mirror of
https://github.com/containerd/containerd.git
synced 2026-07-02 12:49:54 +00:00
This implements container restore as described in: https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/#restore-checkpointed-container-standalone For detailed step by step instruction also see contrib/checkpoint/checkpoint-restore-cri-test.sh The code changes are based on changes I have done in Podman around 2018 and CRI-O around 2020. The history behind restoring container via CRI/Kubernetes probably requires some explanation. The initial proposal to bring checkpoint/restore to Kubernetes was looking at pod checkpoint and restoring and the corresponding CRI changes. https://github.com/kubernetes-sigs/cri-tools/pull/662 https://github.com/kubernetes/kubernetes/pull/97194 After discussing this topic for about two years another approach was implemented as described in KEP-2008: https://github.com/kubernetes/enhancements/issues/2008 "Forensic Container Checkpointing" allowed us to separate checkpointing from restoring. For the "Forensic Container Checkpointing" it is enough to create a checkpoint of the container. Restoring is not necessary as the analysis of the checkpoint archive can happen without restoring the container. While thinking about a way to restore a container it was by coincidence that we started to look into restoring containers in Kubernetes via Create and Start. The way it was done in CRI-O is to figure out during Create if the container image is a checkpoint image and if that is true we are using another code path. The same was implemented now with this change in containerd. With this change it is possible to restore the container from a checkpoint tar archive that is created during checkpointing via CRI. To restore a container via Kubernetes we convert the tar archive to an OCI image as described in the kubernetes.io blog post from above. Using this OCI image it is possible to restore a container in Kubernetes. At this point I think it should be doable to restore containers in CRI-O and containerd no matter if they have been created by containerd or CRI-O. The biggest difference is the container metadata and that can be adapted during restore. Open items: * It is not clear to me why restoring a container in containerd goes through task/Create(). But as the restore code already exists this change extended the existing code path to restore a container in task/Create() to also restore a container through the CRI via Create and Start. * Automatic image pulling. containerd does not pull images automatically if created via the CRI. There is an option in crictl to pull images before starting, but that uses the CRI image pull interface. It is still a separate pull and create operation. Restoring containers from an OCI image is a bit different. The checkpoint OCI image does not include the base image, but just a reference to the image (NAME@DIGEST). Using crictl with pulling will enable the pulling of the checkpoint image, but not of the base image the checkpoint is based on. So during preparation of the checkpoint containerd will automatically pull the base image, but I was not able how to pull an image blockingly in containerd. So there is a for loop waiting for the container image to appear in the internal store. I think this probably can be implemented better. Anyway, this is a first step towards container restored in Kubernetes when using containerd. Signed-off-by: Adrian Reber <areber@redhat.com>
84 lines
2.5 KiB
Go
84 lines
2.5 KiB
Go
/*
|
|
Copyright The containerd Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package runtime
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/containerd/containerd/v2/core/mount"
|
|
"github.com/containerd/typeurl/v2"
|
|
)
|
|
|
|
// IO holds process IO information
|
|
type IO struct {
|
|
Stdin string
|
|
Stdout string
|
|
Stderr string
|
|
Terminal bool
|
|
}
|
|
|
|
// CreateOpts contains task creation data
|
|
type CreateOpts struct {
|
|
// Spec is the OCI runtime spec
|
|
Spec typeurl.Any
|
|
// Rootfs mounts to perform to gain access to the container's filesystem
|
|
Rootfs []mount.Mount
|
|
// IO for the container's main process
|
|
IO IO
|
|
// Checkpoint digest to restore container state
|
|
Checkpoint string
|
|
// Mark this as a restore via a local checkpoint archive (most likely via CRI)
|
|
RestoreFromPath bool
|
|
// RuntimeOptions for the runtime
|
|
RuntimeOptions typeurl.Any
|
|
// TaskOptions received for the task
|
|
TaskOptions typeurl.Any
|
|
// Runtime name to use (e.g. `io.containerd.NAME.VERSION`).
|
|
// As an alternative full abs path to binary may be specified instead.
|
|
Runtime string
|
|
// SandboxID is an optional ID of sandbox this container belongs to
|
|
SandboxID string
|
|
// Address is an optional Address for Task API server
|
|
Address string
|
|
// Version is an optional Version of the Task API
|
|
Version uint32
|
|
}
|
|
|
|
// Exit information for a process
|
|
type Exit struct {
|
|
Pid uint32
|
|
Status uint32
|
|
Timestamp time.Time
|
|
}
|
|
|
|
// PlatformRuntime is responsible for the creation and management of
|
|
// tasks and processes for a platform.
|
|
type PlatformRuntime interface {
|
|
// ID of the runtime
|
|
ID() string
|
|
// Create creates a task with the provided id and options.
|
|
Create(ctx context.Context, taskID string, opts CreateOpts) (Task, error)
|
|
// Get returns a task.
|
|
Get(ctx context.Context, taskID string) (Task, error)
|
|
// Tasks returns all the current tasks for the runtime.
|
|
// Any container runs at most one task at a time.
|
|
Tasks(ctx context.Context, all bool) ([]Task, error)
|
|
// Delete remove a task.
|
|
Delete(ctx context.Context, taskID string) (*Exit, error)
|
|
}
|