ci: install criu dependency

ChengyuZhu6 · ChengyuZhu6 · commit 968e261452ae · 2025-09-25T20:06:59.000+08:00
install criu in ci to test checkpoint.

Signed-off-by: ChengyuZhu6 &lt;hudson@cyzhu.com&gt;
diff --git a/.github/workflows/job-test-in-container.yml b/.github/workflows/job-test-in-container.yml
@@ -149,7 +149,17 @@ jobs:
           sudo sysctl -w net.ipv4.ip_forward=1
           # Enable IPv6 for Docker, and configure docker to use containerd for gha
           sudo mkdir -p /etc/docker
-          echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "experimental": true, "ip6tables": true}' | sudo tee /etc/docker/daemon.json
+          echo '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64", "ip6tables": true}' | sudo tee /etc/docker/daemon.json
+      - name: "Init: enable Docker experimental features"
+        run: |
+          sudo mkdir -p /etc/docker
+          if [ -f /etc/docker/daemon.json ]; then
+            tmpfile="$(mktemp)"
+            sudo jq '.experimental = true' /etc/docker/daemon.json | sudo tee "$tmpfile" >/dev/null
+            sudo mv "$tmpfile" /etc/docker/daemon.json
+          else
+            echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json >/dev/null
+          fi
           sudo systemctl restart docker
       - name: "Run: integration tests"
         run: |
diff --git a/.github/workflows/job-test-in-host.yml b/.github/workflows/job-test-in-host.yml
@@ -107,9 +107,9 @@ jobs:
         name: "Init (linux): prepare host"
         run: |
           if [ "${{ contains(inputs.binary, 'docker') }}" == true ]; then
-            echo "::group:: configure cdi for docker"
+            echo "::group:: configure cdi and experimentalfor docker"
             sudo mkdir -p /etc/docker
-            sudo jq '.features.cdi = true' /etc/docker/daemon.json | sudo tee /etc/docker/daemon.json.tmp && sudo mv /etc/docker/daemon.json.tmp /etc/docker/daemon.json
+            sudo jq -n '.features.cdi = true | .experimental = true' | sudo tee /etc/docker/daemon.json
             echo "::endgroup::"
             echo "::group:: downgrade docker to the specific version we want to test (${{ inputs.docker-version }})"
             sudo apt-get update -qq
@@ -122,6 +122,7 @@ jobs:
               | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
             sudo apt-get update -qq
             sudo apt-get install -qq --allow-downgrades docker-ce=${{ inputs.docker-version }} docker-ce-cli=${{ inputs.docker-version }}
+            sudo systemctl restart docker
             echo "::endgroup::"
           else
             # FIXME: this is missing runc (see top level workflow note about the state of this)
@@ -153,7 +154,8 @@ jobs:
 
           # FIXME: remove expect when we are done removing unbuffer from tests
           echo "::group:: installing test dependencies"
-          sudo apt-get install -qq expect
+          sudo add-apt-repository ppa:criu/ppa -y
+          sudo apt-get install -qq expect criu
           echo "::endgroup::"
 
           # This ensures that bridged traffic goes through netfilter
diff --git a/.github/workflows/job-test-unit.yml b/.github/workflows/job-test-unit.yml
@@ -68,14 +68,17 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
           check-latest: true
 
-      # Install CNI
+      # Install CNI and CRIU
       - if: ${{ env.GO_VERSION != '' }}
-        name: "Init: set up CNI"
+        name: "Init: set up CNI and CRIU"
         run: |
           if [ "$RUNNER_OS" == "Windows" ]; then
             GOPATH=$(go env GOPATH) WINCNI_VERSION=${{ inputs.windows-cni-version }} ./hack/provisioning/windows/cni.sh
           elif [ "$RUNNER_OS" == "Linux" ]; then
             ./hack/provisioning/linux/cni.sh install "${{ inputs.linux-cni-version }}" "amd64" "${{ inputs.linux-cni-sha }}"
+            sudo apt-get update -qq
+            sudo add-apt-repository ppa:criu/ppa -y
+            sudo apt-get install -qq criu
           fi
 
       - if: ${{ env.GO_VERSION != '' }}
diff --git a/Dockerfile b/Dockerfile
@@ -294,7 +294,7 @@ RUN perl -pi -e 's/multi-user.target/docker-entrypoint.target/g' /usr/local/lib/
   systemctl enable containerd buildkit stargz-snapshotter && \
   mkdir -p /etc/bash_completion.d && \
   nerdctl completion bash >/etc/bash_completion.d/nerdctl && \
-  mkdir -p -m 0755 /etc/cni
+  mkdir -p -m 0755 /etc/cni /etc/cdi /var/run/cdi /etc/buildkit/cdi
 COPY ./Dockerfile.d/etc_containerd_config.toml /etc/containerd/config.toml
 COPY ./Dockerfile.d/etc_buildkit_buildkitd.toml /etc/buildkit/buildkitd.toml
 VOLUME /var/lib/containerd
@@ -309,10 +309,17 @@ ARG DEBIAN_FRONTEND=noninteractive
 # `expect` package contains `unbuffer(1)`, which is used for emulating TTY for testing
 # `jq` is required to generate test summaries
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
-  expect \
-  jq \
-  git \
-  make
+    software-properties-common \
+    gnupg \
+    gpg-agent \
+    ca-certificates && \
+    add-apt-repository ppa:criu/ppa && \
+    apt-get update -qq && apt-get install -qq --no-install-recommends \
+    expect \
+    jq \
+    git \
+    make \
+    criu
 # We wouldn't need this if Docker Hub could have "golang:${GO_VERSION}-ubuntu"
 COPY --from=build-base /usr/local/go /usr/local/go
 ARG TARGETARCH
diff --git a/extras/rootless/containerd-rootless.sh b/extras/rootless/containerd-rootless.sh
@@ -161,7 +161,7 @@ else
 	# so that we can create our own files in our mount namespace.
 	# The actual files in the parent namespace are *not removed* by this rm command.
 	rm -f /run/containerd /run/xtables.lock \
-		/var/lib/containerd /var/lib/cni /etc/containerd
+		/var/lib/containerd /var/lib/cni /etc/containerd /etc/cni/net.d /etc/cdi /var/run/cdi /etc/buildkit/cdi
 
 	# Bind-mount /etc/ssl.
 	# Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
@@ -187,6 +187,18 @@ else
 	mkdir -p "${XDG_CONFIG_HOME}/containerd" "/etc/containerd"
 	mount --bind "${XDG_CONFIG_HOME}/containerd" "/etc/containerd"
 
+	# Bind-mount /etc/cni/net.d
+	mkdir -p "${XDG_CONFIG_HOME}/cni/net.d" "/etc/cni/net.d"
+	mount --bind "${XDG_CONFIG_HOME}/cni/net.d" "/etc/cni/net.d"
+
+	# Bind-mount CDI directories
+	mkdir -p "${XDG_CONFIG_HOME}/cdi" "/etc/cdi"
+	mount --bind "${XDG_CONFIG_HOME}/cdi" "/etc/cdi"
+	mkdir -p "${XDG_DATA_HOME}/cdi" "/var/run/cdi"
+	mount --bind "${XDG_DATA_HOME}/cdi" "/var/run/cdi"
+	mkdir -p "${XDG_CONFIG_HOME}/buildkit/cdi" "/etc/buildkit/cdi"
+	mount --bind "${XDG_CONFIG_HOME}/buildkit/cdi" "/etc/buildkit/cdi"
+
 	if [ -n "$_CONTAINERD_ROOTLESS_SELINUX" ]; then
 		# iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected.
 		# https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401
