https://blog.zwindler.fr/en/categories/virtualization/Recent content in Virtualization on Zwindler's ReflectionHugo -- gohugo.ioenLicensed under CC BY-SA 4.0Sat, 30 May 2026 12:00:00 +0200https://blog.zwindler.fr/en/2026/05/30/zeropod-v0.12.0-one-year-later-does-scale-to-zero-deliver/Sat, 30 May 2026 12:00:00 +0200https://blog.zwindler.fr/en/2026/05/30/zeropod-v0.12.0-one-year-later-does-scale-to-zero-deliver/<img src="https://blog.zwindler.fr/2026/05/zeropod.webp" alt="Featured image of post zeropod v0.12.0: One Year Later, Does Scale-to-Zero Deliver?" /><h2 id="what-is-zeropod">What is zeropod? </h2><p>A little less than a year ago, I <a class="link" href="https://blog.zwindler.fr/en/2025/06/20/zeropod-scale-to-zero-with-container-checkpointing/" >published a first article</a>, reviewing a tool called zeropod.</p> <blockquote> <p>Zeropod is a Kubernetes runtime (more specifically a containerd shim) that automatically checkpoints containers to disk after a certain amount of time of the last TCP connection.</p> <p>While in scaled down state, it will listen on the same port the application inside the container was listening on and will restore the container on the first incoming connection.</p> </blockquote> <p>At the time, the stable version was v0.6.x, and I tested it on a k3s cluster. The results were mixed: it mostly worked, but with deal-breaking limitations for serious use (probes impossible, flaky behavior under load, checkpointing times a bit high for my taste).</p> <p>Since then, the project has evolved quite a bit (now v0.12.0), with promises of fixes and improvements. So I decided to give it another shot to see where things stand.</p> <p>One other change: I abandoned k3s for this test series, for reasons I&rsquo;ll detail throughout the article.</p> <h2 id="prerequisites">Prerequisites </h2><p>This time, I used a freshly provisioned server at my favorite hosting provider:</p> <ul> <li>An Ubuntu 24.04.3 LTS (Noble) server, kernel 6.17.0-35 HWE, 7.7 Gi RAM, 100G disk</li> <li>A Kubernetes cluster set up with <strong>kubeadm</strong>, flannel as CNI</li> <li>Vanilla containerd</li> <li>local-path-provisioner (Rancher) for default local storage</li> <li>No cert-manager or Ingress, keeping it simple this time</li> </ul> <h2 id="installation">Installation </h2><p>I&rsquo;ve installed kubeadm many times and you probably have too, so I won&rsquo;t insult you with yet another tutorial.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install kubeadm, kubelet, kubectl + containerd</span> </span></span><span class="line"><span class="cl">sudo kubeadm init --pod-network-cidr<span class="o">=</span>10.42.0.0/16 </span></span><span class="line"><span class="cl">kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml </span></span><span class="line"><span class="cl">kubectl taint nodes --all node-role.kubernetes.io/control-plane- </span></span></code></pre></div><p>Once the cluster is running, installing zeropod is trivial:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Apply the generic kustomize</span> </span></span><span class="line"><span class="cl">kubectl apply -k https://github.com/ctrox/zeropod/config/generic </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Add a label to our single node</span> </span></span><span class="line"><span class="cl">kubectl label node &lt;your-node&gt; zeropod.ctrox.dev/node<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify the pod is running</span> </span></span><span class="line"><span class="cl">kubectl -n zeropod-system <span class="nb">wait</span> --for<span class="o">=</span><span class="nv">condition</span><span class="o">=</span>Ready pod -l app.kubernetes.io/name<span class="o">=</span>zeropod-node </span></span></code></pre></div><p>That&rsquo;s it. No special flags, no extra configuration. On kubeadm, kubelet is a native binary (<code>/usr/bin/kubelet</code>) detected automatically by zeropod.</p> <p><strong>Note about k3s</strong>: on k3s, the zeropod documentation differs since the config to use is <code>config/k3s</code>. The kustomize adds a <code>-probe-binary-name=k3s</code> flag on the initContainer so the shim knows the kubelet is embedded in the k3s binary. During my tests, even with this flag, the behavior wasn&rsquo;t as expected (the socket tracker didn&rsquo;t filter probes correctly). With the default config, the flag is on the initContainer but not on the manager. I suspected there was another component to patch, but I didn&rsquo;t investigate further.