#10 Add criu-unprivileged package
Opened 4 months ago by rstoyanov. Modified 4 months ago
rpms/ rstoyanov/criu criu-unprivileged  into  rawhide

file modified
+28 -1
@@ -12,11 +12,12 @@ 

  

  Name: criu

  Version: 3.19

- Release: 2%{?dist}

+ Release: 3%{?dist}

  Summary: Tool for Checkpoint/Restore in User-space

  License: GPL-2.0-only AND LGPL-2.1-only AND MIT

  URL: http://criu.org/

  Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{version}.tar.gz

+ Obsoletes: %{name}-unprivileged <= %{version}-%{release}

  

  # Add protobuf-c as a dependency.

  # We use this patch because the protobuf-c package name
@@ -55,6 +56,15 @@ 

  (CRIU), a project to implement checkpoint/restore functionality for

  Linux in user-space.

  

+ %package unprivileged

+ Summary: CRIU with capabilities for unprivileged checkpoint/restore

+ Obsoletes: %{name} <= %{version}-%{release}

+ Provides: %{name} = %{version}-%{release}

+ 

+ %description unprivileged

+ This package provides %{name} binary with Linux capabilities

+ for checkpoint/restore as non-root.

+ 

  %package devel

  Summary: Header files and libraries for %{name}

  Requires: %{name} = %{version}-%{release}
@@ -134,6 +144,20 @@ 

  %{_tmpfilesdir}/%{name}.conf

  %doc README.md COPYING

  

+ %files unprivileged

+ # Required capabilities for unprivileged checkpoint/restore:

+ # - CAP_CHECKPOINT_RESTORE is the minimum capability required for unprivileged checkpoint/restore

+ # - CAP_NET_ADMIN is required to restore established TCP connections

+ # - CAP_SYS_CHROOT is required for chroot() during restore

+ # - CAP_SETUID / CAP_SETGID are required to enable restore of real and effective user/group IDs

+ # - CAP_SYS_RESOURCE is required to enable restore of resource limits (e.g., max number of open files descrptors)

+ %attr(0755,root,root) %caps(cap_checkpoint_restore=eip cap_net_admin=eip cap_sys_chroot=eip cap_setuid=eip cap_setgid=eip cap_sys_resource=eip) %{_sbindir}/%{name}

+ %doc %{_mandir}/man8/criu.8*

+ %{_libexecdir}/%{name}

+ %dir /run/%{name}

+ %{_tmpfilesdir}/%{name}.conf

+ %doc README.md COPYING

+ 

  %files devel

  %{_includedir}/criu

  %{_libdir}/*.so
@@ -156,6 +180,9 @@ 

  %doc %{_mandir}/man1/criu-ns.1*

  

  %changelog

+ * Tue Dec 12 2023 Radostin Stoyanov <radostin@redhat.com> - 3.19-3

+ - Add criu-unprivileged package

+ 

  * Tue Nov 28 2023 Adrian Reber <adrian@lisas.de> - 3.19-2

  - Fix test setup

  

This patch adds a new sub-package criu-unprivileged that installs the criu binary with Linux capabilities for checkpoint/restore as non-root.

Metadata Update from @rstoyanov:
- Request assigned

4 months ago

I think you need the same logic in the main package. I can easily install criu-unprivileged without additional flags using dnf. But going back to criu does not work without --allowerasing.

Also, a comment would be nice why each of the capabilities is needed. Or put it into the summary, so that the user sees why the capabilities are set and for what they are needed.

rebased onto 270938f

4 months ago

@adrian Thank you for the code review! I've updated the pull request.

Metadata