Add support for CRIU unprivileged mode #20683
Conversation
If the io.openliberty.checkpoint.criu.unprivileged property is set to to true, set unprivileged mode to true before invoking CRIU dump. If NoSuchMethodError is thrown it means that the JVM does not support unprivileged mode, in which case throw an exception to that effect. Signed-off-by: Younes Manton <[email protected]>
|
Please code review, @OpenLiberty/reviewer |
|
The corresponding OpenJ9 is eclipse-openj9/openj9#14836 |
|
#build |
|
I cannot process this build request due to one or both of the following:
|
tjwatson
added
CRIU
|
#build |
|
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_3Kcm8LHiEeyG_Ki6n8QKXg Target locations of links might be accessible only to IBM employees. |
|
The build ymanton-20683-20220401-1149 For help analyzing your personal build, go to https://cognitive.hursley.ibm.com/buildAnalysis.html?uuid=_3Kcm8LHiEeyG_Ki6n8QKXg |
|
#build |
|
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_HuM3gLahEey_l6cwP43xMA Target locations of links might be accessible only to IBM employees. |
| DO_CRIU_UNPRIVILEGED=false | ||
| if [ "$(id -u)" != 0 ]; then | ||
| # Not root, unprivileged by default if CRIU supports it | ||
| if [ $CRIU_SUPPORTS_UNPRIVILEGED = true -a "${CRIU_UNPRIVILEGED}" != "false" -a "${CRIU_UNPRIVILEGED}" != "1" -a "${CRIU_UNPRIVILEGED}" != "FALSE" -a "${CRIU_UNPRIVILEGED}" != "False" ]; then |
There was a problem hiding this comment.
Just noticed the "${CRIU_UNPRIVILEGED}" != "1" part should be "${CRIU_UNPRIVILEGED}" != "0".
There was a problem hiding this comment.
My latest commit removes the false check altogether. If not set to one of the "true" values then it just sets DO_CRIU_UNPRIVILEGED to false.
I also moved the check for the CRIU_UNPRIVILEGED variable to be first and if set then it never does a check for support in a criu help check. @ymanton let me know if you see an issue with that. I figured if someone sets the variable then just take what they specified and there is no need to run a criu to see if it is supported.
There was a problem hiding this comment.
Looks good, it reads clearly to me. I updated the comment as a suggestion.
ymanton
force-pushed
the
criu-unprivileged
branch
from
358830d to
e13f8f8
Compare
Introduce the CRIU_EXTRA_ARGS env var to allow the user to pass extra arguments to `criu restore`. Introduce the CRIU_UNPRIVILEGED env var to allow the user to control/override whether CRIU is invoked in privileged or unprivileged mode. Check whether CRIU supports unprivileged mode by looking for "--unprivileged" in the output of `criu --help`. If the script is invoked as root or CRIU doesn't support unprivileged mode or CRIU_UNPRIVILEGED is false, invoke CRIU in privileged mode. If the script is invoked as non-root and CRIU supports unprivileged mode, or CRIU_UNPRIVILEGED is true, invoke CRIU in unprivileged mode. Signed-off-by: Younes Manton <[email protected]>
ymanton
force-pushed
the
criu-unprivileged
branch
from
e13f8f8 to
2433ee5
Compare
|
The build ymanton-20683-20220407-1244 For help analyzing your personal build, go to https://cognitive.hursley.ibm.com/buildAnalysis.html?uuid=_HuM3gLahEey_l6cwP43xMA |
|
#build |
|
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_2IAskLdTEey_l6cwP43xMA Target locations of links might be accessible only to IBM employees. |
|
For completeness, here are the results of various combinations of support amongst the relevant components:
|
Co-authored-by: Younes Manton <[email protected]>
|
The build ymanton-20683-20220408-1103 For help analyzing your personal build, go to https://cognitive.hursley.ibm.com/buildAnalysis.html?uuid=_2IAskLdTEey_l6cwP43xMA |
|
#libby |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
This PR adds support for CRIU unprivileged mode to the checkpoint feature and the server script.
Regarding the checkpoint feature implementation:
Regarding the server script implementation: