Description
During CRIU restore, runc executes prestart/createRuntime hooks in response to the setup-namespaces notification (criu_linux.go L1131-1145, criu_cli_linux.go L284-305). At this point, the container's mount tree has not yet been restored by CRIU, causing hooks that depend on the container's filesystem layout to fail. This affects any hook that enters the container's mount namespace and expects the restored mount tree to be present — most notably nvidia-container-runtime-hook, which needs to bind-mount GPU driver files into the container.
Steps to reproduce the issue
- Create a container with GPU support (nvidia-container-runtime-hook as prestart hook)
- Checkpoint the container via runc checkpoint
- Restore via runc restore
- The hook fails because /proc/driver/nvidia does not exist
Describe the results you received and expected
What I expected to happen
During runc restore, the prestart/createRuntime hooks should execute successfully, just as they do during runc create + runc start. The hooks should be able to enter the container's mount namespace and find the container's filesystem fully set up (including procfs at /proc/), allowing operations like bind-mounting GPU driver files into the container.
What actually happened
The nvidia-container-runtime-hook (prestart hook) fails during runc restore with an error indicating that the mount target path does not exist. Specifically, nvidia-container-cli enters the container's mount namespace via setns() and attempts to mount a tmpfs at /proc/driver/nvidia, but the path does not exist because:
- The container's mount namespace at setup-namespaces time contains only a copy of CRIU's mount table, not the container's restored mount tree
- /proc/ is an empty directory — procfs has not been mounted there yet
- CRIU restores the full mount tree (including procfs) after the setup-namespaces notification, during CR_STATE_PREPARE_NAMESPACES
Error from nvidia-container-cli:
nvidia-container-cli: mount operation failed: /proc/driver/nvidia
What version of runc are you using?
runc version: main branch
CRIU version: 4.x
Both RPC (swrk) mode and CLI mode are affected
Specific hook: nvidia-container-runtime-hook (libnvidia-container)
Host OS information
No response
Host kernel information
No response
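A preflight check for the condition reported above, as an added example that is not code from runc, CRIU, libnvidia-container or the reporter: it parses mountinfo text for the target mount namespace and reports whether procfs is mounted at /proc before a hook tries to mount beneath it. The names fsTypeAt and mountTreeReady are hypothetical and both mountinfo samples are constructed; it assumes the caller reads /proc/<pid>/mountinfo for the process whose mount namespace the hook will enter.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed mountinfo samples (not captured from a real system).
// beforeRestore: a mount table with no procfs at /proc.
const beforeRestore = `22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:21 / /run rw,nosuid shared:5 - tmpfs tmpfs rw
`

// afterRestore: a mount tree in which procfs is mounted at /proc.
const afterRestore = `410 380 0:52 / / rw,relatime master:120 - overlay overlay rw
411 410 0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
412 410 0:56 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
`

// mountinfo escapes space, tab, newline and backslash in paths as octal.
var unescape = strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)

// fsTypeAt returns the filesystem type of the last mountinfo entry whose
// mount point equals target, or "" when nothing is mounted there.
func fsTypeAt(mountinfo, target string) string {
	fstype := ""
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		// Layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
		pre, post, ok := strings.Cut(sc.Text(), " - ")
		f, p := strings.Fields(pre), strings.Fields(post)
		if !ok || len(f) < 5 || len(p) < 1 {
			continue // malformed or truncated line
		}
		if unescape.Replace(f[4]) == target {
			fstype = p[0]
		}
	}
	return fstype
}

// mountTreeReady reports whether procfs is mounted at /proc, the
// precondition for mounting anything at /proc/driver/nvidia.
func mountTreeReady(mountinfo string) bool { return fsTypeAt(mountinfo, "/proc") == "proc" }

func main() {
	fmt.Println("before restore:", mountTreeReady(beforeRestore))
	fmt.Println("after restore: ", mountTreeReady(afterRestore))
}
```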