feat: implement migrating upper container layer

this is a very basic implementation of migrating the containers
ephemeral storage during migration. It only supports the overlay
snapshotter. It simply finds the upper layer by looking at
/proc/*/mounts and then renames all paths in the upper layer into
the snapshot directory before evac. On restore we do the reverse.
This works okay for a first iteration but there may be many
edge-cases and potential performance improvements. Especially the
image pulling over TTRPC could be improved.

Author: ctrox

README.md

@@ -354,6 +354,17 @@ to be enabled in the host kernel (`CONFIG_USERFAULTFD`).
 zeropod.ctrox.dev/live-migrate: "nginx"
 ```
 
+### `zeropod.ctrox.dev/disbale-migrate-data`
+
+When migrating a pod (regardless of live or scaled down), data that has been
+written to the containers file system will be copied over. This is done by
+copying the upper layer of the container overlayfs. Enabled by default but can
+be disabled with this annotation.
+
+```yaml
+zeropod.ctrox.dev/disbale-migrate-data: "true"
+```
+
 ### `io.containerd.runc.v2.group`
 
 It's possible to reduce the resource usage further by grouping multiple pods

api/node/v1/meta.go

@@ -8,6 +8,7 @@ const (
 	SocketPath               = runPath + "node.sock"
 	imagesPath               = varPath + "i/"
 	SnapshotSuffix           = "snapshot"
+	UpperSuffix              = "upper"
 	WorkDirSuffix            = "work"
 	MigrateAnnotationKey     = "zeropod.ctrox.dev/migrate"
 	LiveMigrateAnnotationKey = "zeropod.ctrox.dev/live-migrate"
@@ -28,6 +29,10 @@ func SnapshotPath(id string) string {
 	return filepath.Join(ImagePath(id), SnapshotSuffix)
 }
 
+func UpperPath(id string) string {
+	return filepath.Join(ImagePath(id), SnapshotSuffix, UpperSuffix)
+}
+
 func LazyPagesSocket(id string) string {
 	return filepath.Join(runPath, id+".sock")
 }

cmd/freezer/Dockerfile

@@ -10,6 +10,6 @@ COPY cmd/freezer cmd/freezer
 ARG TARGETARCH
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -ldflags "-s -w" -a -o freezer cmd/freezer/main.go
 
-FROM gcr.io/distroless/static-debian12
+FROM gcr.io/distroless/static-debian12:debug
 COPY --from=builder /workspace/freezer /
 ENTRYPOINT ["/freezer"]

cmd/freezer/main.go

@@ -1,13 +1,16 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"io"
 	"log/slog"
 	"math/rand/v2"
+	"net"
 	"net/http"
+	"os"
 	"time"
 )
 
@@ -68,7 +71,16 @@ func main() {
 		fmt.Fprintf(w, "%s", freezeJSON)
 	})
 
-	go http.ListenAndServe(":8080", nil)
+	lc := net.ListenConfig{}
+	// disable multipath TCP for now since it's not supported by CRIU
+	lc.SetMultipathTCP(false)
+
+	ln, err := lc.Listen(context.Background(), "tcp", ":8080")
+	if err != nil {
+		slog.Error("tcp listen", "err", err)
+		os.Exit(1)
+	}
+	go http.Serve(ln, nil)
 	for {
 		since := time.Since(f.LastObservation)
 		if since > time.Millisecond*50 {

cmd/installer/main.go

@@ -86,6 +86,7 @@ network-lock skip
     "zeropod.ctrox.dev/live-migrate",
     "zeropod.ctrox.dev/disable-probe-detection",
     "zeropod.ctrox.dev/probe-buffer-size",
+    "zeropod.ctrox.dev/disable-migrate-data",
     "io.containerd.runc.v2.group"
   ]
 
@@ -108,6 +109,7 @@ network-lock skip
     "zeropod.ctrox.dev/live-migrate",
     "zeropod.ctrox.dev/disable-probe-detection",
     "zeropod.ctrox.dev/probe-buffer-size",
+    "zeropod.ctrox.dev/disable-migrate-data",
     "io.containerd.runc.v2.group"
   ]
 

e2e/migration_test.go

@@ -2,6 +2,7 @@ package e2e
 
 import (
 	"context"
+	"fmt"
 	"path"
 	"testing"
 	"time"
@@ -23,13 +24,14 @@ func TestMigration(t *testing.T) {
 	ctx := context.Background()
 
 	type testCase struct {
-		deploy          *appsv1.Deployment
-		svc             *corev1.Service
-		sameNode        bool
-		migrationCount  int
-		liveMigration   bool
-		beforeMigration func(t *testing.T)
-		afterMigration  func(t *testing.T)
+		deploy                *appsv1.Deployment
+		svc                   *corev1.Service
+		sameNode              bool
+		migrationCount        int
+		liveMigration         bool
+		expectDataNotMigrated bool
+		beforeMigration       func(t *testing.T)
+		afterMigration        func(t *testing.T)
 	}
 	cases := map[string]testCase{
 		"same-node live migration": {
@@ -74,7 +76,7 @@ func TestMigration(t *testing.T) {
 	}
 
 	migrate := func(t *testing.T, ctx context.Context, e2e *e2eConfig, tc testCase) {
-		pods := podsOfDeployment(t, ctx, e2e.client, tc.deploy)
+		pods := podsOfDeployment(t, e2e.client, tc.deploy)
 		if len(pods) < 1 {
 			t.Fatal("expected at least one pod in the deployment")
 		}
@@ -90,7 +92,7 @@ func TestMigration(t *testing.T) {
 
 		assert.NoError(t, e2e.client.Delete(ctx, &pod))
 		assert.Eventually(t, func() bool {
-			pods := podsOfDeployment(t, ctx, e2e.client, tc.deploy)
+			pods := podsOfDeployment(t, e2e.client, tc.deploy)
 			if len(pods) != 1 {
 				return false
 			}
@@ -132,6 +134,8 @@ func TestMigration(t *testing.T) {
 
 			for range tc.migrationCount {
 				tc.beforeMigration(t)
+				_, _, err := podExec(e2e.cfg, migrationPod(t, tc.deploy), fmt.Sprintf("echo %s > /containerdata", t.Name()))
+				assert.NoError(t, err)
 				checkCtx, cancel := context.WithCancel(ctx)
 				defer cancel()
 				if tc.liveMigration {
@@ -143,11 +147,26 @@ func TestMigration(t *testing.T) {
 				migrate(t, ctx, e2e, tc)
 				cancel()
 				tc.afterMigration(t)
+				data, _, err := podExec(e2e.cfg, migrationPod(t, tc.deploy), "cat /containerdata")
+				if tc.expectDataNotMigrated {
+					assert.Error(t, err)
+				} else {
+					assert.NoError(t, err)
+					assert.Equal(t, t.Name(), data)
+				}
 			}
 		})
 	}
 }
 
+func migrationPod(t testing.TB, deploy *appsv1.Deployment) *corev1.Pod {
+	pods := podsOfDeployment(t, e2e.client, deploy)
+	if len(pods) != 1 {
+		t.Errorf("pod of deployment %s not found", deploy.Name)
+	}
+	return &pods[0]
+}
+
 func defaultBeforeMigration(t *testing.T) {
 	assert.Eventually(t, func() bool {
 		if err := freezerWrite(t.Name(), e2e.port); err != nil {
@@ -172,7 +191,7 @@ func defaultAfterMigration(t *testing.T) {
 func nonLiveBeforeMigration(t *testing.T) {
 	defaultBeforeMigration(t)
 	require.Eventually(t, func() bool {
-		pods := podsOfDeployment(t, context.Background(), e2e.client, freezerDeployment("same-node-migration", "default", 1))
+		pods := podsOfDeployment(t, e2e.client, freezerDeployment("same-node-migration", "default", 1))
 		if len(pods) == 0 {
 			return false
 		}
@@ -182,7 +201,7 @@ func nonLiveBeforeMigration(t *testing.T) {
 
 func nonLiveAfterMigration(t *testing.T) {
 	require.Never(t, func() bool {
-		pods := podsOfDeployment(t, context.Background(), e2e.client, freezerDeployment("same-node-migration", "default", 1))
+		pods := podsOfDeployment(t, e2e.client, freezerDeployment("same-node-migration", "default", 1))
 		if len(pods) == 0 {
 			return true
 		}

e2e/setup_test.go

@@ -605,9 +605,9 @@ func createDeployAndWait(t testing.TB, ctx context.Context, c client.Client, dep
 	}
 }
 
-func podsOfDeployment(t testing.TB, ctx context.Context, c client.Client, deploy *appsv1.Deployment) []corev1.Pod {
+func podsOfDeployment(t testing.TB, c client.Client, deploy *appsv1.Deployment) []corev1.Pod {
 	podList := &corev1.PodList{}
-	if err := c.List(ctx, podList, client.MatchingLabels(deploy.Spec.Selector.MatchLabels)); err != nil {
+	if err := c.List(t.Context(), podList, client.MatchingLabels(deploy.Spec.Selector.MatchLabels)); err != nil {
 		t.Error(err)
 	}
 
@@ -719,7 +719,7 @@ func podExec(cfg *rest.Config, pod *corev1.Pod, command string) (string, string,
 		Name(pod.Name).
 		SubResource("exec").
 		VersionedParams(&corev1.PodExecOptions{
-			Command: []string{"/bin/sh", "-c", command},
+			Command: []string{"sh", "-c", command},
 			Stdin:   false,
 			Stdout:  true,
 			Stderr:  true,

go.mod

@@ -1,6 +1,6 @@
 module github.com/ctrox/zeropod
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0

shim/config.go

@@ -25,6 +25,7 @@ const (
 	LiveMigrateAnnotationKey         = "zeropod.ctrox.dev/live-migrate"
 	DisableProbeDetectAnnotationKey  = "zeropod.ctrox.dev/disable-probe-detection"
 	ProbeBufferSizeAnnotationKey     = "zeropod.ctrox.dev/probe-buffer-size"
+	DisableMigrateDataAnnotationKey  = "zeropod.ctrox.dev/disable-migrate-data"
 	CRIContainerNameAnnotation       = "io.kubernetes.cri.container-name"
 	CRIContainerTypeAnnotation       = "io.kubernetes.cri.container-type"
 	CRIPodNameAnnotation             = "io.kubernetes.cri.sandbox-name"
@@ -55,6 +56,7 @@ type Config struct {
 	ContainerdNamespace   string
 	DisableProbeDetection bool
 	ProbeBufferSize       int
+	DisableMigrateData    bool
 	spec                  *specs.Spec
 }
 
@@ -157,6 +159,15 @@ func NewConfig(ctx context.Context, spec *specs.Spec) (*Config, error) {
 		}
 	}
 
+	disableMigrateDataValue := spec.Annotations[DisableMigrateDataAnnotationKey]
+	disableMigrateData := false
+	if disableMigrateDataValue != "" {
+		disableMigrateData, err = strconv.ParseBool(disableMigrateDataValue)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &Config{
 		Ports:                 containerPorts,
 		ScaleDownDuration:     dur,
@@ -173,6 +184,7 @@ func NewConfig(ctx context.Context, spec *specs.Spec) (*Config, error) {
 		ContainerdNamespace:   ns,
 		DisableProbeDetection: disableProbeDetection,
 		ProbeBufferSize:       probeBufferSize,
+		DisableMigrateData:    disableMigrateData,
 		spec:                  spec,
 	}, nil
 }

shim/evac.go

@@ -2,18 +2,21 @@ package shim
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/containerd/containerd/v2/cmd/containerd-shim-runc-v2/process"
 	runcC "github.com/containerd/go-runc"
 	"github.com/containerd/log"
