CRIU

Last updated
CRIU
Developer(s) OpenVZ Team at Virtuozzo
Initial release23 July 2012;10 years ago (2012-07-23) [1]
Stable release 3.15 (November 3, 2020;2 years ago (2020-11-03) [2] ) [±]
Repository
Written in C and Assembler
Operating system Linux
Platform x86-64, ARM, Power ISA, IBM System/390
Type Application checkpointing
License GNU GPL v.2
Website criu.org

Checkpoint/Restore In Userspace (CRIU) (pronounced kree-oo, /kriu/), is a software tool for the Linux operating system. Using this tool, it is possible to freeze a running application (or part of it) and checkpoint it to persistent storage as a collection of files. One can then use the files to restore and run the application from the point it was frozen at. The distinctive feature of the CRIU project is that it is mainly implemented in user space, rather than in the kernel.

Contents

History

The initial version of CRIU software was presented to the Linux developers community by Pavel Emelyanov, the OpenVZ kernel team leader, on 15 July 2011. [3]

In September 2011, the project was presented at the Linux Plumbers Conference. [4] In general, most of the attendees took a positive view of the project, which is proven by the fact that a number of kernel patches required for implementing the project were included in the mainline kernel. Andrew Morton, however, was a bit skeptical:

A note on this: this is a project by various mad Russians to perform c/r mainly from userspace, with various oddball helper code added into the kernel where the need is demonstrated... However I'm less confident than the developers that it will all eventually work! So what I'm asking them to do is to wrap each piece of new code inside CONFIG_CHECKPOINT_RESTORE. So if it all eventually comes to tears and the project as a whole fails, it should be a simple matter to go through and delete all trace of it.

Andrew Morton, [5]

The project is currently[ when? ] under active development, with monthly release cycle for stable releases. [6]

Use

The CRIU tool is being developed as part of the OpenVZ project, with the aim of replacing the in-kernel checkpoint/restore. Though its main focus is to support the migration of containers, allowing users to check-point and restore the current state of running processes and process groups. The tool can currently be used on x86-64 and ARM systems and supports the following features:

As of September 2013, no kernel patching is required because all of the required functionality has already been merged into the Linux kernel mainline since kernel version 3.11, which was released on September 2, 2013. [7] [8]

TCP connection migration

One of the initial project goals was to support the migration of TCP connections, the biggest challenge being to suspend and then restore only one side of a connection. This was necessary for performing the live migration of containers (along with all their active network connections) between physical servers, the main scenario of using the checkpoint/restore feature in OpenVZ. To cope with this problem, a new feature, "TCP repair mode", was implemented. The feature was included in version 3.5 of the Linux kernel mainline [9] and provides users with additional means to disassemble and reconstruct TCP sockets without the necessity of exchanging network packets with the opposite side of the connection.

Similar projects

The following projects provide functionality similar to CRIU:

Related Research Articles

<span class="mw-page-title-main">Security-Enhanced Linux</span> Linux kernel security module

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

Checkpointing is a technique that provides fault tolerance for computing systems. It basically consists of saving a snapshot of the application's state, so that applications can restart from that point in case of failure. This is particularly important for long running applications that are executed in failure-prone computing systems.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

udev is a device manager for the Linux kernel. As the successor of devfsd and hotplug, udev primarily manages device nodes in the /dev directory. At the same time, udev also handles all user space events raised when hardware devices are added into the system or removed from it, including firmware loading as required by certain devices.

OS-level virtualization is an operating system (OS) paradigm in which the kernel allows the existence of multiple isolated user space instances, called containers, zones, virtual private servers (OpenVZ), partitions, virtual environments (VEs), virtual kernels, or jails. Such instances may look like real computers from the point of view of programs running in them. A computer program running on an ordinary operating system can see all resources of that computer. However, programs running inside of a container can only see the container's contents and devices assigned to the container.

The Netlink socket family is a Linux kernel interface used for inter-process communication (IPC) between both the kernel and userspace processes, and between different userspace processes, in a way similar to the Unix domain sockets. Similarly to the Unix domain sockets, and unlike INET sockets, Netlink communication cannot traverse host boundaries. However, while the Unix domain sockets use the file system namespace, Netlink processes are usually addressed by process identifiers (PIDs).

<span class="mw-page-title-main">OpenVZ</span> Operating-system level virtualization technology

OpenVZ is an operating-system-level virtualization technology for Linux. It allows a physical server to run multiple isolated operating system instances, called containers, virtual private servers (VPSs), or virtual environments (VEs). OpenVZ is similar to Solaris Containers and LXC.

