From 358830d271d74212c34dfd94026a11b46283eb10 Mon Sep 17 00:00:00 2001 From: Younes Manton Date: Fri, 1 Apr 2022 15:48:33 +0000 Subject: [PATCH] Add CRIU unprivileged mode to server script Introduce the CRIU_EXTRA_ARGS env var to allow the user to pass extra arguments to `criu restore`. Introduce the CRIU_UNPRIVILEGED env var to allow the user to control/override whether CRIU is invoked in privileged or unprivileged mode. Check whether CRIU supports unprivileged mode by looking for "--unprivileged" in the output of `criu --help`. If the script is invoked as root or CRIU doesn't support unprivileged mode or CRIU_UNPRIVILEGED is false, invoke CRIU in privileged mode. If the script is invoked as non-root and CRIU supports unprivileged mode, or CRIU_UNPRIVILEGED is true, invoke CRIU in unprivileged mode. Signed-off-by: Younes Manton --- .../publish/bin/server | 48 ++++++++++++++++++- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/dev/com.ibm.ws.kernel.boot.ws-server/publish/bin/server b/dev/com.ibm.ws.kernel.boot.ws-server/publish/bin/server index e1c4d5ff0d7d..12f0ef996198 100644 --- a/dev/com.ibm.ws.kernel.boot.ws-server/publish/bin/server +++ b/dev/com.ibm.ws.kernel.boot.ws-server/publish/bin/server @@ -30,6 +30,15 @@ #TODO need to reflect this to criu checkpoint # Set to 1-4 with 4 being max verbosity. Two "2" is the default. # +# CRIU_UNPRIVILEGED - Use criu in unprivileged mode. +# Set to one of true, True, TRUE, 1 +# or false, False, FALSE, 0 to continue +# to use criu in privileged mode. +# +# CRIU_EXTRA_ARGS - Pass extra arguments to `criu restore`. Extra arguments are +# appended to the end of the list of arguments and can therefore +# override existing arguments, if desired. +# # PID_DIR - The directory that should be used for server pid file(s). # The default value is ${WLP_OUTPUT_DIR}/.pid # @@ -296,6 +305,31 @@ if [ -n "${WLP_SKIP_BOOTSTRAP_AGENT}" ]; then JAVA_AGENT_QUOTED= fi +## +## Determine if CRIU supports unprivileged mode. +## Determine which CRIU mode to use, based on current euid, whether or not criu supports unprivileged mode, and the value of the CRIU_UNPRIVILEGED env var. +## Set DO_CRIU_UNPRIVILEGED based on the above. +## +checkCriuUnprivileged() +{ + # Determine if CRIU supports unprivileged mode + criu --help | grep -q -e '--unprivileged' && CRIU_SUPPORTS_UNPRIVILEGED=true || CRIU_SUPPORTS_UNPRIVILEGED=false + + # Determine which CRIU mode to use, based on current euid and values of CRIU_SUPPORTS_UNPRIVILEGED and CRIU_UNPRIVILEGED + DO_CRIU_UNPRIVILEGED=false + if [ "$(id -u)" != 0 ]; then + # Not root, unprivileged by default if CRIU supports it + if [ $CRIU_SUPPORTS_UNPRIVILEGED = true -a "${CRIU_UNPRIVILEGED}" != "false" -a "${CRIU_UNPRIVILEGED}" != "1" -a "${CRIU_UNPRIVILEGED}" != "FALSE" -a "${CRIU_UNPRIVILEGED}" != "False" ]; then + DO_CRIU_UNPRIVILEGED=true + fi + fi + + # Use unprivileged if explicitly requested; if CRIU doesn't support it we'll hit an error later that will be shown to the user + if [ "${CRIU_UNPRIVILEGED}" = "true" -o "${CRIU_UNPRIVILEGED}" = "1" -o "${CRIU_UNPRIVILEGED}" = "TRUE" -o "${CRIU_UNPRIVILEGED}" = "True" ]; then + DO_CRIU_UNPRIVILEGED=true + fi +} + ## ## createServer: Function to launch server create ## @@ -932,6 +966,11 @@ javaCmd() fi JVM_OPTIONS_QUOTED="$JVM_OPTIONS_QUOTED -XX:+EnableCRIUSupport $X_WLP_IMMUTABLE_VARS" + + checkCriuUnprivileged + if [ $DO_CRIU_UNPRIVILEGED = true ]; then + JVM_OPTIONS_QUOTED="$JVM_OPTIONS_QUOTED -Dio.openliberty.checkpoint.criu.unprivileged=true" + fi fi @@ -1293,13 +1332,18 @@ criuRestore() CRIU_LOG_LEVEL=2 fi + checkCriuUnprivileged + if [ $DO_CRIU_UNPRIVILEGED = true ]; then + CRIU_EXTRA_ARGS="--unprivileged $CRIU_EXTRA_ARGS" + fi + if $BACKGROUND_RESTORE then mkdirs "${X_PID_DIR}" rmIfExist "${X_PID_FILE}" criu restore --cpu-cap=none --file-locks --tcp-established --images-dir=${SERVER_OUTPUT_DIR}/workarea/checkpoint/image \ --shell-job --verbosity=${CRIU_LOG_LEVEL} --log-file ${X_LOG_DIR}/checkpoint/restore.log --pidfile ${X_PID_FILE} \ - --restore-detached + --restore-detached ${CRIU_EXTRA_ARGS} rc=$? PID=`cat ${X_PID_FILE}` if [ $rc = 0 ]; then @@ -1326,7 +1370,7 @@ criuRestore() trap "killIfRunning $TAIL_PID" EXIT criu restore --cpu-cap=none --file-locks --tcp-established --images-dir=${SERVER_OUTPUT_DIR}/workarea/checkpoint/image \ - --shell-job --verbosity=${CRIU_LOG_LEVEL} --log-file ${X_LOG_DIR}/checkpoint/restore.log + --shell-job --verbosity=${CRIU_LOG_LEVEL} --log-file ${X_LOG_DIR}/checkpoint/restore.log ${CRIU_EXTRA_ARGS} rc=$? kill $TAIL_PID