Add runc_nocriu build tag

This allows to make a 17% smaller runc binary by not compiling in checkpoint/restore support. It turns out that google.golang.org/protobuf package, used by go-criu, is quite big, and go linker can't drop unused stuff if reflection is used anywhere in the code. Currently there's no alternative to using protobuf in go-criu, and since not all users use c/r, let's provide them an option for a smaller binary. For the reference, here's top10 biggest vendored packages, as reported by gsa[1]: $ gsa runc | grep vendor | head │ 8.59% │ google.golang.org/protobuf │ 1.3 MB │ vendor │ │ 5.76% │ github.com/opencontainers/runc │ 865 kB │ vendor │ │ 4.05% │ github.com/cilium/ebpf │ 608 kB │ vendor │ │ 2.86% │ github.com/godbus/dbus/v5 │ 429 kB │ vendor │ │ 1.25% │ github.com/urfave/cli │ 188 kB │ vendor │ │ 0.90% │ github.com/vishvananda/netlink │ 135 kB │ vendor │ │ 0.59% │ github.com/sirupsen/logrus │ 89 kB │ vendor │ │ 0.56% │ github.com/checkpoint-restore/go-criu/v6 │ 84 kB │ vendor │ │ 0.51% │ golang.org/x/sys │ 76 kB │ vendor │ │ 0.47% │ github.com/seccomp/libseccomp-golang │ 71 kB │ vendor │ And here is a total binary size saving when `runc_nocriu` is used. For non-stripped binaries: $ gsa runc-cr runc-nocr | tail -3 │ -17.04% │ runc-cr │ 15 MB │ 12 MB │ -2.6 MB │ │ │ runc-nocr │ │ │ │ └─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘ And for stripped binaries: │ -17.01% │ runc-cr-stripped │ 11 MB │ 8.8 MB │ -1.8 MB │ │ │ runc-nocr-stripped │ │ │ │ └─────────┴──────────────────────────────────────────┴──────────┴──────────┴─────────┘ [1]: https://github.com/Zxilly/go-size-analyzer Signed-off-by: Kir Kolyshkin <[email protected]>
opencontainers · Dec 6, 2024 · 57aeb86 · 57aeb86
1 parent a7a840e
commit 57aeb86
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 0 deletions.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -76,8 +76,14 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: "${{ env.GO_VERSION }}"
+      - name: install deps
+        run: |
+          sudo apt update
+          sudo apt -y install libseccomp-dev
       - name: compile with no build tags
         run: make BUILDTAGS=""
+      - name: compile with runc_nocriu build tag
+        run: make EXTRA_BUILDTAGS="runc_nocriu"
 
   codespell:
     runs-on: ubuntu-24.04

diff --git a/README.md b/README.md
@@ -103,9 +103,17 @@ e.g. to disable seccomp:
 make BUILDTAGS=""
 ```
 
+To add some more build tags to the default set, use the `EXTRA_BUILDTAGS`
+make variable, e.g. to disable checkpoint/restore:
+
+```bash
+make EXTRA_BUILDTAGS="runc_nocriu"
+```
+
 | Build Tag     | Feature                               | Enabled by Default | Dependencies        |
 |---------------|---------------------------------------|--------------------|---------------------|
 | `seccomp`     | Syscall filtering using `libseccomp`. | yes                | `libseccomp`        |
+| `runc_nocriu` | **Disables** runc checkpoint/restore. | no                 | `criu`              |
 
 The following build tags were used earlier, but are now obsoleted:
  - **runc_nodmz** (since runc v1.2.1 runc dmz binary is dropped)

diff --git a/libcontainer/criu_disabled_linux.go b/libcontainer/criu_disabled_linux.go
@@ -0,0 +1,15 @@
+//go:build runc_nocriu
+
+package libcontainer
+
+import "errors"
+
+var ErrNoCR = errors.New("this runc binary has not been compiled with checkpoint/restore support enabled (runc_nocriu)")
+
+func (c *Container) Restore(process *Process, criuOpts *CriuOpts) error {
+	return ErrNoCR
+}
+
+func (c *Container) Checkpoint(criuOpts *CriuOpts) error {
+	return ErrNoCR
+}
diff --git a/libcontainer/criu_linux.go b/libcontainer/criu_linux.go
@@ -1,3 +1,5 @@
+//go:build !runc_nocriu
+
 package libcontainer
 
 import (