The capabilities needed to restore give the application more privileges than it would otherwise need resulting in a larger attack surface. Restoring a CRIU process requires running as root.Restarting a checkpoint results in exactly the same address space layout as previous runs making it easier for attackers to “learn” addresses for later attacks. It defeats address space layout randomization (ASLR).That’s the basic premise of CRIU: live migrating systems is more performant than stopping and restarting.ĬRIU, while being an amazing piece of technology, has some drawbacks: Past experiments with CRIU have demonstrated that JVM startup time can be greatly improved by checkpointing the process and then subsequently creating new processes from that checkpointed state. The snapshot work is originally inspired by Linux’s CRIU (checkpoint restore in user-space) which does the same thing as snapshot+restore but for a full Linux process. To understand how we arrived at snapshot+restore of the JVM as the best approach for the widest set of workloads, I’d like to share the journey we went on as we investigated this space. In the next major evolution of our work in this space, the project recently created a new snapshot branch containing an early prototype of snapshot+restore functionality at the JVM level which allows snapshotting (saving) a running JVM process and restoring it later from the saved point. And we’ve done a pretty good job of it - see any of our claims about fast startup with comparable performance in roughly half the memory. >java -XX:CRaCCheckpointTo=PATH -jar app.The Eclipse OpenJ9 project has a strong focus on finding the right balance between startup performance, peak throughput and memory usage. Uses JVM safepoint mechanism (to stop threads etc.) Throws CheckpointException (in case of open Heap is cleaned, compacted (JVM is in a safe state) (PID will be restored which will lead to problems)Ī Java Virtual Machine would assume it was continuing its tasks Start multiple instances of same state on same machine Restart from saved state on another machine.Main goal is migration of containers for microservicesĬan rebuild TCP connection from one side without need to exchange packets Mainly implemented in userspace (not kernel).Used by/integrated in OpenVZ, LXC/LXD, Docker, Restore the container/application from the saved data. Overall performance will typically be higher Overall performance will typically be lowerĬan use aggressive method inlining at runtime Start up could be up to 1-2 seconds fasterĪOT Compiled Code with Profile Guided Optimisation Gerrit Grunwald | Developer Advocate | Azul.This session will give you a short overview of the CRaC project and shows some results from a proof of concept implementation. The idea is to take a snapshot of the running JVM, store it in files and restore the JVM at a later point in time (or even on another machine). There is a new OpenJDK project called CRaC (Coordinated Restore at Checkpoint) which goal it is to address the JVM warmup problem with a different approach. The overall performance might be slower because of the missing JIT optimizations at runtime. But even with the shorter startup time and smaller footprint it doesn’t come without a drawback. Native images are one solution to solve these problems because their statically ahead of time compiled code simply doesn’t have to warmup and so has short startup time. Especially when you look at spinning up new instances of an app as response to changes in load, the warmup time can be a problem. In a world where microservices are more and more a standard architecture for Java based applications running in the cloud, the JVM warmup time can become a limitation.
0 Comments
Leave a Reply. |