</p> <p>The DaemonSet deploys the following images:</p> <ul> <li><code>ghcr.io/ctrox/zeropod-manager:v0.12.0</code></li> <li><code>ghcr.io/ctrox/zeropod-installer:v0.12.0</code></li> <li><code>ghcr.io/ctrox/zeropod-criu:v4.2</code> (CRIU has been updated since v0.6.x)</li> </ul> <p>Let&rsquo;s verify the zeropod runtimeClass is available:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get runtimeclass </span></span><span class="line"><span class="cl">NAME HANDLER AGE </span></span><span class="line"><span class="cl">zeropod zeropod 30m </span></span></code></pre></div><h2 id="first-test-nginx">First test: nginx </h2><p>Like last time, let&rsquo;s start with a simple nginx test. Deploy a basic pod:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">zeropod.ctrox.dev/scaledown-duration</span><span class="p">:</span><span class="w"> </span><span class="l">10s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runtimeClassName</span><span class="p">:</span><span class="w"> </span><span class="l">zeropod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span></code></pre></div><p>The important parts are the annotation <code>zeropod.ctrox.dev/scaledown-duration: 10s</code> and <code>runtimeClassName: zeropod</code>.</p> <p>Shortly after deployment, zeropod detects the absence of traffic. The container is checkpointed. Looking at the manager logs:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;time&#34;</span><span class="p">:</span><span class="s2">&#34;2026-05-29T14:26:37.269453861Z&#34;</span><span class="p">,</span><span class="nt">&#34;level&#34;</span><span class="p">:</span><span class="s2">&#34;INFO&#34;</span><span class="p">,</span><span class="nt">&#34;msg&#34;</span><span class="p">:</span><span class="s2">&#34;status event&#34;</span><span class="p">,</span><span class="nt">&#34;container&#34;</span><span class="p">:</span><span class="s2">&#34;nginx&#34;</span><span class="p">,</span><span class="nt">&#34;pod&#34;</span><span class="p">:</span><span class="s2">&#34;nginx-bench-7c65c8874-6pts7&#34;</span><span class="p">,</span><span class="nt">&#34;phase&#34;</span><span class="p">:</span><span class="s2">&#34;RUNNING&#34;</span><span class="p">,</span><span class="nt">&#34;duration&#34;</span><span class="p">:</span><span class="s2">&#34;0s&#34;</span><span class="p">}</span> </span></span></code></pre></div><p>Then 10 seconds later:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;time&#34;</span><span class="p">:</span><span class="s2">&#34;2026-05-29T14:26:47.465510937Z&#34;</span><span class="p">,</span><span class="nt">&#34;level&#34;</span><span class="p">:</span><span class="s2">&#34;INFO&#34;</span><span class="p">,</span><span class="nt">&#34;msg&#34;</span><span class="p">:</span><span class="s2">&#34;status event&#34;</span><span class="p">,</span><span class="nt">&#34;container&#34;</span><span class="p">:</span><span class="s2">&#34;nginx&#34;</span><span class="p">,</span><span class="nt">&#34;pod&#34;</span><span class="p">:</span><span class="s2">&#34;nginx-bench-7c65c8874-6pts7&#34;</span><span class="p">,</span><span class="nt">&#34;phase&#34;</span><span class="p">:</span><span class="s2">&#34;SCALED_DOWN&#34;</span><span class="p">,</span><span class="nt">&#34;duration&#34;</span><span class="p">:</span><span class="s2">&#34;191.259383ms&#34;</span><span class="p">}</span> </span></span></code></pre></div><p>The <code>duration</code> field in the SCALED_DOWN log is the checkpoint time: <strong>191ms</strong>. That&rsquo;s already significantly better than the ~400ms from v0.6.x on k3s (likely thanks to an update, perhaps CRIU 4.2?).</p> <h2 id="restore">Restore </h2><p>When we send an HTTP request, the container wakes up:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">time</span> curl http://&lt;POD_IP&gt;/ -s -o /dev/null -w <span class="s2">&#34;%{http_code} (%{time_total}s)&#34;</span> </span></span><span class="line"><span class="cl">HTTP <span class="m">200</span> <span class="o">(</span>0.101s<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">real 0m0.101s </span></span><span class="line"><span class="cl">user 0m0.003s </span></span><span class="line"><span class="cl">sys 0m0.003s </span></span></code></pre></div><p><strong>101ms</strong> to restore nginx and serve a page. That&rsquo;s comparable to the ~92ms from the original article.</p> <p>Nice new feature: under v0.6.x, <code>kubectl top pods</code> returned an error for checkpointed pods:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># v0.6.x</span> </span></span><span class="line"><span class="cl">kubectl top pods </span></span><span class="line"><span class="cl">error: Metrics not available <span class="k">for</span> pod default/php-xxx </span></span></code></pre></div><p>This bug was fixed in v0.9.0. Now pods in SCALED_DOWN state return <code>0m 0Mi</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl top pods </span></span><span class="line"><span class="cl">NAME CPU<span class="o">(</span>cores<span class="o">)</span> MEMORY<span class="o">(</span>bytes<span class="o">)</span> </span></span><span class="line"><span class="cl">nginx 0m 0Mi </span></span></code></pre></div><p>Much cleaner.