From 7d15576fbf741dd29aed6b5a700c9a0f5d08db8c Mon Sep 17 00:00:00 2001
From: yannic rieger <ybr@76k.io>
Date: Sat, 23 May 2026 18:24:37 +0200
Subject: [PATCH 1/2] remove WaitAfterServerInit config option

---
 Makefile                        |   2 +-
 cmd/platformd/main.go           |  56 +++++++++++++++-----------------
 internal/datapath/objects.go    |  12 ++++---
 internal/datapath/sock_bpfeb.o  | Bin 87368 -> 87368 bytes
 internal/datapath/sock_bpfel.o  | Bin 87368 -> 87368 bytes
 platformd/checkpoint/config.go  |   1 -
 platformd/checkpoint/service.go |  13 ++++----
 platformd/config.go             |   1 -
 platformd/server.go             |   2 +-
 9 files changed, 42 insertions(+), 45 deletions(-)

diff --git a/Makefile b/Makefile
index 3d3e1ab7..9642b4cb 100644
--- a/Makefile
+++ b/Makefile
@@ -131,7 +131,7 @@ functests-shared: $(TEST_IMG)
 .PHONY: ebpf
 ebpf:
 	$(RUN) $(SUDO) go generate ./internal/datapath
-	$(RUN) $(SUDO) go test ./internal/datapath -run TestVerifier -count 1
+	$(RUN) $(SUDO) go test -tags bpf ./internal/datapath -run TestVerifier -count 1
 
