Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Container Migration and CRIU Details

Red Hat Livestreaming
June 30, 2020
Technology
0
250

Container Migration and CRIU Details

Join Adrian Reber, Red Hat, to get a detailed technical background on how Checkpoint/Restore In Userspace (CRIU) works and how CRIU enables container migration.

Red Hat Livestreaming

June 30, 2020
Tweet

More Decks by Red Hat Livestreaming

See All by Red Hat Livestreaming
What's New in OpenShift 4.17
redhatlivestreaming
1
4.3k
Ask an OpenShift Admin | Ep 135 | Using OpenShift Dynamic Plugins to support GitOps
redhatlivestreaming
2
110
Ask an OpenShift Admin | Ep 132 | Multi-Cluster Observability
redhatlivestreaming
2
180
What's New in OpenShift 4.16
redhatlivestreaming
3
13k
What's Next In OpenShift (Q2 2024)
redhatlivestreaming
1
15k
What's New in OpenShift 4.15
redhatlivestreaming
2
23k
What's Next In OpenShift (Q4 2023)
redhatlivestreaming
3
24k
What's New in OpenShift 4.14
redhatlivestreaming
4
33k
APAC Hybrid Cloud KOPI Hour (E8) - Securing The Software Supply Chain
redhatlivestreaming
0
100

Other Decks in Technology

See All in Technology
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
330
Terraform Stacks入門 #HashiTalks
msato
0
360
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
130
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
870
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
180
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110

Featured

See All Featured
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Code Reviewing Like a Champion
maltzj
520
39k
Agile that works and the tools we love
rasmusluckow
327
21k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Music & Morning Musume
bryan
46
6.2k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
GraphQLとの向き合い方2022年版
quramy
43
13k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k
Side Projects
sachag
452
42k
GitHub's CSS Performance
jonrohan
1030
460k
Statistics for Hackers
jakevdp
796
220k

Transcript

  1. Container Live Migration Adrian Reber 2020, June 30

  2. Red Hat Blog: Container migration with Podman on RHEL https://www.redhat.com/en/blog/container-migration-podman-rhel

    2

  3. Agenda Use cases Details Demos Future 3

  4. Definition: Container Live Migration 4

  5. Transfer Running Container 5

  6. Serialize on Source System 6

  7. Transfer to Destination System 7

  8. Checkpoint/Restore in Userspace CRIU 8

  9. Multiple Integrations Exist 9

  10. Use Cases 10

  11. Reboot and Save State 11

  12. Host Container 12

  13. Host Container 13

  14. Host Container 14

  15. Host Container 15

  16. Quick Startup 16

  17. Host Container 17

  18. Host Container Container 18

  19. Host Container Container Container Container 19

  20. Container Live Migration 20

  21. Source Container Destination 21

  22. Source Container Container Destination 22

  23. Source Container Container Destination Container Container 23

  24. CRIU 24

  25. First Step: Checkpointing 25

  26. Seize Process Using ptrace() 26

  27. Collect Details From /proc/<PID>/* 27

  28. Parasite Code 28

  29. Parasite Code Most favorite part 29

  30. Parasite Code And the craziest 30

  31. Parasite Code Injected into the process 31

  32. Parasite Code Daemon waiting for commands 32

  33. Parasite Code Removed after usage 33

  34. Checkpointed To Be Code Process Original 34

  35. Checkpointed To Be Code Process Original 35

  36. Checkpointed To Be Parasite Code Process Original 36

  37. Checkpointed To Be Code Process Original 37

  38. Checkpointing Finished 38

  39. Checkpointing Finished All relevant information written 39

  40. Checkpointing Finished Target process is killed 40

  41. Checkpointing Finished Or continues to run 41

  42. Container Live Migration SELinux Linux Security Summit EU 2019 https://sched.co/Tymj

    42

  43. 2015: CRIU LSM support 43

  44. During checkpointing Read /proc/PID/attr/current 44

  45. During restore Write /proc/PID/attr/current 45

  46. 1 if (!strstartswith(last, "unconfined_")) { 2 pr_err("Non unconfined selinux contexts

    not supported %s\n", last); 3 freecon(ctx); 4 return -1; 5 } 46

  47. • setsockcreatecon(3) for parasite daemon • Write to /proc/PID/attr/current •

    Allow dyntransition • Do not set context of threads • Allow writing to /proc/sys/kernel/ns_last_pid • Fix socket labels • Pre-create CRIU log files with appropriate labels • Fix file descriptor leaks 47

  48. Second/Last Step: Restoring 48

  49. Read Checkpoint Images 49

  50. clone() For Each PID/TID LPC: CRIU and the PID dance

    clone3() with Linux 5.5 https://linuxplumbersconf.org/event/4/contributions/472/ 50

  51. PID dance open() /proc/sys/kernel/ns_last_pid write() (PID - 1) to ns_last_pid

    close() ns_last_pid clone() getpid() 51

  52. Avoiding the PID dance (2010): eclone() https://lore.kernel.org/patchwork/patch/198220/ 52

  53. Avoiding the PID dance (2019): clone3() 53

  54. ”In general, clone3() is extensible and allows for the implementation

    of new features.” https://git.kernel.org/pub/scm/linux/kernel/git/ torvalds/linux.git/commit/?id=7f192e3cd316ba58c 54

  55. clone3() with set_tid 55

  56. 1 struct clone_args args = {0}; 2 pid_t *set_tid; 3

    set_tid[0] = 2020; 4 args.set_tid = set_tid; 5 args.set_tid_size = 1; 6 syscall(__NR_clone3 , args, sizeof(struct clone_args)); 56

  57. CRIU Morphs Itself Open and position file descriptors 57

  58. CRIU Morphs Itself Map memory pages 58

  59. CRIU Morphs Itself Load security settings 59

  60. CRIU Morphs Itself Jump into restored process 60

  61. Container Live Migration 61

  62. Container Live Migration OpenVZ 62

  63. Container Live Migration Borg 63

  64. Container Live Migration LXC/LXD 64

  65. Container Live Migration Docker 65

  66. Container Live Migration Podman 66

  67. Podman: daemonless 67

  68. Podman: rootless 68

  69. Podman: Checkpoint/Restore October 2018 69

  70. Podman: Checkpoint/Restore Required runc and CRIU changes 70

  71. Podman: Container Live Migration June 2019 71

  72. Podman: Container Live Migration Required runc, CRIU, SELinux changes 72

  73. Checkpoint includes File System Changes 73

  74. 1 # podman run --rm -d adrianreber/wildfly -hello 2 699f33eb7fecbc5bbb00400be0aa79c888dbc63a54cac7bd2eed836a57d8a68a

    3 # podman inspect -l --format "{{.NetworkSettings.IPAddress}}" 4 10.88.0.247 5 # curl 10.88.0.247:8080/helloworld/ 6 0 7 # curl 10.88.0.247:8080/helloworld/ 8 1 9 # podman container checkpoint -l --export=/tmp/chkpt.tar.gz 10 699f33eb7fecbc5bbb00400be0aa79c888dbc63a54cac7bd2eed836a57d8a68a 11 # scp /tmp/chkpt.tar.gz rhel08:/tmp 74

  75. 1 # podman container restore --import=/tmp/chkpt.tar.gz 2 699f33eb7fecbc5bbb00400be0aa79c888dbc63a54cac7bd2eed836a57d8a68a 3 #

    podman inspect -l --format "{{.NetworkSettings.IPAddress}}" 4 10.88.0.247 5 # curl 10.88.0.247:8080/helloworld/ 6 2 7 # curl 10.88.0.247:8080/helloworld/ 8 3 75

  76. 1 # podman container restore --import=/tmp/chkpt.tar.gz -n hello1 2 d02feeec894d77f66cc82484fe77ae369396a85f6d05594dc156c21e685942dd

    3 # podman container restore --import=/tmp/chkpt.tar.gz -n hello2 4 735efb4fee6961d3eee069beb28dde5cbc6fc46c1a32a43ecc993d04c02015b2 5 # podman inspect --format "{{.NetworkSettings.IPAddress}}" hello1 6 10.88.0.248 7 # podman inspect --format "{{.NetworkSettings.IPAddress}}" hello2 8 10.88.0.249 9 # curl 10.88.0.248:8080/helloworld/ 10 2 11 # curl 10.88.0.249:8080/helloworld/ 12 2 76

  77. Future: kubectl migrate 77

  78. Future: Non-root checkpoint/restore 78

  79. Summary • CRIU can checkpoint and restore containers • Integrated

    in different containers engines • Used in production • Reboot into new kernel without losing container state • Start multiple copies • Migrate running containers 79

  80. https://lisas.de/~adrian/container-live-migration-article.pdf https://asciinema.org/a/249922 https://asciinema.org/a/249918 https://lisas.de/~adrian/posts/2019-Apr-10-criu-and-selinux.html https://criu.org/Podman https://twitter.com/adrian__reber https://www.redhat.com/en/blog/container-migration-podman-rhel https://cfp.all-systems-go.io/ASG2019/talk/E88Z7V/ https://sched.co/Tymj https://linuxplumbersconf.org/event/4/contributions/472/

    80

  81. Thank you