Getting started with OpenJ9 CRIU Support

Overview

The previous blog introduced Eclipse OpenJ9 CRIU Support. In this blog you will learn how you can use our setup containerfiles as a convenience to create an environment for experimentation with OpenJ9 CRIU Support.

This blog assumes the demo below is run as the root user. This is because the user who launches the containers below must have the authority to grant them the necessary privileges. This is particularly relevant when running with podman, which, unlike docker, does not use a daemon with root authority.

Get the containerfile

The following section uses a Ubuntu 20.04 containerfile. Click here to jump to using a UBI8 containerfile.

Ubuntu 20.04

To get started clone the InstantOnStartupGuide repo

git clone https://github.com/ibmruntimes/InstantOnStartupGuide.git
cd InstantOnStartupGuide

Next build the container image. This will first acquire the prerequisites for running Eclipse OpenJ9, then it will acquire the CRIU prerequisites and build CRIU from source.

docker build -f Containerfiles/Containerfile.ubuntu20.privileged -t instantondemo:ub20 .

Next launch the container image

docker run --privileged -it instantondemo:ub20

The next section goes over using a UBI8 containerfile. Click here to jump to trying the demo.

UBI8

To get started clone the InstantOnStartupGuide repo

git clone https://github.com/ibmruntimes/InstantOnStartupGuide.git
cd InstantOnStartupGuide

Next build the container image. This will first acquire the prerequisites for running Eclipse OpenJ9, then it will acquire the CRIU prerequisites as well as the CRIU binary and shared library. It should be noted that the CRIU binary provided by UBI8 may not work if the host is newer than RHEL8.X.

podman build -f Containerfiles/Containerfile.ubi8.privileged -t instantondemo:ubi8 .

Next launch the container image

podman run --privileged -it instantondemo:ubi8

Trying the demo

At this point you should have a terminal session inside the newly created container. In the current directory you’ll see a simple demo application named “HelloInstantOn.java”. This demo application just sleeps for 3 seconds to simulate the time taken to load classes and run initialization logic in a more realistic application. With OpenJ9 CRIU Support you can perform the initialization phase during a checkpoint run, then restore the application when its ready. This means that on a restore run you skip the entire initialization phase and greatly improve the startup time of the application. We will try this out next. Run the following command

javac HelloInstantOn.java
time java HelloInstantOn

Depending on your machine capabilities this should take about 3 seconds to complete. You should see:

Start
Load and initialize classes
....
Application ready!

Looking at the file with vim.

vim HelloInstantOn.java

You’ll see that there is a loop that waits a total of 3 seconds before moving on to the application ready phase in order to simulate the logic that your application might have. Next, we’ll look at how to take a checkpoint after this loop to boost startup time. Un-comment the line that begins with checkpoint and save the changes.

//checkPointJVM("checkpointData");

checkPointJVM is a helper method that creates a CRIUSupport instance and triggers a checkpoint in the specified directory. In this case that’s “checkpointData”. Once you’ve saved and closed the file. Create the “checkpointData” directory.

mkdir checkpointData

The CRIU Support capabilities are not available by default, so you’ll need to add a command line option, -XX:+EnableCRIUSupport, to enable it. Next, we will recompile the application and try it again with the new option. Running the following commands will create a checkpoint image in the “checkpointData” directory. Note, for this run we will not track the time it takes, as this step is typically something that will be done in the build phase and it is more relevant to measure the time at the restore phase.

javac HelloInstantOn.java
java -XX:+EnableCRIUSupport HelloInstantOn

You should see this:

Start
Load and initialize classes
....
Killed

Now that you’ve created a checkpoint, the next step is to restore the image. This time will we track how long it takes.

time criu restore -D ./checkpointData --shell-job -v4 --log-file=restore.log

You should observe that application resumes after the “checkpointJVM” method and that the application is ready roughly 10 times faster than when the application was run from the start. This is the kind of startup boost the users can expect with OpenJ9 CRIU Support.

Setting up container restore

The previous steps demonstrate how to create a checkpoint and restore it. In production you’d ideally want to save the checkpointed image as part of your build phase and restore it at deployment. To accomplish this one can construct a container image with the checkpointed image.

The following section uses a Ubuntu 20.04 container. Click here to jump to using a UBI8 container.

Ubuntu 20.04

To start, first exit the container to return to the InstantOnStartupGuide repo, then launch the build script.

bash Scripts/privileged/build.sh

The script will run all the steps in the previous section and save it has a container image. Once it completes the only remaining step is to launch the restore container. Below is a helpful script that can launch it for you; use

bash Scripts/privileged/restoreContainer.sh

UBI8

To start, first exit the container to return to the InstantOnStartupGuide repo, then launch the build script.

bash Scripts/privileged/buildUBI.sh

The script will run all the steps in the previous section and save it has a container image. Once it completes the only remaining step is to launch the restore container. Below is a helpful script that can launch it for you; use

bash Scripts/privileged/restoreContainerUBI.sh

An important distinction

Now, you may have noticed that all the demos in this blog were done with --privileged and elevated capabilities. This mode was used in this introductory article for you to try out the OpenJ9 CRIU support with minimal setup, but in the real world this is not good practice as potential attackers may be able to cause harm in this mode. See Unprivileged OpenJ9 CRIU Support for instructions on how to run OpenJ9 CRIU Support in unprivileged mode.