 $(TEST_IMG):
 	@docker build -t test-img -f $(IMG_TESTDATA_DIR)/Dockerfile $(IMG_TESTDATA_DIR)
diff --git a/cmd/platformd/main.go b/cmd/platformd/main.go
index 8492a7b7..9c4d66dc 100644
--- a/cmd/platformd/main.go
+++ b/cmd/platformd/main.go
@@ -25,34 +25,33 @@ func main() {
 		mgmtListenSock               = fs.String("management-server-listen-sock", "/run/platformd/platformd.sock", "path to the unix domain socket to listen on") //nolint:lll
 		mgmtSockUID                  = fs.Uint64("management-server-listen-sock-uid", 9012, "unix domain socket uid")
 		mgmtSockGID                  = fs.Uint64("management-server-listen-sock-gid", 9012, "unix domain socket gid")
-		criListenSock                = fs.String("cri-listen-sock", "/var/run/crio/crio.sock", "path to the unix domain socket the CRI is listening on")                           //nolint:lll
-		envoyImage                   = fs.String("envoy-image", "", "container image to use for envoy")                                                                            //nolint:lll
-		coreDNSImage                 = fs.String("coredns-image", "", "container image to use for CoreDNS")                                                                        //nolint:lll
-		getsockoptCgroup             = fs.String("getsockopt-cgroup", "", "container image to use for coredns")                                                                    //nolint:lll
-		dnsServer                    = fs.String("dns-server", "", "dns server used by the containers")                                                                            //nolint:lll
-		hostIface                    = fs.String("host-iface", "", "internet-facing network interface for ingress and egress traffic")                                             //nolint:lll
-		maxAttempts                  = fs.Uint("max-attempts", 5, "maximum number of attempts workload creation attempts")                                                         //nolint:lll
-		syncInterval                 = fs.Duration("sync-interval", 200*time.Millisecond, "i")                                                                                     //nolint:lll
-		nodeID                       = fs.String("node-id", "", "unique node id")                                                                                                  //nolint:lll
-		minPort                      = fs.Uint("min-port", 30000, "start of the port range")                                                                                       //nolint:lll
-		maxPort                      = fs.Uint("max-port", 40000, "end of the port range")                                                                                         //nolint:lll
-		workloadNamespace            = fs.String("workload-namespace", "", "namespace where the workload is deployed")                                                             //nolint:lll
-		registryEndpoint             = fs.String("registry-endpoint", "", "registry endpoint where base images will be pulled from and checkpoints pushed to")                     //nolint:lll
-		registryUser                 = fs.String("registry-user", "", "user for the registry")                                                                                     //nolint:lll
-		registryPass                 = fs.String("registry-password", "", "password for the registry")                                                                             //nolint:lll
-		controlPlaneEndpoint         = fs.String("control-plane-endpoint", "", "control plane endpoint")                                                                           //nolint:lll
-		checkCPUPeriod               = fs.Uint64("checkpoint-cpu-period", 0, "period of checking CPU period")                                                                      //nolint:lll
-		checkCPUQuota                = fs.Uint64("checkpoint-cpu-quota", 0, "quota of checking CPU quota")                                                                         //nolint:lll
-		checkMemoryLimitInBytes      = fs.Uint64("checkpoint-memory-limit-bytes", 0, "memory limit of the container that will be checkpointed")                                    //nolint:lll
-		checkLocationDir             = fs.String("checkpoint-file-dir", "/tmp/platformd", "directory where checkpoint files will be stored")                                       //nolint:lll
-		checkTimeout                 = fs.Uint64("checkpoint-timeout-seconds", 60, "timeout for checkpoint creation")                                                              //nolint:lll
-		checkListenAddr              = fs.String("checkpoint-listen-addr", "", "timeout for checkpoint creation")                                                                  //nolint:lll
-		checkStatusRetentionDuration = fs.Duration("checkpoint-status-retention-period", 1*time.Minute, "timeout for checkpoint creation")                                         //nolint:lll
-		checkContainerReadyTimeout   = fs.Duration("checkpoint-container-ready-timeout", 1*time.Minute, "maximum time to wait until the container is ready for checkpointing")     //nolint:lll
-		checkWaitAfterServerInit     = fs.Duration("checkpoint-wait-server-init", 10*time.Second, "how long to wait before performing a checkpoint after server has initialized ") //nolint:lll
-		mcServerManagementAPIToken   = fs.String("mc-server-management-api-token", "", "token to use for the minecraft server management api")                                     //nolint:lll
-		serverMonImage               = fs.String("servermon-image", "", "image to use for the servermon container")                                                                //nolint:lll
-		_                            = fs.String("config", "/etc/platformd/config.json", "path to the config file")                                                                //nolint:lll
+		criListenSock                = fs.String("cri-listen-sock", "/var/run/crio/crio.sock", "path to the unix domain socket the CRI is listening on")                       //nolint:lll
+		envoyImage                   = fs.String("envoy-image", "", "container image to use for envoy")                                                                        //nolint:lll
+		coreDNSImage                 = fs.String("coredns-image", "", "container image to use for CoreDNS")                                                                    //nolint:lll
+		getsockoptCgroup             = fs.String("getsockopt-cgroup", "", "container image to use for coredns")                                                                //nolint:lll
+		dnsServer                    = fs.String("dns-server", "", "dns server used by the containers")                                                                        //nolint:lll
+		hostIface                    = fs.String("host-iface", "", "internet-facing network interface for ingress and egress traffic")                                         //nolint:lll
+		maxAttempts                  = fs.Uint("max-attempts", 5, "maximum number of attempts workload creation attempts")                                                     //nolint:lll
+		syncInterval                 = fs.Duration("sync-interval", 200*time.Millisecond, "i")                                                                                 //nolint:lll
+		nodeID                       = fs.String("node-id", "", "unique node id")                                                                                              //nolint:lll
+		minPort                      = fs.Uint("min-port", 30000, "start of the port range")                                                                                   //nolint:lll
+		maxPort                      = fs.Uint("max-port", 40000, "end of the port range")                                                                                     //nolint:lll
+		workloadNamespace            = fs.String("workload-namespace", "", "namespace where the workload is deployed")                                                         //nolint:lll
+		registryEndpoint             = fs.String("registry-endpoint", "", "registry endpoint where base images will be pulled from and checkpoints pushed to")                 //nolint:lll
+		registryUser                 = fs.String("registry-user", "", "user for the registry")                                                                                 //nolint:lll
+		registryPass                 = fs.String("registry-password", "", "password for the registry")                                                                         //nolint:lll
+		controlPlaneEndpoint         = fs.String("control-plane-endpoint", "", "control plane endpoint")                                                                       //nolint:lll
+		checkCPUPeriod               = fs.Uint64("checkpoint-cpu-period", 0, "period of checking CPU period")                                                                  //nolint:lll
+		checkCPUQuota                = fs.Uint64("checkpoint-cpu-quota", 0, "quota of checking CPU quota")                                                                     //nolint:lll
+		checkMemoryLimitInBytes      = fs.Uint64("checkpoint-memory-limit-bytes", 0, "memory limit of the container that will be checkpointed")                                //nolint:lll
+		checkLocationDir             = fs.String("checkpoint-file-dir", "/tmp/platformd", "directory where checkpoint files will be stored")                                   //nolint:lll
+		checkTimeout                 = fs.Uint64("checkpoint-timeout-seconds", 60, "timeout for checkpoint creation")                                                          //nolint:lll
+		checkListenAddr              = fs.String("checkpoint-listen-addr", "", "timeout for checkpoint creation")                                                              //nolint:lll
+		checkStatusRetentionDuration = fs.Duration("checkpoint-status-retention-period", 1*time.Minute, "timeout for checkpoint creation")                                     //nolint:lll
+		checkContainerReadyTimeout   = fs.Duration("checkpoint-container-ready-timeout", 1*time.Minute, "maximum time to wait until the container is ready for checkpointing") //nolint:lll
+		mcServerManagementAPIToken   = fs.String("mc-server-management-api-token", "", "token to use for the minecraft server management api")                                 //nolint:lll
+		serverMonImage               = fs.String("servermon-image", "", "image to use for the servermon container")                                                            //nolint:lll
+		_                            = fs.String("config", "/etc/platformd/config.json", "path to the config file")                                                            //nolint:lll
 	)
 	if err := ff.Parse(fs, os.Args[1:],
 		ff.WithEnvVarPrefix("PLATFORMD"),
@@ -97,7 +96,6 @@ func main() {
 				ListenAddr:               *checkListenAddr,
 				StatusRetentionPeriod:    *checkStatusRetentionDuration,
 				ContainerReadyTimeout:    *checkContainerReadyTimeout,
-				WaitAfterServerInit:      *checkWaitAfterServerInit,
 			},
 			ManagementSocketUID: *mgmtSockUID,
 			ManagementSocketGID: *mgmtSockGID,
diff --git a/internal/datapath/objects.go b/internal/datapath/objects.go
index 9194794b..e112833e 100644
--- a/internal/datapath/objects.go
+++ b/internal/datapath/objects.go
@@ -127,8 +127,9 @@ func (o *Objects) BlockIP4Connections(cgroupPath string) error {
 		Attach:  ebpf.AttachCGroupInet4Connect,
 		Path:    cgroupPath,
 	}); err != nil {
-		return err
+		return fmt.Errorf("attach: %w", err)
 	}
+
 	return nil
 }
 
@@ -138,8 +139,9 @@ func (o *Objects) BlockIP6Connections(cgroupPath string) error {
 		Attach:  ebpf.AttachCGroupInet6Connect,
 		Path:    cgroupPath,
 	}); err != nil {
-		return err
+		return fmt.Errorf("attach: %w", err)
 	}
+
 	return nil
 }
 
@@ -155,7 +157,7 @@ func (o *Objects) AttachAndPinSNAT(iface *net.Interface) error {
 
 	// pin because cni is short-lived
 	if err := l.Pin(fmt.Sprintf("%s/snat_%s", ProgPinPath, iface.Name)); err != nil {
-		return fmt.Errorf("pin link: %w", err)
+		return fmt.Errorf("pin: %w", err)
 	}
 
 	return nil
@@ -177,7 +179,7 @@ func (o *Objects) AttachAndPinDNAT(iface *net.Interface) error {
 			// TODO: update prog
 			return nil
 		}
-		return fmt.Errorf("pin link: %w", err)
+		return fmt.Errorf("pin: %w", err)
 	}
 
 	return nil
@@ -195,7 +197,7 @@ func (o *Objects) AttachAndPinARP(iface *net.Interface) error {
 
 	// pin because cni is short-lived
 	if err := l.Pin(fmt.Sprintf("%s/arp_%s", ProgPinPath, iface.Name)); err != nil {
-		return fmt.Errorf("pin link: %w", err)
+		return fmt.Errorf("pin: %w", err)
 	}
 
 	return nil
diff --git a/internal/datapath/sock_bpfeb.o b/internal/datapath/sock_bpfeb.o
index 10843cc07bc4f1f39a7c4d9208ba5646c8e251e6..f309b7ba64bbf3e6a54058d120896443f36cc5e8 100644
GIT binary patch
delta 3597
zcmYk9eQXp(7{+HPr3fvyqLxESj~)V10Z|YPG@c=9OM!w#Afi$=Rs<nfR0v#ex7=Ot
zA{sGEJR}iXO!%V_X)RDbsy!66DhgN#2of*>f(eL#28C*T-rJRVCf%LiJoC=i`_63V
zIvO)O8Z(<5tuM8#(JyZHJ)EsnH>EOmC?o(<#%`rTlbqZwBlT=2i1%D)@s@k7Dp+dN
zwxf1OccpFzAA|WS$k);hRp<+7c>19j`UbCJa1eYLJP>SyPhp(p;Ck>m=tICw;LB+H
zB{&7X4!u+<AF>*m)PqV{K0gXQ+=6cyxR1y8gYWQo92f&h178q~&eL21hNgN!uLMu<
z*aklaMjKx}cnT)57n}k=2i~Vte^l30Dd&Tx5v2>jemqDui}3Q}$;IP&uKQ-_ufaDm
z=haH}{RCZnE%nfCFnpp@;E0pk99Z}clnzt{p}dD24V4XEha3}C_2~QxS{wkUpf@1L
z3=jlW(}))qq<exfns`)WCKInhZv*?GV|1CJ76-LD_00jj&)M4?u)f2%cqG*v1^?jj
z32>*!r!W}=T#2JEAeZ?d)kvg;{Yr&pmBK-=cp(E%C3paGakdQ}>Tv=*+GR^z6ModI
zSPPyCmd5qqIml(=DR32X(NBXz!2MVZis4n5oB$RdM*EEK!ARi^5G36N-UJ)`DcKRU
z;IjLabN16aixH^|_*L65ZO(K}VIJNM{h;&#-UB}5u|!ce7E<_tGp=PpPAANJpg3Cw
zaGF{I#m7;CO}8Lyy#BjYg3l;)1l<N-L909rCwv1k#*kzwCwFVUCEkSR3jNr2)nMd>
z5<M@Hg+W-#Ru_F5SUfFU2@YU{BCrh}j-HQzQ{eHg4l`v<1_S&-@YAq42DZU)bOvTW
z(4RtK3EXmBDfFc*R7!}8L|^Uf-FnpO)&~;If5uBA#=UNJV<Fm3sd1B?NBT)m#M*6N
z*8e8T9%^_*mSOuL;zx+5WGScr_CeMx(q1w=XMkb*RpRA_U-;9o9U*?3_<iE_#G74~
zs4Kh8No~)!_EGgA;*-R`5??c1tBCs$4>Ig~({Sxb;$oMbnXP%HC8W<FewjE-yqcJn
zTHD|>wdR*Ln%bOohHKl2e<c2e_#$zale;6|$~H>DQo}0?h({AYL0myRpV%UPm$-r0
z3za3ITG>Vw-xB{se1`Zk@jr$mImEP&BST0ZLtK{S+`Y5Nnn@DHB(j9`mBbG5hlZzC
z8jetuA}yq+441EQIqieUep3-SL42P0FT>GH;@-r4iRrvWX>(SPKcc~`3W-5FMJH3^
zXNg}SUPhcC_EsYuMb|rPcLl7iR7<-vN+FIOC7ZK`%il5_{e$>l!?B*kwCwVFS5Nyj
zRzyZ43{P8SI5wV`4r{EO^tr?fiRsY9=zA4&veM(H{Tkb78f4xu9P>_r7{#`ePG7AU
zc_?<y*z}@Z6}xEk*v(CXuX$ZhXF^-Ws9aNBM+bWbeLm`jlg$_>)fVtgB;`rsXPmCK
zfb|9`HN<gZI{bC?ov!<sY_<{aA*S<Ccbs(ZV||<Wtd9O!#50_x&+@GtV;c7p)3J{~
zPWn^CRm8N*<Fps!8_1@Kc$drgr>#`HlPc)*8~=^;F2e~r%L&@Zy{pNl$f^H4@caX$
zP<#?|jGnXGaAH33a$?&3i6rR_&fxaIDB6|@?(HkGJVJcBWm)^+Q0w~f`fzsg^%6Zx
zSGVpj(S5a5pi~ELZ)!1~ZTR6ZR;h!ym4xK-l!Hf-=qr>uKL{)rL@9ry)P-BXez)BH
zZ`@^saa)x7doC%REx$g3RF(@-iCeZd;pXkfok-ypCJoZUFfeX|H#@*BOjWw&6(^MT
z%YgITvW0R`%HG6pmY2Epp#r6+$-)v|d92d2u`v0yp+_Niy^}mSNiWjX$;oB9Fi)=O
slKSB$h96wk#$>2W&()pD>C^S#)~+&rHA`Pj{$8P%>cz=<GxX{I05<{3sQ>@~

