Add instructions for a privileged build (#13)

Author: rvansa

.dockerignore

@@ -0,0 +1 @@
+Dockerfile.*

Dockerfile.checkpoint

@@ -1,6 +1,7 @@
-ARG JDK_NAME=zulu22.30.13-ca-crac-jdk22.0.1-linux_x64
+ARG BASE_IMAGE=ubuntu:24.04
+ARG JDK_NAME=zulu22.32.17-ca-crac-jdk22.0.2-linux_x64
 
-FROM ubuntu:24.04 as builder
+FROM $BASE_IMAGE AS builder
 ARG JDK_NAME
 
 RUN apt-get update && apt-get install -y wget
@@ -9,7 +10,7 @@ RUN tar zxf ./crac-jdk.tar.gz -C /usr/share
 
 # End of builder
 
-FROM ubuntu:24.04
+FROM $BASE_IMAGE
 ARG JDK_NAME
 ARG FAT_JAR=
 

Dockerfile.privileged

@@ -0,0 +1,57 @@
+# syntax=docker/dockerfile:1.3-labs
+
+###
+# This Dockerfile requires priviledged builder and as such cannot be run usin
+# regular `docker build ...`. You need to first create a buildx builder and
+# then use it to perform the build:
+#
+#   docker buildx create --buildkitd-flags '--allow-insecure-entitlement security.insecure' --name privileged-builder
+#   docker buildx build --load --builder privileged-builder --allow=security.insecure -f Dockerfile.privileged -t example-spring-boot .
+#
+###
+
+ARG BASE_IMAGE=ubuntu:24.04
+ARG JDK_NAME=zulu22.32.17-ca-crac-jdk22.0.2-linux_x64
+
+FROM $BASE_IMAGE AS builder
+ARG JDK_NAME
+ENV JAVA_HOME=/usr/share/$JDK_NAME
+ENV ENDPOINT=http://localhost:8080
+
+RUN apt-get update && apt-get install -y curl maven siege wget
+RUN wget -O crac-jdk.tar.gz https://cdn.azul.com/zulu/bin/$JDK_NAME.tar.gz
+RUN tar zxf ./crac-jdk.tar.gz -C /usr/share
+
+ADD . /example-spring-boot
+RUN cd /example-spring-boot && mvn -B install && mv target/example-spring-boot-0.0.1-SNAPSHOT.jar /example-spring-boot.jar
+
+RUN --security=insecure <<END_OF_SCRIPT
+#!/bin/bash
+
+# Start the process in background. We are adding -XX:CRaCMinPid to explicitly
+# offset PIDs (needed for unprivileged restore) as the process started from
+# this script won't be running as PID 1, disabling the built-in offsetting.
+$JAVA_HOME/bin/java -XX:CPUFeatures=generic -XX:CRaCMinPid=128 -XX:CRaCCheckpointTo=/cr -jar /example-spring-boot.jar &
+PID=$!
+# Wait until the connection is opened
+until curl --output /dev/null --silent --head --fail $ENDPOINT; do
+    sleep 0.1
+done
+# Warm-up the server by executing 100k requests against it
+siege -c 1 -r 100000 -b $ENDPOINT
+# Do the checkpoint
+$JAVA_HOME/bin/jcmd /example-spring-boot.jar JDK.checkpoint
+# Wait until the process completes, returning success (wait would return exit code 137)
+wait $PID || true
+
+END_OF_SCRIPT
+
+FROM $BASE_IMAGE
+ARG JDK_NAME
+ENV JAVA_HOME=/usr/share/$JDK_NAME
+ENV PATH="$PATH:$JAVA_HOME/bin"
+
+COPY --from=builder /usr/share/${JDK_NAME} /usr/share/${JDK_NAME}
+COPY --from=builder /cr /cr
+COPY --from=builder /example-spring-boot.jar /example-spring-boot.jar
+CMD [ "java", "-XX:CRaCRestoreFrom=/cr" ]

README.md

@@ -73,3 +73,20 @@ docker run -it --rm -p 8080:8080 example-spring-boot
 # In another terminal
 curl localhost:8080
 ```
+
+## Checkpoint as Dockerfile build step
+
+In order to perform a checkpoint in a container we need those extra capabilites mentioned in the commands above. Regular `docker build ...` does not include these and therefore it is not possible to do the checkpoint as a build step - unless we create a docker buildx builder that will include these. See [Dockerfile reference](https://docs.docker.com/reference/dockerfile/#run---security) for more details. Note that you require a recent version of Docker BuildKit to do so.
+
+```
+docker buildx create --buildkitd-flags '--allow-insecure-entitlement security.insecure' --name privileged-builder
+docker buildx build --load --builder privileged-builder --allow=security.insecure -f Dockerfile.privileged -t example-spring-boot .
+```
+
+Now you can start the example as before with
+```
+docker run -it --rm -p 8080:8080 example-spring-boot
+```
+
+The most important part of the Dockerfile is invoking the checkpoint with `RUN --security=insecure`. Also, when creating your own Dockerfiles don't forget to enable the experimental syntax using `# syntax=docker/dockerfile:1.3-labs`.
+