 	"github.com/containerd/ttrpc"
 	nodev1 "github.com/ctrox/zeropod/api/node/v1"
+	"github.com/prometheus/procfs"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
@@ -139,6 +142,8 @@ func (c *Container) evac(ctx context.Context) error {
 			return fmt.Errorf("failed checkpointing: %w", err)
 		case <-lazyStarted:
 			log.G(ctx).Info("successful started lazy checkpointing")
+			c.prepareMigrateData(ctx)
+
 			log.G(ctx).Infof("making evac request with image ID: %s", c.ID())
 			evacReq.MigrationInfo.PausedAt = timestamppb.New(pausedAt)
 			if _, err := nodeClient.Evac(ctx, evacReq); err != nil {
@@ -204,9 +209,89 @@ func (c *Container) evacScaledDown(ctx context.Context) error {
 	if _, err := nodeClient.PrepareEvac(ctx, evacReq); err != nil {
 		return fmt.Errorf("requesting evac: %w", err)
 	}
+	c.prepareMigrateData(ctx)
 
 	if _, err := nodeClient.Evac(ctx, evacReq); err != nil {
 		return fmt.Errorf("requesting evac: %w", err)
 	}
 	return nil
 }
+
+func (c *Container) prepareMigrateData(ctx context.Context) {
+	if c.cfg.DisableMigrateData {
+		return
+	}
+	// for now we allow this to fail and continue with the migration since
+	// it could be unreliable and is not strictly required to migrate
+	// (although this depends on the application).
+	if err := moveUpperDirToImage(c.ID()); err != nil {
+		log.G(ctx).Errorf("adding container data to image: %s", err)
+	}
+}
+
+// moveUpperDirToImage finds the overlayfs upper directory of the container and
+// moves it to the snapshot upper dir to be transferred by the evac. Only call
+// this once the container is either stopped or frozen.
+func moveUpperDirToImage(containerID string) error {
+	upper, err := findUpperDir(containerID)
+	if err != nil {
+		return fmt.Errorf("finding upper storage dir: %w", err)
+	}
+	to := nodev1.UpperPath(containerID)
+	if err := os.MkdirAll(to, 0644); err != nil {
+		return err
+	}
+
+	return renameAllSubDirs(upper, to)
+}
+
+// MoveImageToUpperDir does the same as moveUpperDirToImage but in reverse
+func MoveImageToUpperDir(containerID, imageDir string) error {
+	upper, err := findUpperDir(containerID)
+	if err != nil {
+		return fmt.Errorf("finding upper storage dir: %w", err)
+	}
+
+	return renameAllSubDirs(filepath.Join(imageDir, nodev1.UpperSuffix), upper)
+}
+
+func renameAllSubDirs(from, to string) error {
+	dirs, err := os.ReadDir(from)
+	if err != nil {
+		return err
+	}
+
+	var errs []error
+	for _, dir := range dirs {
+		errs = append(errs, os.Rename(filepath.Join(from, dir.Name()), filepath.Join(to, dir.Name())))
+	}
+
+	return errors.Join(errs...)
+}
+
+func findUpperDir(containerID string) (string, error) {
+	p, err := procfs.NewFS("/proc")
+	if err != nil {
+		return "", fmt.Errorf("new procfs: %w", err)
+	}
+
+	proc, err := p.Self()
+	if err != nil {
+		return "", fmt.Errorf("getting process info: %w", err)
+	}
+
+	mountInfo, err := proc.MountInfo()
+	if err != nil {
+		return "", fmt.Errorf("getting mount info: %w", err)
+	}
+
+	for _, mount := range mountInfo {
+		if strings.Contains(mount.MountPoint, containerID) {
+			if v, ok := mount.SuperOptions["upperdir"]; ok {
+				return v, nil
+			}
+		}
+	}
+
+	return "", fmt.Errorf("upper dir not found for container %s", containerID)
+}