Add Dockerfile #8

Open. making wants to merge 2 commits into base: master

@making making commented Nov 27, 2023

I have added documentation on how to build and run a docker image with a reusable and convenient Dockerfile.

```
docker run -p 8080:8080 \
--cap-add CHECKPOINT_RESTORE \
--cap-add NET_ADMIN \
```

Member

Do you really need NET_ADMIN and SYS_ADMIN in here?

Author

As far as I tried, NET_ADMIN is required on restore. Without this option you will get the following error:

Restore checkpoint from /var/crac
Error (criu/libnetlink.c:54): -1 reported by netlink: Operation not permitted
Error (criu/net.c:3744): Unable to create a veth pair: -1
2023-11-27T09:32:22.200Z  INFO 10 --- [Attach Listener] o.s.c.support.DefaultLifecycleProcessor  : Restarting Spring-managed lifecycle beans after JVM restore
2023-11-27T09:32:22.204Z  INFO 10 --- [Attach Listener] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port 8080 (http) with context path ''
2023-11-27T09:32:22.205Z  INFO 10 --- [Attach Listener] o.s.c.support.DefaultLifecycleProcessor  : Spring-managed lifecycle restart completed (restored JVM running for 24 ms)

Similarly, SYS_ADMIN is required at checkpoint. Without this option you will get the following error:

2023-11-27T09:34:05.291Z  INFO 10 --- [Attach Listener] jdk.crac                                 : Starting checkpoint
CR: Checkpoint ...
/application/entrypoint.sh: line 13:    10 Killed                  java -XX:CRaCCheckpointTo=$CHECKPOINT_RESTORE_FILES_DIR org.springframework.boot.loader.launch.JarLauncher
Error (criu/cr-restore.c:1518): Can't fork for 10: Read-only file system
Error (criu/cr-restore.c:1835): Pid 140 do not mat

Strictly speaking, the options required at checkpoint and restore are different, but normally we would want to pass options that can be used in both cases.

Member

Sorry, I overlooked this PR.

The errors coming from the lack of NET_ADMIN are not critical; it is a bug that they were reported as errors.

Regarding SYS_ADMIN, I believe it's possible to avoid it with changes in entrypoint.sh, for which I have a very dirty PoC. remove-extra-caps.diff.txt

But before going that route, how do you find #12, which also demonstrates creation of a docker container?
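
To check which of the capabilities debated in this thread a container process actually holds, the hex mask in `/proc/<pid>/status` can be decoded. The script below is an added example, not part of this PR or the project's code; the sample masks are constructed from Docker's default capability set, and the function names are hypothetical.

```shell
#!/bin/sh
# Decode a Linux capability mask (the hex CapEff/CapBnd value in
# /proc/<pid>/status) and report the three capabilities debated in this thread.
# Bit numbers come from linux/capability.h.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21
CAP_CHECKPOINT_RESTORE=40

# has_cap MASK_HEX BIT: succeeds when BIT is set in MASK_HEX.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_mask MASK_HEX: prints the names of the debated capabilities that are set.
audit_mask() {
    held=""
    has_cap "$1" "$CAP_CHECKPOINT_RESTORE" && held="$held CHECKPOINT_RESTORE"
    has_cap "$1" "$CAP_NET_ADMIN" && held="$held NET_ADMIN"
    has_cap "$1" "$CAP_SYS_ADMIN" && held="$held SYS_ADMIN"
    echo "${held# }"
}

# broad_caps MASK_HEX: succeeds when a broad capability (NET_ADMIN or
# SYS_ADMIN) is present, i.e. the process holds more than CHECKPOINT_RESTORE.
broad_caps() {
    has_cap "$1" "$CAP_NET_ADMIN" || has_cap "$1" "$CAP_SYS_ADMIN"
}

# cap_mask PID FIELD: reads FIELD (CapEff, CapPrm or CapBnd) for PID.
cap_mask() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Constructed sample masks: Docker's default capability set, alone and with
# the --cap-add options discussed above.
DEFAULT_ONLY=00000000a80425fb
WITH_CR=00000100a80425fb
WITH_ALL=00000100a82435fb

for m in "$DEFAULT_ONLY" "$WITH_CR" "$WITH_ALL"; do
    if broad_caps "$m"; then verdict="broad caps present"; else verdict="ok"; fi
    echo "$m: [$(audit_mask "$m")] $verdict"
done

# Optional: pass a PID as the first argument to audit a live process.
if [ -n "${1:-}" ]; then
    echo "pid $1: [$(audit_mask "$(cap_mask "$1" CapEff)")]"
fi
```

Run inside the container with the PID of the JVM as the argument to compare the effective set against what checkpoint and restore each need.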
