Support container restore through CRI/Kubernetes #10365

adrianreber · 2024-06-19T15:17:10Z

This implements container restore as described in:

https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/#restore-checkpointed-container-standalone

For detailed step by step instruction also see contrib/checkpoint/checkpoint-restore-cri-test.sh

The code changes are based on changes I have done in Podman around 2018 and CRI-O around 2020.

The history behind restoring container via CRI/Kubernetes probably requires some explanation. The initial proposal to bring checkpoint/restore to Kubernetes was looking at pod checkpoint and restoring and the corresponding CRI changes.

kubernetes-sigs/cri-tools#662 kubernetes/kubernetes#97194

After discussing this topic for about two years another approach was implemented as described in KEP-2008:

kubernetes/enhancements#2008

"Forensic Container Checkpointing" allowed us to separate checkpointing from restoring. For the "Forensic Container Checkpointing" it is enough to create a checkpoint of the container. Restoring is not necessary as the analysis of the checkpoint archive can happen without restoring the container.

While thinking about a way to restore a container it was by coincidence that we started to look into restoring containers in Kubernetes via Create and Start. The way it was done in CRI-O is to figure out during Create if the container image is a checkpoint image and if that is true we are using another code path. The same was implemented now with this change in containerd.

With this change it is possible to restore the container from a checkpoint tar archive that is created during checkpointing via CRI.

To restore a container via Kubernetes we convert the tar archive to an OCI image as described in the kubernetes.io blog post from above. Using this OCI image it is possible to restore a container in Kubernetes.

At this point I think it should be doable to restore containers in CRI-O and containerd no matter if they have been created by containerd or CRI-O. The biggest difference is the container metadata and that can be adapted during restore.

Open items:

It is not clear to me why restoring a container in containerd goes through task/Create(). But as the restore code already exists this change extended the existing code path to restore a container in task/Create() to also restore a container through the CRI via Create and Start.
Automatic image pulling. containerd does not pull images automatically if created via the CRI. There is an option in crictl to pull images before starting, but that uses the CRI image pull interface. It is still a separate pull and create operation. Restoring containers from an OCI image is a bit different. The checkpoint OCI image does not include the base image, but just a reference to the image (NAME@DIGEST). Using crictl with pulling will enable the pulling of the checkpoint image, but not of the base image the checkpoint is based on. So during preparation of the checkpoint containerd will automatically pull the base image, but I was not able how to pull an image blockingly in containerd. So there is a for loop waiting for the container image to appear in the internal store. I think this probably can be implemented better.

Anyway, this is a first step towards container restored in Kubernetes when using containerd.

k8s-ci-robot · 2024-06-19T15:17:20Z

Hi @adrianreber. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

xhejtman · 2024-07-05T09:10:10Z

Hello, I tested in K8s with the following:

Setup Env

K8s: 1.30.2 (RKE2)
Distro: Ubuntu 24.04
Kernel: 6.8.0-36
CRIU: v3.18-266-g6f92787b7
containerd: 2.0.0-rc3 + this PR
kubelet featuregate: ContainerCheckpoint=true

Results

Checkpoint

curl -q -s -X POST "https://localhost:10250/checkpoint/$CONTAINER" \
        --insecure \
        --cert /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt \
        --key /var/lib/rancher/rke2/server/tls/client-kube-apiserver.key

creates a checkpoint, however, criu (/etc/criu/runc.conf) must NOT set custom log path (e.g. log-file=/tmp/criu.log), or checkpoint will fail (rpc error: code = Unknown desc = open /var/lib/rancher/rke2/agent/containerd/io.containerd.grpc.v1.cri/containers/161976044213c3871a13f8989c11933e240f0735da61bd5cf83694a94b1a1af6/dump.log: no such file or directory)

buildah needs to set different annotation to the one with crio:

for crio: --annotation=io.kubernetes.cri-o.annotations.checkpoint.name=
for containerd: --annotation=org.criu.checkpoint.container.name=

Restore

cgroupv1 support only. with cgroupv2, restored process is killed immediately
rootfs-diff.tar is not restored - restore actually fails in criu
container after restore does not log (i.e., log output is empty)
Restoring simple shell command works (/bin/bash -c i=0; while true; do sleep 1; echo $i; i=$[i+1]; done)

adrianreber · 2024-07-10T16:03:03Z

@xhejtman Thanks for testing. I rebased the PR to apply cleanly on the latest git checkout of containerd.

