
CRIU 2.0 Released with Improved Features


CRIU 2.0 has been released. We reorganized all of the criu-2 code, new features have been refined, and bugs have been fixed.

Changelog:

  • New code layout for sub-projects (e.g. Compel)

  • Unprivileged dump

  • Dump/check cpuinfo support for PPC

  • Explorers for CRIT

  • Added "post-setup-namespaces" to action scripts

  • Added timeout for dump procedure (5 sec by default)

  • Ability to override LSM profile on restore with CLI/RPC option

  • External bind mounts can be fs-root mounts too

  • Skip netns' internals on dump and restore (for Docker integration)

  • Advanced support for external files

  • C/R for

    • Mode and uid/gid of cgroup files and dirs

    • Freeze cgroup state (frozen/thawed)

    • Task's loginuid and oom score

    • Per-thread credentials

    • Filter mode of seccomp

    • Ghost file in removed directory

    • Ghost files lutimes

    • Binfmt-misc FS contents

    • Netfilter conntracks and expectations

    • Multi-headed cgroups

    • CGroup namespaces (no nesting)

Optimizations/improvements:

  • Align parasite stack on 16 bits for correctness

  • Compilation with native libc syscall wrappers and helpers

  • Parasite code injection done via memfd system call

  • Make vaddr to pfn conversion with one less syscall

  • CRIT shows device numbers in "maj:min" manner

  • CRIT shows mmap's status in verbose

  • Docker files for builds on all supported arches

Fixes:

  • Absent readlink syscall on ARM (use readlinkat instead) could cause dump to fail

  • Wrong argument to timer_create system call could cause restore to crash

  • Extra tasks in freeze cgroup caused dump to fail/hang/crash

  • Unaligned restore-time object allocations caused lock operations to fail

  • Opened /proc/pid dir of dead task failed the dump

  • Unaligned stacks caused criu to fail on aarch64

  • Changed device numbers on restore side could cause random failures

  • Fixes in mount points sharing/slavery/propagation restore

  • Race between mntns creation and fds closing in different tasks could cause restore to fail

  • Hard kernel limit on TCP repair recv queue restore could cause big queue restore to fail

  • Unconnected dgram UNIX socket with data lost packets on restore

  • CRIT didn't show IPC objects

  • CRIT didn't convert IP addresses in images

  • Logs from PIE code contained corrupted addresses and sizes

  • Not loaded netfilter modules could cause dump/restore to get stuck on dumping netlink socket

  • Shared external mounts were restored with error

Security:

  • User-mode

  • When checking for namespaces' CRIU entered userns with host creds

Deprecated/removed:

  • Completely removed 'show' action. Use CRIT instead.

