Running Spring Boot with CRaC on Knative
```dockerfile
# Build stage: download the Azul Zulu CRaC JDK and package the application
FROM ubuntu:22.04 AS build-app
WORKDIR /home/app
USER root
# Add required libraries
RUN apt-get update && apt-get install -y \
    curl \
    jq \
    libnl-3-200 \
    && rm -rf /var/lib/apt/lists/*
ENV JAVA_HOME=/azul-crac-jdk
# -f makes curl fail on an HTTP error instead of piping an error page into tar
RUN mkdir $JAVA_HOME \
    && curl -fsSL https://cdn.azul.com/zulu/bin/zulu17.42.21-ca-crac-jdk17.0.7-linux_x64.tar.gz | tar -xz --strip-components 1 -C $JAVA_HOME
COPY mvnw mvnw.cmd pom.xml /home/app/
COPY .mvn/ /home/app/.mvn/
COPY src/ /home/app/src/
RUN ./mvnw package && mv target/spring-boot-crac-demo-1.0.0-SNAPSHOT.jar spring-boot-crac-demo.jar

# Runtime stage: the same image is used by the checkpoint Job and the restore workloads
FROM ubuntu:22.04
WORKDIR /home/app
USER root
ENV JAVA_HOME=/azul-crac-jdk
ENV PATH=$PATH:$JAVA_HOME/bin
# Add required libraries
RUN apt-get update && apt-get install -y \
    libnl-3-200 \
    && rm -rf /var/lib/apt/lists/*
# Copy the CRaC JDK from the build stage (to save a download)
COPY --from=build-app $JAVA_HOME $JAVA_HOME
# Copy the application jar and the entrypoint script
COPY --from=build-app /home/app/spring-boot-crac-demo.jar /home/app/spring-boot-crac-demo.jar
COPY src/scripts/entrypoint.sh /home/app/entrypoint.sh
ENTRYPOINT ["/home/app/entrypoint.sh"]
```
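```bash
#!/bin/bash
# src/scripts/entrypoint.sh: create a checkpoint if none exists, otherwise restore from it
set -x
# Expand any variable references contained in the configured path
CRAC_FILES_DIR=$(eval echo "${CRAC_FILES_DIR}")
mkdir -p "$CRAC_FILES_DIR"
if [ -z "$(ls -A "$CRAC_FILES_DIR")" ]; then
  # Directory is empty: no checkpoint yet.
  # Raise the last-used PID to at least 128 before starting the JVM, either by
  # writing ns_last_pid directly or by spawning processes until the counter gets there.
  ( echo 128 > /proc/sys/kernel/ns_last_pid ) 2>/dev/null || while [ "$(cat /proc/sys/kernel/ns_last_pid)" -lt 128 ]; do :; done
  # Start the application in the background, writing checkpoint files to CRAC_FILES_DIR
  java -Dmanagement.endpoint.health.probes.add-additional-paths="true" -Dmanagement.health.probes.enabled="true" -XX:CRaCCheckpointTo="$CRAC_FILES_DIR" -jar /home/app/spring-boot-crac-demo.jar &
  sleep 5
  # Trigger the checkpoint, then give it time to finish writing
  jcmd /home/app/spring-boot-crac-demo.jar JDK.checkpoint
  sleep 30
else
  # Checkpoint files exist: restore the JVM from them
  java -Dmanagement.endpoint.health.probes.add-additional-paths="true" -Dmanagement.health.probes.enabled="true" -XX:CRaCRestoreFrom="$CRAC_FILES_DIR" &
  PID=$!
  # Forward termination signals to the restored JVM
  trap "kill $PID" SIGINT SIGTERM
  wait $PID
fi
```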
```yaml
# k8s-job-and-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: crac-cache
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 500Mi
  storageClassName: "standard"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: create-checkpoint
spec:
  template:
    spec:
      containers:
        - name: workload
          image: harbor.emea.end2end.link/tsalm/spring-boot-crac-knative
          env:
            - name: CRAC_FILES_DIR
              value: /var/crac/test
          securityContext:
            # privileged: true already grants every capability, so the list below is redundant here
            privileged: true
            capabilities:
              add:
                - CHECKPOINT_RESTORE
                - SYS_ADMIN
                - SYS_PTRACE
            runAsUser: 0
          volumeMounts:
            - mountPath: /var/crac
              name: crac-cache
      restartPolicy: OnFailure
      imagePullSecrets:
        - name: registries-credentials
      volumes:
        - name: crac-cache
          persistentVolumeClaim:
            claimName: crac-cache
  backoffLimit: 4
```
```yaml
# restore-kservice.yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: restore-checkpoint
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/min-scale: "1"
    spec:
      containers:
        - name: workload
          image: harbor.emea.end2end.link/tsalm/spring-boot-crac-knative
          env:
            - name: CRAC_FILES_DIR
              value: /var/crac/test
          securityContext:
            runAsUser: 0
            capabilities:
              add:
                - CHECKPOINT_RESTORE
                - NET_ADMIN
                - SYS_PTRACE
          volumeMounts:
            - mountPath: /var/crac
              name: crac-cache
      volumes:
        - name: crac-cache
          persistentVolumeClaim:
            claimName: crac-cache
```
```yaml
# restore-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: restore-checkpoint
spec:
  containers:
    - name: workload
      image: harbor.emea.end2end.link/tsalm/spring-boot-crac-knative
      env:
        - name: CRAC_FILES_DIR
          value: /var/crac/test
      securityContext:
        runAsUser: 0
        capabilities:
          add:
            - CHECKPOINT_RESTORE
            - NET_ADMIN
            - SYS_PTRACE
      volumeMounts:
        - mountPath: /var/crac
          name: crac-cache
  volumes:
    - name: crac-cache
      persistentVolumeClaim:
        claimName: crac-cache
```
1. Apply the Kubernetes Job that creates the checkpoint and the PVC it stores the data on.

   ```shell
   kubectl apply -f k8s-job-and-pvc.yaml
   ```

2. Wait until the Job has completed.

   ```shell
   kubectl get job create-checkpoint
   ```

3. Apply the Knative Service or, as an alternative, the Pod that restores the checkpoint.

   ```shell
   kubectl apply -f restore-pod.yaml
   ```

   Knative alternative:

   Before applying the kService, you have to edit the config-features configmap to enable the following configuration.

   ```shell
   kubectl edit cm -n knative-serving config-features
   ```

   ```yaml
   kubernetes.containerspec-addcapabilities: enabled
   kubernetes.podspec-securitycontext: enabled
   kubernetes.podspec-persistent-volume-claim: "enabled"
   kubernetes.podspec-persistent-volume-write: "enabled"
   kubernetes.podspec-fieldref: "enabled"
   ```

   ```shell
   kubectl apply -f restore-kservice.yaml
   ```

4. Inspect the logs of the application.
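Because entrypoint.sh chooses between checkpoint and restore only by whether `CRAC_FILES_DIR` is empty, applying the restore manifest before the Job has finished sends the restore container down the wrong branch or starts it from partly written files. The script below is an added example, not part of the gist, that scripts steps 1 to 3 and refuses to restore unless the Job reports `Complete`; the function names and the `RESTORE_MANIFEST` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the gist): gate the restore step on a finished checkpoint Job.
JOB=create-checkpoint                                   # Job name from k8s-job-and-pvc.yaml
RESTORE_MANIFEST=${RESTORE_MANIFEST:-restore-pod.yaml}  # or restore-kservice.yaml (assumed variable)

# Print "complete", "failed" or "running" based on the Job's status conditions.
job_state() {
  conds=$(kubectl get job "$JOB" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}') || return 2
  case "$conds" in
    *Complete=True*) echo complete ;;
    *Failed=True*)   echo failed ;;
    *)               echo running ;;
  esac
}

# Poll the Job up to $1 times, $2 seconds apart. Returns 0 only when it completed.
wait_for_checkpoint() {
  tries=${1:-60}
  delay=${2:-5}
  while [ "$tries" -gt 0 ]; do
    state=$(job_state) || return 1
    case "$state" in
      complete) return 0 ;;
      failed)   echo "checkpoint Job failed; not restoring" >&2; return 1 ;;
    esac
    tries=$((tries - 1))
    sleep "$delay"
  done
  echo "timed out waiting for Job $JOB" >&2
  return 1
}

main() {
  kubectl apply -f k8s-job-and-pvc.yaml
  if ! wait_for_checkpoint 60 5; then
    kubectl logs "job/$JOB" --tail=50   # show why no checkpoint was produced
    exit 1
  fi
  kubectl apply -f "$RESTORE_MANIFEST"
}

# Run the procedure only when invoked as: sh <this file> run
case "${1:-}" in run) main ;; esac
```

For the Knative alternative, set `RESTORE_MANIFEST=restore-kservice.yaml` after enabling the config-features flags listed above.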