.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -58,5 +58,3 @@
 /criu-3.19.tar.gz
 /criu-4.0.tar.gz
 /criu-4.1.tar.gz
-/criu-4.1.1.tar.gz
-/criu-4.2.tar.gz

2653.patch

@@ -0,0 +1,134 @@
+From 22fdffbdde9476b27988b3ee0a4013a4453784c9 Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@gmail.com>
+Date: Mon, 21 Apr 2025 06:33:41 +0000
+Subject: [PATCH] net: nftables: avoid restore failure if the CRIU nft table
+ already exist
+
+CRIU locks the network during restore in an "empty" network namespace.
+However, "empty" in this context means CRIU isn't restoring the
+namespace. This network namespace can be the same namespace where
+processes have been dumped and so the network is already locked in it.
+
+Fixes #2650
+
+Signed-off-by: Andrei Vagin <avagin@gmail.com>
+---
+ criu/cr-restore.c  |  2 +-
+ criu/include/net.h |  2 +-
+ criu/net.c         | 30 +++++++++++++++++-------------
+ 3 files changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/criu/cr-restore.c b/criu/cr-restore.c
+index 583b446e0b..30932f60a2 100644
+--- a/criu/cr-restore.c
++++ b/criu/cr-restore.c
+@@ -2119,7 +2119,7 @@ static int restore_root_task(struct pstree_item *init)
+ 		 * the '--empty-ns net' mode no iptables C/R is done and we
+ 		 * need to return these rules by hands.
+ 		 */
+-		ret = network_lock_internal();
++		ret = network_lock_internal(/* restore = */ true);
+ 		if (ret)
+ 			goto out_kill;
+ 	}
+diff --git a/criu/include/net.h b/criu/include/net.h
+index 5e8a848620..7c5ede21e1 100644
+--- a/criu/include/net.h
++++ b/criu/include/net.h
+@@ -31,7 +31,7 @@ extern int collect_net_namespaces(bool for_dump);
+ 
+ extern int network_lock(void);
+ extern void network_unlock(void);
+-extern int network_lock_internal(void);
++extern int network_lock_internal(bool restore);
+ 
+ extern struct ns_desc net_ns_desc;
+ 
+diff --git a/criu/net.c b/criu/net.c
+index ee46f1c495..300df480b0 100644
+--- a/criu/net.c
++++ b/criu/net.c
+@@ -3206,12 +3206,12 @@ static inline FILE *redirect_nftables_output(struct nft_ctx *nft)
+ }
+ #endif
+ 
+-static inline int nftables_lock_network_internal(void)
++static inline int nftables_lock_network_internal(bool restore)
+ {
+ #if defined(CONFIG_HAS_NFTABLES_LIB_API_0) || defined(CONFIG_HAS_NFTABLES_LIB_API_1)
+ 	cleanup_file FILE *fp = NULL;
+ 	struct nft_ctx *nft;
+-	int ret = 0;
++	int ret = 0, exit_code = -1;
+ 	char table[32];
+ 	char buf[128];
+ 
+@@ -3224,11 +3224,16 @@ static inline int nftables_lock_network_internal(void)
+ 
+ 	fp = redirect_nftables_output(nft);
+ 	if (!fp)
+-		goto out;
++		goto err2;
+ 
+ 	snprintf(buf, sizeof(buf), "create table %s", table);
+-	if (NFT_RUN_CMD(nft, buf))
++	ret = NFT_RUN_CMD(nft, buf);
++	if (ret) {
++		/* The network has been locked on dump. */
++		if (restore && errno == EEXIST)
++			return 0;
+ 		goto err2;
++	}
+ 
+ 	snprintf(buf, sizeof(buf), "add chain %s output { type filter hook output priority 0; policy drop; }", table);
+ 	if (NFT_RUN_CMD(nft, buf))
+@@ -3246,17 +3251,16 @@ static inline int nftables_lock_network_internal(void)
+ 	if (NFT_RUN_CMD(nft, buf))
+ 		goto err1;
+ 
+-	goto out;
+-
++	exit_code = 0;
++out:
++	nft_ctx_free(nft);
++	return exit_code;
+ err1:
+ 	snprintf(buf, sizeof(buf), "delete table %s", table);
+ 	NFT_RUN_CMD(nft, buf);
+ err2:
+-	ret = -1;
+ 	pr_err("Locking network failed using nftables\n");
+-out:
+-	nft_ctx_free(nft);
+-	return ret;
++	goto out;
+ #else
+ 	pr_err("CRIU was built without libnftables support\n");
+ 	return -1;
+@@ -3288,7 +3292,7 @@ static int iptables_network_lock_internal(void)
+ 	return ret;
+ }
+ 
+-int network_lock_internal(void)
++int network_lock_internal(bool restore)
+ {
+ 	int ret = 0, nsret;
+ 
+@@ -3301,7 +3305,7 @@ int network_lock_internal(void)
+ 	if (opts.network_lock_method == NETWORK_LOCK_IPTABLES)
+ 		ret = iptables_network_lock_internal();
+ 	else if (opts.network_lock_method == NETWORK_LOCK_NFTABLES)
+-		ret = nftables_lock_network_internal();
++		ret = nftables_lock_network_internal(restore);
+ 
+ 	if (restore_ns(nsret, &net_ns_desc))
+ 		ret = -1;
+@@ -3427,7 +3431,7 @@ int network_lock(void)
+ 	if (run_scripts(ACT_NET_LOCK))
+ 		return -1;
+ 
+-	return network_lock_internal();
++	return network_lock_internal(false);
+ }
+ 
+ void network_unlock(void)

criu.spec

@@ -11,13 +11,15 @@
 %undefine _auto_set_build_flags
 
 Name: criu
-Version: 4.2
-Release: 11%{?dist}
+Version: 4.1
+Release: 2%{?dist}
 Summary: Tool for Checkpoint/Restore in User-space
 License: GPL-2.0-only AND LGPL-2.1-only AND MIT
 URL: http://criu.org/
 Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{version}.tar.gz
 
+Patch0: https://github.com/checkpoint-restore/criu/pull/2653.patch
+
 # Add protobuf-c as a dependency.
 # We use this patch because the protobuf-c package name
 # in RPM and DEB is different.
@@ -31,7 +33,7 @@ BuildRequires: libnet-devel
 BuildRequires: protobuf-devel protobuf-c-devel %{py_prefix}-devel libnl3-devel libcap-devel
 BuildRequires: %{py_prefix}-pip
 BuildRequires: %{py_prefix}-setuptools
-BuildRequires: (%{py_prefix}-wheel if %{py_prefix}-setuptools < 71)
+BuildRequires: %{py_prefix}-wheel
 BuildRequires: %{py_prefix}-protobuf
 BuildRequires: asciidoctor
 BuildRequires: perl-interpreter
@@ -50,7 +52,7 @@ BuildRequires: make
 # user-space and kernel changes are only available for x86_64, arm,
 # ppc64le, aarch64 and s390x
 # https://bugzilla.redhat.com/show_bug.cgi?id=902875
-ExclusiveArch: x86_64 %{arm} ppc64le aarch64 s390x riscv64
+ExclusiveArch: x86_64 %{arm} ppc64le aarch64 s390x
 
 %description
 criu is the user-space part of Checkpoint/Restore in User-space
@@ -113,6 +115,7 @@ This script can help to workaround the so called "PID mismatch" problem.
 
 %prep
 %setup -q
+%patch -P 0 -p1
 %patch -P 99 -p1
 
 %build
@@ -185,33 +188,6 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libcriu.a
 %tmpfiles_create %{name}.conf
 
 %changelog
-* Mon Nov 17 2025 Cristian Le <git@lecris.dev> - 4.2-11
-- Convert STI tests to TMT (rhbz#2382879)
-
-* Mon Nov 17 2025 Adrian Reber <adrian@lisas.de> - 4.2-5
-- Update to 4.2
-
-* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 4.1.1-4
-- Rebuilt for Python 3.14.0rc3 bytecode
-
-* Wed Aug 27 2025 Miro Hrončok <mhroncok@redhat.com> - 4.1.1-3
-- Drop unused BuildRequires on python3-wheel
-
-* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 4.1.1-2
-- Rebuilt for Python 3.14.0rc2 bytecode
-
-* Wed Jul 30 2025 Adrian Reber <adrian@lisas.de> - 4.1.1-1
-- Update to 4.1.1
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 4.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Jun 17 2025 Python Maint <python-maint@redhat.com> - 4.1-4
-- Rebuilt for Python 3.14
-
-* Wed Apr 23 2025 David Abdurachmanov <davidlt@rivosinc.com> - 4.1-3
-- Enable for riscv64
-
 * Mon Apr 21 2025 Adrian Reber <adrian@lisas.de> - 4.1-2
 - Apply upstream patch to fix a runc regression
 

