beam-cloud · jsun-m · Aug 27, 2025 · Aug 27, 2025 · Aug 28, 2025 · cubic-dev-ai
diff --git a/pkg/abstractions/pod/instance.go b/pkg/abstractions/pod/instance.go
@@ -33,6 +33,8 @@ func (i *podInstance) startContainers(containersToRun int) error {
 		fmt.Sprintf("STUB_ID=%s", i.Stub.ExternalId),
 		fmt.Sprintf("STUB_TYPE=%s", i.Stub.Type),
 		fmt.Sprintf("KEEP_WARM_SECONDS=%d", i.StubConfig.KeepWarmSeconds),
+		fmt.Sprintf("CHECKPOINT_ENABLED=%t", i.StubConfig.CheckpointEnabled),
+		fmt.Sprintf("CHECKPOINT_CONDITION=%s", i.StubConfig.CheckpointCondition),
 	}...)
 
 	gpuRequest := types.GpuTypesToStrings(i.StubConfig.Runtime.Gpus)

diff --git a/pkg/abstractions/pod/pod.go b/pkg/abstractions/pod/pod.go
@@ -282,6 +282,8 @@ func (s *GenericPodService) run(ctx context.Context, authInfo *auth.AuthInfo, st
 		fmt.Sprintf("STUB_ID=%s", stub.ExternalId),
 		fmt.Sprintf("STUB_TYPE=%s", stub.Type),
 		fmt.Sprintf("KEEP_WARM_SECONDS=%d", stubConfig.KeepWarmSeconds),
+		fmt.Sprintf("CHECKPOINT_ENABLED=%t", stubConfig.CheckpointEnabled),
+		fmt.Sprintf("CHECKPOINT_CONDITION=%s", stubConfig.CheckpointCondition),
 	}...)
 
 	gpuRequest := types.GpuTypesToStrings(stubConfig.Runtime.Gpus)

diff --git a/pkg/gateway/gateway.proto b/pkg/gateway/gateway.proto
@@ -296,6 +296,7 @@ message GetOrCreateStubRequest {
   Schema inputs = 35;
   Schema outputs = 36;
   bool tcp = 37;
+  string checkpoint_condition = 38;
 }
 
 message GetOrCreateStubResponse {

diff --git a/pkg/gateway/services/stub.go b/pkg/gateway/services/stub.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"log"
 	"math"
 	"os"
 	"path"
@@ -124,31 +125,34 @@ func (gws *GatewayService) GetOrCreateStub(ctx context.Context, in *pb.GetOrCrea
 			Memory:   in.Memory,
 			ImageId:  in.ImageId,
 		},
-		Handler:            in.Handler,
-		OnStart:            in.OnStart,
-		OnDeploy:           in.OnDeploy,
-		OnDeployStubId:     in.OnDeployStubId,
-		CallbackUrl:        in.CallbackUrl,
-		PythonVersion:      in.PythonVersion,
-		TaskPolicy:         gws.configureTaskPolicy(in.TaskPolicy, types.StubType(in.StubType)),
-		KeepWarmSeconds:    uint(in.KeepWarmSeconds),
-		Workers:            uint(in.Workers),
-		ConcurrentRequests: uint(in.ConcurrentRequests),
-		MaxPendingTasks:    uint(in.MaxPendingTasks),
-		Volumes:            in.Volumes,
-		Secrets:            []types.Secret{},
-		Authorized:         in.Authorized,
-		Autoscaler:         autoscaler,
-		Extra:              json.RawMessage(in.Extra),
-		CheckpointEnabled:  in.CheckpointEnabled,
-		EntryPoint:         in.Entrypoint,
-		Ports:              in.Ports,
-		Env:                in.Env,
-		Pricing:            pricing,
-		Inputs:             inputs,
-		Outputs:            outputs,
-		TCP:                in.Tcp,
-	}
+		Handler:             in.Handler,
+		OnStart:             in.OnStart,
+		OnDeploy:            in.OnDeploy,
+		OnDeployStubId:      in.OnDeployStubId,
+		CallbackUrl:         in.CallbackUrl,
+		PythonVersion:       in.PythonVersion,
+		TaskPolicy:          gws.configureTaskPolicy(in.TaskPolicy, types.StubType(in.StubType)),
+		KeepWarmSeconds:     uint(in.KeepWarmSeconds),
+		Workers:             uint(in.Workers),
+		ConcurrentRequests:  uint(in.ConcurrentRequests),
+		MaxPendingTasks:     uint(in.MaxPendingTasks),
+		Volumes:             in.Volumes,
+		Secrets:             []types.Secret{},
+		Authorized:          in.Authorized,
+		Autoscaler:          autoscaler,
+		Extra:               json.RawMessage(in.Extra),
+		CheckpointEnabled:   in.CheckpointEnabled,
+		CheckpointCondition: in.CheckpointCondition,
+		EntryPoint:          in.Entrypoint,
+		Ports:               in.Ports,
+		Env:                 in.Env,
+		Pricing:             pricing,
+		Inputs:              inputs,
+		Outputs:             outputs,
+		TCP:                 in.Tcp,
+	}
+
+	log.Print(stubConfig)
 
