Skip to content

Add Dockerfile#8

Open
making wants to merge 2 commits intoCRaC:masterfrom
making:master
Open

Add Dockerfile#8
making wants to merge 2 commits intoCRaC:masterfrom
making:master

Conversation

@making
Copy link

@making making commented Nov 27, 2023

I have added documentation on how to build and run a docker image with a reusable and convenient Dockerfile.

rvansa
rvansa reviewed Nov 27, 2023
View reviewed changes
README.md
```
docker run -p 8080:8080 \
--cap-add CHECKPOINT_RESTORE \
--cap-add NET_ADMIN \
Copy link
Member

@rvansa rvansa Nov 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you really need NET_ADMIN and SYS_ADMIN in here?

Copy link
Author

@making making Nov 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I tried, NET_ADMIN is required on restore. Without this option you will get the following error:

Restore checkpoint from /var/crac
Error (criu/libnetlink.c:54): -1 reported by netlink: Operation not permitted
Error (criu/net.c:3744): Unable to create a veth pair: -1
2023-11-27T09:32:22.200Z  INFO 10 --- [Attach Listener] o.s.c.support.DefaultLifecycleProcessor  : Restarting Spring-managed lifecycle beans after JVM restore
2023-11-27T09:32:22.204Z  INFO 10 --- [Attach Listener] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port 8080 (http) with context path ''
2023-11-27T09:32:22.205Z  INFO 10 --- [Attach Listener] o.s.c.support.DefaultLifecycleProcessor  : Spring-managed lifecycle restart completed (restored JVM running for 24 ms)

Similarly, SYS_ADMIN is required at checkpoint. Without this option you will get the following error:

2023-11-27T09:34:05.291Z  INFO 10 --- [Attach Listener] jdk.crac                                 : Starting checkpoint
CR: Checkpoint ...
/application/entrypoint.sh: line 13:    10 Killed                  java -XX:CRaCCheckpointTo=$CHECKPOINT_RESTORE_FILES_DIR org.springframework.boot.loader.launch.JarLauncher
Error (criu/cr-restore.c:1518): Can't fork for 10: Read-only file system
Error (criu/cr-restore.c:1835): Pid 140 do not mat

Strictly speaking, the options required at checkpoint and restore are different, but normally we would want to pass options that can be used in both cases.

Copy link
Member

@AntonKozlov AntonKozlov May 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I overlooked this PR.

The errors coming from the lack of NET_ADMIN are not critical, this is a bug they were reported as errors.

Regarding SYS_ADMIN, I believe it's possible to avoid it with changes in entrypoint.sh, for which I have a very dirty PoC. remove-extra-caps.diff.txt

But before going that route, how do you find #12, which also demonstrates creation of
docker container?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AntonKozlov AntonKozlov AntonKozlov left review comments

+1 more reviewer

@rvansa rvansa rvansa left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@making @AntonKozlov @rvansa