plans.fmf

@@ -1,21 +0,0 @@
-summary: Run all tests
-discover:
-  how: fmf
-prepare:
-  - name: Install the main package
-    how: install
-    package:
-      - criu
-execute:
-  how: tmt
-
-/zdtm:
-  # Use the srpm sources
-  discover+:
-    dist-git-source: true
-    dist-git-merge: true
-    test: /tests/zdtm
-
-/podman:
-  discover+:
-    test: /tests/podman

rpminspect.yaml

@@ -1,4 +0,0 @@
----
-annocheck:
-  jobs:
-    - hardened: --verbose --skip-dynamic-tags --skip-property-note --skip-bind-now --skip-pie --skip-cf-protection --skip-notes --skip-gaps --skip-optimization --skip-stack-clash --skip-stack-prot

sources

@@ -1 +1 @@
-SHA512 (criu-4.2.tar.gz) = f7e0ac17d46dd560bb2439f617a0a3b3933eb86f4b8b9b16852d300e4ffc6a4851d72be9342dfd40792a53fca8b65d26fde4e1b1f02bcd04923a8b6f0e5c8a62
+SHA512 (criu-4.1.tar.gz) = 769001a7e527c129fe73509fd0c7d3fc3b9b1080dc69929032cb84f60f95256f5d145ed4b7ea11f090a7f468f2bb2a0ecf56475eb292966cad26d643f0e46816

tests/run-podman-checkpoint-restore.sh

@@ -3,9 +3,6 @@
 set -eux
 
 ls -la
-uname -a
-rpm -qi criu || true
-criu --version
 
 echo "Start container"
 podman --log-level debug run -d quay.io/adrianreber/counter

tests/run-zdtm.sh

@@ -3,8 +3,6 @@
 set -xe
 
 uname -a
-rpm -qi criu || true
-criu --version
 
 # These zdtm tests are skipped because they fail only in CI system
 EXCLUDES=" \
@@ -15,19 +13,6 @@ EXCLUDES=" \
 	-x zdtm/static/socket-tcp4v6-closed \
 	-x zdtm/static/maps01 \
 	-x zdtm/static/maps04 \
-	-x zdtm/static/del_standalone_un \
-	-x zdtm/static/del_standalone_un_seqpacket \
-	-x zdtm/static/deleted_unix_sock \
-	-x zdtm/static/fifo_upon_unix_socket00 \
-	-x zdtm/static/sk-unix-dgram-ghost \
-	-x zdtm/static/sk-unix01 \
-	-x zdtm/static/sk-unix01-seqpacket \
-	-x zdtm/static/socket-tcpbuf \
-	-x zdtm/static/socket-tcpbuf6 \
-	-x zdtm/static/sockets00 \
-	-x zdtm/static/sockets00-seqpacket \
-	-x zdtm/static/sockets03 \
-	-x zdtm/static/sockets03-seqpacket \
 	-x zdtm/static/cgroup04 \
 	-x zdtm/static/cgroup_ifpriomap \
 	-x zdtm/static/netns_sub \
@@ -48,10 +33,10 @@ run_test() {
 
 RESULT=42
 
-# this socket breaks CRIU's test cases
+# this socket brakes CRIU's test cases
 rm -f /var/lib/sss/pipes/nss
 
-cd ../criu-$(crit --version)
+cd "source/criu-$(crit --version)/"
 
 echo "Build CRIU"
 make -j"$(nproc)"

tests/tests.yml

@@ -1,8 +1,16 @@
-/zdtm:
-  summary: Test zdtm
-  test: ./run-zdtm.sh
-  duration: 30m
-  require:
+---
+- hosts: localhost
+  roles:
+  - role: standard-test-source
+    tags:
+    - classic
+  - role: standard-test-basic
+    tags:
+    - classic
+    required_packages:
+    - podman
+    - curl
+    - jq
     - checkpolicy
     - policycoreutils
     - make
@@ -16,17 +24,14 @@
     - libnl3-devel
     - libcap-devel
     - libaio-devel
-    - libuuid-devel
     - nftables-devel
     - python3-pyyaml
     - python3-protobuf
     - python-unversioned-command
-    - crit
-    - python3-criu
-/podman:
-  summary: Test podman
-  test: ./run-podman-checkpoint-restore.sh
-  require:
-    - podman
-    - curl
-    - jq
+    tests:
+    - zdtm:
+        dir: .
+        run: ./run-zdtm.sh
+    - podman:
+        dir: .
+        run: ./run-podman-checkpoint-restore.sh