Merge pull request #17797 from mpirvu/ssl_restore

Initialize JITServer SSL context post CRIU restore

runtime/compiler/control/CompilationRuntime.hpp

@@ -1283,6 +1283,7 @@ class CompilationInfo
    void  addJITServerSslCert(const std::string &cert) { _sslCerts.push_back(cert); }
    const std::string &getJITServerSslRootCerts() const { return _sslRootCerts; }
    void  setJITServerSslRootCerts(const std::string &cert) { _sslRootCerts = cert; }
+   void  freeClientSslCertificates() { _sslRootCerts.clear(); }
    const PersistentVector<std::string> &getJITServerMetricsSslKeys() const { return _metricsSslKeys; }
    void  addJITServerMetricsSslKey(const std::string &key) { _metricsSslKeys.push_back(key); }
    const PersistentVector<std::string> &getJITServerMetricsSslCerts() const { return _metricsSslCerts; }

runtime/compiler/control/CompilationThread.cpp

@@ -2935,6 +2935,18 @@ void TR::CompilationInfo::prepareForCheckpoint()
    if (!suspendCompThreadsForCheckpoint(vmThread))
       return;
 
+#if defined(J9VM_OPT_JITSERVER)
+   // If this is a JITServer client that has an SSL context, free that context now
+   if (getPersistentInfo()->getRemoteCompilationMode() == JITServer::CLIENT)
+      {
+      if (JITServer::CommunicationStream::useSSL())
+         {
+         freeClientSslCertificates();
+         JITServer::ClientStream::freeSSLContext();
+         }
+      }
+#endif
+
    setReadyForCheckpointRestore();
    }
 

runtime/compiler/control/OptionsPostRestore.cpp

@@ -45,6 +45,9 @@
 #include "env/VerboseLog.hpp"
 #include "env/TRMemory.hpp"
 #include "env/VMJ9.h"
+#if defined(J9VM_OPT_JITSERVER)
+#include "net/ClientStream.hpp"
+#endif
 #include "runtime/CodeRuntime.hpp"
 
 #define FIND_AND_CONSUME_RESTORE_ARG(match, optionName, optionValue) FIND_AND_CONSUME_ARG(vm->checkpointState.restoreArgsList, match, optionName, optionValue)
@@ -325,6 +328,16 @@ J9::OptionsPostRestore::processJitServerOptions()
       _compInfo->getPersistentInfo()->setClientUID(clientUID);
       _compInfo->getPersistentInfo()->setServerUID(0);
       _compInfo->setCanPerformRemoteCompilationInCRIUMode(true);
+
+      // If encryption is desired, load and initialize the SSL
+      if (_compInfo->useSSL())
+         {
+         bool loaded = JITServer::loadLibsslAndFindSymbols();
+         TR_ASSERT_FATAL(loaded, "Terminating the JVM because it failed to load the SSL library");
+
+         int rc = JITServer::ClientStream::static_init(_compInfo);
+         TR_ASSERT_FATAL(rc == 0, "Terminating the JVM because it failed to initialize the SSL library");
+         }
       }
    else
       {

runtime/compiler/net/ClientStream.cpp

@@ -55,6 +55,8 @@ int ClientStream::static_init(TR::CompilationInfo *compInfo)
    if (!CommunicationStream::useSSL())
       return 0;
 
+   TR_ASSERT_FATAL(_sslCtx == NULL, "SSL context already initialized");
+
    CommunicationStream::initSSL();
 
    SSL_CTX *ctx = (*OSSL_CTX_new)((*OSSLv23_client_method)());
@@ -124,6 +126,15 @@ int ClientStream::static_init(TR::CompilationInfo *compInfo)
    return 0;
    }
 
+void ClientStream::freeSSLContext()
+   {
+   if (_sslCtx)
+      {
+      (*OSSL_CTX_free)(_sslCtx);
+      _sslCtx = NULL;
+      }
+   }
+
 SSL_CTX *ClientStream::_sslCtx = NULL;
 
 static int
@@ -149,7 +160,7 @@ openConnection(const std::string &address, uint32_t port, uint32_t timeoutMs)
 
    struct addrinfo *pAddr;
    int sockfd = -1;
-   for (pAddr = addrList; pAddr; pAddr = pAddr->ai_next) 
+   for (pAddr = addrList; pAddr; pAddr = pAddr->ai_next)
       {
       sockfd = socket(pAddr->ai_family, pAddr->ai_socktype, pAddr->ai_protocol);
       if (sockfd >= 0)

runtime/compiler/net/ClientStream.hpp

@@ -66,6 +66,7 @@ class ClientStream : public CommunicationStream
        Returns 0 if successful;; Otherwise, returns -1.
    */
    static int static_init(TR::CompilationInfo *compInfo);
+   static void freeSSLContext();
 
    explicit ClientStream(TR::PersistentInfo *info);
    virtual ~ClientStream()