The Open Source Automation Development Lab eG (OSADL) is a German organization intended to promote and coordinate the development of open source software for the machine, machine tool, and automation industry. As of March 2013, it has more than 40 member companies from around the world, including machine manufacturers, manufacturers of automation hardware and software, semiconductor companies, user associations and open source software service providers. Membership fees are used for the most part to fund development of the software.

<span class="mw-page-title-main">SystemTap</span> Scripting language and tool

In computing, SystemTap is a scripting language and tool for dynamically instrumenting running production Linux-based operating systems. System administrators can use SystemTap to extract, filter and summarize data in order to enable diagnosis of complex performance or functional problems.

<span class="mw-page-title-main">SocketCAN</span> Open source controller area network drivers and networking stack for the Linux kernel

SocketCAN is a set of open source CAN drivers and a networking stack contributed by Volkswagen Research to the Linux kernel. SocketCAN was formerly known as Low Level CAN Framework (LLCF).

<span class="mw-page-title-main">Network block device</span>

On Linux, network block device (NBD) is a network protocol that can be used to forward a block device from one machine to a second machine. As an example, a local machine can access a hard disk drive that is attached to another computer.

Sockstress is a method that is used to attack servers on the Internet and other networks utilizing TCP, including Windows, Mac, Linux, BSD and any router or other internet appliance that accepts TCP connections. The method does this by attempting to use up local resources in order to crash a service or the entire machine, essentially a denial of service attack.

<span class="mw-page-title-main">Linux kernel</span> Operating system kernel

The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU operating system, which was written to be a free (libre) replacement for Unix.

nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. It has been available since Linux kernel 3.13 released on 19 January 2014.

<span class="mw-page-title-main">LXC</span> Operating system-level virtualization for Linux

Linux Containers (LXC) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel.

cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage of a collection of processes.

perf is a performance analyzing tool in Linux, available from Linux kernel version 2.6.31 in 2009. Userspace controlling utility, named perf, is accessed from the command line and provides a number of subcommands; it is capable of statistical profiling of the entire system.

kGraft is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need for rebooting the system with a new kernel that contains the desired patches, kGraft aims to maximize the system uptime and availability. At the same time, kGraft allows kernel-related security updates to be applied without deferring them to scheduled downtimes. Internally, kGraft allows entire functions in a running kernel to be replaced with their patched versions, doing that safely by selectively using original versions of functions to ensure per-process consistency while the live patching is performed.

kpatch is a feature of the Linux kernel that implements live patching of a running kernel, which allows kernel patches to be applied while the kernel is still running. By avoiding the need for rebooting the system with a new kernel that contains the desired patches, kpatch aims to maximize the system uptime and availability. At the same time, kpatch allows kernel-related security updates to be applied without deferring them to scheduled downtimes. Internally, kpatch allows entire functions in a running kernel to be replaced with their patched versions, doing that safely by stopping all running processes while the live patching is performed.

<span class="mw-page-title-main">Proxmox Virtual Environment</span> Linux distribution for server virtualization

Proxmox Virtual Environment is an open-source software server for virtualization management. It is a hosted hypervisor that can run operating systems including Linux and Windows on x64 hardware. It is a Debian-based Linux distribution with a modified Ubuntu LTS kernel and allows deployment and management of virtual machines and containers. Proxmox VE includes a web console and command-line tools, and provides a REST API for third-party tools. Two types of virtualization are supported: container-based with LXC, and full virtualization with KVM. It includes a web-based management interface.

References

  1. Pavel Emelyanov (2012-07-23). "Checkpoint-restore tool v0.1".
  2. "Release schedule".
  3. Pavel Emelyanov (2011-07-15). "Checkpoint/restore mostly in the userspace".
  4. "Checkpoint/restart in the userspace". Linux Plumbers Conf 2011.
  5. "Merge branch 'akpm' (aka "Andrew's patch-bomb, take two")". Linux kernel source tree. 2012-01-13.
  6. "Release schedule - CRIU".
  7. "Installation: Linux Kernel". Linux kernel v3.11 or newer is required, with some specific options set
  8. "Linux kernel 3.11, Section 1.5. Detailed tracking of which pages a task writes". kernelnewbies.org. 2013-09-02. Retrieved 2016-05-03.
  9. Pavel Emelyanov (2012-02-29). "TCP connection repair". Linux Netdev Mailing List.
  10. "DMTCP: Distributed MultiThreaded CheckPointing". SourceForge.
  11. "Berkeley Lab Checkpoint/Restart (BLCR) for LINUX". Lawrence Berkeley National Laboratory .
  12. "Linux Checkpoint/Restart". kernel.org.

Further reading