Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Container Migration and CRIU Details

Red Hat Livestreaming
June 30, 2020
Technology
0
220

Container Migration and CRIU Details

Join Adrian Reber, Red Hat, to get a detailed technical background on how Checkpoint/Restore In Userspace (CRIU) works and how CRIU enables container migration.

Red Hat Livestreaming

June 30, 2020
Tweet

More Decks by Red Hat Livestreaming

See All by Red Hat Livestreaming
What's New in OpenShift 4.15
redhatlivestreaming
1
5.4k
What's Next In OpenShift (Q4 2023)
redhatlivestreaming
2
7.8k
What's New in OpenShift 4.14
redhatlivestreaming
3
15k
APAC Hybrid Cloud KOPI Hour (E8) - Securing The Software Supply Chain
redhatlivestreaming
0
67
APAC Hybrid Cloud KOPI Hour (E6) - AI
redhatlivestreaming
0
63
APAC Hybrid Cloud Kopi Hours (E7) - Automation!
redhatlivestreaming
0
63
Instant multi-cloud: The art of the possible
redhatlivestreaming
0
65
Ask an OpenShift Admin (Ep 107) Red Hat OpenShift Data Science
redhatlivestreaming
2
130
Ask an OpenShift Admin (Ep 103) OpenShift Multi-Arch Support
redhatlivestreaming
2
150

Other Decks in Technology

See All in Technology
疲弊しない!AWSセキュリティ統制の考え方 #devio_osakaday1
masahirokawahara
6
5.9k
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.9k
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
350
Janus
bkuhlmann
1
490
Oracle Cloud Infrastructure:2024年4月度サービス・アップデート
oracle4engineer
PRO
1
120
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
Aurora MySQL v3(MySQL8.0互換)の オンラインDDLの罠挙動を全バージョンで検証した
yutakikai
1
150
SREとその組織類型
tatsuo48
8
1.5k
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.6k
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
150
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
3
840

Featured

See All Featured
Embracing the Ebb and Flow
colly
79
4.1k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Mythical Team-Month
searls
215
42k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Testing 201, or: Great Expectations
jmmastey
27
6.3k
Six Lessons from altMBA
skipperchong
20
3k
Infographics Made Easy
chrislema
237
18k
Done Done
chrislema
178
15k

Transcript

  1. Container Live Migration Adrian Reber 2020, June 30

  2. Red Hat Blog: Container migration with Podman on RHEL https://www.redhat.com/en/blog/container-migration-podman-rhel

    2

  3. Agenda Use cases Details Demos Future 3

  4. Definition: Container Live Migration 4

  5. Transfer Running Container 5

  6. Serialize on Source System 6

  7. Transfer to Destination System 7

  8. Checkpoint/Restore in Userspace CRIU 8

  9. Multiple Integrations Exist 9

  10. Use Cases 10

  11. Reboot and Save State 11

  12. Host Container 12

  13. Host Container 13

  14. Host Container 14

  15. Host Container 15

  16. Quick Startup 16

  17. Host Container 17

  18. Host Container Container 18

  19. Host Container Container Container Container 19

  20. Container Live Migration 20

  21. Source Container Destination 21

  22. Source Container Container Destination 22

  23. Source Container Container Destination Container Container 23

  24. CRIU 24

  25. First Step: Checkpointing 25

  26. Seize Process Using ptrace() 26

  27. Collect Details From /proc/<PID>/* 27

  28. Parasite Code 28

  29. Parasite Code Most favorite part 29

  30. Parasite Code And the craziest 30

  31. Parasite Code Injected into the process 31

  32. Parasite Code Daemon waiting for commands 32

  33. Parasite Code Removed after usage 33

  34. Checkpointed To Be Code Process Original 34

  35. Checkpointed To Be Code Process Original 35

  36. Checkpointed To Be Parasite Code Process Original 36

  37. Checkpointed To Be Code Process Original 37

  38. Checkpointing Finished 38

  39. Checkpointing Finished All relevant information written 39

  40. Checkpointing Finished Target process is killed 40

  41. Checkpointing Finished Or continues to run 41

  42. Container Live Migration SELinux Linux Security Summit EU 2019 https://sched.co/Tymj

    42

  43. 2015: CRIU LSM support 43

  44. During checkpointing Read /proc/PID/attr/current 44

  45. During restore Write /proc/PID/attr/current 45

  46. 1 if (!strstartswith(last, "unconfined_")) { 2 pr_err("Non unconfined selinux contexts

    not supported %s\n", last); 3 freecon(ctx); 4 return -1; 5 } 46

  47. • setsockcreatecon(3) for parasite daemon • Write to /proc/PID/attr/current •

    Allow dyntransition • Do not set context of threads • Allow writing to /proc/sys/kernel/ns_last_pid • Fix socket labels • Pre-create CRIU log files with appropriate labels • Fix file descriptor leaks 47

