diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cbfc785
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+/jdk
+/target
+/aws-lambda-rie
+/cr
+/log.json
+/response.json
diff --git a/1-create-bucket.sh b/1-create-bucket.sh
deleted file mode 100755
index 64a5f74..0000000
--- a/1-create-bucket.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-BUCKET_ID=$(dd if=/dev/random bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \t\n')
-BUCKET_NAME=lambda-artifacts-$BUCKET_ID
-echo $BUCKET_NAME > bucket-name.txt
-aws s3 mb s3://$BUCKET_NAME
diff --git a/2-build-layer.sh b/2-build-layer.sh
deleted file mode 100755
index 9a1dd8c..0000000
--- a/2-build-layer.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-gradle -q packageLibs
-mv build/distributions/blank-java.zip build/blank-java-lib.zip
\ No newline at end of file
diff --git a/3-deploy.sh b/3-deploy.sh
deleted file mode 100755
index 6949f21..0000000
--- a/3-deploy.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-ARTIFACT_BUCKET=$(cat bucket-name.txt)
-TEMPLATE=template.yml
-if [ $1 ]
-then
- if [ $1 = mvn ]
- then
- TEMPLATE=template-mvn.yml
- mvn package
- fi
-else
- gradle build -i
-fi
-aws cloudformation package --template-file $TEMPLATE --s3-bucket $ARTIFACT_BUCKET --output-template-file out.yml
-aws cloudformation deploy --template-file out.yml --stack-name blank-java --capabilities CAPABILITY_NAMED_IAM
diff --git a/4-invoke.sh b/4-invoke.sh
deleted file mode 100755
index 2186f19..0000000
--- a/4-invoke.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-FUNCTION=$(aws cloudformation describe-stack-resource --stack-name blank-java --logical-resource-id function --query 'StackResourceDetail.PhysicalResourceId' --output text)
-
-while true; do
- aws lambda invoke --function-name $FUNCTION --payload file://event.json out.json
- cat out.json
- echo ""
- sleep 2
-done
diff --git a/5-cleanup.sh b/5-cleanup.sh
deleted file mode 100755
index e79a243..0000000
--- a/5-cleanup.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-STACK=blank-java
-if [[ $# -eq 1 ]] ; then
- STACK=$1
- echo "Deleting stack $STACK"
-fi
-FUNCTION=$(aws cloudformation describe-stack-resource --stack-name $STACK --logical-resource-id function --query 'StackResourceDetail.PhysicalResourceId' --output text)
-aws cloudformation delete-stack --stack-name $STACK
-echo "Deleted $STACK stack."
-
-if [ -f bucket-name.txt ]; then
- ARTIFACT_BUCKET=$(cat bucket-name.txt)
- if [[ ! $ARTIFACT_BUCKET =~ lambda-artifacts-[a-z0-9]{16} ]] ; then
- echo "Bucket was not created by this application. Skipping."
- else
- while true; do
- read -p "Delete deployment artifacts and bucket ($ARTIFACT_BUCKET)? (y/n)" response
- case $response in
- [Yy]* ) aws s3 rb --force s3://$ARTIFACT_BUCKET; rm bucket-name.txt; break;;
- [Nn]* ) break;;
- * ) echo "Response must start with y or n.";;
- esac
- done
- fi
-fi
-
-while true; do
- read -p "Delete function log group (/aws/lambda/$FUNCTION)? (y/n)" response
- case $response in
- [Yy]* ) aws logs delete-log-group --log-group-name /aws/lambda/$FUNCTION; break;;
- [Nn]* ) break;;
- * ) echo "Response must start with y or n.";;
- esac
-done
-
-rm -f out.yml out.json
-rm -rf build .gradle target
diff --git a/Dockerfile.baseline b/Dockerfile.baseline
new file mode 100644
index 0000000..e89ff50
--- /dev/null
+++ b/Dockerfile.baseline
@@ -0,0 +1,21 @@
+FROM ubuntu:18.04
+
+COPY jdk /jdk
+
+# Copy function code and runtime dependencies from Maven layout
+COPY target/classes /function
+COPY target/dependency/* /function/lib/
+
+WORKDIR /function
+
+ENV AWS_XRAY_CONTEXT_MISSING=LOG_ERROR
+
+ENTRYPOINT [ "/jdk/bin/java", \
+ "-XX:-UsePerfData", \
+ "-cp", "/function:/function/lib/*", \
+ "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+ "com.amazonaws.services.lambda.runtime.api.client.AWSLambda" ]
+
+# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile)
+CMD [ "example.Handler::handleRequest" ]
+
diff --git a/Dockerfile.checkpoint b/Dockerfile.checkpoint
new file mode 100644
index 0000000..c37f57b
--- /dev/null
+++ b/Dockerfile.checkpoint
@@ -0,0 +1,24 @@
+FROM ubuntu:18.04
+
+COPY jdk /jdk
+
+# Copy function code and runtime dependencies from Maven layout
+COPY target/classes /function
+COPY target/dependency/* /function/lib/
+
+RUN cd /function/lib; /jdk/bin/jar -x -f aws-lambda-java-runtime-interface-client*.jar \
+ jni/libaws-lambda-jni.linux_musl-x86_64.so \
+ jni/libaws-lambda-jni.linux-x86_64.so \
+ jni/libaws-lambda-jni.linux-aarch_64.so \
+ jni/libaws-lambda-jni.linux_musl-aarch_64.so
+
+WORKDIR /function
+
+ENV AWS_XRAY_CONTEXT_MISSING=LOG_ERROR
+
+COPY TryLoad.java /usr/local/lib/
+COPY checkpoint.cmd.sh /
+ENTRYPOINT [ "/bin/bash", "/checkpoint.cmd.sh" ]
+
+# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile)
+CMD [ "example.Handler::handleRequest" ]
diff --git a/Dockerfile.restore b/Dockerfile.restore
new file mode 100644
index 0000000..b36dff2
--- /dev/null
+++ b/Dockerfile.restore
@@ -0,0 +1,5 @@
+FROM crac-lambda-checkpoint
+
+COPY cr /cr
+
+ENTRYPOINT [ "/jdk/bin/java", "-XX:CRaCRestoreFrom=/cr" ]
diff --git a/README.md b/README.md
index c5d8130..52ebadb 100644
--- a/README.md
+++ b/README.md
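Review bot: `FROM ubuntu:18.04` in Dockerfile.baseline (and again in Dockerfile.checkpoint) pulls a mutable tag of a release whose standard support window ended in 2023, so rebuilds are not reproducible and the base no longer receives regular package fixes. Pin a supported release by digest, for example `FROM ubuntu:<supported-release>@sha256:<digest-placeholder>`. Whether the CRaC JDK build constrains the glibc version, and therefore the release that can be used, is not visible from this hunk.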
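Review bot: The `RUN cd /function/lib; /jdk/bin/jar -x ...` step in Dockerfile.checkpoint chains the two commands with `;`, so a failed `cd` does not stop the build and the extraction runs in whatever directory is current. Use `&&` instead: `RUN cd /function/lib && /jdk/bin/jar -x -f aws-lambda-java-runtime-interface-client*.jar \`. A one-line comment above the step, such as `# Unpack the JNI libraries so checkpoint.cmd.sh can probe which one loads`, would explain why the jar is opened at build time.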
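Review bot: `COPY cr /cr` in Dockerfile.restore bakes a full process memory snapshot into an image layer, so anything held in the JVM at checkpoint time (environment values, tokens fetched during warm-up, request bodies) is readable by anyone who can pull the image. The checkpoint run visible in this commit passes only `AWS_REGION`, but nothing documents the constraint. Add a comment above the line, for example `# cr/ is a JVM memory dump: checkpoint without real credentials and treat this image as sensitive`, and keep the registry that receives it private.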
@@ -1,96 +1,143 @@ -# Blank function (Java) +# AWS Lambda on Java with CRaC -![Architecture](/sample-apps/blank-java/images/sample-blank-java.png) +This is an example of a Java AWS Lambda that uses Project CRaC to reduce the cost and time of the first function invocation. -The project source includes function code and supporting resources: +Based on https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/blank-java. -- `src/main` - A Java function. -- `src/test` - A unit test and helper classes. -- `template.yml` - An AWS CloudFormation template that creates an application. -- `build.gradle` - A Gradle build file. -- `pom.xml` - A Maven build file. -- `1-create-bucket.sh`, `2-build-layer.sh`, etc. - Shell scripts that use the AWS CLI to deploy and manage the application. +In this example the function will be packed as the [container image](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-images.html#gettingstarted-images-package) together with JDK CRaC runtime and the CRaC image. -Use the following instructions to deploy the sample application. +The CRaC image with the snapshot of JVM and application states will be preparied with the help of [AWS Runtime Interface Emulator](https://github.com/aws/aws-lambda-runtime-interface-emulator). -# Requirements -- [Java 8 runtime environment (SE JRE)](https://www.oracle.com/java/technologies/javase-downloads.html) -- [Gradle 5](https://gradle.org/releases/) or [Maven 3](https://maven.apache.org/docs/history.html) -- The Bash shell. For Linux and macOS, this is included by default. In Windows 10, you can install the [Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/install-win10) to get a Windows-integrated version of Ubuntu and Bash. -- [The AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) v1.17 or newer. 
+The deployment scheme will be: +* Create the container image with the function +* Create the CRaC image: + * Run the function in the local environment + * Optionally, warm-up the function + * Trigger checkpoint to dump the image +* Create the container image with the function and the image +* Deploy the container to AWS -If you use the AWS CLI v2, add the following to your [configuration file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) (`~/.aws/config`): +![Deployment](./deployment.png) + +* [Instruction](#instruction) + * [Build](#build) + * [Checkpoint](#checkpoint) + * [Deploy](#deploy) + * [Test locally](#test-locally) + * [Deploy to AWS](#deploy-to-aws) +* [Techical details](#techical-details) + +## Instruction + +The repo contain a helper script to perform routine operations. +It is intended to be "executable documentation", so the reader is invited to look to the script + +The step zero fetches necessary dependencies: ``` -cli_binary_format=raw-in-base64-out +./crac-steps.sh s00_init ``` -This setting enables the AWS CLI v2 to load JSON events from a file, matching the v1 behavior. +It will be required to download the latest development build of OpenJDK CRaC from https://github.com/CRaC/openjdk-builds/actions/workflows/release.yml. Then run: -# Setup -Download or clone this repository. 
+``` +./crac-steps.sh dojlink ./path/to/the/extracted/crac/jdk +``` + +### Build - $ git clone https://github.com/awsdocs/aws-lambda-developer-guide.git - $ cd aws-lambda-developer-guide/sample-apps/blank-java +The function needs to use a fork of [AWS Lambda Java Libraries](https://github.com/CRaC/aws-lambda-java-libs), `pom.xml` was changed to: + +``` + + io.github.crac.com.amazonaws + aws-lambda-java-runtime-interface-client + 1.0.0 + +``` + +Build the app and create the container image for checkpoint (`crac-lambda-checkpoint`): +``` +./crac-steps.sh s01_build +``` + +### Checkpoint + +Run the container for checkpoint on the local machine: + +``` +./crac-steps.sh s02_start_checkpoint +``` -To create a new bucket for deployment artifacts, run `1-create-bucket.sh`. +At this point you may provide a workload to warm-up your function, served on port `8080`. - blank-java$ ./1-create-bucket.sh - make_bucket: lambda-artifacts-a5e491dbb5b22e0d +Then trigger checkpoint from another terminal: +``` +./crac-steps.sh s03_checkpoint +``` -To build a Lambda layer that contains the function's runtime dependencies, run `2-build-layer.sh`. Packaging dependencies in a layer reduces the size of the deployment package that you upload when you modify your code. +The former function process should exit, leaving the CRaC image in the `cr` directory. - blank-java$ ./2-build-layer.sh +Create the final container image with the CRaC image (`crac-lambda-restore`): -# Deploy +``` +./crac-steps.sh s04_prepare_restore +``` -To deploy the application, run `3-deploy.sh`. +### Deploy - blank-java$ ./3-deploy.sh - BUILD SUCCESSFUL in 1s - Successfully packaged artifacts and wrote output template to file out.yml. - Waiting for changeset to be created.. - Successfully created/updated stack - blank-java +Now you can deploy `crac-lambda-restore` as the container function to the AWS. -This script uses AWS CloudFormation to deploy the Lambda functions and an IAM role. 
If the AWS CloudFormation stack that contains the resources already exists, the script updates it with any changes to the template or function code. +You may also check the function locally with RIE. -You can also build the application with Maven. To use maven, add `mvn` to the command. +#### Test locally - java-basic$ ./3-deploy.sh mvn - [INFO] Scanning for projects... - [INFO] -----------------------< com.example:blank-java >----------------------- - [INFO] Building blank-java-function 1.0-SNAPSHOT - [INFO] --------------------------------[ jar ]--------------------------------- - ... +You can also test the container locally: -# Test -To invoke the function, run `4-invoke.sh`. +``` +./crac-steps.sh s05_local_restore +``` - blank-java$ ./4-invoke.sh - { - "StatusCode": 200, - "ExecutedVersion": "$LATEST" - } +From another terminal: +``` +./crac-steps.sh post hi +``` -Let the script invoke the function a few times and then press `CRTL+C` to exit. +To test cold start, drop file system caches by: +``` +./crac-steps.sh make_cold_local +``` -The application uses AWS X-Ray to trace requests. Open the [X-Ray console](https://console.aws.amazon.com/xray/home#/service-map) to view the service map. +#### Deploy to AWS -![Service Map](/sample-apps/blank-java/images/blank-java-servicemap.png) +The helper script can deploy the container, assuming there is a function named `crac-test` configured to use image `crac-test`. -Choose a node in the main function graph. Then choose **View traces** to see a list of traces. Choose any trace to view a timeline that breaks down the work done by the function. +Initialize the evironment: +``` +eval $(./crac-steps.sh s06_init_aws) +``` -![Trace](/sample-apps/blank-java/images/blank-java-trace.png) +Push the container and update the function: +``` +./crac-steps.sh s07_deploy_aws +``` -Finally, view the application in the Lambda console. 
+To test cold start, reconfigure the function by: +``` +./crac-steps.sh make_cold_aws +``` -*To view the application* -1. Open the [applications page](https://console.aws.amazon.com/lambda/home#/applications) in the Lambda console. -2. Choose **blank-java**. +## Techical details - ![Application](/sample-apps/blank-java/images/blank-java-application.png) +AWS environment restricts features and capabilities for functions in containers: +* the file system is read-only, except `/tmp` +* setting PID/TIDs for being restored process, `ptrace`, and some other syscalls that are usually required by CRIU are not allowed +* storage performance is not great -# Cleanup -To delete the application, run `5-cleanup.sh`. - blank$ ./5-cleanup.sh +CRaC's build of CRIU attempts to set the PID/TIDs on restore first, in case this functionality is presented. +When this fails in AWS, it attempts to align the next PID by creating empty do-nothing processes/threads. +As in the vanilla CRIU, there is strict requirement for PID/TIDs to be available. +To ensure Java PID/TIDs won't intersect with another processes on restore, checkpoint script ensures Java PID/TIDs are created with a reasonable offset, see [the script](./checkpoint.cmd.sh#L8).
diff --git a/TryLoad.java b/TryLoad.java
new file mode 100644
index 0000000..22b59ab
--- /dev/null
+++ b/TryLoad.java
@@ -0,0 +1,16 @@
+
+public class TryLoad {
+ public static void main(String... args) {
+ for (String path : args) {
+ System.err.printf("Trying %s ... ", path);
+ try {
+ System.load(path);
+ System.err.println("OK");
+ System.out.println(path);
+ break;
+ } catch (UnsatisfiedLinkError ignore) {
+ System.err.println("FAIL");
+ }
+ }
+ }
+}
diff --git a/checkpoint.cmd.sh b/checkpoint.cmd.sh
new file mode 100644
index 0000000..7c02121
--- /dev/null
+++ b/checkpoint.cmd.sh
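Review bot: When none of the candidate paths loads, `main` in TryLoad.java falls out of the loop, prints nothing on stdout and still exits with status 0, so a caller cannot tell "no usable library" from success. Track the outcome and fail explicitly: declare `boolean loaded = false;` before the loop, set `loaded = true;` just before `break`, and add `if (!loaded) System.exit(1);` after the loop. A class comment stating that stdout carries exactly one path (the first library that loads) and stderr carries the progress messages would document the contract the shell caller relies on.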
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+detect_native_client() {
+ /jdk/bin/java -cp /function:/function/lib/* /usr/local/lib/TryLoad.java $@
+}
+
+export AWS_NATIVE_CLIENT=$(detect_native_client /function/lib/jni/libaws-lambda-jni.*.so)
+# Don't create dump4.log
+export CRAC_CRIU_OPTS="--compress -o -"
+
+# Ensure small PID, for privileged-less criu to be able to restore PID by bumping.
+# But not too small, to avoid clashes with other occasional processes on restore.
+# Experimentally -XX:CPUFeatures=0x21801fdbbd7,0x3e6 would work but to be on the safe
+# side in this example we'll go with generic
+exec /aws-lambda-rie /jdk/bin/java \
+ -Xshare:off \
+ -XX:-UsePerfData \
+ -XX:CRaCMinPid=128 \
+ -XX:CPUFeatures=generic \
+ -XX:CRaCCheckpointTo=/cr \
+ -cp /function:/function/lib/* \
+ -Dcom.amazonaws.services.lambda.runtime.api.client.runtimeapi.NativeClient.JNI=$AWS_NATIVE_CLIENT \
+ --add-opens java.base/java.util=ALL-UNNAMED \
+ com.amazonaws.services.lambda.runtime.api.client.AWSLambda "$@"
diff --git a/crac-steps.sh b/crac-steps.sh
new file mode 100755
index 0000000..521af9b
--- /dev/null
+++ b/crac-steps.sh
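Review bot: `export AWS_NATIVE_CLIENT=$(detect_native_client ...)` in checkpoint.cmd.sh discards the helper's exit status, and the value is later expanded unquoted in `-D...NativeClient.JNI=$AWS_NATIVE_CLIENT`, so a failed detection starts the JVM with an empty JNI path instead of stopping. Assign and check before exporting, for example `AWS_NATIVE_CLIENT=$(detect_native_client /function/lib/jni/libaws-lambda-jni.*.so)` followed by `: "${AWS_NATIVE_CLIENT:?no loadable native client found}"; export AWS_NATIVE_CLIENT`, and quote the later expansion. Inside `detect_native_client`, `$@` should be `"$@"` so each candidate path reaches Java as one argument.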
@@ -0,0 +1,178 @@
+#!/bin/bash
+
+LAMBDA_NAME=crac-test
+LAMBDA_IMAGE=crac-test
+
+IOLIM=60m
+DEV=/dev/nvme0n1
+CPU=0.88
+
+ dev() { DEV=$1; }
+iolim() { IOLIM=$1; }
+ cpu() { CPU=$1; }
+
+dojlink() {
+ local JDK=$1
+ rm -rf jdk
+ MODS=java.base,jdk.unsupported,java.sql
+ [ -f $JDK/jmods/jdk.crac.jmod ] && MODS+=",jdk.crac"
+ $JDK/bin/jlink --bind-services --output jdk --module-path $JDK/jmods --add-modules $MODS
+ # XXX
+ cp $JDK/lib/criu jdk/lib/
+}
+
+s00_init() {
+ curl -L -o aws-lambda-rie https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/download/v1.3/aws-lambda-rie-$(uname -m)
+ chmod +x aws-lambda-rie
+
+ echo
+ echo "Take the latest build of openjdk/crac and run: "$0" dojlink ./path/to/crac/jdk"
+ echo "https://github.com/CRaC/openjdk-builds/actions/workflows/release.yml"
+
+ #CRAC_VERSION=17-crac+2
+ #curl -LO https://github.com/CRaC/openjdk-builds/releases/download/$CRAC_VERSION/jdk$CRAC_VERSION.tar.gz
+ #tar axf jdk$CRAC_VERSION.tar.gz
+ #dojlink jdk$CRAC_VERSION
+}
+
+s01_build() {
+ mvn clean compile dependency:copy-dependencies -DincludeScope=runtime
+ docker build -t crac-lambda-checkpoint -f Dockerfile.checkpoint .
+}
+
+s02_start_checkpoint() {
+ docker run \
+ --ulimit nofile=1024 \
+ --privileged \
+ --rm \
+ --name crac-checkpoint \
+ -m 512m \
+ -v $PWD/aws-lambda-rie:/aws-lambda-rie \
+ -v $PWD/cr:/cr \
+ -p 8080:8080 \
+ -e AWS_REGION=us-west-2 \
+ crac-lambda-checkpoint
+}
+
+rawpost() {
+ local c=0
+ while [ $c -lt 20 ]; do
+ curl -XPOST --no-progress-meter -d "$@" http://localhost:8080/2015-03-31/functions/function/invocations && break
+ sleep 0.2
+ c=$(($c + 1))
+ done
+}
+
+post() {
+ rawpost "{ Records : [ { body : \"${1}\" } ] }"
+}
+
+s03_checkpoint() {
+ post checkpoint
+ sleep 2
+ post fini
+ docker rm -f crac-checkpoint
+}
+
+s04_prepare_restore() {
+ docker build -t crac-lambda-restore -f Dockerfile.restore .
+}
+
+make_cold_local() {
+ sync
+ echo 3 | sudo tee /proc/sys/vm/drop_caches > /dev/null
+}
+
+local_test() {
+ docker run \
+ --rm \
+ --name crac-test \
+ -v $PWD/aws-lambda-rie:/aws-lambda-rie \
+ -p 8080:8080 \
+ --device-read-bps $DEV:$IOLIM \
+ --device-write-bps $DEV:$IOLIM \
+ --cpus $CPU \
+ --entrypoint '' \
+ --security-opt seccomp=$PWD/seccomp.json \
+ "$@"
+}
+
+s05_local_restore() {
+ local_test \
+ crac-lambda-restore \
+ /aws-lambda-rie /jdk/bin/java -XX:CRaCRestoreFrom=/cr
+}
+
+local_baseline() {
+ local_test ${1:-crac-lambda-checkpoint} \
+ /aws-lambda-rie /jdk/bin/java \
+ -XX:-UsePerfData \
+ -cp /function:/function/lib/* \
+ -Dcom.amazonaws.services.lambda.runtime.api.client.NativeClient.libsBase=/function/lib/ \
+ --add-opens java.base/java.util=ALL-UNNAMED \
+ com.amazonaws.services.lambda.runtime.api.client.AWSLambda \
+ example.Handler::handleRequest
+}
+
+ltest() {
+ local_test \
+ -v /home:/home \
+ -v $PWD/logdir:/tmp/log \
+ crac-lambda-restore \
+ $PWD/jdk/bin/java -XX:CRaCRestoreFrom=$PWD/cr
+}
+
+s06_init_aws() {
+ ACCOUNT=$(aws sts get-caller-identity | jq -r '.Account')
+ echo export ACCOUNT=$ACCOUNT
+ REGION=$(aws configure get region)
+ echo export REGION=$REGION
+ ECR=$ACCOUNT.dkr.ecr.$REGION.amazonaws.com
+ echo export ECR=$ECR
+ REMOTEIMG=$ECR/$LAMBDA_IMAGE
+ echo export REMOTEIMG=$REMOTEIMG
+ aws ecr get-login-password | docker login --username AWS --password-stdin $ECR 1>&2
+}
+
+s07_deploy_aws() {
+ docker tag ${1:-crac-lambda-restore} $REMOTEIMG
+ docker push $REMOTEIMG
+
+ local digest=$(docker inspect -f '{{ index .RepoDigests 0 }}' $REMOTEIMG)
+ aws lambda update-function-code --function-name $LAMBDA_NAME --image $digest
+ aws lambda wait function-updated --function-name $LAMBDA_NAME
+}
+
+s08_invoke_aws() {
+ rm -f response.json log.json
+
+ aws lambda invoke \
+ --cli-binary-format raw-in-base64-out \
+ --function-name $LAMBDA_NAME \
+ --payload "$(< event.json) " \
+ --log-type Tail \
+ response.json \
+ > log.json
+
+ jq . < response.json
+ jq -r .LogResult < log.json | base64 -d
+}
+
+make_cold_aws() {
+ aws lambda update-function-configuration --function-name $LAMBDA_NAME --memory-size 511
+ aws lambda wait function-updated --function-name $LAMBDA_NAME
+ aws lambda update-function-configuration --function-name $LAMBDA_NAME --memory-size 512
+ aws lambda wait function-updated --function-name $LAMBDA_NAME
+}
+
+steps() {
+ for i; do
+ $i || break
+ done
+}
+
+okify() {
+ "$@" || true
+}
+
+"$@"
diff --git a/deployment.png b/deployment.png
new file mode 100644
index 0000000..89bb159
Binary files /dev/null and b/deployment.png differ
diff --git a/images/blank-java-application.png b/images/blank-java-application.png
deleted file mode 100644
index e52a4c4..0000000
Binary files a/images/blank-java-application.png and /dev/null differ
diff --git a/images/blank-java-servicemap.png b/images/blank-java-servicemap.png
deleted file mode 100644
index 0221737..0000000
Binary files a/images/blank-java-servicemap.png and /dev/null differ
diff --git a/images/blank-java-trace.png b/images/blank-java-trace.png
deleted file mode 100644
index 205efe7..0000000
Binary files a/images/blank-java-trace.png and /dev/null differ
diff --git a/images/sample-blank-java.png b/images/sample-blank-java.png
deleted file mode 100644
index 989a809..0000000
Binary files a/images/sample-blank-java.png and /dev/null differ
diff --git a/pom.xml b/pom.xml
index 85cc2f5..8d9e294 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,12 +10,18 @@ UTF-8 1.8 1.8 + 1.7.36 - com.amazonaws - aws-lambda-java-core - 1.2.1 + com.amazonaws.serverless + aws-serverless-java-container-springboot2 + 1.8 + + + io.github.crac.com.amazonaws + aws-lambda-java-runtime-interface-client + 2.4.1.CRAC.0 com.amazonaws
@@ -47,11 +53,23 @@ log4j-slf4j18-impl [2.17.1,) + + org.slf4j + slf4j-api + ${slf4j.version} + + + org.slf4j + slf4j-simple + ${slf4j.version} + + software.amazon.awssdk lambda 2.10.72 + org.junit.jupiter junit-jupiter-api
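Review bot: `s00_init` in crac-steps.sh fetches `aws-lambda-rie` with `curl -L` and marks it executable without any integrity check, and `s02_start_checkpoint` then bind-mounts that binary into a `--privileged` container, so a truncated or substituted download runs with very broad privileges. Add `-f` so HTTP errors fail the step and verify a pinned digest before `chmod`, for example `echo "<EXPECTED_SHA256_PLACEHOLDER>  aws-lambda-rie" | sha256sum -c - || return 1`, with one expected value per `uname -m` architecture. Separately, `--privileged` is probably wider than the checkpoint needs; a narrower `--cap-add` set is worth trying, though the capabilities CRIU requires are not visible from this hunk.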
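Review bot: The first pom.xml hunk declares `aws-lambda-java-runtime-interface-client` from the `io.github.crac.com.amazonaws` fork at `2.4.1.CRAC.0`, while the README added in this same commit tells readers pom.xml was changed to version `1.0.0`. One of the two is stale, and a reader following the README would pull a different build of the component that replaces the stock runtime client. Align the README snippet with the version this hunk declares, and consider a comment next to the dependency such as `<!-- CRaC fork of the AWS runtime interface client; keep in step with README -->`.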
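Review bot: The second pom.xml hunk adds `slf4j-simple` next to the existing `log4j-slf4j18-impl` visible in the context line, so two SLF4J backends are declared side by side. SLF4J binds only one, and with `slf4j-api` fixed to `${slf4j.version}` (1.7.36) it is likely the simple logger that wins, which would bypass the Log4j 2 configuration; the dependency scopes are not visible in this rendering, so this needs confirming. If Log4j 2 is meant to remain the backend, drop `slf4j-simple` or restrict it to test scope.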
@@ -131,6 +150,23 @@ 1.8 + + org.apache.maven.plugins + maven-dependency-plugin + 3.1.2 + + + copy-dependencies + package + + copy-dependencies + + + + + + + - \ No newline at end of file + diff --git a/seccomp.json b/seccomp.json new file mode 100644 index 0000000..8848b68 --- /dev/null +++ b/seccomp.json 
@@ -0,0 +1,1558 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "architectures": [ + "SCMP_ARCH_X86_64", + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ], + "syscalls": [ + { + "name": "accept", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "accept4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "access", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "alarm", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "bind", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "brk", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "capget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "capset", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chmod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_getres", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_nanosleep", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "close", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "connect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "copy_file_range", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "creat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup3", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_create1", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_ctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + 
"name": "epoll_ctl_old", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_pwait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_wait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_wait_old", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "eventfd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "eventfd2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "execve", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "execveat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "exit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "exit_group", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "faccessat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fadvise64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fadvise64_64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fallocate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fanotify_mark", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchmod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchmodat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchownat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fcntl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fcntl64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fdatasync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fgetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "flistxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "flock", + "action": "SCMP_ACT_ALLOW", + "args": 
[] + }, + { + "name": "fork", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fremovexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fsetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatfs64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fsync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ftruncate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ftruncate64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "futex", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "futimesat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getcpu", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getcwd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getdents", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getdents64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getegid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getegid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "geteuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "geteuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgroups", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgroups32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getitimer", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpeername", + "action": "SCMP_ACT_ALLOW", + "args": 
[] + }, + { + "name": "getpgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpgrp", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getppid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpriority", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrandom", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "get_robust_list", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrusage", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsockname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsockopt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "get_thread_area", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "gettid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "gettimeofday", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_add_watch", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_init", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_init1", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_rm_watch", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": 
"io_cancel", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_destroy", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_getevents", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioprio_get", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioprio_set", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_setup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_submit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ipc", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "kill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lchown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lchown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lgetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "link", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "linkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "listen", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "listxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "llistxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "_llseek", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lremovexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lseek", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lsetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lstat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lstat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "madvise", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "memfd_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mincore", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mkdir", 
+ "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mkdirat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mknod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mknodat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mmap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mmap2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mprotect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_getsetattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_notify", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_open", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_timedreceive", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_timedsend", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_unlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mremap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgrcv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgsnd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munlock", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munlockall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munmap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "nanosleep", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "newfstatat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "_newselect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "open", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "openat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pause", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "pipe", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pipe2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "poll", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ppoll", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "prctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pread64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "preadv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "prlimit64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pselect6", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pwrite64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pwritev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "read", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readahead", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvfrom", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvmmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "remap_file_pages", + 
"action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "removexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rename", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "renameat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "renameat2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "restart_syscall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rmdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigaction", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigpending", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigprocmask", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigqueueinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigreturn", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigsuspend", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigtimedwait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_tgsigqueueinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getaffinity", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getparam", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_get_priority_max", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_get_priority_min", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getscheduler", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_rr_get_interval", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setaffinity", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setparam", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": 
"sched_setscheduler", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_yield", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "seccomp", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "select", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semop", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semtimedop", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "send", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendfile", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendfile64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendmmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendto", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgroups", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgroups32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setitimer", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setpgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setpriority", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setregid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setregid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { 
+ "name": "setresgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setreuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setreuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_robust_list", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setsid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setsockopt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_thread_area", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_tid_address", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shutdown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sigaltstack", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "signalfd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "signalfd4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sigreturn", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socket", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socketcall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socketpair", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "splice", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "stat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "stat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "statfs", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "statfs64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "symlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "symlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sync_file_range", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "syncfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sysinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "syslog", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tee", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tgkill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "time", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_delete", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_settime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_getoverrun", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_settime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "times", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tkill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "truncate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "truncate64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ugetrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "umask", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "uname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": 
"unlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "unlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utimensat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utimes", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vfork", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vmsplice", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "wait4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "waitid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "waitpid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "write", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "writev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "arch_prctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "modify_ldt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chroot", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clone", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ] + } + ] +} diff --git a/src/main/java/example/Handler.java b/src/main/java/example/Handler.java index b096271..d2f84be 100644 --- a/src/main/java/example/Handler.java +++ b/src/main/java/example/Handler.java 
@@ -1,65 +1,50 @@ package example; import com.amazonaws.services.lambda.runtime.Context; -import com.amazonaws.services.lambda.runtime.LambdaLogger; import com.amazonaws.services.lambda.runtime.RequestHandler; import com.amazonaws.services.lambda.runtime.events.SQSEvent; import com.amazonaws.services.lambda.runtime.events.SQSEvent.SQSMessage; - -import software.amazon.awssdk.services.lambda.model.GetAccountSettingsRequest; -import software.amazon.awssdk.services.lambda.model.GetAccountSettingsResponse; -import software.amazon.awssdk.services.lambda.model.ServiceException; -import software.amazon.awssdk.services.lambda.LambdaAsyncClient; -import software.amazon.awssdk.services.lambda.model.AccountUsage; - -import com.google.gson.Gson; -import com.google.gson.GsonBuilder; - +import org.crac.CheckpointException; +import org.crac.RestoreException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.lang.StringBuilder; -import java.util.Map; -import java.util.List; -import java.util.concurrent.CompletableFuture; - -// Handler value: example.Handler +// Handler value: io.github.crac.example.lambda.Handler public class Handler implements RequestHandler{ private static final Logger logger = LoggerFactory.getLogger(Handler.class); - private static final Gson gson = new GsonBuilder().setPrettyPrinting().create(); - private static final LambdaAsyncClient lambdaClient = LambdaAsyncClient.create(); + public Handler(){ - CompletableFuture accountSettings = lambdaClient.getAccountSettings(GetAccountSettingsRequest.builder().build()); - try { - GetAccountSettingsResponse settings = accountSettings.get(); - } catch(Exception e) { - e.getStackTrace(); - } } + @Override public String handleRequest(SQSEvent event, Context context) { - String response = new String(); - // call Lambda API - logger.info("Getting account settings"); - CompletableFuture accountSettings = - lambdaClient.getAccountSettings(GetAccountSettingsRequest.builder().build()); - // log execution 
details - logger.info("ENVIRONMENT VARIABLES: {}", gson.toJson(System.getenv())); - logger.info("CONTEXT: {}", gson.toJson(context)); - logger.info("EVENT: {}", gson.toJson(event)); + logger.info("handleRequest start"); + // process event - for(SQSMessage msg : event.getRecords()){ + String response = ""; + + for (SQSMessage msg : event.getRecords()) { logger.info(msg.getBody()); + response = msg.getBody(); + + switch (msg.getBody()) { + case "checkpoint": + (new Thread(() -> { + try { + Thread.sleep(1_000); + org.crac.Core.checkpointRestore(); + } catch (CheckpointException | RestoreException | InterruptedException e) { + e.printStackTrace(); + } + })).start(); + break; + default: + // Just echo. Will also be used to break out of curl waiting for connection. + break; + } } - // process Lambda API response - try { - GetAccountSettingsResponse settings = accountSettings.get(); - response = gson.toJson(settings.accountUsage()); - logger.info("Account usage: {}", response); - } catch(Exception e) { - e.getStackTrace(); - } + return response; } -} \ No newline at end of file +} diff --git a/template-mvn.yml b/template-mvn.yml deleted file mode 100644 index a2c3d5d..0000000 --- a/template-mvn.yml +++ /dev/null @@ -1,20 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Transform: 'AWS::Serverless-2016-10-31' -Description: An AWS Lambda application that calls the Lambda API. -Resources: - function: - Type: AWS::Serverless::Function - Properties: - CodeUri: target/blank-java-1.0-SNAPSHOT.jar - Handler: example.Handler::handleRequest - Runtime: java8 - Description: Java function - MemorySize: 512 - Timeout: 10 - # Function's execution role - Policies: - - AWSLambdaBasicExecutionRole - - AWSLambda_ReadOnlyAccess - - AWSXrayWriteOnlyAccess - - AWSLambdaVPCAccessExecutionRole - Tracing: Active diff --git a/template.yml b/template.yml deleted file mode 100644 index 748d3b7..0000000 --- a/template.yml +++ /dev/null 
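Review bot: In `handleRequest`, the new `case "checkpoint":` branch lets any record whose body is exactly `checkpoint` start `org.crac.Core.checkpointRestore()`, so this control action is reachable by whoever can deliver a message to the handler, and a batch with several such records starts one thread per record. A checkpoint image is a dump of process state and presumably holds whatever secrets the JVM has in memory at that moment, so the trigger should be gated on something the sender does not control, for example `if (!Boolean.getBoolean("<checkpoint-enable-property>")) break;` as the first line of the case (the property name is a placeholder). The retained `logger.info(msg.getBody())` writes the sender-controlled body to the log unmodified; logging an identifier instead, such as `logger.info("record {} received", msg.getMessageId());`, avoids forged log lines and leaked payloads. The header comment now names `io.github.crac.example.lambda.Handler` while the package line is still `example`, so one of the two should be corrected.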
@@ -1,30 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Transform: 'AWS::Serverless-2016-10-31' -Description: An AWS Lambda application that calls the Lambda API. -Resources: - function: - Type: AWS::Serverless::Function - Properties: - CodeUri: build/distributions/blank-java.zip - Handler: example.Handler::handleRequest - Runtime: java8 - Description: Java function - MemorySize: 512 - Timeout: 10 - # Function's execution role - Policies: - - AWSLambdaBasicExecutionRole - - AWSLambda_ReadOnlyAccess - - AWSXrayWriteOnlyAccess - - AWSLambdaVPCAccessExecutionRole - Tracing: Active - Layers: - - !Ref libs - libs: - Type: AWS::Serverless::LayerVersion - Properties: - LayerName: blank-java-lib - Description: Dependencies for the blank-java sample app. - ContentUri: build/blank-java-lib.zip - CompatibleRuntimes: - - java8 \ No newline at end of file