From 32743868c797bdb63f7e764b477b66ac7fb67e1c Mon Sep 17 00:00:00 2001
From: Louis Tu <92532497+tu1h@users.noreply.github.com>
Date: Wed, 8 Nov 2023 23:57:32 +0800
Subject: [PATCH] Add cri-o criu support (#10479)

Signed-off-by: tu1h <lihai.tu@daocloud.io>
---
 docs/vars.md                                        | 2 ++
 roles/container-engine/cri-o/defaults/main.yml      | 3 +++
 roles/container-engine/cri-o/templates/crio.conf.j2 | 5 +++++
 3 files changed, 10 insertions(+)

diff --git a/docs/vars.md b/docs/vars.md
index 36dd3621d..b3239da94 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -186,6 +186,8 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m
 * *containerd_additional_runtimes* - Sets the additional Containerd runtimes used by the Kubernetes CRI plugin.
   [Default config](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/container-engine/containerd/defaults/main.yml) can be overridden in inventory vars.
 
+* *crio_criu_support_enabled* - When set to `true`, enables the container checkpoint/restore in CRI-O. It's required to install [CRIU](https://criu.org/Installation) on the host when dumping/restoring checkpoints. And it's recommended to enable the feature gate `ContainerCheckpoint` so that the kubelet get a higher level API to simplify the operations (**Note**: It's still in experimental stage, just for container analytics so far). You can follow the [documentation](https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/).
+
 * *http_proxy/https_proxy/no_proxy/no_proxy_exclude_workers/additional_no_proxy* - Proxy variables for deploying behind a
   proxy. Note that no_proxy defaults to all internal cluster IPs and hostnames
   that correspond to each node.
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 949ed69ed..21de17aeb 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -97,3 +97,6 @@ crio_man_files:
   8:
     - crio
     - crio-status
+
+# If set to true, it will enable the CRIU support in cri-o
+crio_criu_support_enabled: false
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index f0455d093..81d5a421e 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -273,6 +273,11 @@ pinns_path = ""
 pinns_path = "{{ bin_dir }}/pinns"
 {% endif %}
 
+{% if crio_criu_support_enabled %}
+# Enable CRIU integration, requires that the criu binary is available in $PATH.
+enable_criu_support = true
+{% endif %}
+
 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
 # The runtime to use is picked based on the runtime_handler provided by the CRI.
 # If no runtime_handler is provided, the runtime will be picked based on the level