Introduce WG Checkpoint Restore

[adrianreber]

As described in sig-wg-lifecycle.md this PR is the next step after sending an email to [email protected] about the creation of the Working Group Checkpoint Restore.

CC: @rst0git, @viktoriaas, @xhejtman

[k8s-ci-robot]

Welcome @adrianreber!

It looks like this is your first PR to kubernetes/community 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/community has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: adrianreber
Once this PR has been reviewed and has the lgtm label, please assign saschagrunert for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @adrianreber. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kannon92]

/ok-to-test

[kannon92]

Looking at #8519,

I see that we are missing a charter.

[adrianreber]

Looking at #8519,

I see that we are missing a charter.

In https://github.com/kubernetes/community/blob/master/sig-wg-lifecycle.md#GitHub is says to add a charter once this initial PR has been merged. That's why is skipped it.

[SergeyKanzhelev]

sig auth may have a big say in security of this whole restoration pipeline

[rst0git]

Thank you for pointing this out! Security is definitely an important topic that we need to discuss with sig-auth, both for the checkpoint API and the restoration pipeline. The following paper and master thesis describe our recent work on this topic:

• Towards Efficient End-to-End Encryption for Container Checkpointing Systems
• Improving Checkpoint/Restore Functionality in Kubernetes

[adrianreber]

I added sig auth to the list of stakeholder sigs

[liggitt]

this showed up in the sig-auth meeting, we may have missed the discussion around this WG

if this WG is contemplating taking state from a running pod / saving it / letting it be consumed on another node or from another pod or another namespace, then sig-auth is definitely interested in making sure the permissions model around that exists and is ~consistent with similar things Kubernetes does elsewhere (like PVC / snapshots)

We're happy to consult on that, I'm not sure our awareness / involvement rises to the level of sponsoring the WG :)

cc @kubernetes/sig-auth-leads

[mikebrow]

nod.. definitely needs an extra level of security due to customer data being serialized and available in the checkpoint, esp if not encrypted, but also due to windows of opportunity to do transactions/data manipulation.. then "undo" them by restoring a checkpoint

[aramase]

/assign ritazh

(assigned as part of SIG Auth triage; to review the SIG Auth updates)

[BenTheElder]

@kubernetes/sig-node-leads are you all +1, officially?

[haircommander]

+1 from me

[aojea]

I have doubts if this incentivize the right behavior and will encourage people to build WG to get a slot in the kubecon

[soltysh]

I agree with Antonio, this particular line should be removed, it's sufficient what the previous point shows.

[adrianreber]

This was just copied from 0743da8, but I will remove it.

[soltysh]

I agree with Janet here, but please make sure to show up and present the scope of this proposal to one of the future SIG-Apps calls.

[soltysh]

Why it has to be a central part of Kubernetes, where multiple external solutions already exists?

[haircommander]

i personally like the idea of having it be integrated because then the ecosystem can rely on it. for instance, we could make eviction or preemption less disruptive in kubelet/kueue respectively

[adrianreber]

Why it has to be a central part of Kubernetes, where multiple external solutions already exists?

Can you be more specific about what already exists? Not sure what you are referring to?

[soltysh]

This first thing that I'd like to point out is that there are 2 main use cases:

1. the whole control-plane snapshot
2. workload

Which one this group is planning to cover? As I'm reading this document I'm seeing both used interchangeably which is very confusing. That's why I'd start with clearly drawing the line between the two and properly documenting which one of these two (or both) are you planning to tackle.

[adrianreber]

What do yo mean by "control-plane-snapshot"?

[rst0git]

In our presentations, we use the following diagram to illustrate how checkpoint/restore operations work in Kubernetes:

Reference: Efficient Transparent Checkpointing of AI/ML Workloads in Kubernetes

[soltysh]

Why pod checkpointing would have anything to do with scheduling?

[adrianreber]

Because, as far as I know, a pod is always scheduled on one node. It doesn't sound useful to base the scheduling on the possibility to migrate containers. Container migration is an important first step, but for automatic scheduling decisions, it would make more sense to be able to easily migrate a complete pod.

[rst0git]

Our use-case is similar to how CRIU is integrated with Google's Borg ¹ and Microsoft's Singularity ² to enable preemptive and elastic scheduling.

Footnotes

1. Task Migration at Scale Using CRIU ↩

2. Singularity: Planet-Scale, Preemptive and Elastic Scheduling of AI Workloads ↩

[lujinda]

Why pod checkpointing would have anything to do with scheduling?

I agree that pod checkpointing needs to take scheduling into consideration. Let's assume the following scenario: after a Pod is checkpointed, it might not be deleted. However, since the memory, CPU, and GPU resources have already been dumped to a volume, the resources originally allocated to the Pod could then be reallocated to other Pods. When the Pod needs to be resumed later via restore, the scheduler should also be involved.

[soltysh]

I agree with Antonio, this particular line should be removed, it's sufficient what the previous point shows.

[aojea]

SIG Network questions (cc @danwinship @thockin )

does checkpoint restore move the network state ? as the established TCP connections? if affirmative, it requires IP mobility or uses Services or any other abstraction?

[adrianreber]

SIG Network questions (cc @danwinship @thockin )

does checkpoint restore move the network state ? as the established TCP connections? if affirmative, it requires IP mobility or uses Services or any other abstraction?

Migrating a container with established TCP connections is possible, but only if the restored container has the same IP as the checkpointed container. In Podman we were able to implement but I am not sure if this is something easily doable in Kubernetes. From our side we would need the possibility to create a pod with a certain IP and then it would work. Is there something in Kuberentes which would allow pod creation with a given IP address?

[aojea]

. Is there something in Kuberentes which would allow pod creation with a given IP address?

For Pod IPs, Is an IPAM choice of the CNI plugin, kubernetes network model allows that, but implementing it is more complex since most implementations have locality implied for the assigned Pod IPs, and to allow IP mobility it requires to deal with routing and ipam across the entire cluster to keep the IP connectivity that adds a considerable complexity.

Another thing is if you just expose the Pod application as a Service or Gateway API or some high level abstraction that have VirtualIP, then it is simpler, since those are already abstraction with cluster scope ... This works for Ingress traffic to the application, for Egress traffic is also more complex

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lujinda]

Is there a slack channel where we can discuss C/R related ideas? Thanks

[adrianreber]

Is there a slack channel where we can discuss C/R related ideas? Thanks

You are not the first to ask. We kind of are waiting for the proposal to be accepted to have a slack channel. Not sure if there is a another way to have a slack channel without having the proposal merged.

[rst0git]

Is there a slack channel where we can discuss C/R related ideas?

@lujinda Please reach out to us in the Kubernetes slack. You can find Viktoria, Adrian, and myself there :)