
Docker Checkpoint/Restore with CRIU Fails: Kernel Does Not Support PTRACE_O_SUSPEND_SECCOMP

Fixing Docker Checkpoint/Restore Failures Due to Missing PTRACE_O_SUSPEND_SECCOMP Support

Let's break down your issue and walk through the fixes—this is a common pain point when using CRIU with kernels that lack critical seccomp-related features.

Root Cause

That PTRACE_O_SUSPEND_SECCOMP warning from criu check --all is directly causing your problems:

  • This kernel flag lets CRIU safely pause a container's seccomp filters during checkpointing. Without it, CRIU can't properly halt the container's processes, which is why your container kept running even though the checkpoint command claimed success.
  • The resulting checkpoint data is incomplete, so there's no valid state to restore from when you try to resume the container.

Solution 1: Patch and Recompile Your Kernel

CRIU depends on a set of kernel patches to support full container checkpoint/restore, including the one for PTRACE_O_SUSPEND_SECCOMP. Here's how to resolve this properly:

  1. First, check your current kernel version:
    uname -r
    
  2. Locate the matching kernel patches from the CRIU project's maintained patch set (these are tailored for major kernel versions and cover seccomp handling, process checkpointing, and related functionality).
  3. Apply the patches to your kernel source tree, then recompile and install the updated kernel.
  4. Reboot your system, then re-run criu check --all—all checks should pass once the patched kernel is active.

Solution 2: Quick Test Workaround (Non-Production Only)

If you need to validate the checkpoint/restore workflow without compiling a new kernel, you can disable seccomp for your test container:

  • When launching your Hello World container, add this security option:
    docker run --security-opt seccomp=unconfined <your-image-tag>
    
  • Now, when you create a checkpoint with docker checkpoint create <container-name> <checkpoint-name>, the container will stop as expected. You can then restore it successfully with:
    docker start --checkpoint <checkpoint-name> <container-name>
    

⚠️ Important: Disabling seccomp removes a key security layer, so only use this for testing or isolated environments.

Verifying the Fix

After applying either solution:

  1. Run criu check --all to confirm all kernel requirements are satisfied.
  2. Create a checkpoint and verify the container stops immediately.
  3. Restore the container and confirm it resumes normal operation.
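
To test for the option directly rather than reading it out of the criu check --all output, the following added example (not part of the original answer or of CRIU) attaches to a throwaway child and tries to set PTRACE_O_SUSPEND_SECCOMP on it. The names classify and probe_suspend_seccomp are hypothetical; the errno mapping assumes mainline kernel behaviour (EINVAL when the kernel rejects the option, EPERM without CAP_SYS_ADMIN or when the caller is itself seccomp-confined).

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Value of PTRACE_O_SUSPEND_SECCOMP in <linux/ptrace.h>, defined locally
 * so the probe also builds against older libc headers. */
#define OPT_SUSPEND_SECCOMP (1UL << 21)

enum verdict { CR_SUPPORTED, CR_UNSUPPORTED, CR_NOT_PERMITTED, CR_PROBE_ERROR };

/* Map the PTRACE_SETOPTIONS result to a verdict (hypothetical helper). */
enum verdict classify(long rc, int err)
{
    if (rc == 0) return CR_SUPPORTED;
    if (err == EINVAL) return CR_UNSUPPORTED;   /* kernel rejects the option */
    if (err == EPERM) return CR_NOT_PERMITTED;  /* privilege or seccomp issue */
    return CR_PROBE_ERROR;
}

enum verdict probe_suspend_seccomp(void)
{
    enum verdict v = CR_PROBE_ERROR;
    int status;
    pid_t pid = fork();
    if (pid < 0) return v;
    if (pid == 0) { for (;;) pause(); }         /* throwaway tracee */
    /* SETOPTIONS needs a stopped tracee: attach, then wait for the stop. */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0 &&
        waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        errno = 0;
        long rc = ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)OPT_SUSPEND_SECCOMP);
        v = classify(rc, errno);
    }
    kill(pid, SIGKILL);                         /* ends the tracee and the trace */
    waitpid(pid, &status, 0);
    return v;
}

int main(void)
{
    static const char *msg[] = { "supported", "not supported by this kernel",
        "not permitted (CAP_SYS_ADMIN needed, caller must not be under seccomp)", "probe failed" };
    enum verdict v = probe_suspend_seccomp();
    printf("PTRACE_O_SUSPEND_SECCOMP: %s\n", msg[v]);
    return v == CR_SUPPORTED ? 0 : 1;
}
```

Run it as root on the host: inside a container with the default seccomp profile the probe reports "not permitted" even on a kernel that supports the option.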

The question in this content comes from Stack Exchange; it was asked by DGardner42.
