Podman

Revision as of 16:36, 19 November 2024 by Radostin (talk | contribs) (Add note about root containers)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This article provides an overview of CRIU integration with Podman and explains how to use it. For more detailed information on the available Podman options, please refer to the documentation and man pages.

Note.svg Note: Podman checkpoint/restore currently supports only root containers. Therefore, you have to run the example container as root.

Container Checkpoint/RestoreEdit

Podman supports checkpointing and restoring since version 0.10.1 (October 2018). This initial support only supports checkpointing and restoring containers on the same host:

$ sudo podman run -d --name looper busybox /bin/sh -c \
         'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'

You can verify that the container is running by observing its logs:

$ sudo podman logs -l

Or by running podman ps.

If you do this a few times you will notice that the integers are increasing. Now the container can be checkpointed:

$ sudo podman container checkpoint -l

Once the container is checkpointed it will be no longer visible in podman ps.

The following command can be used to restore the container:

$ sudo podman container restore -l

Using podman logs -l or podman ps it can be verified that the container was restored and that it continued running from the point in time when it was checkpointed.

This requires at least CRIU 3.11.

There is one recording demonstrating Podman's checkpoint/restore support:

Container Live MigrationEdit

To be actually able to migrate a container from one system to another at least Podman version 1.4.0 (June 2019) is required. With version 1.4.0 Podman is now able to export a complete checkpoint which can then be transferred:

$ sudo podman run -d --name looper busybox /bin/sh -c \
         'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
$ sudo podman container checkpoint -l --export=/tmp/chkpt.tar.gz
$ sudo scp /tmp/chkpt.tar.gz <destination-host>:/tmp

Once the checkpoint archive has been transferred to the destination system the container can there be restored from the checkpoint archive:

$ sudo podman container restore --import=/tmp/chkpt.tar.gz

Now the container continues to run from the same point where it was previously checkpointed on the source system.

From a checkpoint archive it is also possible to restore multiple copies of a container with different names:

$ sudo podman container restore --import=/tmp/chkpt.tar.gz -n looper1
$ sudo podman container restore --import=/tmp/chkpt.tar.gz -n looper2
$ sudo podman container restore --import=/tmp/chkpt.tar.gz -n looper3

Each of these restored containers will be running from the point in time the container was checkpointed.

This requires at least CRIU 3.12 (3.13 for full SELinux support).

There are two recordings demonstrating Podman's container migration feature:

Checkpoint ImagesEdit

In addition to the standard checkpoint/restore functionality described above, Podman supports checkpoint images to enable container migration across multiple systems with standard image distribution infrastructure (container registry).

A checkpoint image can be created with the --create-image <image> option podman container checkpoint. This option instructs Podman to create a standard OCI container image with a single layer that contains all checkpoint files.

Example:

$ sudo podman run -d --name looper busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
$ sudo podman container checkpoint --create-image checkpoint-image-1 looper

You can verify that the image has been created as follows:

$ sudo podman image ls

You can restore a container from checkpoint image as follows:

$ sudo podman container restore <image>

Example:

$ sudo podman container restore checkpoint-image-1

Note that creating a checkpoint would not remove the container and it is not possible to have two containers with the same name. Thus, it might be necessary to restore the container with a different name:

$ sudo podman container restore --name looper-2 checkpoint-image-1

Or to remove the existing container before restore:

$ sudo podman rm looper

A checkpoint image can be pushed to a container registry:

$ sudo podman login quay.io 
$ sudo podman container checkpoint --create-image quay.io/<username>/<reponame> looper
$ sudo podman push quay.io/<username>/<reponame>

The content of the image layer is in the same format as a checkpoint archive created with the --export option. This allows to be exported locally with podman image save and restored with the --import option.

In addition, checkpoint images can be inspected with podman inspect. Inspecting a checkpoint image would display additional information, stored as annotations, about the host environment used to do the checkpoint.

And pulled and restored on a different system:

$ sudo podman pull quay.io/<username>/<reponame>
$ sudo podman container restore quay.io/<username>/<reponame>

Restoring multiple containers at the same time can be achieved as follows:

$ sudo podman run -d --name looper-1 busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
$ sudo podman run -d --name looper-2 busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
$ sudo podman container checkpoint --create-image checkpoint-1 looper-1
$ sudo podman container checkpoint --create-image checkpoint-2 looper-2
$ sudo podman rm looper-1 looper-2
$ sudo podman container restore checkpoint-1 checkpoint-2