the previous pre-dump. Note that during this
167 criu also creates the fsnotify cache which speeds up the restore
168 procedure. pre-dump requires at least -t option (see dump below). In
169 addition, page-server options may be specified.
170 --track-mem
172 Turn on memory changes tracker in the kernel. If the option is not
173 passed the memory tracker get turned on implicitly.
174 --pre-dump-mode=mode
176 There are two mode to operate pre-dump algorithm. The splice mode
177 is parasite based, whereas read mode is based on process_vm_readv
178 syscall. The read mode incurs reduced frozen time and reduced
179 memory pressure as compared to splice mode. Default is splice mode.
180 dump
182 Performs a checkpoint procedure.
183 -t, --tree pid
185 Checkpoint the whole process tree starting from pid.
186 -R, --leave-running
188 Leave tasks in running state after checkpoint, instead of killing.
189 This option is pretty dangerous and should be used only if you
190 understand what you are doing.
191 Note if task is about to run after been checkpointed, it can modify
193 TCP connections, delete files and do other dangerous actions.
194 Therefore, criu can not guarantee that the next restore action will
195 succeed. Most likely if this option is used, at least the file
196 system snapshot must be made with the help of post-dump action
197 script.
198 In other words, do not use it unless really needed.
200 -s, --leave-stopped
202 Leave tasks in stopped state after checkpoint, instead of killing.
203 --external type[id]:value
205 Dump an instance of an external resource. The generic syntax is
206 type of resource, followed by resource id (enclosed in literal
207 square brackets), and optional value (prepended by a literal
208 colon). The following resource types are currently supported: mnt,
209 dev, file, tty, unix. Syntax depends on type. Note to restore
210 external resources, either --external or --inherit-fd is used,
211 depending on resource type.
212 --external mnt[mountpoint]:name
214 Dump an external bind mount referenced by mountpoint, saving it to
215 image under the identifier name.
216 --external mnt[]:flags
218 Dump all external bind mounts, autodetecting those. Optional flags
219 can contain m to also dump external master mounts, s to also dump
220 external shared mounts (default behavior is to abort dumping if
221 such mounts are found). If flags are not provided, colon is
222 optional.
223 --external dev[major/minor]:name
225 Allow to dump a mount namespace having a real block device mounted.
226 A block device is identified by its major and minor numbers, and
227 criu saves its information to image under the identifier name.
228 --external file[mnt_id:inode]
230 Dump an external file, i.e. an opened file that is can not be
231 resolved from the current mount namespace, which can not be dumped
232 without using this option. The file is identified by mnt_id (a
233 field obtained from /proc/pid/fdinfo/N) and inode (as returned by
234 stat(2)).
235 --external tty[rdev:dev]
237 Dump an external TTY, identified by st_rdev and st_dev fields
238 returned by stat(2).
239 --external unix[id]
241 Tell criu that one end of a pair of UNIX sockets (created by
242 socketpair(2)) with the given id is OK to be disconnected.
243 --external net[inode]:name
245 Mark a network namespace as external and do not include it in the
246 checkpoint. The label name can be used with --inherit-fd during
247 restore to specify a file descriptor to a preconfigured network
248 namespace.
249 --external pid[inode]:name
251 Mark a PID namespace as external. This can be later used to restore
252 a process into an existing PID namespace. The label name can be
253 used to assign another PID namespace during restore with the help
254 of --inherit-fd.
255 --freeze-cgroup
257 Use cgroup freezer to collect processes.
258 --manage-cgroups
260 Collect cgroups into the image thus they gonna be restored then.
261 Without this option, criu will not save cgroups configuration
262 associated with a task.
263 --cgroup-props spec
265 Specify controllers and their properties to be saved into the image
266 file. criu predefines specifications for common controllers, but
267 since the kernel can add new controllers and modify their
268 properties, there should be a way to specify ones matched the
269 kernel.
270 spec argument describes the controller and properties specification
272 in a simplified YAML form:
273 "c1":
275 - "strategy": "merge"
276 - "properties": ["a", "b"]
277 "c2":
278 - "strategy": "replace"
279 - "properties": ["c", "d"]
280 where c1 and c2 are controllers names, and a, b, c, d are their
282 properties.
283 Note the format: double quotes, spaces and new lines are required.
285 The strategy specifies what to do if a controller specified already
286 exists as a built-in one: criu can either merge or replace such.
287 For example, the command line for the above example should look
289 like this:
290 --cgroup-props "\"c1\":\n - \"strategy\": \"merge\"\n - \"properties\": [\"a\", \"b\"]\n \"c2\":\n - \"strategy\": \"replace\"\n - \"properties\": [\"c\", \"d\"]"
292 --cgroup-props-file file
294 Same as --cgroup-props, except the specification is read from the
295 file.
296 --cgroup-dump-controller name
298 Dump a controller with name only, skipping anything else that was
299 discovered automatically (usually via /proc). This option is useful
300 when one needs criu to skip some controllers.
301 --cgroup-yard path
303 Instead of trying to mount cgroups in CRIU, provide a path to a
304 directory with already created cgroup yard. Useful if you don’t
305 want to grant CAP_SYS_ADMIN to CRIU. For every cgroup mount there
306 should be exactly one directory. If there is only one controller in
307 this mount, the dir’s name should be just the name of the
308 controller. If there are multiple controllers comounted, the
309 directory name should have them be separated by a comma.
310 For example, if /proc/cgroups looks like this:
312 #subsys_name hierarchy num_cgroups enabled
314 cpu 1 1 1
315 devices 2 2 1
316 freezer 2 2 1
317 then you can create the cgroup yard by the following commands:
319 mkdir private_yard
321 cd private_yard
322 mkdir cpu
323 mount -t cgroup -o cpu none cpu
324 mkdir devices,freezer
325 mount -t cgroup -o devices,freezer none devices,freezer
326 --tcp-established
328 Checkpoint established TCP connections.
329 --tcp-close
331 Don’t dump the state of, or block, established tcp connections
332 (including the connection is once established but now closed). This
333 is useful when tcp connections are not going to be restored.
334 --skip-in-flight
336 This option skips in-flight TCP connections. If any TCP connections
337 that are not yet completely established are found, criu ignores
338 these connections, rather than errors out. The TCP stack on the
339 client side is expected to handle the re-connect gracefully.
340 --evasive-devices
342 Use any path to a device file if the original one is inaccessible.
343 --page-server
345 Send pages to a page server (see the page-server command).
346 --force-irmap
348 Force resolving names for inotify and fsnotify watches.
349 --auto-dedup
351 Deduplicate "old" data in pages images of previous dump. This
352 option implies incremental dump mode (see the pre-dump command).
353 -l, --file-locks
355 Dump file locks. It is necessary to make sure that all file lock
356 users are taken into dump, so it is only safe to use this for
357 enclosed containers where locks are not held by any processes
358 outside of dumped process tree.
359 --link-remap
361 Allows to link unlinked files back, if possible (modifies
362 filesystem during restore).
363 --timeout number
365 Set a time limit in seconds for collecting tasks during the dump
366 operation. The timeout is 10 seconds by default.
367 --ghost-limit size
369 Set the maximum size of deleted file to be carried inside image. By
370 default, up to 1M file is allowed. Using this option allows to not
371 put big deleted files inside images. Argument size may be postfixed
372 with a K, M or G, which stands for kilo-, mega, and gigabytes,
373 accordingly.
374 --ghost-fiemap
376 Enable an optimization based on fiemap ioctl that can reduce the
377 number of system calls used when checkpointing highly sparse ghost
378 files. This option is enabled by default, and it can be disabled
379 with --no-ghost-fiemap. An automatic fallback to
380 SEEK_HOLE/SEEK_DATA is used when fiemap is not supported.
381 -j, --shell-job
383 Allow one to dump shell jobs. This implies the restored task will
384 inherit session and process group ID from the criu itself. This
385 option also allows to migrate a single external tty connection, to
386 migrate applications like top. If used with dump command, it must
387 be specified with restore as well.
388 --cpu-cap [cap[,cap...]]
390 Specify CPU capabilities to write to an image file. The argument is
391 a comma-separated list of:
392 • none to ignore capabilities at all; the image will not be
394 produced on dump, neither any check performed on restore;
395 • fpu to check if FPU module is compatible;
397 • ins to check if CPU supports all instructions required;
399 • cpu to check if CPU capabilities are exactly matching;
401 • all for all above set.
403 By default the option is set to fpu and ins.
405 --cgroup-root [controller:]/newroot
407 Change the root for the controller that will be dumped. By default,
408 criu simply dumps everything below where any of the tasks live.
409 However, if a container moves all of its tasks into a cgroup
410 directory below the container engine’s default directory for tasks,
411 permissions will not be preserved on the upper directories with no
412 tasks in them, which may cause problems.
413 --lazy-pages
415 Perform the dump procedure without writing memory pages into the
416 image files and prepare to service page requests over the network.
417 When dump runs in this mode it presumes that lazy-pages daemon will
418 connect to it and fetch memory pages to lazily inject them into the
419 restored process address space. This option is intended for
420 post-copy (lazy) migration and should be used in conjunction with
421 restore with appropriate options.
422 --file-validation [mode]
424 Set the method to be used to validate open files. Validation is
425 done to ensure that the version of the file being restored is the
426 same version when it was dumped.
427 The mode may be one of the following:
429 filesize
431 To explicitly use only the file size check all the time. This
432 is the fastest and least intensive check.
433 buildid
435 To validate ELF files with their build-ID. If the build-ID
436 cannot be obtained, chksm-first method will be used. This is
437 the default if mode is unspecified.
438 --network-lock [mode]
440 Set the method to be used for network locking/unlocking. Locking is
441 done to ensure that tcp packets are dropped between dump and
442 restore. This is done to avoid the kernel sending RST when a packet
443 arrives destined for the dumped process.
444 The mode may be one of the following:
446 iptables
448 Use iptables rules to drop the packets. This is the default if
449 mode is not specified.
450 nftables
452 Use nftables rules to drop the packets.
453 skip
455 Don’t lock the network. If --tcp-close is not used, the network
456 must be locked externally to allow CRIU to dump TCP
457 connections.
458 restore
460 Restores previously checkpointed processes.
461 --inherit-fd fd[N]:resource
463 Inherit a file descriptor. This option lets criu use an already
464 opened file descriptor N for restoring a file identified by
465 resource. This option can be used to restore an external resource
466 dumped with the help of --external file, tty, pid and unix options.
467 The resource argument can be one of the following:
469 • tty[rdev:dev]
471 • pipe[inode]
473 • socket[inode*]*
475 • file[mnt_id:inode]
477 • path/to/file
479 Note that square brackets used in this option arguments are
481 literals and usually need to be escaped from shell.
482 -d, --restore-detached
484 Detach criu itself once restore is complete.
485 -s, --leave-stopped
487 Leave tasks in stopped state after restore (rather than resuming
488 their execution).
489 -S, --restore-sibling
491 Restore root task as a sibling (makes sense only with
492 --restore-detached).
493 --log-pid
495 Write separate logging files per each pid.
496 -r, --root path
498 Change the root filesystem to path (when run in a mount namespace).
499 This option is required to restore a mount namespace. The directory
500 path must be a mount point and its parent must not be overmounted.
501 --external type[id]:value
503 Restore an instance of an external resource. The generic syntax is
504 type of resource, followed by resource id (enclosed in literal
505 square brackets), and optional value (prepended by a literal
506 colon). The following resource types are currently supported: mnt,
507 dev, veth, macvlan. Syntax depends on type. Note to restore
508 external resources dealing with opened file descriptors (such as
509 dumped with the help of --external file, tty, and unix options),
510 option --inherit-fd should be used.
511 --external mnt[name]:mountpoint
513 Restore an external bind mount referenced in the image by name,
514 bind-mounting it from the host mountpoint to a proper mount point.
515 --external mnt[]
517 Restore all external bind mounts (dumped with the help of
518 --external mnt[] auto-detection).
519 --external dev[name]:/dev/path
521 Restore an external mount device, identified in the image by name,
522 using the existing block device /dev/path.
523 --external veth[inner_dev]:outer_dev@bridge
525 Set the outer VETH device name (corresponding to inner_dev being
526 restored) to outer_dev. If optional @bridge is specified, outer_dev
527 is added to that bridge. If the option is not used, outer_dev will
528 be autogenerated by the kernel.
529 --external macvlan[inner_dev]:outer_dev
531 When restoring an image that have a MacVLAN device in it, this
532 option must be used to specify to which outer_dev (an existing
533 network device in CRIU namespace) the restored inner_dev should be
534 bound to.
535 -J, --join-ns NS:{PID|NS_FILE}[,EXTRA_OPTS]
537 Restore process tree inside an existing namespace. The namespace
538 can be specified in PID or NS_FILE path format (example: --join-ns
539 net:12345 or --join-ns net:/foo/bar). Currently supported values
540 for NS are: ipc, net, time, user, and uts. This option doesn’t
541 support joining a PID namespace, however, this is possible using
542 --external and --inheritfd. EXTRA_OPTS is optional and can be used
543 to specify UID and GID for user namespace (e.g., --join-ns
544 user:PID,UID,GID).
545 --manage-cgroups [mode]
547 Restore cgroups configuration associated with a task from the
548 image. Controllers are always restored in an optimistic way — if
549 already present in system, criu reuses it, otherwise it will be
550 created.
551 The mode may be one of the following:
553 none
555 Do not restore cgroup properties but require cgroup to
556 pre-exist at the moment of restore procedure.
557 props
559 Restore cgroup properties and require cgroup to pre-exist.
560 soft
562 Restore cgroup properties if only cgroup has been created by
563 criu, otherwise do not restore properties. This is the default
564 if mode is unspecified.
565 full
567 Always restore all cgroups and their properties.
568 strict
570 Restore all cgroups and their properties from the scratch,
571 requiring them to not present in the system.
572 ignore
574 Don’t deal with cgroups and pretend that they don’t exist.
575 --cgroup-yard path
577 Instead of trying to mount cgroups in CRIU, provide a path to a
578 directory with already created cgroup yard. For more information
579 look in the dump section.
580 --cgroup-root [controller:]/newroot
582 Change the root cgroup the controller will be installed into. No
583 controller means that root is the default for all controllers not
584 specified.
585 --tcp-established
587 Restore previously dumped established TCP connections. This implies
588 that the network has been locked between dump and restore phases so
589 other side of a connection simply notice a kind of lag.
590 --tcp-close
592 Restore connected TCP sockets in closed state.
593 --veth-pair IN=OUT
595 Correspondence between outside and inside names of veth devices.
596 -l, --file-locks
598 Restore file locks from the image.
599 --lsm-profile type:name
601 Specify an LSM profile to be used during restore. The type can be
602 either apparmor or selinux.
603 --lsm-mount-context context
605 Specify a new mount context to be used during restore.
606 This option will only replace existing mount context information
608 with the one specified with this option. Mounts without the
609 context= option will not be changed.
610 If a mountpoint has been checkpointed with an option like
612 context="system_u:object_r:container_file_t:s0:c82,c137"
614 it is possible to change this option using
616 --lsm-mount-context "system_u:object_r:container_file_t:s0:c204,c495"
618 which will result that the mountpoint will be restored with the new
620 context=.
621 This option is useful if using selinux and if the selinux labels
623 need to be changed on restore like if a container is restored into
624 an existing Pod.
625 --auto-dedup
627 As soon as a page is restored it get punched out from image.
628 -j, --shell-job
630 Restore shell jobs, in other words inherit session and process
631 group ID from the criu itself.
632 --cpu-cap [cap[,cap...]]
634 Specify CPU capabilities to be present on the CPU the process is
635 restoring. To inverse a capability, prefix it with ^. This option
636 implies that --cpu-cap has been passed on dump as well, except fpu
637 option case. The cap argument can be the following (or a set of
638 comma-separated values):
639 all
641 Require all capabilities. This is default mode if --cpu-cap is
642 passed without arguments. Most safe mode.
643 cpu
645 Require the CPU to have all capabilities in image to match
646 runtime CPU.
647 fpu
649 Require the CPU to have compatible FPU. For example the process
650 might be dumped with xsave capability but attempted to restore
651 without it present on target CPU. In such case we refuse to
652 proceed. This is default mode if --cpu-cap is not present in
653 command line. Note this argument might be passed even if on the
654 dump no --cpu-cap have been specified because FPU frames are
655 always encoded into images.
656 ins
658 Require CPU compatibility on instructions level.
659 none
661 Ignore capabilities. Most dangerous mode. The behaviour is
662 implementation dependent. Try to not use it until really
663 required.
664 For example, this option can be used in case --cpu-cap=cpu was
666 used during dump, and images are migrated to a less capable CPU
667 and are to be restored. By default, criu shows an error that
668 CPU capabilities are not adequate, but this can be suppressed
669 by using --cpu-cap=none.
670 --weak-sysctls
672 Silently skip restoring sysctls that are not available. This allows
673 to restore on an older kernel, or a kernel configured without some
674 options.
675 --lazy-pages
677 Restore the processes without filling out the entire memory
678 contents. When this option is used, restore sets up the
679 infrastructure required to fill memory pages either on demand when
680 the process accesses them or in the background without stopping the
681 restored process. This option requires running lazy-pages daemon.
682 --file-validation [mode]
684 Set the method to be used to validate open files. Validation is
685 done to ensure that the version of the file being restored is the
686 same version when it was dumped.
687 The mode may be one of the following:
689 filesize
691 To explicitly use only the file size check all the time. This
692 is the fastest and least intensive check.
693 buildid
695 To validate ELF files with their build-ID. If the build-ID
696 cannot be obtained, chksm-first method will be used. This is
697 the default if mode is unspecified.
698 --skip-file-rwx-check
700 Skip checking file permissions (r/w/x for u/g/o) on restore.
701 check
703 Checks whether the kernel supports the features needed by criu to dump
704 and restore a process tree.
705 There are three categories of kernel support, as described below. criu
707 check always checks Category 1 features unless --feature is specified
708 which only checks a specified feature.
709 Category 1
711 Absolutely required. These are features like support for
712 /proc/PID/map_files, NETLINK_SOCK_DIAG socket monitoring,
713 /proc/sys/kernel/ns_last_pid etc.
714 Category 2
716 Required only for specific cases. These are features like AIO
717 remap, /dev/net/tun and others that are only required if a process
718 being dumped or restored is using those.
719 Category 3
721 Experimental. These are features like task-diag that are used for
722 experimental purposes (mostly during development).
723 If there are no errors or warnings, criu prints "Looks good." and its
725 exit code is 0.
726 A missing Category 1 feature causes criu to print "Does not look good."
728 and its exit code is non-zero.
729 Missing Category 2 and 3 features cause criu to print "Looks good but
731 ..." and its exit code is be non-zero.
732 Without any options, criu check checks Category 1 features. This
734 behavior can be changed by using the following options:
735 --extra
737 Check kernel support for Category 2 features.
738 --experimental
740 Check kernel support for Category 3 features.
741 --all
743 Check kernel support for Category 1, 2, and 3 features.
744 --feature name
746 Check a specific feature. If name is list, a list of valid kernel
747 feature names that can be checked will be printed.
