Add container checkpoint support
Signed-off-by: tu1h <[email protected]>
0ekk committed Sep 25, 2023
1 parent c6ab640 commit 776dce3
Showing 6 changed files with 22 additions and 2 deletions.
2 changes: 2 additions & 0 deletions docs/vars.md
Expand Up @@ -272,6 +272,8 @@ node_taints:
* `audit_webhook_batch_max_size`: 100
* `audit_webhook_batch_max_wait`: 1s

* *container_checkpoint_enabled* - When set to `true`, enables the Checkpoint API on kubelet and container runtime(only cri-o yet). It's required to install [CRIU](https://criu.org/Installation) on the host when dumping checkpoints. You can follow the [documentation](https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/). **Note**: It's still in experimental stage, just for container analytics so far.

### Custom flags for Kube Components

For all kube components, custom flags can be passed in. This allows for edge cases where users need changes to the default deployment that may not be applicable to all deployments.
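Review bot: The new `container_checkpoint_enabled` entry says CRIU is required on the host but not who installs it; none of the hunks shown here installs CRIU, so the entry should state that the operator must install it before turning the flag on. Because the entry points at forensic checkpointing, it also deserves one sentence noting that a checkpoint archive contains the container's memory and can therefore hold secrets, so access to the kubelet Checkpoint API and to the archives on the node should be restricted. Minor: add a space before `(only cri-o yet)`.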
7 changes: 7 additions & 0 deletions roles/container-engine/cri-o/tasks/main.yaml
Expand Up @@ -175,6 +175,13 @@
notify: Restart crio
when: http_proxy is defined or https_proxy is defined

- name: Cri-o | write cri-o options drop-in
template:
src: options.conf.j2
dest: /etc/systemd/system/crio.service.d/options.conf
mode: 0644
notify: Restart crio

- name: Cri-o | configure the uid/gid space for user namespaces
lineinfile:
path: '{{ item.path }}'
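Review bot: The `Cri-o | write cri-o options drop-in` task has no `when:` condition, so it writes `options.conf` and notifies `Restart crio` on every host even when `container_checkpoint_enabled` is false; on an existing cluster that is a CRI-O restart for a file that only sets an empty variable. Guard the task with the flag (and remove the file when the flag is turned off), or render the file only when there is something to put in it. The hunk also does not show that `/etc/systemd/system/crio.service.d` exists when no proxy is configured, since the preceding task is conditional on `http_proxy`/`https_proxy`; please confirm the directory is created unconditionally. Style: quote the mode as `mode: "0644"`.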
2 changes: 2 additions & 0 deletions roles/container-engine/cri-o/templates/options.conf.j2
@@ -0,0 +1,2 @@
[Service]
Environment=CRIO_CONFIG_OPTIONS={% if container_checkpoint_enabled is defined and container_checkpoint_enabled %}--enable-criu-support=true{% endif %}
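Review bot: The `Environment=CRIO_CONFIG_OPTIONS=` line assigns the whole variable, so with the flag off it renders an empty assignment, and with it on there is no way to pass any other option through the same variable. It also only has an effect if the `crio.service` unit expands `$CRIO_CONFIG_OPTIONS` on its command line, which this change does not show. Consider setting `enable_criu_support = true` in CRI-O's own configuration file (`crio.conf`) instead, or build the value from a list variable so further options can be appended.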
Expand Up @@ -447,10 +447,13 @@ clusterDNS:
{% for dns_address in kubelet_cluster_dns %}
- {{ dns_address }}
{% endfor %}
{% if container_checkpoint_enabled is defined and container_checkpoint_enabled -%}
{% set kubelet_feature_gates = kubelet_feature_gates + ["ContainerCheckpoint=true"] -%}
{% endif -%}
{% if kubelet_feature_gates or kube_feature_gates %}
{% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
featureGates:
{% for feature in feature_gates %}
{% for feature in (feature_gates | unique) %}
{{ feature | replace("=", ": ") }}
{% endfor %}
{% endif %}
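Review bot: Appending to `kubelet_feature_gates` before the `default(kube_feature_gates, true)` fallback changes which list gets rendered: when `kubelet_feature_gates` is empty and checkpointing is enabled, the list becomes `["ContainerCheckpoint=true"]`, the fallback no longer triggers, and every gate in `kube_feature_gates` is silently dropped from the kubelet config. Resolve the effective list first and append afterwards, for example `{% set feature_gates = (kubelet_feature_gates | default(kube_feature_gates, true)) + ["ContainerCheckpoint=true"] %}`, and keep `unique` on the loop.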
Expand Up @@ -120,9 +120,12 @@ resolvConf: "{{ kube_resolv_conf }}"
{% if inventory_hostname in groups['kube_node'] and kubelet_node_config_extra_args %}
{{ kubelet_node_config_extra_args | to_nice_yaml(indent=2) }}
{% endif %}
{% if container_checkpoint_enabled is defined and container_checkpoint_enabled -%}
{% set kubelet_feature_gates = kubelet_feature_gates + ["ContainerCheckpoint=true"] -%}
{% endif -%}
{% if kubelet_feature_gates or kube_feature_gates %}
featureGates:
{% for feature in (kubelet_feature_gates | default(kube_feature_gates, true)) %}
{% for feature in (kubelet_feature_gates | default(kube_feature_gates, true) | unique) %}
{{ feature | replace("=", ": ") }}
{% endfor %}
{% endif %}
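Review bot: This block repeats the append-then-fallback logic from the other kubelet config template, so the same problem applies here: with an empty `kubelet_feature_gates` and checkpointing enabled, `kube_feature_gates` is never used. Rather than patching both templates, compute the effective kubelet gate list once (for example in the role defaults or a `set_fact`) and have both templates loop over it; that also removes the need for `unique` in two places.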
3 changes: 3 additions & 0 deletions roles/kubespray-defaults/defaults/main.yaml
Expand Up @@ -675,3 +675,6 @@ sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"

system_upgrade: false
system_upgrade_reboot: on-upgrade # never, always

# Forensic container checkpointing in Kubernetes. It's experimental so far. See [Checkpoint API](https://kubernetes.io/docs/reference/node/kubelet-checkpoint-api/)
container_checkpoint_enabled: false
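Review bot: With `container_checkpoint_enabled: false` defined here, the `is defined and container_checkpoint_enabled` tests in the templates are redundant, and they evaluate the value as a plain truthy test: a string such as `"false"` (which is what `-e container_checkpoint_enabled=false` produces) is non-empty and would turn the feature on. Use `container_checkpoint_enabled | bool` in the conditions. The comment also carries a Markdown link, which does not render in YAML; a bare URL reads better.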
