checkpoint of container with userns is not working #1207

Open
Luap99 opened this issue May 8, 2023 · 4 comments

@Luap99
Member

Luap99 commented May 8, 2023

$ sudo bin/podman run -d --name test --uidmap 0:0:1000 quay.io/libpod/testimage:20221018 top
fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021
$ sudo bin/podman container checkpoint test
2023-05-08T12:49:06.173711Z: CRIU checkpointing failed -52.  Please check CRIU logfile /var/lib/containers/storage/overlay-containers/fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021/userdata/dump.log
Error: `/usr/bin/crun checkpoint --image-path /var/lib/containers/storage/overlay-containers/fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021/userdata/checkpoint --work-path /var/lib/containers/storage/overlay-containers/fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021/userdata fcfc957177dec9a4ae308ad79713bb2a1b5598af76f1d128b24b576ad0a90021` failed: exit status 1

Relevant line from the log:
(00.120964) Error (criu/mount.c:753): mnt: 2049:./dev/urandom doesn't have a proper root mount
Full log: dump.log

When the --uidmap argument is not used it works correctly. It works with runc, but there is still a podman bug: containers/podman#18502

$ crun --version
crun version 1.8.4
commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
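
Added example, not part of the issue and not code from crun, Podman or CRIU: a small Python parser for the dump.log line format quoted above, which pulls out the Error/Warn lines so the first failure can be located in a long log. The sample log is constructed around the one line quoted in the issue; `criu/example.c` and the function names are placeholders.

```python
import re

# CRIU log line shape, taken from the line quoted in the issue:
#   (00.120964) Error (criu/mount.c:753): mnt: 2049:./dev/urandom doesn't ...
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+"
    r"(?P<level>Error|Warn)\s+"
    r"\((?P<file>[^:()]+):(?P<line>\d+)\):\s*"
    r"(?P<msg>.*)$"
)

# Constructed sample; only the mount.c line is copied from the issue.
SAMPLE_LOG = """\
(00.000031) constructed informational line, no level tag
(00.118200) Warn  (criu/example.c:10): constructed warning for illustration
(00.120964) Error (criu/mount.c:753): mnt: 2049:./dev/urandom doesn't have a proper root mount
(00.121500) Error (criu/example.c:20): constructed follow-up error
"""

def parse_criu_log(text):
    """Return one dict per Error/Warn line; all other lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        # Split off a leading subsystem tag such as "mnt: " when present.
        subsystem, sep, rest = msg.partition(": ")
        if not sep or not re.fullmatch(r"[a-z_-]+", subsystem):
            subsystem, rest = None, msg
        findings.append({
            "ts": float(m.group("ts")),
            "level": m.group("level"),
            "source": f"{m.group('file')}:{m.group('line')}",
            "subsystem": subsystem,
            "message": rest,
        })
    return findings

def first_error(findings):
    """Earliest Error line: the place to start reading the log."""
    errors = [f for f in findings if f["level"] == "Error"]
    return min(errors, key=lambda f: f["ts"]) if errors else None

if __name__ == "__main__":
    print(first_error(parse_criu_log(SAMPLE_LOG)))
```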

@saschagrunert
Member

@Luap99 is this still an issue? Do you think we could fix that in the near future somehow? cc @adrianreber

@Luap99
Member Author

Luap99 commented Sep 16, 2024

I would assume so, nothing has changed and my reproducer still fails with the same error message.

In general, restoring the network namespace for a userns is currently broken anyways with the runtime restore API, as the process is started right away, so podman has no chance to configure the netns after the OCI runtime created the namespaces as the process is started right away (unlike the normal container startup sequence, which uses two steps for create then start so we can configure the netns in between there without issues).

But I guess crun first should be able to checkpoint before we can work on the restore side.

@kannon92

kannon92 commented Dec 9, 2024

@adrianreber @rst0git could you take a look?

@adrianreber
Contributor

> @adrianreber @rst0git could you take a look?

When we brought checkpoint/restore from runc to crun we did not implement this because nobody seems to be using it. checkpoint/restore works only on containers which are started by root because CRIU needs root (there is a new capability to run as non-root but the development has kind of stalled). I am not aware of people complaining about containers running as root and user namespaces not working with CRIU. At this point it feels like really low priority. For testing runc can be used to see if it works.

For restore we take the information about the network namespace and add it to config.json and CRIU then restores the processes into the existing network namespace but the way Podman works today this does not seem to work with user namespaces. This is a feature nobody is using and if it exists it would not work, not sure it makes sense to implement it right now.
