Add support to migrate containers#2272
Add support to migrate containers#2272openshift-merge-robot merged 9 commits intocontainers:masterfrom
Conversation
331cae2 to
4d3fa26
Compare
|
The restore of a looper example fails for me. Still investigating why... |
|
/retest |
Are you using |
Yes, I installed
I followed these steps to create, checkpoint, and restore a container: Even though the restore has failed in the last step, a looper container is still created (with status |
|
@rst0git This is the same bug as in my runc pull request except that it is also true for non-bind mount mountpoints. It seems runc just creates all missing mountpoints even for read-only root filesystems. If you use a container image which includes all required mountpoints (in this case /run /proc /sys are missing) it should work. I will update my runc PR to handle also missing non-bind mount mountpoints. |
|
@mheon Thanks for the review. At first I was unsure if I can do all the necessary changes, but now, after I have thought about it, I think I can actually do everything you suggested and the result will be better. I hope. So thanks for pointing it out. |
|
/retest |
|
The checkpoint directory and the container definition (spec, config, network). No filesystem (yet). I was thinking about doing an automatic commit of the highest layer and including it also. But right now it is only the output of CRIU and some json files. |
74ab7b8 to
0ba0da7
Compare
|
@mheon I tried to rework my changes to the newContainer() function. There is now a RestoreContainer() function. Please have a look if this is now a better approach. |
|
All CI errors are the expected errors as long as the necessary runc patches have not been merged. |
|
I'll do a more thorough review tomorrow, but I'm generally in favor of the way NewContainer was split up. Still a little iffy on copying over the OCI config... I need to check, but there shouldn't be much in there that isn't deterministically generated, so it might not be necessary. We do need to make sure that the ContainerConfig we copied over makes sense before we use it - if the container is in a pod, we need a pod with the same ID present on the remote host, and the same holds for named volumes. We might want to make a generic sanity checker for ContainerConfig that we can use for both NewContainer and this. |
|
☔ The latest upstream changes (presumably #2252) made this pull request unmergeable. Please resolve the merge conflicts. |
0ba0da7 to
af784d5
Compare
|
Nothing here and tests seem happy 😄 |
|
@mheon PTAL |
|
@mheon any more comments on this PR? |
|
Sorry, been distracted by other things. Let me do a final review. |
|
Few things, but overall looks solid. |
|
@mheon , thanks a lot. I will add the checks for named volumes and dependencies and re-push. |
Signed-off-by: Adrian Reber <areber@redhat.com>
This adds a couple of function in structure members needed in the next commit to make container migration actually work. This just splits of the function which are not modifying existing code. Signed-off-by: Adrian Reber <areber@redhat.com>
This commit adds an option to the checkpoint command to export a checkpoint into a tar.gz file as well as importing a checkpoint tar.gz file during restore. With all checkpoint artifacts in one file it is possible to easily transfer a checkpoint and thus enabling container migration in Podman. With the following steps it is possible to migrate a running container from one system (source) to another (destination). Source system: * podman container checkpoint -l -e /tmp/checkpoint.tar.gz * scp /tmp/checkpoint.tar.gz destination:/tmp Destination system: * podman pull 'container-image-as-on-source-system' * podman container restore -i /tmp/checkpoint.tar.gz The exported tar.gz file contains the checkpoint image as created by CRIU and a few additional JSON files describing the state of the checkpointed container. Now the container is running on the destination system with the same state just as during checkpointing. If the container is kept running on the source system with the checkpoint flag '-R', the result will be that the same container is running on two different hosts. Signed-off-by: Adrian Reber <areber@redhat.com>
The difference between container checkpoint/restore and container
migration is that for migration the container which was checkpointed
must not exist during restore. To simulate migration the container
is remove ('podman rm -fa') before being restored. The migration test
does following steps:
* podman run
* podman container checkpoint -l -e /tmp/checkpoint.tar.gz
* podman rm -fa
* podman container restore -i /tmp/checkpoint.tar.gz
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
If restoring a container from a checkpoint it was necessary that the image the container is based was already available (podman pull). This commit adds the image download to podman container restore if it does not exist. Signed-off-by: Adrian Reber <areber@redhat.com>
|
I think I was able to implememt all the changes from the latest review, let's see if the tests still pass. |
The option to restore a container from an external checkpoint archive (podman container restore -i /tmp/checkpoint.tar.gz) restores a container with the same name and same ID as id had before checkpointing. This commit adds the option '--name,-n' to 'podman container restore'. With this option the restored container gets the name specified after '--name,-n' and a new ID. This way it is possible to restore one container multiple times. If a container is restored with a new name Podman will not try to request the same IP address for the container as it had during checkpointing. This implicitly assumes that if a container is restored from a checkpoint archive with a different name, that it will be restored multiple times and restoring a container multiple times with the same IP address will fail as each IP address can only be used once. Signed-off-by: Adrian Reber <areber@redhat.com>
|
All tests green again (after a few retries). |
|
Any further comments regarding this PR? |
|
Sorry, we've been in a bit of a rush trying to get the recent CVE patched. I'm good to merge with one more LGTM |
|
/lgtm |
|
Thanks everyone for the reviews and the patience getting this merged. |
| // a container from one host to another | ||
| It("podman checkpoint container with export (migration)", func() { | ||
| // CRIU does not work with seccomp correctly on RHEL7 | ||
| session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "seccomp=unconfined", "-d", ALPINE, "top"}) |
There was a problem hiding this comment.
Hi @adrianreber, I was wondering what is the reason for seccomp=unconfined, is there a GitHub issue for it?
There was a problem hiding this comment.
@rst0git : This is a RHEL7 - CRIU limitation. CRIU cannot handle seccomp with the RHEL7 kernel. I never really tried to understand why it does not work, but is does not work on the RHEL7 kernel. I was using RHEL7 as a development platform initially, that is why I worked around the seccomp limitations there. Not sure it is necessary to fix it.
There was a problem hiding this comment.
Thank you for the explanation Adrian! I was curious because the seccomp support seems to work on Fedora.
This series adds container migration support to Podman.
The basic steps to migrate containers are:
For the newly added test to work an updated runc is required, which is still under review: opencontainers/runc#1968
Tries to solve: #1618
This PR includes the actual code, man-pages, bash-completion, tests, tutorial update.
Once this is merged I would also like to publish a related article on podman.io.