feat: upgrade CRIU and remove nftables

we don't need net-lock anymore, so we can stop building with nftables
and have a single CRIU version for all supported platforms.

.github/workflows/build_push_criu.yml

@@ -8,7 +8,7 @@ on:
 env:
   REGISTRY: ghcr.io
   CRIU_IMAGE_NAME: ${{ github.repository }}-criu
-  CRIU_VERSION: a2c4dd2
+  CRIU_VERSION: v3.19
 
 jobs:
   push_to_registry:

Makefile

@@ -3,8 +3,7 @@ NAMESPACE := ctrox
 INSTALLER_IMAGE := $(REGISTRY)/$(NAMESPACE)/zeropod-installer:dev
 MANAGER_IMAGE := $(REGISTRY)/$(NAMESPACE)/zeropod-manager:dev
 TEST_IMAGE := $(REGISTRY)/$(NAMESPACE)/zeropod-test:dev
-# a2c4dd2 allows skipping iptables/nftables
-CRIU_VERSION := a2c4dd2
+CRIU_VERSION := v3.19
 CRIU_IMAGE := $(REGISTRY)/$(NAMESPACE)/zeropod-criu:$(CRIU_VERSION)
 DOCKER_SOCK := /var/run/docker.sock
 EBPF_IMAGE := $(REGISTRY)/$(NAMESPACE)/zeropod-ebpf:dev

cmd/installer/main.go

@@ -25,8 +25,7 @@ import (
 )
 
 var (
-	criuImage      = flag.String("criu-image", "ghcr.io/ctrox/zeropod-criu:a2c4dd2", "criu image to use.")
-	criuNFTables   = flag.Bool("criu-nftables", true, "use criu with nftables")
+	criuImage      = flag.String("criu-image", "ghcr.io/ctrox/zeropod-criu:v3.19", "criu image to use.")
 	runtime        = flag.String("runtime", "containerd", "specifies which runtime to configure. containerd/k3s/rke2")
 	hostOptPath    = flag.String("host-opt-path", "/opt/zeropod", "path where zeropod binaries are stored on the host")
 	uninstall      = flag.Bool("uninstall", false, "uninstalls zeropod by cleaning up all the files the installer created")
@@ -147,16 +146,6 @@ func installCriu(ctx context.Context) error {
 		return err
 	}
 
-	if !*criuNFTables {
-		log.Println("nftables disabled, installing criu with iptables")
-		// if we don't have nftables support, we need to use the criu binary
-		// without nftables support compiled in as the config alone does not seem
-		// to do the trick :/
-		if err := os.Rename(filepath.Join(optPath, "bin", criuIPTablesBin), filepath.Join(optPath, "bin", defaultCriuBin)); err != nil {
-			return err
-		}
-	}
-
 	// write the criu config
 	if err := os.MkdirAll(path.Dir(criuConfigFile), os.ModePerm); err != nil {
 		return err

config/gke/kustomization.yaml

@@ -4,10 +4,6 @@ patchesStrategicMerge:
   - daemonset.yaml
 patches:
   - patch: |-
-      # gke does not have nftables support (yet, dev kernel supports it)
-      - op: add
-        path: /spec/template/spec/containers/1/args/-
-        value: -criu-nftables=false
       - op: add
         path: /spec/template/spec/containers/1/args/-
         value: -host-opt-path=/var/lib/toolbox/zeropod

criu/Dockerfile

@@ -5,31 +5,22 @@
 FROM ubuntu:20.04 as build
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
   git build-essential libprotobuf-dev libprotobuf-c-dev \
-  protobuf-c-compiler protobuf-compiler python-protobuf \
+  protobuf-c-compiler protobuf-compiler python3-protobuf \
   libcap-dev libnl-3-dev libnet-dev pkg-config curl ca-certificates
 
 WORKDIR /workspace
 
 RUN git clone https://github.com/checkpoint-restore/criu.git
 WORKDIR /workspace/criu
-ARG CRIU_VERSION=v3.18
+ARG CRIU_VERSION=v3.19
 RUN git checkout $CRIU_VERSION
-
 RUN make -j $(nproc)
-RUN mv ./criu/criu ./criu/criu-iptables
-
-# build with nftables support
-RUN DEBIAN_FRONTEND=noninteractive apt-get install -y libnftables-dev
-RUN make clean && make -j $(nproc)
 
 # we just add libs and binaries from scratch so this image can be used with
 # containerd's client.Install.
 FROM scratch AS export-stage
 COPY --from=build /workspace/criu/criu/criu /bin/
-COPY --from=build /workspace/criu/criu/criu-iptables /bin/
 COPY --from=build /usr/lib/*-linux-gnu/libprotobuf-c.so.1 /lib/
 COPY --from=build /lib/*-linux-gnu/libnl-3.so.200 /lib/
 COPY --from=build /usr/lib/*-linux-gnu/libnet.so.1 /lib/
-COPY --from=build /lib/*-linux-gnu/libnftables.so.1 /lib/
-COPY --from=build /lib/*-linux-gnu/libnftnl.so.11 /lib/
 COPY --from=build /lib/*-linux-gnu/libjansson.so.4 /lib/