</p> <h2 id="testing-liveness-probes">Testing liveness probes </h2><p>This was THE major limitation of v0.6.x: zeropod was incompatible with Kubernetes probes. If you added an httpGet liveness probe to your container, the probe would reset the scale-down timer, and your container would never go SCALED_DOWN. Result: probes unusable, making zeropod unusable in production.</p> <h3 id="what-changed">What changed </h3><p>Two fixes were made between v0.6.x and v0.12.0:</p> <ol> <li> <p><strong>The activator</strong> (the eBPF component that listens for traffic during SCALED_DOWN): it intercepts probes and replies 200 directly, without waking the container. That&rsquo;s the &ldquo;post scale-down&rdquo; behavior.</p> </li> <li> <p><strong>The socket tracker</strong> (the component that ignores connections during RUNNING state): since PR #72 (merged August 2025), zeropod can detect connections coming from kubelet and not count them as &ldquo;real&rdquo; traffic. That&rsquo;s the &ldquo;pre scale-down&rdquo; behavior.</p> </li> </ol> <h3 id="real-world-test">Real-world test </h3><p>I deployed nginx with an aggressive liveness probe (periodSeconds: 5) and <code>scaledown-duration: 10s</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runtimeClassName</span><span class="p">:</span><span class="w"> </span><span class="l">zeropod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">livenessProbe</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">httpGet</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">periodSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w"> </span></span></span></code></pre></div><p>On k3s, this test gave me trouble: the socket tracker couldn&rsquo;t filter probe connections, which kept resetting the scale-down timer indefinitely. The activator (which filters probes once scale-down has happened) worked fine though.</p> <p>On kubeadm, the result is immediate:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get pod -l <span class="nv">app</span><span class="o">=</span>nginx-probe -o json <span class="p">|</span> jq -r <span class="s1">&#39;.items[0].metadata.labels[&#34;status.zeropod.ctrox.dev/nginx&#34;]&#39;</span> </span></span><span class="line"><span class="cl">SCALED_DOWN </span></span></code></pre></div><p>The socket tracker correctly filters connections from the native kubelet. The <code>periodSeconds</code> &gt; <code>scaledown-duration</code> rule I had to use on k3s is no longer necessary.</p> <h2 id="a-word-on-changes-between-v06x-and-v0120">A word on changes between v0.6.x and v0.12.0 </h2><p>Here&rsquo;s a summary of improvements between the two versions:</p> <table> <thead> <tr> <th>Point</th> <th>v0.6.x</th> <th>v0.12.0</th> </tr> </thead> <tbody> <tr> <td><code>kubectl top pods</code> while scaled-down</td> <td>❌ Error</td> <td>✅ <code>0m 0Mi</code> (fix v0.9.0)</td> </tr> <tr> <td>Checkpoint (nginx)</td> <td>~400ms</td> <td>~185ms (-54%)</td> </tr> <tr> <td>Restore (nginx)</td> <td>~92ms</td> <td>~99ms (stable)</td> </tr> <tr> <td>CRIU</td> <td>v3.x</td> <td>v4.2</td> </tr> <tr> <td>Checkpoint failure handling</td> <td>basic</td> <td>metrics + events (v0.11.0)</td> </tr> <tr> <td>Configurable proxy timeouts</td> <td>❌</td> <td>✅ (v0.11.0)</td> </tr> <tr> <td>Inter-node migration</td> <td>basic</td> <td>improved + timeouts (v0.10.0)</td> </tr> <tr> <td>Probes</td> <td>❌ Incompatible</td> <td>✅ Activator + socket tracker</td> </tr> </tbody> </table> <p>Interesting technical note about CRIU flags: zeropod removed the <code>--tcp-established</code> option in September 2025. Previously, active TCP connections were saved and restored with the container. Now, zeropod uses <code>--tcp-skip-in-flight</code> (when runc &gt;= 1.3 supports it). Practical consequence: if your container has outgoing TCP connections at checkpoint time, they will be lost. You&rsquo;ll need to re-establish them after restore.</p> <h2 id="deploying-wordpress-the-realistic-use-case">Deploying WordPress (the &ldquo;&ldquo;&ldquo;realistic&rdquo;&rdquo;&rdquo; use case) </h2><p>Alright, nginx is fine but not very representative. Let&rsquo;s deploy a real app with PHP, Apache, and a database.</p> <p>Let&rsquo;s reuse the WordPress manifest from the original article, without zeropod on MySQL:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">zeropod.ctrox.dev/scaledown-duration</span><span class="p">:</span><span class="w"> </span><span class="l">10s</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">zeropod.ctrox.dev/container-names</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">zeropod.ctrox.dev/ports-map</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress=80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runtimeClassName</span><span class="p">:</span><span class="w"> </span><span class="l">zeropod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">initContainers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wait-for-mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">mysql:8</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- -<span class="l">c</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> until mysql -h mysql -u root -p${MYSQL_ROOT_PASSWORD} -e &#34;SELECT 1&#34;; do </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Waiting for MySQL...&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> sleep 3 </span></span></span><span class="line"><span class="cl"><span class="sd"> done </span></span></span><span class="line"><span class="cl"><span class="sd"> mysql -h mysql -u root -p${MYSQL_ROOT_PASSWORD} -e &#34;CREATE DATABASE IF NOT EXISTS wordpress;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">MYSQL_ROOT_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">verySecurePassword</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">WORDPRESS_DB_HOST</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">WORDPRESS_DB_USER</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">root</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">WORDPRESS_DB_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">verySecurePassword</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">WORDPRESS_DB_NAME</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">wordpress</span><span class="w"> </span></span></span></code></pre></div><p>MySQL (without zeropod):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">3306</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">clusterIP</span><span class="p">:</span><span class="w"> </span><span class="l">None</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">StatefulSet</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serviceName</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">mysql:8</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="m">3306</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">MYSQL_ROOT_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">verySecurePassword</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/var/lib/mysql</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumeClaimTemplates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">data</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ReadWriteOnce</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l">5Gi</span><span class="w"> </span></span></span></code></pre></div><p>WordPress (Apache + PHP) checkpoint:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;time&#34;</span><span class="p">:</span><span class="s2">&#34;2026-05-29T14:33:35.915988635Z&#34;</span><span class="p">,</span><span class="nt">&#34;phase&#34;</span><span class="p">:</span><span class="s2">&#34;SCALED_DOWN&#34;</span><span class="p">,</span><span class="nt">&#34;duration&#34;</span><span class="p">:</span><span class="s2">&#34;313.286787ms&#34;</span><span class="p">}</span> </span></span></code></pre></div><p>Checkpoints take around 300ms. Restore is around 200ms:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;time&#34;</span><span class="p">:</span><span class="s2">&#34;2026-05-29T14:34:31.56806589Z&#34;</span><span class="p">,</span><span class="nt">&#34;phase&#34;</span><span class="p">:</span><span class="s2">&#34;RUNNING&#34;</span><span class="p">,</span><span class="nt">&#34;duration&#34;</span><span class="p">:</span><span class="s2">&#34;206.33005ms&#34;</span><span class="p">}</span> </span></span></code></pre></div><p>The first curl request confirms it:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">time</span> curl http://&lt;POD_IP&gt;/ -s -o /dev/null -w <span class="s2">&#34;%{http_code} (%{time_total}s)&#34;</span> </span></span><span class="line"><span class="cl">HTTP <span class="m">302</span> <span class="o">(</span>0.212s<span class="o">)</span> </span></span></code></pre></div><p>212ms, about <strong>twice faster</strong> than the 454ms from the original article.</p> <h2 id="the-killer-test-cascading-wordpress--mysql">The killer test: cascading WordPress + MySQL </h2><p>In the original article, I attempted the ultimate test: putting <strong>both</strong> pods (WordPress AND MySQL) with <code>runtimeClassName: zeropod</code>, then sending an HTTP request to WordPress while both are checkpointed.</p> <p>The scenario goes like this:</p> <ol> <li>After a few seconds, WordPress goes SCALED_DOWN, MySQL goes SCALED_DOWN too</li> <li>A client sends an HTTP request to WordPress</li> <li>The WordPress activator intercepts the request and restores the WordPress container</li> <li>WordPress (Apache+PHP) starts up, executes PHP code requiring a MySQL connection</li> <li>WordPress connects to MySQL on port 3306</li> <li>The MySQL activator intercepts the connection and restores MySQL</li> <li>MySQL responds, WordPress generates the page, Apache sends back the HTTP response</li> </ol> <p>True scale to zero that scales the entire app, not just the frontend/backend.