The CRIU log file error you mentioned should be gone now. I do not think you need to explicitly set the feature gate for container checkpointing since it defaults to on since going Beta in 1.30.

xhejtman · 2024-07-14T22:26:06Z

The CRIU log file error you mentioned should be gone now. I do not think you need to explicitly set the feature gate for container checkpointing since it defaults to on since going Beta in 1.30.

Yes, tested again, the CRIU log issue is gone.

I just noticed one more thing: if checkpointed container did not specify command/entrypoint in the docker file, Pod manifest for restore needs to specify at least dummy command, or error will be raised: no command specified in restore process.

adrianreber · 2024-07-15T15:51:12Z

@xhejtman I added my Kubernetes test script in contrib/checkpoint and container logging should now also work.

adrianreber · 2024-07-16T17:12:52Z

CI looks finally happy. One more feature is missing before this is ready. The rootfs changes are not yet applied to the restored container, so a container which changes files in the container will probably fail restoring. This should be an easy change as it is not much more than applying the existing tar file to the container rootfs.

estesp · 2025-01-16T21:10:30Z

@estesp I renamed the variable you pointed out. Was there more in your review than renaming. Not sure I understood it completely correct.

That was all; thanks!

jakubsolecki · 2025-02-12T15:51:59Z

Hello @adrianreber, what's the status of this PR? Feedback seems to be addressed

adrianreber · 2025-02-12T15:53:56Z

Hello @adrianreber, what's the status of this PR? Feedback seems to be addressed

I don't know what the status is. I am happy to apply any code review suggestions.

adrianreber · 2025-03-10T16:20:14Z

Rebased

djdongjin · 2025-03-10T16:24:55Z

make vendor should fix CI / Project Checks (pull_request) failure

adrianreber · 2025-03-10T16:26:02Z

make vendor should fix CI / Project Checks (pull_request) failure

Thank you.

.github/workflows/ci.yml

contrib/checkpoint/checkpoint-restore-cri-test.sh

contrib/checkpoint/checkcriu.go

AkihiroSuda

LGTM but a few nits.

Sorry for taking too long to review this

adrianreber · 2025-03-11T08:59:17Z

LGTM but a few nits.

Sorry for taking too long to review this

Thanks. I tried to address are your review comments.

This implements container restore as described in: https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/#restore-checkpointed-container-standalone For detailed step by step instruction also see contrib/checkpoint/checkpoint-restore-cri-test.sh The code changes are based on changes I have done in Podman around 2018 and CRI-O around 2020. The history behind restoring container via CRI/Kubernetes probably requires some explanation. The initial proposal to bring checkpoint/restore to Kubernetes was looking at pod checkpoint and restoring and the corresponding CRI changes. kubernetes-sigs/cri-tools#662 kubernetes/kubernetes#97194 After discussing this topic for about two years another approach was implemented as described in KEP-2008: kubernetes/enhancements#2008 "Forensic Container Checkpointing" allowed us to separate checkpointing from restoring. For the "Forensic Container Checkpointing" it is enough to create a checkpoint of the container. Restoring is not necessary as the analysis of the checkpoint archive can happen without restoring the container. While thinking about a way to restore a container it was by coincidence that we started to look into restoring containers in Kubernetes via Create and Start. The way it was done in CRI-O is to figure out during Create if the container image is a checkpoint image and if that is true we are using another code path. The same was implemented now with this change in containerd. With this change it is possible to restore the container from a checkpoint tar archive that is created during checkpointing via CRI. To restore a container via Kubernetes we convert the tar archive to an OCI image as described in the kubernetes.io blog post from above. Using this OCI image it is possible to restore a container in Kubernetes. At this point I think it should be doable to restore containers in CRI-O and containerd no matter if they have been created by containerd or CRI-O. The biggest difference is the container metadata and that can be adapted during restore. Open items: * It is not clear to me why restoring a container in containerd goes through task/Create(). But as the restore code already exists this change extended the existing code path to restore a container in task/Create() to also restore a container through the CRI via Create and Start. * Automatic image pulling. containerd does not pull images automatically if created via the CRI. There is an option in crictl to pull images before starting, but that uses the CRI image pull interface. It is still a separate pull and create operation. Restoring containers from an OCI image is a bit different. The checkpoint OCI image does not include the base image, but just a reference to the image (NAME@DIGEST). Using crictl with pulling will enable the pulling of the checkpoint image, but not of the base image the checkpoint is based on. So during preparation of the checkpoint containerd will automatically pull the base image, but I was not able how to pull an image blockingly in containerd. So there is a for loop waiting for the container image to appear in the internal store. I think this probably can be implemented better. Anyway, this is a first step towards container restored in Kubernetes when using containerd. Signed-off-by: Adrian Reber <[email protected]>

k8s-ci-robot added do-not-merge/work-in-progress needs-rebase needs-ok-to-test labels Jun 19, 2024

k8s-ci-robot added the size/XXL label Jun 19, 2024

adrianreber force-pushed the 2024-06-19-restore-create-start branch from 6d9aaed to f602c12 Compare June 19, 2024 15:27

k8s-ci-robot removed the needs-rebase label Jun 19, 2024

rst0git mentioned this pull request Jun 20, 2024

Add support for container restore from a checkpoint in Kubernetes #10093

Closed

k8s-ci-robot added the needs-rebase label Jun 22, 2024

adrianreber force-pushed the 2024-06-19-restore-create-start branch from f602c12 to 25da2f2 Compare July 10, 2024 16:00

k8s-ci-robot removed the needs-rebase label Jul 10, 2024

adrianreber force-pushed the 2024-06-19-restore-create-start branch from 25da2f2 to 29ec7b2 Compare July 15, 2024 15:50

adrianreber force-pushed the 2024-06-19-restore-create-start branch 5 times, most recently from 6fef265 to 1d3793e Compare July 16, 2024 16:43

adrianreber force-pushed the 2024-06-19-restore-create-start branch from 1d3793e to 23e2f4b Compare July 18, 2024 07:40

adrianreber closed this Jul 18, 2024

adrianreber reopened this Jul 18, 2024

adrianreber marked this pull request as ready for review July 18, 2024 09:21

k8s-ci-robot removed the do-not-merge/work-in-progress label Jul 18, 2024

adrianreber closed this Jul 18, 2024

adrianreber reopened this Jul 18, 2024

dosubot bot added the area/cri Container Runtime Interface (CRI) label Jul 18, 2024

k8s-ci-robot added the needs-rebase label Feb 18, 2025

adrianreber force-pushed the 2024-06-19-restore-create-start branch from fc3a663 to e7af745 Compare March 10, 2025 16:19

k8s-ci-robot removed the needs-rebase label Mar 10, 2025

adrianreber force-pushed the 2024-06-19-restore-create-start branch 2 times, most recently from bc7f710 to 171f413 Compare March 10, 2025 16:59

djdongjin reviewed Mar 10, 2025

View reviewed changes

.github/workflows/ci.yml Outdated Show resolved Hide resolved

adrianreber force-pushed the 2024-06-19-restore-create-start branch from 171f413 to f5eee87 Compare March 10, 2025 17:10