 	// Ensure GPU count is at least 1 if a GPU is required
 	if stubConfig.RequiresGPU() && in.GpuCount == 0 {

diff --git a/pkg/types/backend.go b/pkg/types/backend.go
@@ -369,32 +369,33 @@ const (
 )
 
 type StubConfigV1 struct {
-	Runtime            Runtime         `json:"runtime"`
-	Handler            string          `json:"handler"`
-	OnStart            string          `json:"on_start"`
-	OnDeploy           string          `json:"on_deploy"`
-	OnDeployStubId     string          `json:"on_deploy_stub_id"`
-	PythonVersion      string          `json:"python_version"`
-	KeepWarmSeconds    uint            `json:"keep_warm_seconds"`
-	MaxPendingTasks    uint            `json:"max_pending_tasks"`
-	CallbackUrl        string          `json:"callback_url"`
-	TaskPolicy         TaskPolicy      `json:"task_policy"`
-	Workers            uint            `json:"workers"`
-	ConcurrentRequests uint            `json:"concurrent_requests"`
-	Authorized         bool            `json:"authorized"`
-	Volumes            []*pb.Volume    `json:"volumes"`
-	Secrets            []Secret        `json:"secrets,omitempty"`
-	Env                []string        `json:"env,omitempty"`
-	Autoscaler         *Autoscaler     `json:"autoscaler"`
-	Extra              json.RawMessage `json:"extra"`
-	CheckpointEnabled  bool            `json:"checkpoint_enabled"`
-	WorkDir            string          `json:"work_dir"`
-	EntryPoint         []string        `json:"entry_point"`
-	Ports              []uint32        `json:"ports"`
-	Pricing            *PricingPolicy  `json:"pricing"`
-	Inputs             *Schema         `json:"inputs"`
-	Outputs            *Schema         `json:"outputs"`
-	TCP                bool            `json:"tcp"`
+	Runtime             Runtime         `json:"runtime"`
+	Handler             string          `json:"handler"`
+	OnStart             string          `json:"on_start"`
+	OnDeploy            string          `json:"on_deploy"`
+	OnDeployStubId      string          `json:"on_deploy_stub_id"`
+	PythonVersion       string          `json:"python_version"`
+	KeepWarmSeconds     uint            `json:"keep_warm_seconds"`
+	MaxPendingTasks     uint            `json:"max_pending_tasks"`
+	CallbackUrl         string          `json:"callback_url"`
+	TaskPolicy          TaskPolicy      `json:"task_policy"`
+	Workers             uint            `json:"workers"`
+	ConcurrentRequests  uint            `json:"concurrent_requests"`
+	Authorized          bool            `json:"authorized"`
+	Volumes             []*pb.Volume    `json:"volumes"`
+	Secrets             []Secret        `json:"secrets,omitempty"`
+	Env                 []string        `json:"env,omitempty"`
+	Autoscaler          *Autoscaler     `json:"autoscaler"`
+	Extra               json.RawMessage `json:"extra"`
+	CheckpointEnabled   bool            `json:"checkpoint_enabled"`
+	CheckpointCondition string          `json:"checkpoint_condition"`
+	WorkDir             string          `json:"work_dir"`
+	EntryPoint          []string        `json:"entry_point"`
+	Ports               []uint32        `json:"ports"`
+	Pricing             *PricingPolicy  `json:"pricing"`
+	Inputs              *Schema         `json:"inputs"`
+	Outputs             *Schema         `json:"outputs"`
+	TCP                 bool            `json:"tcp"`
 }
 
 type StubConfigLimitedValues struct {

diff --git a/pkg/worker/criu.go b/pkg/worker/criu.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	_ "embed"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"log/slog"
@@ -84,14 +85,14 @@ func InitializeCRIUManager(ctx context.Context, config types.CRIUConfig) (CRIUMa
 	return criuManager, nil
 }
 
