This blog shows step-by-step how to deploy an application with Liberty InstantOn to Red Hat OpenShift Container Platform (OCP) using the Open Liberty Operator (OLO). Liberty InstantOn takes a checkpoint of the started application while the container image is built and restores it when the container starts, which gives a very fast startup time. The sample application guide-security-intro is used throughout this blog.
Prerequisites:
Steps
- Run the sample application to get the server startup time for comparison
- Build an InstantOn application container image and run the application on a Linux machine
- Deploy the InstantOn application container image to Red Hat OpenShift Container Platform using Open Liberty Operator
Run the sample application to get the server startup time for comparison
On the Linux machine, clone guide-security-intro and run it by following the openliberty.io guide Securing a web application. To run Open Liberty with Java 17, set JAVA_HOME to the Java 17 installation if it is not already on the PATH, then compile and run the application with the mvn liberty:run command:
export JAVA_HOME=/jdk-17.0.12+7/
git clone https://github.com/OpenLiberty/guide-security-intro.git
cd guide-security-intro/finish
mvn liberty:run
...
[INFO] Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
[INFO] [AUDIT ] CWWKE0001I: The server defaultServer has been launched.
[INFO] [AUDIT ] CWWKG0028A: Processing included configuration resource: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/userRegistry.xml
[INFO] [AUDIT ] CWWKG0093A: Processing configuration drop-ins resource: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/configDropins/overrides/liberty-plugin-variable-config.xml
[INFO] [AUDIT ] CWWKZ0058I: Monitoring dropins for applications.
[INFO] [AUDIT ] CWPKI0820A: The default keystore has been created using the 'keystore_password' environment variable.
[INFO] [AUDIT ] CWWKS4104A: LTPA keys created in 2.560 seconds. LTPA key file: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/resources/security/ltpa.keys
[INFO] [AUDIT ] CWPKI0803A: SSL certificate created in 4.540 seconds. SSL key file: /opt/Blogs/guide-security-intro/finish/target/liberty/wlp/usr/servers/defaultServer/resources/security/key.p12
[INFO] [AUDIT ] CWWKT0016I: Web application available (default_host): http://tam-ub2204-svl1.fyre.ibm.com:9080/
[INFO] [AUDIT ] CWWKZ0001I: Application guide-security-intro.war started in 4.920 seconds.
[INFO] [AUDIT ] CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
[INFO] [AUDIT ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 13.592 seconds.
From the Open Liberty log above, the server started in 13.592 seconds without Liberty InstantOn; this is the baseline for the comparisons below. Note that a cold start also generates the LTPA keys (CWWKS4104A, 2.560 seconds) and a self-signed SSL certificate (CWPKI0803A, 4.540 seconds), which accounts for a good part of that time.
Build an InstantOn application container image and run the application on a Linux machine
In this section, I create a Containerfile and use podman to build and run the InstantOn guide-security-inston application container image. Checkpoint/Restore In Userspace (CRIU) needs specific Linux capabilities to checkpoint and later restore the application process, which is why the podman build and run commands below add capabilities. The following steps were run on Ubuntu 22.04 with kernel 5.15.0, Java 17, podman 3.4.4 and Apache Maven 3.9.9.
1. Compile and package the application into target/guide-security-intro.war with Maven.
2. Create a Containerfile that layers the application on the Open Liberty Java 17 container image. Its last line runs the checkpoint.sh script, which starts the server, waits for the application to start and then takes the checkpoint (afterAppStart), so the checkpoint is taken while the image is built.
FROM icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi
# Add a Liberty server configuration that includes all necessary features
COPY --chown=1001:0 ./src/main/liberty/config/server.xml /config/server.xml
COPY --chown=1001:0 ./src/main/liberty/config/userRegistry.xml /config/userRegistry.xml
# This script adds the requested XML snippets to enable Liberty features and grow the image to be fit-for-purpose.
# This option is available only in the 'kernel-slim' image type. The 'full' and 'beta' tags already include all features.
RUN features.sh
# Add an application
COPY --chown=1001:0 ./target/guide-security-intro.war /config/apps/
# This script adds the requested server configuration, applies any interim fixes, and populates caches to optimize the runtime.
RUN configure.sh
# Start the server, wait for the application to start, then take the checkpoint.
# This runs during the build, so the build itself needs the CRIU capabilities.
RUN checkpoint.sh afterAppStart
3. Build the guide-security-inston InstantOn application container image. Run the build as root or with sudo and pass the --cap-add parameters: because checkpoint.sh runs inside the build, the build container needs the Linux capabilities that CRIU requires to checkpoint the application process.
4. Run the guide-security-inston InstantOn application container image. Only the capabilities needed for the restore are added, and the criuRequiredSysCalls.json seccomp profile allows the additional system calls that the InstantOn restore process needs. In the output below, the server resumed from the checkpoint and was ready in 0.175 seconds instead of 13.592 seconds without Liberty InstantOn.
podman run --rm --cap-add=CHECKPOINT_RESTORE --cap-add=SETPCAP --security-opt seccomp=./criuRequiredSysCalls.json -p 9080 -p 9443 --name guide-security-inston guide-security-inston
[AUDIT ] Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
[AUDIT ] CWWKT0016I: Web application available (default_host): http://0a65cbf7af93:9080/
[AUDIT ] CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.161 seconds.
[AUDIT ] CWWKZ0001I: Application guide-security-intro.war started in 0.163 seconds.
[AUDIT ] CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
[AUDIT ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.175 seconds.
5. Push the InstantOn application container image to a registry that the OCP cluster can pull from, so that it can be deployed. The commands below push it to "my-registry" as an example.
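The build, run and push steps above collected into one script, as an added example that is my own code and not from the post or the Open Liberty project. It assumes the Containerfile and criuRequiredSysCalls.json sit in guide-security-intro/finish, keeps the image name guide-security-inston and registry "my-registry" from the post, and assumes build-time capabilities CHECKPOINT_RESTORE, SYS_PTRACE and SETPCAP with seccomp=unconfined for podman build, which the post does not show. It adds two checks the post does not have: the kernel must be 5.9 or newer, because CAP_CHECKPOINT_RESTORE does not exist before that, and the container log must contain CWWKC0452I, because a restore that cannot run can fall back to a normal start and show up only as a slow startup. Set INSTANTON_RUN=1 to execute the whole procedure; without it the script only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original post): build, run, verify and push the InstantOn image.
# Assumed: run from guide-security-intro/finish, image name guide-security-inston,
# registry my-registry, criuRequiredSysCalls.json in the current directory.
set -eu

IMAGE=${IMAGE:-guide-security-inston}
REGISTRY=${REGISTRY:-my-registry}

# CAP_CHECKPOINT_RESTORE was added in Linux 5.9; before that CRIU needed CAP_SYS_ADMIN,
# which you should not hand to an application container. $1 is a `uname -r` string.
kernel_supports_cap_cr() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 9 ]; }
}

# Succeeds only if the server log proves a restore (CWWKC0452I). A missing capability or
# seccomp rule can degrade to a plain cold start, so elapsed time alone is not a reliable signal.
restored_from_checkpoint() {
  printf '%s\n' "$1" | grep -q 'CWWKC0452I'
}

build_image() {
  # Steps 1 and 3: package the WAR, then build. checkpoint.sh runs inside the build, so the
  # build container needs the CRIU capabilities (assumed list: CHECKPOINT_RESTORE, SYS_PTRACE,
  # SETPCAP) and an unrestricted seccomp profile; run this as root or with sudo.
  mvn -q package
  podman build -t "$IMAGE" \
    --cap-add=CHECKPOINT_RESTORE --cap-add=SYS_PTRACE --cap-add=SETPCAP \
    --security-opt seccomp=unconfined .
}

run_image() {
  # Step 4: the restore needs only two capabilities plus the CRIU seccomp profile; no SYS_PTRACE.
  podman run --rm -d --name "$IMAGE" \
    --cap-add=CHECKPOINT_RESTORE --cap-add=SETPCAP \
    --security-opt seccomp=./criuRequiredSysCalls.json \
    -p 9080 -p 9443 "$IMAGE"
}

verify_running_container() {
  sleep 5
  restored_from_checkpoint "$(podman logs "$IMAGE" 2>&1)"
}

push_image() {
  # Step 5: publish the image where the OCP cluster can pull it.
  podman push "$IMAGE" "$REGISTRY/$IMAGE:latest"
}

if [ "${INSTANTON_RUN:-0}" = 1 ]; then
  kernel_supports_cap_cr "$(uname -r)" || { echo "kernel $(uname -r) lacks CAP_CHECKPOINT_RESTORE" >&2; exit 1; }
  build_image
  run_image
  verify_running_container || { echo "container started without a checkpoint restore" >&2; exit 1; }
  push_image
fi
```

The kernel check matters on older enterprise kernels: without CAP_CHECKPOINT_RESTORE the only way to make CRIU work is CAP_SYS_ADMIN, which is effectively root on the host and should be refused for an application image.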
Deploy the InstantOn application container image to Red Hat OpenShift Container Platform using Open Liberty Operator
In this section, I deploy the guide-security-inston InstantOn application container image to OCP 4.15 with Open Liberty Operator v1.3.3. Restoring the checkpoint inside a pod needs the same Linux capabilities as the podman run above, and the default restricted SCC does not grant them, so a security context constraints (SCC) resource must be created and bound to the service account the pod runs as. The application is deployed to the sample-security project, so all configuration steps below are run in that project.
1. Log in to the OCP cluster with the oc login command. The example below is the oc login command generated when you click Copy login command in the username drop-down menu at the top right of the OCP console.
2. Install Open Liberty Operator.
In the OCP console, navigate to Operators > OperatorHub, search for Open Liberty and install OLO with the default values.
3. Create a new sample-security project.
4. If the InstantOn application container image was pushed to a registry that requires authentication, create an image pull secret so that pods can pull the image; otherwise skip this step. The command below creates the pull secret from a username and password rather than from an existing Docker credentials file.
5. Create a SecurityContextConstraints (SCC) resource that grants pods the additional capabilities and permissions the restore needs. Save the following content as scc-cap-cr.yaml and run "oc apply -f scc-cap-cr.yaml" to create the SecurityContextConstraints resource. Keep the SCC narrow: allow only the capabilities that the restore requires, and grant it (next step) to a dedicated service account rather than to every pod in the project.
* Note: if you install Open Liberty Operator 1.4.0 or later, you also need to add the following to the SecurityContextConstraints:
6. Create a service account named liberty-instanton-scc and grant it the SCC. This is the service account referenced from the OpenLibertyApplication yaml in the next step.
7. Deploy the application with the following deploy-guide-security.yaml file by running "oc apply -f deploy-guide-security.yaml". You can also deploy from the Red Hat OpenShift console: navigate to Operators > Installed Operators > Open Liberty > OpenLibertyApplication > Create OpenLibertyApplication, select "YAML view" and paste in the yaml below. In this OpenLibertyApplication yaml, .spec.serviceAccountName names the service account that holds the SCC, .spec.pullSecret is needed only if the image is in a registry that requires authentication, and .spec.securityContext requests the capabilities the container needs for the InstantOn restore; admission checks those requests against the SCC granted to the service account.
8. Verify that the application pod is running. In the OCP console, navigate to Workloads > Pods.
9. View the application log with the oc logs command. In the OCP console, navigate to Workloads > Pods > podname > Logs.
The following log shows that the application resumed from the checkpoint and started in OCP in 0.407 seconds instead of 13.592 seconds without InstantOn. Note the ordering in this log: the keystore is generated from the TLS certificate mounted by the operator before the server launches, and the LTPA configuration (CWWKS4105I) and the key.p12 keystore are set up after the restore message (CWWKC0452I). Check your own logs for the same ordering, because keys baked into the checkpoint at build time would be shared by every container started from the image.
% oc logs guide-security-0
Found mounted TLS certificates, generating keystore
[9/17/24, 19:23:55:207 UTC] 00000037 com.ibm.ws.kernel.launch.internal.FrameworkManager A Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
[9/17/24, 19:23:55:232 UTC] 00000037 com.ibm.ws.config.xml.internal.ConfigRefresher A CWWKG0016I: Starting server configuration update.
[9/17/24, 19:23:55:233 UTC] 00000037 com.ibm.ws.config.xml.internal.ServerXMLConfiguration A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[9/17/24, 19:23:55:234 UTC] 00000037 com.ibm.ws.config.xml.internal.ServerXMLConfiguration A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/defaults/open-default-port.xml
[9/17/24, 19:23:55:237 UTC] 00000037 com.ibm.ws.config.xml.internal.XMLConfigParser A CWWKG0028A: Processing included configuration resource: /opt/ol/wlp/usr/servers/defaultServer/userRegistry.xml
[9/17/24, 19:23:55:239 UTC] 00000037 com.ibm.ws.config.xml.internal.ServerXMLConfiguration A CWWKG0093A: Processing configuration drop-ins resource: /opt/ol/wlp/usr/servers/defaultServer/configDropins/overrides/truststore.xml
[9/17/24, 19:23:55:282 UTC] 0000003e com.ibm.ws.config.xml.internal.ConfigRefresher A CWWKG0017I: The server configuration was successfully updated in 0.053 seconds.
[9/17/24, 19:23:55:289 UTC] 00000037 com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://guide-security-0.guide-security-headless.sample-security.svc.cluster.local:9080/
[9/17/24, 19:23:55:322 UTC] 00000037 io.openliberty.checkpoint.internal.CheckpointImpl A CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.378 seconds.
[9/17/24, 19:23:55:326 UTC] 00000037 com.ibm.ws.app.manager.AppMessageHelper A CWWKZ0001I: Application guide-security-intro.war started in 0.381 seconds.
[9/17/24, 19:23:55:342 UTC] 00000042 com.ibm.ws.security.ready.internal.SecurityReadyServiceImpl I CWWKS0008I: The security service is ready.
[9/17/24, 19:23:55:343 UTC] 00000042 com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I: LTPA configuration is ready after 0.059 seconds.
[9/17/24, 19:23:55:346 UTC] 00000037 com.ibm.ws.tcpchannel.internal.TCPPort I CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host * (IPv4) port 9080.
[9/17/24, 19:23:55:351 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
[9/17/24, 19:23:55:352 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager I CWWKF0008I: Feature update completed in 0.407 seconds.
[9/17/24, 19:23:55:352 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.407 seconds.
[9/17/24, 19:23:55:466 UTC] 00000033 com.ibm.ws.ssl.config.WSKeyStore I Successfully loaded default keystore: /opt/ol/wlp/output/defaultServer/resources/security/key.p12 of type: PKCS12
[9/17/24, 19:23:55:494 UTC] 0000004f com.ibm.ws.tcpchannel.internal.TCPPort I CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host * (IPv4) port 9443.
10. Now you can reach the application through its route. Run "oc get routes" to see the route host; in the example below the application URL is https://guide-security-sample-security.apps.my-ocp.cp.fyre.ibm.com. For how to exercise the application, see the Securing a web application guide.
To open the application from the OCP console, navigate to Networking > Routes and click the link under Location.
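The OCP side of the procedure (steps 3 to 9) as one script, added here as my own example; it is not the post's yaml nor the Open Liberty project's code. The names are assumptions except where the post gives them: project sample-security and service account liberty-instanton-scc are from the post, while SCC name cap-cr-scc, image my-registry/guide-security-inston:latest, pull secret my-registry-pull-secret and application name guide-security (chosen to match the guide-security-0 pod in the log) are mine. The SCC allows exactly the two capabilities the restore needs and keeps everything else at the restricted level; allowPrivilegeEscalation stays true because, as I understand the Open Liberty image, the non-root server process gains its capabilities through file capabilities on the criu binary, and no_new_privs would block that. The verify function adds two checks the post does not show: that the pod was admitted by this SCC and not by a broader one the service account may also hold, and that the log contains CWWKC0452I. Set INSTANTON_DEPLOY=1 to run it.

```shell
#!/bin/sh
# Added example (not from the original post): SCC, service account and OpenLibertyApplication
# for the InstantOn image, applied with oc. Names below are assumptions unless the post gives them.
set -eu

PROJECT=${PROJECT:-sample-security}
SCC_NAME=${SCC_NAME:-cap-cr-scc}
SA_NAME=${SA_NAME:-liberty-instanton-scc}
APP_NAME=${APP_NAME:-guide-security}
IMAGE=${IMAGE:-my-registry/guide-security-inston:latest}
PULL_SECRET=${PULL_SECRET:-my-registry-pull-secret}

# The SCC allows only the two capabilities the restore needs and keeps everything else restricted:
# no privileged containers, no host namespaces, all other capabilities dropped.
render_scc() {
cat <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
# Kept true on purpose (assumed rationale): the non-root Liberty process gains CHECKPOINT_RESTORE
# through file capabilities on the image's criu binary, which no_new_privs would block.
allowPrivilegeEscalation: true
allowedCapabilities: [CHECKPOINT_RESTORE, SETPCAP]
requiredDropCapabilities: [ALL]
runAsUser: {type: MustRunAsRange}
seLinuxContext: {type: MustRunAs}
fsGroup: {type: MustRunAs}
supplementalGroups: {type: RunAsAny}
# The application below requests the RuntimeDefault seccomp profile, so the SCC must permit it.
seccompProfiles: [runtime/default]
volumes: [configMap, downwardAPI, emptyDir, persistentVolumeClaim, projected, secret]
EOF
}

# serviceAccountName ties the pod to the SCC above; securityContext requests the restore
# capabilities, which admission checks against that SCC; pullSecret is only needed for an
# authenticated registry.
render_app() {
cat <<EOF
apiVersion: apps.openliberty.io/v1
kind: OpenLibertyApplication
metadata:
  name: ${APP_NAME}
  namespace: ${PROJECT}
spec:
  applicationImage: ${IMAGE}
  pullSecret: ${PULL_SECRET}
  serviceAccountName: ${SA_NAME}
  expose: true
  statefulSet: {}
  securityContext:
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: true
    capabilities:
      drop: [ALL]
      add: [CHECKPOINT_RESTORE, SETPCAP]
    seccompProfile:
      type: RuntimeDefault
EOF
}

deploy() {
  oc new-project "$PROJECT" 2>/dev/null || oc project "$PROJECT"
  render_scc | oc apply -f -
  oc create serviceaccount "$SA_NAME" -n "$PROJECT" --dry-run=client -o yaml | oc apply -f -
  oc adm policy add-scc-to-user "$SCC_NAME" -z "$SA_NAME" -n "$PROJECT"
  render_app | oc apply -f -
}

# After rollout: the pod must have been admitted by this SCC (OpenShift records the choice in the
# openshift.io/scc annotation; a broader SCC held by the same service account could win on
# priority), and the log must prove a restore rather than a quiet fall-back to a cold start.
verify() {
  pod="${APP_NAME}-0"
  oc wait --for=condition=Ready "pod/$pod" -n "$PROJECT" --timeout=180s
  admitted=$(oc get pod "$pod" -n "$PROJECT" -o jsonpath='{.metadata.annotations.openshift\.io/scc}')
  [ "$admitted" = "$SCC_NAME" ] || { echo "pod admitted by SCC '$admitted', expected $SCC_NAME" >&2; return 1; }
  oc logs "$pod" -n "$PROJECT" | grep -q 'CWWKC0452I'
}

if [ "${INSTANTON_DEPLOY:-0}" = 1 ]; then
  deploy && verify
fi
```

The admitted-SCC check is the one most often skipped: if the service account is also granted anyuid or privileged, OpenShift may admit the pod under that SCC instead, and the pod will run with far more than the two capabilities the restore needs without any error.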
Conclusion
In conclusion, we deployed an existing application with Liberty InstantOn and achieved a much faster startup time without changing the application. The process takes a checkpoint while the application container image is built and restores it when the container starts on OCP. Fast startup is essential in "serverless" deployments. In my next blog, I will show how to run this InstantOn application container image with the Red Hat OpenShift Serverless operator.