  48. Second/Last Step: Restoring 48

  49. Read Checkpoint Images 49

  50. clone() For Each PID/TID LPC: CRIU and the PID dance

    clone3() with Linux 5.5 https://linuxplumbersconf.org/event/4/contributions/472/ 50

  51. PID dance open() /proc/sys/kernel/ns_last_pid write() (PID - 1) to ns_last_pid

    close() ns_last_pid clone() getpid() 51

  52. Avoiding the PID dance (2010): eclone() https://lore.kernel.org/patchwork/patch/198220/ 52

  53. Avoiding the PID dance (2019): clone3() 53

  54. ”In general, clone3() is extensible and allows for the implementation

    of new features.” https://git.kernel.org/pub/scm/linux/kernel/git/ torvalds/linux.git/commit/?id=7f192e3cd316ba58c 54

  55. clone3() with set_tid 55

  56. 1 struct clone_args args = {0}; 2 pid_t *set_tid; 3

    set_tid[0] = 2020; 4 args.set_tid = set_tid; 5 args.set_tid_size = 1; 6 syscall(__NR_clone3 , args, sizeof(struct clone_args)); 56

  57. CRIU Morphs Itself Open and position file descriptors 57

  58. CRIU Morphs Itself Map memory pages 58

  59. CRIU Morphs Itself Load security settings 59

  60. CRIU Morphs Itself Jump into restored process 60

  61. Container Live Migration 61

  62. Container Live Migration OpenVZ 62

  63. Container Live Migration Borg 63

  64. Container Live Migration LXC/LXD 64

  65. Container Live Migration Docker 65

  66. Container Live Migration Podman 66

  67. Podman: daemonless 67

  68. Podman: rootless 68

  69. Podman: Checkpoint/Restore October 2018 69

  70. Podman: Checkpoint/Restore Required runc and CRIU changes 70

  71. Podman: Container Live Migration June 2019 71

  72. Podman: Container Live Migration Required runc, CRIU, SELinux changes 72

  73. Checkpoint includes File System Changes 73

  74. 1 # podman run --rm -d adrianreber/wildfly -hello 2 699f33eb7fecbc5bbb00400be0aa79c888dbc63a54cac7bd2eed836a57d8a68a

    3 # podman inspect -l --format "{{.NetworkSettings.IPAddress}}" 4 10.88.0.247 5 # curl 10.88.0.247:8080/helloworld/ 6 0 7 # curl 10.88.0.247:8080/helloworld/ 8 1 9 # podman container checkpoint -l --export=/tmp/chkpt.tar.gz 10 699f33eb7fecbc5bbb00400be0aa79c888dbc63a54cac7bd2eed836a57d8a68a 11 # scp /tmp/chkpt.tar.gz rhel08:/tmp 74

  75. 1 # podman container restore --import=/tmp/chkpt.tar.gz 2 699f33eb7fecbc5bbb00400be0aa79c888dbc63a54cac7bd2eed836a57d8a68a 3 #

    podman inspect -l --format "{{.NetworkSettings.IPAddress}}" 4 10.88.0.247 5 # curl 10.88.0.247:8080/helloworld/ 6 2 7 # curl 10.88.0.247:8080/helloworld/ 8 3 75

  76. 1 # podman container restore --import=/tmp/chkpt.tar.gz -n hello1 2 d02feeec894d77f66cc82484fe77ae369396a85f6d05594dc156c21e685942dd

    3 # podman container restore --import=/tmp/chkpt.tar.gz -n hello2 4 735efb4fee6961d3eee069beb28dde5cbc6fc46c1a32a43ecc993d04c02015b2 5 # podman inspect --format "{{.NetworkSettings.IPAddress}}" hello1 6 10.88.0.248 7 # podman inspect --format "{{.NetworkSettings.IPAddress}}" hello2 8 10.88.0.249 9 # curl 10.88.0.248:8080/helloworld/ 10 2 11 # curl 10.88.0.249:8080/helloworld/ 12 2 76

  77. Future: kubectl migrate 77

  78. Future: Non-root checkpoint/restore 78

  79. Summary • CRIU can checkpoint and restore containers • Integrated

    in different containers engines • Used in production • Reboot into new kernel without losing container state • Start multiple copies • Migrate running containers 79

  80. https://lisas.de/~adrian/container-live-migration-article.pdf https://asciinema.org/a/249922 https://asciinema.org/a/249918 https://lisas.de/~adrian/posts/2019-Apr-10-criu-and-selinux.html https://criu.org/Podman https://twitter.com/adrian__reber https://www.redhat.com/en/blog/container-migration-podman-rhel https://cfp.all-systems-go.io/ASG2019/talk/E88Z7V/ https://sched.co/Tymj https://linuxplumbersconf.org/event/4/contributions/472/

    80

  81. Thank you