Speedy startup with Liberty InstantOn on Red Hat OpenShift Container Platform

By Tam Dinh posted Wed September 18, 2024 04:49 PM

  

This blog gives step-by-step instructions for deploying an application with Liberty InstantOn to Red Hat OpenShift Container Platform (OCP) using the Open Liberty Operator (OLO). Liberty InstantOn provides a fast startup time for applications. The sample application guide-security-intro is used throughout this blog.

Prerequisites:

Steps

    • Run sample application to get the server startup time for comparison
    • Build an InstantOn application container image and run the application on a Linux machine
    • Deploy the InstantOn application container image to Red Hat OpenShift Container Platform using Open Liberty Operator

Run sample application to get the server startup time for comparison

On the Linux machine, download guide-security-intro and run the application following the openliberty.io guide Securing a web application. To run Open Liberty with Java 17, set JAVA_HOME to the Java 17 installation directory if it is not already on the PATH. Compile and run the application with the mvn liberty:run command.

    export JAVA_HOME=/jdk-17.0.12+7/
    git clone https://github.com/OpenLiberty/guide-security-intro.git

    cd guide-security-intro/finish

    mvn liberty:run
    ...
    [INFO] Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
    [INFO] [AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
    [INFO] [AUDIT   ] CWWKG0028A: Processing included configuration resource: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/userRegistry.xml
    [INFO] [AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/configDropins/overrides/liberty-plugin-variable-config.xml
    [INFO] [AUDIT   ] CWWKZ0058I: Monitoring dropins for applications.
    [INFO] [AUDIT   ] CWPKI0820A: The default keystore has been created using the 'keystore_password' environment variable.
    [INFO] [AUDIT   ] CWWKS4104A: LTPA keys created in 2.560 seconds. LTPA key file: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/resources/security/ltpa.keys
    [INFO] [AUDIT   ] CWPKI0803A: SSL certificate created in 4.540 seconds. SSL key file: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/resources/security/key.p12
    [INFO] [AUDIT   ] CWWKT0016I: Web application available (default_host): http://tam-ub2204-svl1.fyre.ibm.com:9080/
    [INFO] [AUDIT   ] CWWKZ0001I: Application guide-security-intro.war started in 4.920 seconds.
    [INFO] [AUDIT   ] CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
    [INFO] [AUDIT   ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 13.592 seconds.
    

From the Open Liberty log above, the server was started in 13.592 seconds.  This is without Liberty InstantOn.

Build an InstantOn application container image and run the application on a Linux machine

In this section, I will create a Containerfile and use podman to build and run the InstantOn guide-security-intro application container image. The Linux capabilities added on the podman command lines are required by Checkpoint/Restore In Userspace (CRIU) to checkpoint and restore the application process. The following steps were run on Ubuntu 22.04 with kernel version 5.15.0, Java 17, podman version 3.4.4, and Apache Maven 3.9.9.

1. Compile and package the application into target/guide-security-intro.war.

    mvn clean package

2. Create a Containerfile that packages the application with the Open Liberty container image and Java 17. The checkpoint.sh script in the last line of the Containerfile takes the application checkpoint after the application has started.

    FROM icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi
    
    # Add a Liberty server configuration that includes all necessary features
    COPY --chown=1001:0 ./src/main/liberty/config/server.xml /config/server.xml
    COPY --chown=1001:0 ./src/main/liberty/config/userRegistry.xml /config/userRegistry.xml
    
    # This script adds the requested XML snippets to enable Liberty features and grow the image to be fit-for-purpose.
    # This option is available only in the 'kernel-slim' image type. The 'full' and 'beta' tags already include all features.
    RUN features.sh
    
    # Add an application
    COPY --chown=1001:0 ./target/guide-security-intro.war /config/apps/
    
    # This script adds the requested server configuration, applies any interim fixes, and populates caches to optimize the runtime.
    RUN configure.sh
    
    # checkpoint application
    RUN checkpoint.sh afterAppStart
    

3. Build the guide-security-inston InstantOn application container image. Run the following command as the root user or with sudo. The --cap-add parameters are the Linux capabilities that CRIU requires to checkpoint and restore the application process.

    podman build -t guide-security-inston --cap-add=CHECKPOINT_RESTORE --cap-add=SYS_PTRACE --cap-add=SETPCAP --security-opt seccomp=unconfined -f Containerfile .
    

4. Run the guide-security-inston InstantOn application container image. The criuRequiredSysCalls.json seccomp profile grants the InstantOn restore process access to all Linux system calls. In the output below, the server was restored from the checkpoint and started in 0.175 seconds, instead of the 13.592 seconds taken without Liberty InstantOn.

    podman run --rm --cap-add=CHECKPOINT_RESTORE --cap-add=SETPCAP --security-opt seccomp=./criuRequiredSysCalls.json -p 9080 -p 9443 --name guide-security-inston guide-security-inston
    
    [AUDIT   ] Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
    [AUDIT   ] CWWKT0016I: Web application available (default_host): http://0a65cbf7af93:9080/
    [AUDIT   ] CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.161 seconds.
    [AUDIT   ] CWWKZ0001I: Application guide-security-intro.war started in 0.163 seconds.
    [AUDIT   ] CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
    [AUDIT   ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.175 seconds.
    

5. Push the InstantOn application container image to a registry so that it can be deployed to OCP. For example, the commands below push the application image to "my-registry".

    podman tag guide-security-inston my-registry/instanton/guide-security-inston
    podman login my-registry -u <myUser> -p <myToken>
    podman push my-registry/instanton/guide-security-inston

Deploy the InstantOn application container image to Red Hat OpenShift Container Platform using Open Liberty Operator

In this section, I will deploy the guide-security-inston InstantOn application container image to OCP 4.15. Deploying an InstantOn application to OCP requires a security context constraints (SCC) resource that grants the pods additional capabilities and permissions. Open Liberty Operator v1.3.3 will be used to deploy the application to the sample-security project, so all configuration steps are run in this project.

1. Log in to the OCP cluster using the oc login command. Below is an example of the oc login command that is generated when you click Copy login command in the username drop-down menu at the top right of the OCP console.

    oc login --token=xxxxx --server=https://api.my-ocp.cp.fyre.ibm.com:6443

2. Install Open Liberty Operator. 

In the OCP console, navigate to Operators > OperatorHub, search for Open Liberty and install OLO with the default values.

3. Create a new sample-security project. 

    oc new-project sample-security
    

4. If the InstantOn application container image was pushed to a secured registry, create an image pull secret so that pods can pull the container image; otherwise, skip this step. The command below creates a pull secret when you do not have a Docker credentials file for the secured registry.

    oc create secret docker-registry my-secret --docker-server="my-registry" --docker-username="my-user" --docker-password="my-password" --docker-email="my-email"

5. Create security context constraints (SCCs) to grant additional capabilities and permissions to pods. Create the scc-cap-cr.yaml file with the following content and run "oc apply -f scc-cap-cr.yaml" to create the SecurityContextConstraints resource.

    kind: SecurityContextConstraints
    metadata:
      annotations:
        kubernetes.io/description: criu-scc is based on the restricted SCC but removes any restrictions
          that prevent the restore image from running successfully.
      generation: 1
      name: scc-cap-cr
    allowHostDirVolumePlugin: true
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities:
    - CHECKPOINT_RESTORE
    - SETPCAP
    fsGroup:
      type: RunAsAny
    groups:
    - system:authenticated
    priority: null
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
    users: []
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    

* Note: if you install Open Liberty Operator 1.4.0 or later, you also need to add the following to the SecurityContextConstraints:

    seccompProfiles:
    - runtime/default
    

6. Create the liberty-instanton-scc service account and add the SCC to it. This service account is referenced in the OpenLibertyApplication yaml.

    oc create serviceaccount liberty-instanton-scc
    oc adm policy add-scc-to-user scc-cap-cr -z liberty-instanton-scc

7. Deploy the application using the following deploy-guide-security.yaml file and run "oc apply -f deploy-guide-security.yaml". You can also deploy from the Red Hat OpenShift console by navigating to Operators > Installed Operators > Open Liberty > OpenLibertyApplication > Create OpenLibertyApplication, selecting "YAML view" and pasting in the yaml below. In this OpenLibertyApplication yaml file, the service account with the SCC permissions is specified in .spec.serviceAccountName, .spec.pullSecret is needed if your application container image is in a secured registry, and .spec.securityContext grants the container the permissions that the InstantOn restore process needs.

      kind: OpenLibertyApplication
      apiVersion: apps.openliberty.io/v1
      metadata:
        name: guide-security
        labels:
          app: guide-security
      spec:
        applicationImage: 'my-registry/instanton/guide-security-inston'
        expose: true
        replicas: 1
        serviceAccount:
          mountToken: true
        statefulSet: {}
        pullPolicy: Always
        pullSecret: my-secret
        env:
          - name: WLP_LOGGING_CONSOLE_FORMAT
            value: simple
        serviceAccountName: liberty-instanton-scc
        securityContext:
          allowPrivilegeEscalation: true
          privileged: false
          runAsNonRoot: true
          capabilities:
            add:
            - CHECKPOINT_RESTORE
            - SETPCAP
            drop:
            - ALL
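To confirm that a deployed pod received only the permissions this yaml asks for, here is an added audit script (not part of the blog or of the Open Liberty Operator) that checks each container's securityContext from `oc get pod guide-security-0 -o json` against the policy above; the container name "app" in the embedded sample is a constructed assumption.

```python
"""Audit container securityContexts from `oc get pod -o json` against the
InstantOn least-privilege policy: only CHECKPOINT_RESTORE and SETPCAP added,
ALL dropped, not privileged, running as non-root. Added example, not part of
the blog or the Open Liberty Operator."""
import json
import sys

# The two capabilities CRIU needs for the restore; any other add is a finding.
ALLOWED_ADDS = {"CHECKPOINT_RESTORE", "SETPCAP"}


def audit_security_context(sc):
    """Return a list of findings; an empty list means the context is compliant."""
    findings = []
    caps = sc.get("capabilities") or {}
    extra = set(caps.get("add") or []) - ALLOWED_ADDS
    if extra:
        findings.append(f"unexpected added capabilities: {sorted(extra)}")
    if "ALL" not in (caps.get("drop") or []):
        findings.append("capabilities.drop must include ALL")
    if sc.get("privileged", False):
        findings.append("privileged must be false")
    if not sc.get("runAsNonRoot", False):
        findings.append("runAsNonRoot must be true")
    return findings


def audit_pod(pod_json):
    """Audit every container in a pod document; returns {container: findings}."""
    pod = json.loads(pod_json)
    return {c["name"]: audit_security_context(c.get("securityContext") or {})
            for c in pod["spec"]["containers"]}


# Constructed sample: the securityContext from deploy-guide-security.yaml as
# it appears on the pod. The container name "app" is an assumption.
SAMPLE_POD = json.dumps({
    "kind": "Pod",
    "metadata": {"name": "guide-security-0"},
    "spec": {"containers": [{
        "name": "app",
        "image": "my-registry/instanton/guide-security-inston",
        "securityContext": {
            "allowPrivilegeEscalation": True, "privileged": False,
            "runAsNonRoot": True,
            "capabilities": {"add": ["CHECKPOINT_RESTORE", "SETPCAP"],
                             "drop": ["ALL"]}}}]}})

if __name__ == "__main__":
    # Pipe `oc get pod guide-security-0 -o json` in, or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD
    for name, findings in audit_pod(data).items():
        print(name, "OK" if not findings else "; ".join(findings))
    sys.exit(1 if any(audit_pod(data).values()) else 0)
```

Because the SCC in step 5 is granted to the system:authenticated group, the audit is worth running on every pod in the project, not only on guide-security-0.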
      

8. Verify that the application pod is running in OCP. To see the pod status in the OCP console, navigate to Workloads > Pods.

      oc get pods
      NAME               READY   STATUS    RESTARTS   AGE
      guide-security-0   1/1     Running   0          22s
      

9. View the application log using the oc logs command. To view pod logs from the OCP console, navigate to Workloads > Pods > podname > Logs.

The following log shows that the application was resumed from the checkpoint and started in OCP. Again, the server started very quickly, in 0.407 seconds instead of the 13.592 seconds taken without InstantOn.

      % oc logs guide-security-0
      Found mounted TLS certificates, generating keystore
      
      [9/17/24, 19:23:55:207 UTC] 00000037 com.ibm.ws.kernel.launch.internal.FrameworkManager           A Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
      [9/17/24, 19:23:55:232 UTC] 00000037 com.ibm.ws.config.xml.internal.ConfigRefresher               A CWWKG0016I: Starting server configuration update.
      [9/17/24, 19:23:55:233 UTC] 00000037 com.ibm.ws.config.xml.internal.ServerXMLConfiguration        A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
      [9/17/24, 19:23:55:234 UTC] 00000037 com.ibm.ws.config.xml.internal.ServerXMLConfiguration        A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/open-default-port.xml
      [9/17/24, 19:23:55:237 UTC] 00000037 com.ibm.ws.config.xml.internal.XMLConfigParser               A CWWKG0028A: Processing included configuration resource: /opt/ol/wlp/usr/servers/defaultServer/userRegistry.xml
      [9/17/24, 19:23:55:239 UTC] 00000037 com.ibm.ws.config.xml.internal.ServerXMLConfiguration        A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/overrides/truststore.xml
      [9/17/24, 19:23:55:282 UTC] 0000003e com.ibm.ws.config.xml.internal.ConfigRefresher               A CWWKG0017I: The server configuration was successfully updated in 0.053 seconds.
      [9/17/24, 19:23:55:289 UTC] 00000037 com.ibm.ws.http.internal.VirtualHostImpl                     A CWWKT0016I: Web application available (default_host): http://guide-security-0.guide-security-headless.sample-security.svc.cluster.local:9080/
      [9/17/24, 19:23:55:322 UTC] 00000037 io.openliberty.checkpoint.internal.CheckpointImpl            A CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.378 seconds.
      [9/17/24, 19:23:55:326 UTC] 00000037 com.ibm.ws.app.manager.AppMessageHelper                      A CWWKZ0001I: Application guide-security-intro.war started in 0.381 seconds.
      [9/17/24, 19:23:55:342 UTC] 00000042 com.ibm.ws.security.ready.internal.SecurityReadyServiceImpl  I CWWKS0008I: The security service is ready.
      [9/17/24, 19:23:55:343 UTC] 00000042 com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask    I CWWKS4105I: LTPA configuration is ready after 0.059 seconds.
      [9/17/24, 19:23:55:346 UTC] 00000037 com.ibm.ws.tcpchannel.internal.TCPPort                       I CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host *  (IPv4) port 9080.
      [9/17/24, 19:23:55:351 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager            A CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
      [9/17/24, 19:23:55:352 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager            I CWWKF0008I: Feature update completed in 0.407 seconds.
      [9/17/24, 19:23:55:352 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager            A CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.407 seconds.
      [9/17/24, 19:23:55:466 UTC] 00000033 com.ibm.ws.ssl.config.WSKeyStore                             I Successfully loaded default keystore: /opt/ol/wlp/output/defaultServer/resources/security/key.p12 of type: PKCS12
      [9/17/24, 19:23:55:494 UTC] 0000004f com.ibm.ws.tcpchannel.internal.TCPPort                       I CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host *  (IPv4) port 9443.
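As an added check that is not part of the blog or of Open Liberty, the following script parses Liberty console output, whether from the podman run above or from oc logs here, for CWWKC0452I and CWWKF0011I to confirm that the server really resumed from its checkpoint and to report the startup time; the 2-second threshold is an assumption.

```python
"""Check a Liberty console log for an InstantOn restore. Added example, not
from the blog or Open Liberty: it looks for CWWKC0452I (process resumed from
a checkpoint) and CWWKF0011I (server started in N seconds) and reports whether
the checkpoint was actually used and how fast the server came up."""
import re
import sys

RESUMED = re.compile(r"CWWKC0452I:.*resumed operation from a checkpoint in ([0-9.]+) seconds")
STARTED = re.compile(r"CWWKF0011I:.*server started in ([0-9.]+) seconds")


def analyze_liberty_log(text):
    """Return (resumed_from_checkpoint, restore_seconds, startup_seconds).
    A seconds value is None when its message is not present in the log."""
    resumed = RESUMED.search(text)
    started = STARTED.search(text)
    return (resumed is not None,
            float(resumed.group(1)) if resumed else None,
            float(started.group(1)) if started else None)


def instanton_ok(text, max_seconds=2.0):
    """True only if the server resumed from its checkpoint AND started within
    max_seconds (assumed threshold). No CWWKC0452I means the server did not
    resume from the checkpoint and went through a normal start instead."""
    resumed, _, startup = analyze_liberty_log(text)
    return resumed and startup is not None and startup <= max_seconds


# Constructed excerpts modelled on the logs shown in this blog (message IDs
# and timings copied from the podman run and mvn liberty:run output).
RESTORED_LOG = """\
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://0a65cbf7af93:9080/
[AUDIT   ] CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.161 seconds.
[AUDIT   ] CWWKZ0001I: Application guide-security-intro.war started in 0.163 seconds.
[AUDIT   ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.175 seconds.
"""
COLD_LOG = """\
[INFO] [AUDIT   ] CWWKZ0001I: Application guide-security-intro.war started in 4.920 seconds.
[INFO] [AUDIT   ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 13.592 seconds.
"""

if __name__ == "__main__":
    # Pipe `oc logs guide-security-0` (or the podman output) in, or use the sample.
    log = sys.stdin.read() if not sys.stdin.isatty() else RESTORED_LOG
    resumed, restore_s, startup_s = analyze_liberty_log(log)
    print(f"resumed from checkpoint: {resumed}, restore: {restore_s}s, startup: {startup_s}s")
    sys.exit(0 if instanton_ok(log) else 1)
```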
      

10. Now you can run the application using its route. To view the application route host, run "oc get routes". From the routes example below, you can open the application at https://guide-security-sample-security.apps.my-ocp.cp.fyre.ibm.com. For more information on how to use the application, see the Securing a web application guide.

To open the application from the OCP console, navigate to Networking > Routes and click the link under Location.

      oc get routes
      NAME             HOST/PORT                                                        PATH   SERVICES         PORT       TERMINATION   WILDCARD
      guide-security   guide-security-sample-security.apps.my-ocp.cp.fyre.ibm.com          guide-security   9443-tcp   reencrypt     None
      

Conclusion

In conclusion, we deployed an existing application with Liberty InstantOn and achieved a much faster startup time without making any application changes. The process consists of taking a checkpoint while building the application container image and restoring it during deployment on OCP. Fast startup is essential in "serverless" deployments. In my next blog, I will describe how to run this InstantOn application container image with the Red Hat OpenShift Serverless operator.

     
