Checkpoint failing due to ipv6 datagram socket

[dpoolensdq]

Description
Unable to checkpoint a container due to no ipv6 support. Is this required for a checkpoint? Here is the log:

CRIU logs and information:

CRIU full dump/restore logs:

sudo cat /var/lib/containers/storage/overlay-containers/e95255be64d97b06f500a931366ea87e50480625cfe6fce6983465bb0d2a5248/userdata/dump.log
(00.000000) Unable to get $HOME directory, local configuration file will not be used.
(00.000039) Version: 3.18 (gitid 0)
(00.000045) Running on ip-xxxxxxxx.ec2.internal Linux 4.18.0-553.27.1.el8_10.x86_64 #1 SMP Wed Nov 6 14:29:02 UTC 2024 x86_64
(00.000046) Would overwrite RPC settings with values from /etc/criu/runc.conf
(00.000057) File /run/criu/criu.kdat does not exist
(00.000292) sockets: Probing sock diag modules
(00.000322) sockets: Done probing
(00.005074) Pagemap is fully functional
(00.005314) Found anon-shmem device at 1
(00.005354) Hugetlb size 2 Mb is supported but cannot get dev's number
(00.005362) Hugetlb size 1024 Mb is supported but cannot get dev's number
(00.005365) Reset 34087's dirty tracking
(00.005403)  ... done
(00.005421) Dirty track supported on kernel
(00.005456) Found task size of 7ffffffff000
(00.005476) ipv6 is disabled
(00.006760) net: Restoring netdev veth idx 10
(00.007259) net: Dumping netns links
(00.007277) net: 	LD: Got link 1, type 772
(00.007279) net: 	LD: Got link 10, type 1
(00.007624) Warn  (criu/kerndat.c:1538): CRIU was built without libnftables support
(00.008842) No MOVE_MOUNT_SET_GROUP kernel feature
(00.029121) vdso: Parsing at 7fff6a539000 7fff6a53b000
(00.029131) vdso: PT_LOAD p_vaddr: 0
(00.029133) vdso: DT_HASH: 120
(00.029134) vdso: DT_STRTAB: 300
(00.029135) vdso: DT_SYMTAB: 1c8
(00.029137) vdso: DT_STRSZ: 8b
(00.029138) vdso: DT_SYMENT: 18
(00.029139) vdso: nbucket 3 nchain d bucket 7fff6a539128 chain 7fff6a539134
(00.029142) vdso: rt [vdso] 7fff6a539000-7fff6a53b000 [vvar] 7fff6a535000-7fff6a539000
(00.029477) vdso: Parsing at 7f21f721e000 7f21f7220000
(00.029483) vdso: PT_LOAD p_vaddr: 0
(00.029484) vdso: DT_HASH: b4
(00.029485) vdso: DT_STRTAB: 1f0
(00.029486) vdso: DT_SYMTAB: 140
(00.029487) vdso: DT_STRSZ: c0
(00.029489) vdso: DT_SYMENT: 10
(00.029490) vdso: nbucket 3 nchain b bucket 7f21f721e0bc chain 7f21f721e0c8
(00.029492) vdso: compat [vdso] 7fff6a53d000-7fff6a53f000 [vvar] 7fff6a539000-7fff6a53d000
(00.029812) cpu: x86_family 6 x86_vendor_id GenuineIntel x86_model_id Intel(R) Xeon(R) Platinum 8375C CPU @ 2.90GHz
(00.029823) cpu: fpu: xfeatures_mask 0x2e5 xsave_size 2696 xsave_size_max 2696 xsaves_size 2440
(00.029844) cpu: fpu: x87 floating point registers     xstate_offsets      0 / 0      xstate_sizes    160 / 160
(00.029847) cpu: fpu: AVX registers                    xstate_offsets    576 / 576    xstate_sizes    256 / 256
(00.029848) cpu: fpu: AVX-512 opmask                   xstate_offsets   1088 / 832    xstate_sizes     64 / 64
(00.029849) cpu: fpu: AVX-512 Hi256                    xstate_offsets   1152 / 896    xstate_sizes    512 / 512
(00.029851) cpu: fpu: AVX-512 ZMM_Hi256                xstate_offsets   1664 / 1408   xstate_sizes   1024 / 1024
(00.029852) cpu: fpu: Protection Keys User registers   xstate_offsets   2688 / 2432   xstate_sizes      8 / 8
(00.029975) Warn  (criu/kerndat.c:1421): Can't get pidfd
(00.032624) Error (criu/kerndat.c:1554): Unable to create a ipv6 dgram socket: Address family not supported by protocol
(00.032633) Error (criu/kerndat.c:1812): kerndat_has_ipv6_freebind failed when initializing kerndat.
(00.032726) Adjust mmap_min_addr 0x1000 -> 0x10000
(00.032728) Found mmap_min_addr 0x10000
(00.032781) files stat: fs/nr_open 1048576

