Podman

Revision as of 12:55, 1 May 2022 by Radostin

This article describes the status of CRIU integration with Podman, and how to use it.

Container Checkpoint/Restore

Podman has supported checkpointing and restoring containers since version 0.10.1 (October 2018). This initial support only covers checkpointing and restoring containers on the same host:

# podman run -d --name looper busybox /bin/sh -c \
         'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'

You can verify that the container is running by observing its logs:

# podman logs -l

Or by running podman ps.

If you do this a few times you will notice that the integers are increasing. Now the container can be checkpointed:

# podman container checkpoint -l

Once the container is checkpointed, it will no longer be visible in podman ps.

The following command can be used to restore the container:

# podman container restore -l

Using podman logs -l or podman ps it can be verified that the container was restored and that it continued running from the point in time when it was checkpointed.

This requires at least CRIU 3.11.

There is one recording demonstrating Podman's checkpoint/restore support:

Container Live Migration

To actually migrate a container from one system to another, at least Podman version 1.4.0 (June 2019) is required. Starting with version 1.4.0, Podman can export a complete checkpoint archive, which can then be transferred:

# podman run -d --name looper busybox /bin/sh -c \
         'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
# podman container checkpoint -l --export=/tmp/chkpt.tar.gz
# scp /tmp/chkpt.tar.gz <destination-host>:/tmp

Once the checkpoint archive has been transferred to the destination system, the container can be restored there from the checkpoint archive:

# podman container restore --import=/tmp/chkpt.tar.gz

Now the container continues to run from the same point where it was previously checkpointed on the source system.
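An added example (not from the original page or from Podman): a pre-import check for the destination host that compares the transferred archive against the SHA-256 digest recorded on the source host and rejects archives whose member paths are absolute or contain "..". The function names and the out-of-band digest hand-off are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for a Podman checkpoint archive.
# Function names and the digest hand-off are assumptions, not Podman features.

# Read member names (one per line) on stdin and print those that are
# absolute or contain a ".." path component. Returns 0 if none were found.
unsafe_members() {
    local name bad
    bad=0
    while IFS= read -r name; do
        case "/$name/" in
            //*|*/../*) printf '%s\n' "$name"; bad=1 ;;
        esac
    done
    return "$bad"
}

# verify_checkpoint_archive ARCHIVE EXPECTED_SHA256
# Returns 0 only if the digest matches and every member path is safe.
verify_checkpoint_archive() {
    local archive expected actual listing
    archive=$1
    expected=$2
    [ -f "$archive" ] || { echo "missing: $archive" >&2; return 2; }
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $archive" >&2
        return 1
    fi
    # A truncated or corrupt archive fails here, before any restore.
    listing=$(tar -tzf "$archive") && [ -n "$listing" ] ||
        { echo "unreadable or empty archive: $archive" >&2; return 1; }
    if ! printf '%s\n' "$listing" | unsafe_members >&2; then
        echo "unsafe member path in $archive" >&2
        return 1
    fi
}

# Source host:  sha256sum /tmp/chkpt.tar.gz    (pass the digest out of band)
# Destination:  verify_checkpoint_archive /tmp/chkpt.tar.gz "$digest" &&
#                   podman container restore --import=/tmp/chkpt.tar.gz
```

The checkpoint archive holds the memory contents of the checkpointed processes, so it should be stored and transferred with the same care as any secrets the container had loaded.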

From a checkpoint archive it is also possible to restore multiple copies of a container with different names:

# podman container restore --import=/tmp/chkpt.tar.gz -n looper1
# podman container restore --import=/tmp/chkpt.tar.gz -n looper2
# podman container restore --import=/tmp/chkpt.tar.gz -n looper3

Each of these restored containers will be running from the point in time the container was checkpointed.

This requires at least CRIU 3.12 (3.13 for full SELinux support).

There are two recordings demonstrating Podman's container migration feature:

Checkpoint Images

In addition to the standard checkpoint/restore functionality described above, Podman supports checkpoint images to enable container migration across multiple systems with standard image distribution infrastructure (container registry).

A checkpoint image can be created with the --create-image <image> option of podman container checkpoint. This option instructs Podman to create a standard OCI container image with a single layer that contains all checkpoint files.

Example:

# podman run -d --name looper busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
# podman container checkpoint --create-image checkpoint-image-1 looper

You can verify that the image has been created as follows:

# podman image ls

You can restore a container from a checkpoint image as follows:

# podman container restore <image>

Example:

# podman container restore checkpoint-image-1

Note that creating a checkpoint does not remove the container, and it is not possible to have two containers with the same name. Thus, it might be necessary to restore the container with a different name:

# podman container restore --name looper-2 checkpoint-image-1

Or to remove the existing container before restore:

# podman rm looper

A checkpoint image can be pushed to a container registry:

# podman login quay.io 
# podman container checkpoint --create-image quay.io/rst0git/checkpoint-image-test-1 looper
# podman push quay.io/rst0git/checkpoint-image-test-1

The content of the image layer is in the same format as a checkpoint archive created with the --export option. This allows a checkpoint image to be exported locally with podman image save and restored with the --import option.

In addition, checkpoint images can be inspected with podman inspect. Inspecting a checkpoint image displays additional information, stored as annotations, about the host environment used to do the checkpoint.

A checkpoint image pushed to a registry can then be pulled, restored and inspected on a different system:

# podman pull quay.io/rst0git/checkpoint-image-test-1
# podman container restore quay.io/rst0git/checkpoint-image-test-1
# podman inspect quay.io/rst0git/checkpoint-image-test-1

Restoring multiple containers at the same time can be achieved as follows:

# podman run -d --name looper-1 busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
# podman run -d --name looper-2 busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
# podman container checkpoint --create-image checkpoint-1 looper-1
# podman container checkpoint --create-image checkpoint-2 looper-2
# podman rm looper-1 looper-2
# podman container restore checkpoint-1 checkpoint-2