-func (s *Worker) attemptCheckpointOrRestore(ctx context.Context, request *types.ContainerRequest, outputLogger *slog.Logger, outputWriter io.Writer, startedChan chan int, checkpointPIDChan chan int, configPath string) (int, string, error) {
+func (s *Worker) attemptCheckpointOrRestore(ctx context.Context, request *types.ContainerRequest, outputLogger *slog.Logger, outputWriter io.Writer, startedChan chan int, checkpointPIDChan chan int, configPath string, exposeNetwork func() error) (int, string, error) {
 	state, createCheckpoint := s.shouldCreateCheckpoint(request)
 
 	// If checkpointing is enabled, attempt to create a checkpoint
 	if createCheckpoint {
 		outputLogger.Info("Attempting to create container checkpoint...")
 
-		exitCode, err := s.createCheckpoint(ctx, request, outputWriter, outputLogger, startedChan, checkpointPIDChan, configPath)
+		exitCode, err := s.createCheckpoint(ctx, request, outputWriter, outputLogger, startedChan, checkpointPIDChan, configPath, exposeNetwork)
 		if err != nil {
 			return -1, "", err
 		}
@@ -113,6 +114,11 @@ func (s *Worker) attemptCheckpointOrRestore(ctx context.Context, request *types.
 		}
 		defer f.Close()
 
+		err = exposeNetwork()
+		if err != nil {
+			return -1, "", fmt.Errorf("failed to expose network: %v", err)
-			return -1, "", fmt.Errorf("failed to expose network: %v", err)
+			return -1, "", fmt.Errorf("failed to expose network: %w", err)
-			return -1, "", fmt.Errorf("failed to expose network: %v", err)
+			return -1, "", fmt.Errorf("failed to expose network: %w", err)
+		}
+
 		exitCode, err := s.criuManager.RestoreCheckpoint(ctx, &RestoreOpts{
 			request: request,
 			state:   state,
@@ -123,31 +129,30 @@ func (s *Worker) attemptCheckpointOrRestore(ctx context.Context, request *types.
 			configPath: configPath,
 		})
 		if err != nil {
-			updateStateErr := s.updateCheckpointState(request, types.CheckpointStatusRestoreFailed)
-			if updateStateErr != nil {
-				log.Error().Str("container_id", request.ContainerId).Msgf("failed to update checkpoint state: %v", updateStateErr)
+			var e *runc.ExitError
+			if errors.As(err, &e) {
+				code := e.Status
+
+				if code != 137 {
+					log.Error().Str("container_id", request.ContainerId).Msgf("failed to restore checkpoint: %v", err)
+					updateStateErr := s.updateCheckpointState(request, types.CheckpointStatusRestoreFailed)
+					if updateStateErr != nil {
+						log.Error().Str("container_id", request.ContainerId).Msgf("failed to update checkpoint state: %v", updateStateErr)
+					}
+				}
 			}
 			return exitCode, "", err
 		}
 
-		outputLogger.Info("Checkpoint found and restored")
 		return exitCode, request.ContainerId, nil
 	}
 
-	// If a checkpoint exists but is not available (previously failed), run the container normally
-	bundlePath := filepath.Dir(configPath)
-
-	exitCode, err := s.runcHandle.Run(s.ctx, request.ContainerId, bundlePath, &runc.CreateOpts{
-		OutputWriter: outputWriter,
-		Started:      startedChan,
-	})
-
-	return exitCode, request.ContainerId, err
+	return -1, "", fmt.Errorf("checkpoint not found")
 }
 
 // Waits for the container to be ready to checkpoint at the desired point in execution, ie.
 // after all processes within a container have reached a checkpointable state
-func (s *Worker) createCheckpoint(ctx context.Context, request *types.ContainerRequest, outputWriter io.Writer, outputLogger *slog.Logger, startedChan chan int, checkpointPIDChan chan int, configPath string) (int, error) {
+func (s *Worker) createCheckpoint(ctx context.Context, request *types.ContainerRequest, outputWriter io.Writer, outputLogger *slog.Logger, startedChan chan int, checkpointPIDChan chan int, configPath string, exposeNetwork func() error) (int, error) {
 	bundlePath := filepath.Dir(configPath)
 
 	go func() {
@@ -214,6 +219,11 @@ func (s *Worker) createCheckpoint(ctx context.Context, request *types.ContainerR
 		if updateStateErr != nil {
 			log.Error().Str("container_id", request.ContainerId).Msgf("failed to update checkpoint state: %v", updateStateErr)
 		}
+
+		err = exposeNetwork()
+		if err != nil {
+			log.Error().Str("container_id", request.ContainerId).Msgf("failed to expose network: %v", err)
+		}
 	}()
 
 	exitCode, err := s.criuManager.Run(ctx, request, bundlePath, &runc.CreateOpts{

diff --git a/pkg/worker/lifecycle.go b/pkg/worker/lifecycle.go
@@ -86,7 +86,7 @@ func (s *Worker) stopContainer(containerId string, kill bool) error {
 		return nil
 	}
 
