Enable checkpoint/restore support with gVisor #27528
This patch extends Podman to support checkpoint and restore operations with gVisor. In contrast to runc and crun, gVisor (runsc) does not rely on CRIU for checkpointing. Instead, it implements its own checkpoint and restore mechanism while maintaining a CLI interface compatible with runc. There are two main differences that this patch accounts for: "runsc checkpoint --help" exits with code 128 (subcommands.ExitUsageError), and it stores all checkpoint data in a single "checkpoint.img" file.

Signed-off-by: Radostin Stoyanov <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: rst0git
| return true | ||
| } | ||
|
|
||
| if exitErr, ok := err.(*exec.ExitError); ok { |
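Review bot: the type assertion `err.(*exec.ExitError)` on this line will not match an exit error that has been wrapped (for example with `fmt.Errorf("...: %w", err)`), so the exit-code check silently falls through; use `var exitErr *exec.ExitError; errors.As(err, &exitErr)` instead. The special-casing of exit code 128 should also be gated on the runtime actually being runsc (for instance by checking the executable's base name), since 128 can be a legitimate failure in other OCI runtimes.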
Feels like we should only do this if we know the runtime is runsc; 128 could be a legitimate error in other OCI runtimes. I imagine we could get that from the output of --help but it might also be sufficient to just check that the filename we're executing is runsc?
I think the --help check was there because some runtimes (at least crun) have a build option to enable/disable it, thus the runtime check via --help, IIRC.
That said, did you ask them why they exit 128 on --help? That just seems really weird, and from the applications I tested I have never seen this behavior, at least if they have --help actually implemented.
Yes, crun has an optional dependency on libcriu and uses dlopen to load the library at runtime. When built without this dependency, crun checkpoint --help will have a non-zero exit code.
> That said, did you ask them why they exit 128 on --help? That just seems really weird, and from the applications I tested I have never seen this behavior, at least if they have --help actually implemented.
gVisor returns subcommands.ExitUsageError (128) when --help is used:
It seems to be specific to Google's subcommands package.
But that isn't even calling --help then; it actually errors out on incorrect usage because it doesn't seem to respect --help at all, which means this check isn't really doing anything useful.
Then we might as well hard code checkpoint support for the runsc name I would say.
FYI, this should be fixed by google/gvisor#12331.
@nixprime Thank you!
| return true | ||
| } | ||
|
|
||
| if exitErr, ok := err.(*exec.ExitError); ok { |
New code should use errors.Is()/errors.As(), as errors can be wrapped, in which case type casting won't work.
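As an added example (not code from this PR or from Podman), here is how the `checkpoint --help` probe discussed in the two review threads above could take both points into account: the exit-status check goes through `errors.As` so wrapped errors are still recognised, and exit code 128 only counts as "checkpoint supported" when the runtime binary is runsc. The function names `checkpointSupported`, `probeCheckpointSupport`, `isRunsc` and the `fakeExitError` stand-in are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// exitCoder is satisfied by *exec.ExitError (through its embedded
// *os.ProcessState) and by the constructed stand-in below.
type exitCoder interface {
	ExitCode() int
}

// runscUsageError is the status gVisor's runsc returns for
// "checkpoint --help" (subcommands.ExitUsageError), as the PR describes.
const runscUsageError = 128

// isRunsc reports whether the runtime binary is gVisor's runsc, judged by
// the executable's base name, the check proposed in the review thread.
func isRunsc(runtimePath string) bool {
	return filepath.Base(runtimePath) == "runsc"
}

// checkpointSupported interprets the error returned by running
// "<runtime> checkpoint --help". A nil error means the subcommand exists.
// For runsc, exit status 128 is the usage error its CLI emits for --help and
// still means the subcommand is present. For every other runtime a non-zero
// status means checkpointing is unavailable (e.g. crun built without
// libcriu). errors.As is used instead of a type assertion so that an exit
// error wrapped by a caller is still recognised.
func checkpointSupported(runtimePath string, runErr error) bool {
	if runErr == nil {
		return true
	}
	var ec exitCoder
	if !errors.As(runErr, &ec) {
		// Not an exit status at all: binary missing, not executable, etc.
		return false
	}
	return isRunsc(runtimePath) && ec.ExitCode() == runscUsageError
}

// probeCheckpointSupport runs the probe against a real runtime binary.
// The error is wrapped on purpose, as callers in a larger code base often
// do; checkpointSupported must still see the exit status through the wrap.
func probeCheckpointSupport(runtimePath string) bool {
	err := exec.Command(runtimePath, "checkpoint", "--help").Run()
	if err != nil {
		err = fmt.Errorf("probing %s: %w", runtimePath, err)
	}
	return checkpointSupported(runtimePath, err)
}

// fakeExitError is a constructed stand-in for *exec.ExitError so the
// decision logic can be exercised offline without any runtime installed.
type fakeExitError struct{ code int }

func (e fakeExitError) Error() string { return fmt.Sprintf("exit status %d", e.code) }
func (e fakeExitError) ExitCode() int { return e.code }

func main() {
	cases := []struct {
		runtime string
		err     error
	}{
		{"/usr/bin/runc", nil},
		{"/usr/local/bin/runsc", fmt.Errorf("probe: %w", fakeExitError{128})},
		{"/usr/bin/crun", fmt.Errorf("probe: %w", fakeExitError{128})},
		{"/usr/local/bin/runsc", fakeExitError{1}},
		{"/usr/bin/runc", errors.New("no such file or directory")},
	}
	for _, c := range cases {
		fmt.Printf("%-22s err=%v -> supported=%v\n",
			c.runtime, c.err, checkpointSupported(c.runtime, c.err))
	}
}
```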
This is consistent with runc; see containers/podman#27528.

Before this change:

```
$ ./runsc --help
Usage of ./runsc:
$ echo $?
2
$ ./runsc ps --help
<container-id> [ps options]
  -format="table": output format. Select one of: table or json (default: table)
$ echo $?
2
```

After this change:

```
$ ./runsc --help
Usage: runsc <flags> <subcommand> <subcommand args>

runsc is the gVisor container runtime.

Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>".

Subcommands:
        checkpoint       checkpoint current state of container (experimental)
        create           create a secure container
        delete           delete resources held by a container
        do               Simplistic way to execute a command inside the sandbox. It's to be used for testing only.
        events           display container events such as OOM notifications, cpu, memory, and IO usage statistics
        exec             execute new process inside the container
        flags            describe all known top-level flags
        help             Print help documentation.
        kill             sends a signal to the container
        list             list containers started by runsc with the given root
        pause            pause suspends all processes in a container
        port-forward     port forward to a secure container
        ps               ps displays the processes running inside a container
        restore          restore a saved state of container (experimental)
        resume           Resume unpauses a paused container
        run              create and run a secure container
        spec             create a new OCI bundle specification file
        start            start a secure container
        state            get the state of a container
        tar              creates tar archives from container filesystems
        wait             wait on a process inside a container

Subcommands for debug:
        debug            shows a variety of debug information
        read-control     read a cgroups control value inside the container
        statefile        shows information about a statefile
        symbolize        Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled.
        usage            Usage shows application memory usage across various categories in bytes.
        write-control    write a cgroups control value inside the container

Subcommands for helpers:
        cpu-features     list CPU features supported on current machine
        install          adds a runtime to docker daemon configuration
        mitigate         mitigate mitigates the underlying system against side channel attacks
        nvproxy          shows information about nvproxy support
        trace            manages trace sessions for a given sandbox
        uninstall        removes a runtime from docker daemon configuration

Subcommands for internal use only:
        boot             launch a sandbox process
        gofer            launch a gofer process that proxies access to container files
        umount           umount the specified directory lazily when one byte is read from sync-fd

Subcommands for metrics:
        export-metrics   export metric data for the sandbox
        metric-metadata  export metric metadata of metrics registered in this build, in text proto format
        metric-server    implements Prometheus metrics HTTP endpoint

Additional help topics (Use "runsc help <topic>" to see help on the topic):
        platforms        Print a list of available platforms.
        syscalls         Print compatibility information for syscalls.

Use "runsc flags" for a list of top-level flags
$ echo $?
0
$ ./runsc ps --help
<container-id> [ps options]
  -format="table": output format. Select one of: table or json (default: table)
  -h=false: equivalent to the 'help' flag
  -help=false: show this message and exit
$ echo $?
0
```

PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528. Before this change: ``` $ ./runsc --help Usage of ./runsc: $ echo $? 2 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) $ echo $? 2 ``` After this change: ``` $ ./runsc --help Usage: runsc <flags> <subcommand> <subcommand args> runsc is the gVisor container runtime. Functionality is provided by subcommands. For help with a specific subcommand, use "runsc help <subcommand>". Subcommands: checkpoint checkpoint current state of container (experimental) create create a secure container delete delete resources held by a container do Simplistic way to execute a command inside the sandbox. It's to be used for testing only. events display container events such as OOM notifications, cpu, memory, and IO usage statistics exec execute new process inside the container flags describe all known top-level flags help Print help documentation. kill sends a signal to the container list list containers started by runsc with the given root pause pause suspends all processes in a container port-forward port forward to a secure container ps ps displays the processes running inside a container restore restore a saved state of container (experimental) resume Resume unpauses a paused container run create and run a secure container spec create a new OCI bundle specification file start start a secure container state get the state of a container tar creates tar archives from container filesystems wait wait on a process inside a container Subcommands for debug: debug shows a variety of debug information read-control read a cgroups control value inside the container statefile shows information about a statefile symbolize Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled. usage Usage shows application memory usage across various categories in bytes. 
write-control write a cgroups control value inside the container Subcommands for helpers: cpu-features list CPU features supported on current machine install adds a runtime to docker daemon configuration mitigate mitigate mitigates the underlying system against side channel attacks nvproxy shows information about nvproxy support trace manages trace sessions for a given sandbox uninstall removes a runtime from docker daemon configuration Subcommands for internal use only: boot launch a sandbox process gofer launch a gofer process that proxies access to container files umount umount the specified directory lazily when one byte is read from sync-fd Subcommands for metrics: export-metrics export metric data for the sandbox metric-metadata export metric metadata of metrics registered in this build, in text proto format metric-server implements Prometheus metrics HTTP endpoint Additional help topics (Use "runsc help <topic>" to see help on the topic): platforms Print a list of available platforms. syscalls Print compatibility information for syscalls. Use "runsc flags" for a list of top-level flags $ echo $? 0 $ ./runsc ps --help <container-id> [ps options] -format="table": output format. Select one of: table or json (default: table) -h=false: equivalent to the 'help' flag -help=false: show this message and exit $ echo $? 0 ``` PiperOrigin-RevId: 836395969
This is consistent with runc; see containers/podman#27528.

Before this change:

```
$ ./runsc --help
Usage of ./runsc:
$ echo $?
2
$ ./runsc ps --help
<container-id> [ps options]
  -format="table": output format. Select one of: table or json (default: table)
$ echo $?
2
```

After this change:

```
$ ./runsc --help
Usage: runsc <flags> <subcommand> <subcommand args>

runsc is the gVisor container runtime.

Functionality is provided by subcommands. For help with a specific subcommand,
use "runsc help <subcommand>".

Subcommands:
    checkpoint       checkpoint current state of container (experimental)
    create           create a secure container
    delete           delete resources held by a container
    do               Simplistic way to execute a command inside the sandbox. It's to be used for testing only.
    events           display container events such as OOM notifications, cpu, memory, and IO usage statistics
    exec             execute new process inside the container
    flags            describe all known top-level flags
    help             Print help documentation.
    kill             sends a signal to the container
    list             list containers started by runsc with the given root
    pause            pause suspends all processes in a container
    port-forward     port forward to a secure container
    ps               ps displays the processes running inside a container
    restore          restore a saved state of container (experimental)
    resume           Resume unpauses a paused container
    run              create and run a secure container
    spec             create a new OCI bundle specification file
    start            start a secure container
    state            get the state of a container
    tar              creates tar archives from container filesystems
    wait             wait on a process inside a container

Subcommands for debug:
    debug            shows a variety of debug information
    read-control     read a cgroups control value inside the container
    statefile        shows information about a statefile
    symbolize        Convert synthetic instruction pointers from kcov into positions in the runsc source code. Only used when Go coverage is enabled.
    usage            Usage shows application memory usage across various categories in bytes.
    write-control    write a cgroups control value inside the container

Subcommands for helpers:
    cpu-features     list CPU features supported on current machine
    install          adds a runtime to docker daemon configuration
    mitigate         mitigate mitigates the underlying system against side channel attacks
    nvproxy          shows information about nvproxy support
    trace            manages trace sessions for a given sandbox
    uninstall        removes a runtime from docker daemon configuration

Subcommands for internal use only:
    boot             launch a sandbox process
    gofer            launch a gofer process that proxies access to container files
    umount           umount the specified directory lazily when one byte is read from sync-fd

Subcommands for metrics:
    export-metrics   export metric data for the sandbox
    metric-metadata  export metric metadata of metrics registered in this build, in text proto format
    metric-server    implements Prometheus metrics HTTP endpoint

Additional help topics (Use "runsc help <topic>" to see help on the topic):
    platforms        Print a list of available platforms.
    syscalls         Print compatibility information for syscalls.

Use "runsc flags" for a list of top-level flags
$ echo $?
0
$ ./runsc ps --help
<container-id> [ps options]
  -format="table": output format. Select one of: table or json (default: table)
  -h=false: equivalent to the 'help' flag
  -help=false: show this message and exit
$ echo $?
0
```

PiperOrigin-RevId: 837251082
This patch extends Podman to support checkpoint and restore operations with gVisor. In contrast to `runc` and `crun`, gVisor (`runsc`) does not rely on CRIU for checkpointing. Instead, it implements its own checkpoint and restore mechanism while maintaining a CLI interface compatible with runc.

There are two main differences that this patch accounts for: `runsc checkpoint --help` exits with code `128` (`subcommands.ExitUsageError`), and it stores all checkpoint data in a single `checkpoint.img` file.

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

- commits. (`git commit -s`). (If needed, use `git commit -s --amend`). The author email must match the sign-off email address. See CONTRIBUTING.md for more information.
- `Fixes: #00000` in commit message (if applicable)
- `make validatepr` (format/lint checks)
- (`None` if no user-facing changes)

Does this PR introduce a user-facing change?
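The two runtime differences the description lists, shown as a stand-alone Go sketch. This is an added example, not code from the PR or from Podman: it probes support by running `<runtime> checkpoint --help` and treats exit status 128 as "subcommand exists" only when the runtime binary is named `runsc`, so that a genuine failure from another OCI runtime is not mistaken for support, and it resolves the checkpoint location to the single `checkpoint.img` that runsc writes. Identifying runsc by the basename of its path, the `interpretHelpExit`/`CheckpointImage` names, and the runtime paths in `main` are assumptions of this example; the "non-empty directory" check for CRIU-based runtimes is a placeholder, since the page says nothing about CRIU's file layout. Newer runsc builds, which per the referenced gVisor commit exit 0 from `--help`, take the ordinary exit-0 path and never reach the 128 branch.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// runscUsageExit is the status "runsc checkpoint --help" returns on older
// builds (subcommands.ExitUsageError), as stated in the PR description.
const runscUsageExit = 128

// isRunsc reports whether the configured OCI runtime is gVisor's runsc.
// Assumption of this example: the runtime is recognised by its file name.
func isRunsc(runtimePath string) bool {
	return filepath.Base(runtimePath) == "runsc"
}

// interpretHelpExit turns the error returned by running
// "<runtime> checkpoint --help" into a support decision.
// runc and crun exit 0 when the subcommand exists; older runsc exits 128.
// The 128 case is honoured only for runsc so that a real failure in another
// runtime is reported as "unsupported" rather than "supported".
func interpretHelpExit(runtimePath string, runErr error) (bool, error) {
	if runErr == nil {
		return true, nil
	}
	var exitErr *exec.ExitError
	if errors.As(runErr, &exitErr) {
		if isRunsc(runtimePath) && exitErr.ExitCode() == runscUsageExit {
			return true, nil
		}
		return false, nil
	}
	// Not an exit status at all (binary missing, not executable, ...):
	// surface it instead of silently reporting "unsupported".
	return false, fmt.Errorf("running %s checkpoint --help: %w", runtimePath, runErr)
}

// CheckpointSupported runs the probe and interprets its exit status.
func CheckpointSupported(runtimePath string) (bool, error) {
	cmd := exec.Command(runtimePath, "checkpoint", "--help")
	return interpretHelpExit(runtimePath, cmd.Run())
}

// CheckpointImage returns what a restore must read back for the given runtime:
// runsc puts all checkpoint data in one checkpoint.img, while CRIU-based
// runtimes fill the directory with many image files. For the CRIU case this
// example only requires a non-empty directory (placeholder check).
func CheckpointImage(runtimePath, checkpointDir string) (string, error) {
	if isRunsc(runtimePath) {
		img := filepath.Join(checkpointDir, "checkpoint.img")
		if _, err := os.Stat(img); err != nil {
			return "", fmt.Errorf("runsc checkpoint image missing: %w", err)
		}
		return img, nil
	}
	entries, err := os.ReadDir(checkpointDir)
	if err != nil {
		return "", err
	}
	if len(entries) == 0 {
		return "", fmt.Errorf("no checkpoint images in %s", checkpointDir)
	}
	return checkpointDir, nil
}

func main() {
	// Hypothetical runtime paths; adjust to the binaries installed locally.
	for _, rt := range []string{"/usr/bin/runc", "/usr/bin/crun", "/usr/local/bin/runsc"} {
		ok, err := CheckpointSupported(rt)
		fmt.Printf("%s: checkpoint supported=%v err=%v\n", rt, ok, err)
	}
}
```

The probe deliberately returns an error, not `false`, when the runtime binary cannot be executed at all: a missing or non-executable runtime is a configuration problem that should not be reported as "this runtime lacks checkpoint support".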