Liberty 24.0.0.11 InstantOn restore fail on Amazon EKS

tam512 commented 4 hours ago

Test Liberty InstantOn restore on Amazon EKS.
App checkpoint image was built on stg.icr.io/cp/olc/open-liberty-vnext:24.0.0.11-full-java21-openj9-ubi-minimal.
Restore the checkpoint app image on EKS and it fails to restore with the following errors in restore.log

Warn  (criu/kerndat.c:1153): $XDG_RUNTIME_DIR not set. Cannot find location for kerndat file
Error (criu/sockets.c:210): sockets: Diag module missing (-2)
Warn  (criu/kerndat.c:1153): $XDG_RUNTIME_DIR not set. Cannot find location for kerndat file
Error (criu/cr-restore.c:1325): Can't open -1/sys/kernel/ns_last_pid on procfs: Read-only file system
Error (criu/cr-restore.c:1451): Setting PID failed
Error (criu/cr-restore.c:2557): Restoring FAILED.

EKS cluster:

% kubectl get nodes -o wide
NAME                                           STATUS   ROLES    AGE   VERSION               INTERNAL-IP      EXTERNAL-IP    OS-IMAGE         KERNEL-VERSION                  CONTAINER-RUNTIME
ip-192-168-4-209.us-east-2.compute.internal    Ready    <none>   4h    v1.30.4-eks-a737599   192.168.4.209    18.216.72.67   Amazon Linux 2   5.10.226-214.880.amzn2.x86_64   containerd://1.7.22
ip-192-168-66-185.us-east-2.compute.internal   Ready    <none>   4h    v1.30.4-eks-a737599   192.168.66.185   13.59.29.158   Amazon Linux 2   5.10.226-214.880.amzn2.x86_64   containerd://1.7.22

Java version

% oc -n ebuy-olf-j21 exec ebuy-olf-j21-0 -- java -version
openjdk version "21.0.4" 2024-07-16 LTS
IBM Semeru Runtime Open Edition 21.0.4.1 (build 21.0.4+7-LTS)
Eclipse OpenJ9 VM 21.0.4.1 (build openj9-0.46.1, JRE 21 Linux amd64-64-Bit Compressed References 20240716_264 (JIT enabled, AOT enabled)
OpenJ9   - 4760d5d320
OMR      - 840a9adba
JCL      - db3fffb417c based on jdk-21.0.4+7)

Attach is restore.log with CRIU_LOG_LEVEL 4

criu4-logs.zip

github-actions[bot] commented 4 hours ago

Issue Number: 20416 Status: Open Recommended Components: comp:vm, comp:build, comp:gc Recommended Assignees: tajila, jasonfengj9, keithc-ca

pshipton commented 4 hours ago

@tajila

tajila commented 3 hours ago

@ymanton Please take a look at this

ymanton commented 2 hours ago

Looks like the clone3 system call is blocked via seccomp. Seccomp needs to be disabled or a custom seccomp profile that allows clone3 needs to be used.

tam512 commented 2 hours ago

I added the following to app deploy yaml as @ymanton suggested on slack discussion and the app can restore ok

securityContext:
    seccompProfile:
        type: Unconfined

Can we improve the error message so users know how to fix the problem?

eclipse-openj9 / openj9

Liberty 24.0.0.11 InstantOn restore fail on Amazon EKS #20416