-	log.Info().Str("container_id", containerId).Msg("container stopped")
+	log.Info().Str("container_id", containerId).Msgf("container stopped with signal %d", signal)
 	return nil
 }
 
@@ -542,6 +542,16 @@ func (s *Worker) getContainerEnvironment(request *types.ContainerRequest, option
 	return env
 }
 
+func (s *Worker) exposeBindPorts(containerId string, request *types.ContainerRequest, opts *ContainerOptions) error {
+	for idx, bindPort := range opts.BindPorts {
+		err := s.containerNetworkManager.ExposePort(containerId, bindPort, int(request.Ports[idx]))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 // spawn a container using runc binary
 func (s *Worker) spawn(request *types.ContainerRequest, spec *specs.Spec, outputLogger *slog.Logger, opts *ContainerOptions) {
 	ctx, cancel := context.WithCancel(s.ctx)
@@ -668,15 +678,6 @@ func (s *Worker) spawn(request *types.ContainerRequest, spec *specs.Spec, output
 		}
 	}
 
-	// Expose the bind ports
-	for idx, bindPort := range opts.BindPorts {
-		err = s.containerNetworkManager.ExposePort(containerId, bindPort, int(request.Ports[idx]))
-		if err != nil {
-			log.Error().Str("container_id", containerId).Msgf("failed to expose container bind port: %v", err)
-			return
-		}
-	}
-
 	// Write runc config spec to disk
 	configContents, err := json.MarshalIndent(spec, "", " ")
 	if err != nil {
@@ -726,7 +727,7 @@ func (s *Worker) spawn(request *types.ContainerRequest, spec *specs.Spec, output
 		go s.watchOOMEvents(ctx, request, outputLogger, &isOOMKilled) // Watch for OOM events
 	}()
 
-	exitCode, containerId, _ = s.runContainer(ctx, request, configPath, outputLogger, outputWriter, startedChan, checkpointPIDChan)
+	exitCode, containerId, _ = s.runContainer(ctx, request, configPath, outputLogger, outputWriter, startedChan, checkpointPIDChan, opts)
 
 	stopReason := types.StopContainerReasonUnknown
 	containerInstance, exists = s.containerInstances.Get(containerId)
@@ -762,16 +763,24 @@ func (s *Worker) spawn(request *types.ContainerRequest, spec *specs.Spec, output
 	}
 }
 
-func (s *Worker) runContainer(ctx context.Context, request *types.ContainerRequest, configPath string, outputLogger *slog.Logger, outputWriter *common.OutputWriter, startedChan chan int, checkpointPIDChan chan int) (int, string, error) {
+func (s *Worker) runContainer(ctx context.Context, request *types.ContainerRequest, configPath string, outputLogger *slog.Logger, outputWriter *common.OutputWriter, startedChan chan int, checkpointPIDChan chan int, opts *ContainerOptions) (int, string, error) {
 	// Handle checkpoint creation & restore if applicable
 	if s.IsCRIUAvailable(request.GpuCount) && request.CheckpointEnabled {
-		exitCode, containerId, err := s.attemptCheckpointOrRestore(ctx, request, outputLogger, outputWriter, startedChan, checkpointPIDChan, configPath)
+		exitCode, containerId, err := s.attemptCheckpointOrRestore(ctx, request, outputLogger, outputWriter, startedChan, checkpointPIDChan, configPath, func() error {
+			return s.exposeBindPorts(request.ContainerId, request, opts)
+		})
 		if err == nil {
 			return exitCode, containerId, err
 		}
 		log.Warn().Str("container_id", request.ContainerId).Err(err).Msgf("error running container from checkpoint/restore, exit code %d", exitCode)
 	}
 
+	err := s.exposeBindPorts(request.ContainerId, request, opts)
+	if err != nil {
+		log.Error().Str("container_id", request.ContainerId).Msgf("failed to expose container bind ports: %v", err)
+		return -1, "", err
+	}
+
 	bundlePath := filepath.Dir(configPath)
 	exitCode, err := s.runcHandle.Run(ctx, request.ContainerId, bundlePath, &runc.CreateOpts{
 		OutputWriter: outputWriter,