The Deploying on Kubernetes and OpenShift with OpenJ9 CRIU Support blog post (which is now out of date) showed how to deploy on OpenShift Container Platform (OCP) using OpenJ9 CRIU Support. Since that time however, OCP has released Version 4.13 which uses Red Hat CoreOS (RHCOS) 4.13, which is based on RHEL 9. This means that the kernel now has the
clone3() system call, obviating the need to mount
/proc/sys/kernel/ns_last_pid as a volume. Additionally, IBM now provides IBM Semeru container images with the OpenJ9 CRIU Support feature. Finally, the OpenJ9 CRIU Support feature has been improved to require an even smaller set of Linux Capabilities on restore. This blog will go over how to deploy on OCP 4.13 to take advantage of all these improvements.
Build the Restore Image
The following assumes running as
root. Clone the InstantOnStartupGuide repo
git clone https://github.com/ibmruntimes/InstantOnStartupGuide.git
Run the script to build the image (note this script uses
This will generate an image with the tag
localhost/restorerun:latest. The application in the image is the same as in previous blogs (i.e. the
HelloInstantOn.java application). Tag and push the image appropriately.
It is important that the image be built on RHCOS 4.13 (or an OS with an equivalent kernel level) to ensure that the checkpoint image can be restored via
Deploy the Restore Image
Create a new project so the deployment can be appropriately scoped
oc new-project criu
oc project criu
Create a service account
oc create sa criusvcacct
Create the appropriate Security Context Constraint (SCC) to allow a restore to occur with minimal privileges. This SCC is based on the
restricted SCC. Additionally, create a new Role that uses this SCC.
oc apply -f YAMLs/ocp/scc-cap-cr-4.13.yaml
oc apply -f YAMLs/ocp/role-custom-scc-cap-cr-my-app-criu.yaml
Create a new Role Binding to bind the Role the Service Account.
oc apply -f YAMLs/ocp/rolebinding-criusvcacct-my-app-criu.yaml
Launch the deployment. Note, the
image field in
my-app-criu-4.13.yaml should be updated with the name of the container image with the checkpointed application.
oc apply -f YAMLs/common/my-app-criu-4.13.yaml
out file to view the application output.
oc get pods
-- tail -f out
Reduced SCC Capabilities
cap-cr-scc now only needs the
SETPCAP capabilities to perform a restore.
Separate CRIU Binaries
icr.io/appcafe/ibm-semeru-runtimes:open-17-jdk-ubi provides two separate
criu binaries. The checkpoint phase uses the
/usr/local/sbin/criu binary, which requires the
SETPCAP capabilities. The restore phase uses the
/opt/criu/criu binary, which only requires the
Simpler Deployment YAML
The deployment YAML no longer needs to specify
Using Semeru Base Image
The Containerfile used to build the checkpoint/restore image no longer uses an OpenLiberty image as the base image; instead it uses
At the time of this blog post, the custom SCC still needs to force the deployment to run as user
We are exploring how to remove this limitation in the future, thus further improving the user experience for OpenJ9 CRIU Support in OCP.