748 page-server
750 Launches criu in page server mode.
751 --daemon
753 Runs page server as a daemon (background process).
754 --status-fd
756 Write \0 to the FD and close it once page-server is ready to handle
757 requests. The status-fd allows to not daemonize a process and get
758 its exit code at the end. It isn’t supposed to use --daemon and
759 --status-fd together.
760 --address address
762 Page server IP address or hostname.
763 --port number
765 Page server port number.
766 --ps-socket fd
768 Use provided file descriptor as socket for incoming connection. In
769 this case --address and --port are ignored. Useful for intercepting
770 page-server traffic e.g. to add encryption or authentication.
771 --lazy-pages
773 Serve local memory dump to a remote lazy-pages daemon. In this mode
774 the page-server reads local memory dump and allows the remote
775 lazy-pages daemon to request memory pages in random order.
776 --tls-cacert file
778 Specifies the path to a trusted Certificate Authority (CA)
779 certificate file to be used for verification of a client or server
780 certificate. The file must be in PEM format. When this option is
781 used only the specified CA is used for verification. Otherwise, the
782 system’s trusted CAs and, if present, /etc/pki/CA/cacert.pem will
783 be used.
784 --tls-cacrl file
786 Specifies a path to a Certificate Revocation List (CRL) file which
787 contains a list of revoked certificates that should no longer be
788 trusted. The file must be in PEM format. When this option is not
789 specified, the file, if present, /etc/pki/CA/cacrl.pem will be
790 used.
791 --tls-cert file
793 Specifies a path to a file that contains a X.509 certificate to
794 present to the remote entity. The file must be in PEM format. When
795 this option is not specified, the default location
796 (/etc/pki/criu/cert.pem) will be used.
797 --tls-key file
799 Specifies a path to a file that contains TLS private key. The file
800 must be in PEM format. When this option is not the default location
801 (/etc/pki/criu/private/key.pem) will be used.
802 --tls
804 Use TLS to secure remote connections.
805 lazy-pages
807 Launches criu in lazy-pages daemon mode.
808 The lazy-pages daemon is responsible for managing user-level demand
810 paging for the restored processes. It gets information required to fill
811 the process memory pages from the restore and from the checkpoint
812 directory. When a restored process access certain memory page for the
813 first time, the lazy-pages daemon injects its contents into the process
814 address space. The memory pages that are not yet requested by the
815 restored processes are injected in the background.
816 exec
818 Executes a system call inside a destination task's context. This
819 functionality is deprecated; please use Compel instead.
820 service
822 Launches criu in RPC daemon mode, where criu is listening for RPC
823 commands over socket to perform. This is convenient for a case where
824 daemon itself is running in a privileged (superuser) mode but clients
825 are not.
826 dedup
828 Starts pagemap data deduplication procedure, where criu scans over all
829 pagemap files and tries to minimize the number of pagemap entries by
830 obtaining the references from a parent pagemap image.
831 cpuinfo dump
833 Fetches current CPU features and write them into an image file.
834 cpuinfo check
836 Fetches current CPU features (i.e. CPU the criu is running on) and test
837 if they are compatible with the ones present in an image file.
838
840 Criu supports usage of configuration files to avoid the need of writing
841 every option on command line, which is useful especially with repeated
842 usage of same options. A specific configuration file can be passed with
843 the "--config file" option. If no file is passed, the default
844 configuration files /etc/criu/default.conf and $HOME/.criu/default.conf
845 are parsed (if present on the system). If the environment variable
846 CRIU_CONFIG_FILE is set, it will also be parsed.
847 The options passed to CRIU via CLI, RPC or configuration file are
849 evaluated in the following order:
850 • apply_config(/etc/criu/default.conf)
852 • apply_config($HOME/.criu/default.conf)
854 • apply_config(CRIU_CONFIG_FILE)
856 • apply_config(--config file)
858 • apply_config(CLI) or apply_config(RPC)
860 • apply_config(RPC configuration file) (only for RPC mode)
862 Default configuration file parsing can be deactivated with
864 "--no-default-config" if needed. Parsed configuration files are merged
865 with command line options, which allows overriding boolean options.
866 Configuration file syntax
868 Comments are supported using '#' sign. The rest of the line is ignored.
869 Options are the same as command line options without the '--' prefix,
870 use one option per line (with corresponding argument if applicable,
871 divided by whitespaces). If needed, the argument can be provided in
872 double quotes (this should be needed only if the argument contains
873 whitespaces). In case this type of argument contains a literal double
874 quote as well, it can be escaped using the '\' sign. Usage of commands
875 is disallowed and all other escape sequences are interpreted literally.
876 Example of configuration file to illustrate syntax:
878 $ cat ~/.criu/default.conf
880 tcp-established
881 work-dir "/home/USERNAME/criu/my \"work\" directory"
882 #this is a comment
883 no-restore-sibling # this is another comment
884 Configuration files in RPC mode
886 Not only does criu evaluate configuration files in CLI mode, it also
887 evaluates configuration files in RPC mode. Just as in CLI mode the
888 configuration file values are evaluated first. This means that any
889 option set via RPC will overwrite the configuration file setting. The
890 user can thus change criu's default behavior but it is not possible to
891 change settings which are explicitly set by the RPC client.
892 The RPC client can, however, specify an additional configuration file
894 which will be evaluated after the RPC options (see above for option
895 evaluation order). The RPC client can specify this additional
896 configuration file via "req.opts.config_file = /path/to/file". The
897 values from this configuration file will overwrite all other
898 configuration file settings or RPC options. This can lead to undesired
899 behavior of criu and should only be used carefully.
900
902 criu can be used as non-root with either the CAP_SYS_ADMIN capability
903 or with the CAP_CHECKPOINT_RESTORE capability introduces in Linux
904 kernel 5.9. CAP_CHECKPOINT_RESTORE is the minimum that is required.
905 criu also needs either CAP_SYS_PTRACE or a value of 0 in
907 /proc/sys/kernel/yama/ptrace_scope (see ptrace(2)) to be able to
908 interrupt the process for dumping.
909 Running criu as non-root has many limitations and depending on the
911 process to checkpoint and restore it may not be possible.
912 In addition to CAP_CHECKPOINT_RESTORE it is possible to give criu
914 additional capabilities to enable additional features in non-root mode.
915 Currently criu can benefit from the following additional capabilities:
917 • CAP_NET_ADMIN
919 • CAP_SYS_CHROOT
921 • CAP_SETUID
923 • CAP_SYS_RESOURCE
925 Note that for some operations, having a capability in a namespace other
927 than the init namespace (i.e. the default/root namespace) is not
928 sufficient. For example, in order to read symlinks in
929 proc/[pid]/map_files CRIU requires CAP_CHECKPOINT_RESTORE in the init
930 namespace; having CAP_CHECKPOINT_RESTORE while running in another user
931 namespace (e.g. in a container) does not allow CRIU to read symlinks in
932 /proc/[pid]/map_files.
933 Without access to /proc/[pid]/map_files checkpointing/restoring
935 processes that have mapped deleted files may not be possible.
936 Independent of the capabilities it is always necessary to use
938 "--unprivileged" to accept criu's limitation in non-root mode.
939
941 To checkpoint a program with pid of 1234 and write all image files into
942 directory checkpoint:
943 criu dump -D checkpoint -t 1234
945 To restore this program detaching criu itself:
947 criu restore -d -D checkpoint
949
951 The CRIU team.
952
954 Copyright (C) 2011-2016, Parallels Holdings, Inc.
955criu 2023-11-28 CRIU(8)