</p> <p>Important note: I know that you&rsquo;d probably <strong>never</strong> want to scale down your database in production, but testing this shows that this approach (eBPF + CRIU) works beyond just scaling webservers to zero, which other tools on the market already do very well.</p> <h2 id="on-k3s-no-luck-on-kubeadm-victory">On k3s: no luck, on kubeadm: victory </h2><p>On k3s, I still haven&rsquo;t managed to make this scenario work: WordPress would restore but wouldn&rsquo;t respond on port 80. I spent quite some time trying to figure out why, without success.</p> <p>Same test, same zeropod version, but on kubeadm:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl http://&lt;POD_IP&gt;/ -s -o /dev/null -w <span class="s2">&#34;%{http_code} (%{time_total}s)&#34;</span> </span></span><span class="line"><span class="cl">HTTP <span class="m">302</span> <span class="o">(</span>0.224s<span class="o">)</span> </span></span></code></pre></div><p><strong>224ms.</strong> Both pods went from SCALED_DOWN to RUNNING, the WordPress page loads. I repeated the test 5 times in a row:</p> <table> <thead> <tr> <th>Cycle</th> <th>Time (curl)</th> <th>HTTP</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>229ms</td> <td>302</td> </tr> <tr> <td>2</td> <td>192ms</td> <td>302</td> </tr> <tr> <td>3</td> <td>227ms</td> <td>302</td> </tr> <tr> <td>4</td> <td>230ms</td> <td>302</td> </tr> <tr> <td>5</td> <td>211ms</td> <td>302</td> </tr> </tbody> </table> <p>The zeropod logs confirm both containers waking up:</p> <pre tabindex="0"><code>WordPress: SCALED_DOWN → RUNNING MySQL: SCALED_DOWN → RUNNING </code></pre><h2 id="what-really-changed-since-v06x">What really changed since v0.6.x </h2><p><strong>Probes (finally!)</strong></p> <p>This was my main grievance in the first article. Today, it&rsquo;s resolved:</p> <ul> <li>Before: impossible to use Kubernetes probes → zeropod unusable in any somewhat serious use case</li> <li>After: the activator intercepts probes in SCALED_DOWN (replies 200 without restore), and the socket tracker filters kubelet connections in RUNNING state</li> </ul> <p><strong>Stability</strong></p> <p>The flaky behavior (pod loss under simultaneous load) is gone. Where I had failures in the original article, sequential and simultaneous load tests all pass now.</p> <p><strong>Performance</strong></p> <p>Checkpoint gained ~50% speed (185ms vs 400ms). Restore too (200ms vs 454ms). Probably thanks to CRIU v4.2 and zeropod optimizations.</p> <p><strong>kubectl top pods</strong></p> <p>This small detail was an eyesore — <code>kubectl top pods</code> crashed on checkpointed pods. Fixed in v0.9.0.</p> <h2 id="some-remaining-limitations">Some remaining limitations </h2><p>I&rsquo;d be dishonest if I said everything is perfect. Here&rsquo;s what&rsquo;s still problematic:</p> <ol> <li>Since September 2025, zeropod no longer uses <code>--tcp-established</code> for CRIU. This means if your container has outgoing TCP connections at checkpoint time, they will be lost. In practice, for a web server, this means reconnecting to the database after restore. With zeropod, the MySQL connection is re-established automatically (the current PHP request fails, the next one succeeds). This is a detail that may matter depending on your use case.</li> <li>I only tested WordPress (Apache + mod_php) and MySQL. Applications using websockets, streaming, or long-lived connections might behave differently.</li> <li>I had difficulties getting it to work properly on k3s.</li> <li>I observed a glitch (Apache segfault) on the first restore of a freshly created WordPress pod. It&rsquo;s not reproducible after a normal checkpoint/restore cycle, but if you frequently redeploy your pods, you might encounter it.</li> </ol> <h2 id="verdict">Verdict </h2><p>One year later, zeropod seems to deliver on more of its promises:</p> <ul> <li>Even though it wasn&rsquo;t a dealbreaker, checkpoint/restore performance has improved significantly (~50% faster), which is always welcome</li> <li>Kubernetes probe support has been added, lifting what I considered the main blocker</li> <li>General stability is better</li> <li>The cascade test (WordPress + MySQL) works</li> </ul> <p>I&rsquo;m still just as hyped about the idea of freezing a container and restoring it 10 seconds later like nothing happened. The magic of CRIU and eBPF combined is starting to materialize, after years of waiting.</p> <p>Would I put this in production? Let&rsquo;s say it&rsquo;s less risky than a year ago. On my personal cluster for fun, why not. For a production database with long-lived connections, I think I&rsquo;d still pass ;-).</p> <p>But honestly, the project has evolved well and deserves a closer look.</p>