Output of `criu --version`:

Version: 3.18

Output of `criu check --all`:

CRIU needs to have the CAP_SYS_ADMIN or the CAP_CHECKPOINT_RESTORE capability:
setcap cap_checkpoint_restore+eip criu

When I run that command, I get:

sudo setcap cap_checkpoint_restore+eip criu
Failed to set capabilities on file `criu' (No such file or directory)
usage: setcap [-h] [-q] [-v] [-n <rootid>] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]

 Note <filename> must be a regular (non-symlink) file.
 -r          remove capability from file
 -           read capability text from stdin
 <capsN>     cap_from_text(3) formatted file capability

 -h          this message and exit status 0
 -q          quietly
 -v          validate supplied capability matches file
 -n <rootid> write a user namespace limited capability
 --license   display the license info

Additional environment details:

[adrianreber]

I quickly tried to disable IPv6 locally with sysctl -w net.ipv6.conf.all.disable_ipv6=1 and container checkpointing in Podman still works.

The whole capability steps are unnecessary. You should run criu check also as root.

Please provide more context about what you are trying to do. Which OS, which command?

[dpoolensdq]

New output of 'sudo criu check --all':

sudo criu check --all
Warn  (criu/kerndat.c:1538): CRIU was built without libnftables support
Warn  (criu/kerndat.c:1421): Can't get pidfd
Error (criu/kerndat.c:1554): Unable to create a ipv6 dgram socket: Address family not supported by protocol
Error (criu/kerndat.c:1812): kerndat_has_ipv6_freebind failed when initializing kerndat.
Error (criu/crtools.c:263): Could not initialize kernel features detection.

I'm running on Rocky 8.

The command I'm trying to do:

sudo podman container checkpoint --leave-running cb24eac28a49
ERRO[0000] criu failed: type DUMP errno 0
log file: /var/lib/containers/storage/overlay-containers/cb24eac28a49011b072714033b1e42a101550684fe392e834c6f150298784d01/userdata/dump.log
Error: `/usr/bin/runc checkpoint --image-path /var/lib/containers/storage/overlay-containers/cb24eac28a49011b072714033b1e42a101550684fe392e834c6f150298784d01/userdata/checkpoint --work-path /var/lib/containers/storage/overlay-containers/cb24eac28a49011b072714033b1e42a101550684fe392e834c6f150298784d01/userdata --leave-running --leave-running cb24eac28a49011b072714033b1e42a101550684fe392e834c6f150298784d01` failed: exit status 1

sudo podman container list
CONTAINER ID  IMAGE                                                                                                  COMMAND               CREATED             STATUS             PORTS       NAMES
cb24eac28a49  registry.git.xxxxxx.  .......

[dpoolensdq]

And the log is pasted above in the original post.

I'm just trying to run a podman container as root and checkpoint it so that I can load it back to that state later.

Thanks for the help.

[adrianreber]

How do you disable IPv6?

[mihalicyn]

@dpoolensdq I guess you have a kernel compiled without IPV6 support?

Please can you show:

1. ls -la /proc/sys/net/ from your system
2. cat /boot/config-$(uname -r) | grep IPV6

[dpoolensdq]

@mihalicyn yes I believe that's right.

ls -la /proc/sys/net/
dr-xr-xr-x. 1 root root 0 Dec 17 09:50 .
dr-xr-xr-x. 1 root root 0 Dec 17 09:50 ..
dr-xr-xr-x. 1 root root 0 Dec 17 09:50 core
dr-xr-xr-x. 1 root root 0 Dec 17 09:50 ipv4
dr-xr-xr-x. 1 root root 0 Dec 17 09:50 mptcp
dr-xr-xr-x. 1 root root 0 Dec 17 09:51 netfilter
dr-xr-xr-x. 1 root root 0 Dec 17 09:50 unix

cat /boot/config-$(uname -r) | grep IPV6
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
# CONFIG_IPV6_ILA is not set
CONFIG_IPV6_VTI=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
CONFIG_MPTCP_IPV6=y
CONFIG_IP_VS_IPV6=y
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_FLOW_TABLE_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_NF_DEFRAG_IPV6=m