lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 17 Nov 2010 16:40:35 +0100
From:	Tejun Heo <>
To:	Dan Smith <>
CC:	Gene Cooperman <>,
	Oren Laadan <>,
	Kapil Arya <>,,,
Subject: Re: [Ksummit-2010-discuss] checkpoint-restart: naked patch


On 11/17/2010 04:33 PM, Dan Smith wrote:
> TH> If it ever becomes a general enough problem (which I extremely
> TH> strongly doubt),
> Migration of a container?  Yeah, it's one of the primary reasons for
> doing what we're doing :)

Well, then push for the feature.  If the rationale is strong enough,
it'll get in.

> TH> we can think about allowing processes in a netns to change
> TH> sequence number but that would be a single setsockopt option
> Yeah, well there's more than that, of course, if you want to be able
> to checkpoint a socket in any state.  Buffers, time-wait, etc.

I haven't really thought about it too deeply but for all other misc
states, you should be able to emulate it by talking to a netfilter
module.  The reason why I suggested sequence number changing setsocket
option is because that is the only performance sensitive part and with
that you should be able to resume live sockets without conntracking.
For cold paths, using netfilter module during resume should do, right?

> TH> instead of the horror show of dumping in-kernel data structures in
> TH> binary blob.
> Well, as should be evident from a review of the code, we don't dump
> binary kernel data structures as a general rule.  We canonicalize them
> into checkpoint headers on the way out and build the new data
> structures (or use existing kernel interfaces to do so) on the way in.
> You know, just like netlink does.

netlink interaction is defined by ABI.

> It has even been suggested that we do this with netlink instead, to
> mirror the other "horror show" tools that we all use on a daily basis.
> We're not opposed to this, but we do have some concerns about
> performance.

The horror show part is dumping internal data structure without due
scrutinization in a way which can only ever be useful for CR when most
of the same states are already exported via ABI defined ways.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists