cri-o · openshift-merge-robot · Aug 29, 2022 · Sep 15, 2020 · Dec 14, 2020 · Dec 14, 2020
@@ -11,6 +11,7 @@
 /bin/
 /test/bin2img/bin2img
 /test/checkseccomp/checkseccomp
+/test/checkcriu/checkcriu
 /test/copyimg/copyimg
 /build
 coverprofile

@@ -182,6 +182,9 @@ test/copyimg/copyimg: $(GO_FILES) .gopathok
 test/checkseccomp/checkseccomp: $(GO_FILES) .gopathok
 	$(GO_BUILD) $(GCFLAGS) $(GO_LDFLAGS) -tags "$(BUILDTAGS)" -o $@ $(PROJECT)/test/checkseccomp
 
+test/checkcriu/checkcriu: $(GO_FILES) .gopathok
+	$(GO_BUILD) $(GCFLAGS) $(GO_LDFLAGS) -tags "$(BUILDTAGS)" -o $@ $(PROJECT)/test/checkcriu
+
 bin/crio: $(GO_FILES) .gopathok
 	$(GO_BUILD) $(GCFLAGS) $(GO_LDFLAGS) -tags "$(BUILDTAGS)" -o $@ $(PROJECT)/cmd/crio
 
@@ -225,6 +228,7 @@ endif
 	$(MAKE) -C pinns clean
 	rm -f test/copyimg/copyimg
 	rm -f test/checkseccomp/checkseccomp
+	rm -f test/checkcriu/checkcriu
 	rm -rf ${BUILD_BIN_PATH}
 
 # the approach here, rather than this target depending on the build targets
@@ -382,7 +386,7 @@ localintegration: clean binaries test-binaries
 	./test/test_runner.sh ${TESTFLAGS}
 
 binaries: bin/crio bin/crio-status bin/pinns
-test-binaries: test/copyimg/copyimg test/checkseccomp/checkseccomp
+test-binaries: test/copyimg/copyimg test/checkseccomp/checkseccomp test/checkcriu/checkcriu
 
 MANPAGES_MD := $(wildcard docs/*.md)
 MANPAGES    := $(MANPAGES_MD:%.md=%)

@@ -44,6 +44,7 @@ h
 --default-ulimits
 --device-ownership-from-security-context
 --drop-infra-ctr
+--enable-criu-support
 --enable-metrics
 --enable-profile-unix-socket
 --enable-tracing

@@ -49,6 +49,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -f -l default-transport -r -d 'A
 complete -c crio -n '__fish_crio_no_subcommand' -f -l default-ulimits -r -d 'Ulimits to apply to containers by default (name=soft:hard) (default: [])'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l device-ownership-from-security-context -d 'Set devices\' uid/gid ownership from runAsUser/runAsGroup'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l drop-infra-ctr -d 'Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace (default: true)'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-criu-support -d 'Enable CRIU integration, requires that the criu binary is available in $PATH. (default: \'\')'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-metrics -d 'Enable metrics endpoint for the server on localhost:9090'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-profile-unix-socket -d 'Enable pprof profiler on crio unix domain socket'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l enable-tracing -d 'Enable OpenTelemetry trace data exporting'

@@ -51,6 +51,7 @@ it later with **--config**. Global options will modify the output.'
         '--default-ulimits'
         '--device-ownership-from-security-context'
         '--drop-infra-ctr'
+        '--enable-criu-support'
         '--enable-metrics'
         '--enable-profile-unix-socket'
         '--enable-tracing'

@@ -20,7 +20,7 @@
     - name: clone build and install cri-tools
       include: "build/cri-tools.yml"
       vars:
-        cri_tools_git_version: "v1.24.2"
+        cri_tools_git_version: "v1.25.0"
 
     - name: clone build and install kubernetes
       include: "build/kubernetes.yml"

@@ -42,7 +42,7 @@ dependencies:
       match: conmon
 
   - name: cri-tools
-    version: v1.24.2
+    version: v1.25.0
     refPaths:
     - path: scripts/versions
       match: cri-tools

@@ -42,6 +42,7 @@ crio
 [--default-ulimits]=[value]
 [--device-ownership-from-security-context]
 [--drop-infra-ctr]
+[--enable-criu-support]
 [--enable-metrics]
 [--enable-profile-unix-socket]
 [--enable-tracing]
@@ -206,6 +207,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--drop-infra-ctr**: Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace (default: true)
 
+**--enable-criu-support**: Enable CRIU integration, requires that the criu binary is available in $PATH. (default: '')
+
 **--enable-metrics**: Enable metrics endpoint for the server on localhost:9090
 
 **--enable-profile-unix-socket**: Enable pprof profiler on crio unix domain socket

@@ -283,6 +283,9 @@ the container runtime configuration.
 **device_ownership_from_security_context**=false
   Changes the default behavior of setting container devices uid/gid from CRI's SecurityContext (RunAsUser/RunAsGroup) instead of taking host's uid/gid.
 
+**enable_criu_support**=false
+  Enable CRIU integration, requires that the criu binary is available in $PATH. (default: false)
+
 ### CRIO.RUNTIME.RUNTIMES TABLE
 The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.  The runtime to use is picked based on the runtime handler provided by the CRI.  If no runtime handler is provided, the runtime will be picked based on the level of trust of the workload.
 

@@ -6,6 +6,8 @@ require (
 	github.com/BurntSushi/toml v1.2.0
 	github.com/Microsoft/go-winio v0.5.2
 	github.com/blang/semver/v4 v4.0.0
+	github.com/checkpoint-restore/checkpointctl v0.0.0-20220321135231-33f4a66335f0
+	github.com/checkpoint-restore/go-criu/v5 v5.3.0
 	github.com/container-orchestrated-devices/container-device-interface v0.5.0
 	github.com/containerd/cgroups v1.0.4
 	github.com/containerd/containerd v1.6.8
@@ -111,7 +113,6 @@ require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aws/aws-sdk-go v1.44.55 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.16.5 // indirect
@@ -136,8 +137,6 @@ require (
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/checkpoint-restore/checkpointctl v0.0.0-20220321135231-33f4a66335f0 // indirect
-	github.com/checkpoint-restore/go-criu/v5 v5.3.0 // indirect
 	github.com/cheggaaa/pb/v3 v3.0.8 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect

@@ -283,9 +283,8 @@ github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY
 github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE=
 github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20220418222510-f25a4f6275ed/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=

@@ -278,6 +278,9 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 	if ctx.IsSet("container-exits-dir") {
 		config.ContainerExitsDir = ctx.String("container-exits-dir")
 	}
+	if ctx.IsSet("enable-criu-support") {
+		config.EnableCriuSupport = ctx.Bool("enable-criu-support")
+	}
 	if ctx.IsSet("ctr-stop-timeout") {
 		config.CtrStopTimeout = ctx.Int64("ctr-stop-timeout")
 	}
@@ -1012,6 +1015,12 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			Usage:   "The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead.",
 			EnvVars: []string{"CONTAINER_STATS_COLLECTION_PERIOD"},
 		},
+		&cli.BoolFlag{
+			Name:    "enable-criu-support",
+			Usage:   "Enable CRIU integration, requires that the criu binary is available in $PATH. (default: '')",
+			EnvVars: []string{"CONTAINER_ENABLE_CRIU_SUPPORT"},
+			Value:   false,
+		},
 	}
 }
 

@@ -43,7 +43,9 @@ type Container interface {
 	SetConfig(*types.ContainerConfig, *types.PodSandboxConfig) error
 
 	// SetNameAndID sets a container name and ID
-	SetNameAndID() error
+	// It can either generate a new ID or use an existing ID
+	// if specified as parameter (for container restore)
+	SetNameAndID(string) error
 
 	// Config returns the container CRI configuration
 	Config() *types.ContainerConfig
@@ -84,6 +86,13 @@ type Container interface {
 	// it takes the sandbox's label, which it falls back upon
 	SelinuxLabel(string) ([]string, error)
 
+	// SetRestore marks the container as being restored from a checkpoint
+	SetRestore(bool)
+
+	// Restore returns if the container is marked as being
+	// restored from a checkpoint
+	Restore() bool
+
 	// spec functions
 
 	// returns the spec
@@ -128,6 +137,7 @@ type container struct {
 	id         string
 	name       string
 	privileged bool
+	restore    bool
 	spec       generate.Generator
 	pidns      nsmgr.Namespace
 }
@@ -306,7 +316,7 @@ func (c *container) SetConfig(cfg *types.ContainerConfig, sboxConfig *types.PodS
 }
 
 // SetNameAndID sets a container name and ID
-func (c *container) SetNameAndID() error {
+func (c *container) SetNameAndID(oldID string) error {
 	if c.config == nil {
 		return errors.New("config is not set")
 	}
@@ -319,7 +329,12 @@ func (c *container) SetNameAndID() error {
 		return errors.New("sandbox metadata is nil")
 	}
 
-	id := stringid.GenerateNonCryptoID()
+	var id string
+	if oldID == "" {
+		id = stringid.GenerateNonCryptoID()
+	} else {
+		id = oldID
+	}
 	name := strings.Join([]string{
 		"k8s",
 		c.config.Metadata.Name,
@@ -354,6 +369,17 @@ func (c *container) Name() string {
 	return c.name
 }
 
+// Restore returns if the container is marked as being
+// restored from a checkpoint
+func (c *container) Restore() bool {
+	return c.restore
+}
+
+// SetRestore marks the container as being restored from a checkpoint
+func (c *container) SetRestore(restore bool) {
+	c.restore = restore
+}
+
 // SetPrivileged sets the privileged bool for the container
 func (c *container) SetPrivileged() error {
 	if c.config == nil {

@@ -66,7 +66,7 @@ var _ = t.Describe("Container:LogPath", func() {
 
 		// When
 		Expect(sut.SetConfig(config, sboxConfig)).To(BeNil())
-		Expect(sut.SetNameAndID()).To(BeNil())
+		Expect(sut.SetNameAndID("")).To(BeNil())
 
 		// Then
 		logPath, err := sut.LogPath(providedLogDir)

@@ -27,7 +27,7 @@ var _ = t.Describe("Container:SetNameAndID", func() {
 		setupContainerWithMetadata(metadata)
 
 		// When
-		err := sut.SetNameAndID()
+		err := sut.SetNameAndID("")
 
 		// Then
 		Expect(err).To(BeNil())
@@ -37,13 +37,36 @@ var _ = t.Describe("Container:SetNameAndID", func() {
 		Expect(sut.Name()).To(ContainSubstring(uid))
 	})
 
+	It("should succeed with ID as paramater", func() {
+		// Given
+		const (
+			name      = "name"
+			namespace = "namespace"
+			uid       = "uid"
+		)
+		metadata := &types.PodSandboxMetadata{
+			Name: name, Uid: uid, Namespace: namespace,
+		}
+		setupContainerWithMetadata(metadata)
+
+		// When
+		err := sut.SetNameAndID("use-this-ID")
+
+		// Then
+		Expect(err).To(BeNil())
+		Expect(sut.ID()).To(Equal("use-this-ID"))
+		Expect(sut.Name()).To(ContainSubstring(name))
+		Expect(sut.Name()).To(ContainSubstring(namespace))
+		Expect(sut.Name()).To(ContainSubstring(uid))
+	})
+
 	It("should succeed with empty sandbox metadata", func() {
 		// Given
 		metadata := &types.PodSandboxMetadata{}
 		setupContainerWithMetadata(metadata)
 
 		// When
-		err := sut.SetNameAndID()
+		err := sut.SetNameAndID("")
 
 		// Then
 		Expect(err).To(BeNil())
@@ -55,7 +78,7 @@ var _ = t.Describe("Container:SetNameAndID", func() {
 		container, err := container.New()
 		Expect(err).To(BeNil())
 
-		err = container.SetNameAndID()
+		err = container.SetNameAndID("")
 
 		// Then
 		Expect(container).ToNot(BeNil())

@@ -253,6 +253,24 @@ var _ = t.Describe("Container", func() {
 			Expect(sut.ReadOnly(true)).To(Equal(true))
 		})
 	})
+	t.Describe("Restore", func() {
+		It("should not be restore by default", func() {
+			// Given
+			// When
+			// Then
+			Expect(sut.Restore()).To(BeFalse())
+		})
+		It("should be restore when specified", func() {
+			// Given
+			Expect(sut.Restore()).To(BeFalse())
+
+			// When
+			sut.SetRestore(true)
+
+			// Then
+			Expect(sut.Restore()).To(BeTrue())
+		})
+	})
 	t.Describe("SelinuxLabel", func() {
 		BeforeEach(func() {
 			config.Linux = &types.LinuxContainerConfig{