delta 3600
zcmYk<du$X%90%~3K0K@~6i~~7(xX=h_y8J}N3eQ|#+E9Dv?3tLp?_GzLxLa(cemSK
z?|O>(V8H?*@klWt1n5D5@+fdT3^gK3Xa$5u(1=8hpcM&-=yz@x<~zyWe&#o`yYt%Z
zv~@#f>xRsPCFLJY%jIjE+@rFENE0G`r$7Rb()S1vc;3ow93m%MKKxF%<}^NNRH3Fs
z>3)>%&Jf~m_!O!yLHKIwLJ>HO*g+wBAshG-KgF;Q{ub^FoA7x&XAvBSFCsnwPQabG
z_7I$eZy;VOgd3+I9wi<T!f<<#>0)Qx1L0i9L*YEfBVg217r1>e>ZM!)KL%$Z?uVan
zY{JjMXq-C^m!lErggXiQ;m?KWjpAUHuvR4om(GGcIFN#K@Z-Uun&FIG#wNtyLW9*n
zek4TC&A7!8RgQQK`~}7;2}i8lE#6rlBGQT?A0igcs;4Hr24^%>#BuXKamCkg67dF{
zXQU=U1UJIyr0jyYdLTwrq9vm{5pRJ#h$mp2<xqH+72o2ON36qJyvA2}u9_XB;A!}n
z;|}<Q<MX&FCR|_ugTLdf+Jh9lh96~*5FyoGWgpxF=X4x?7=x+Wruq^Z<TwTovu&uM
z35|9NR>I?8b#WY?iZg~ybvRUovx=XCL*P+#2HDV3JXryq53NQV9a1T@76Fy|!0S;*
zHBhYx>TuaZ!uo0Jy~T~V4C5+IRBg(%tD<^nFXG>*d%%a_<Bl<NYLTcEI&O_<nvv6v
z>USVJQ9Zy)G<l29B8NI@KGbpUpXP@z2;2y96aEWVb;skB|3&zKNF^i9%H5V{s1e7=
z<$JK~=E6AVtJzC9_TfEHOI^h=XohN$vLEh`CltUYJOp=chm&xz9Y-}`jD-P@51xWL
zr(hGtK&O9)#(R>;%*U`?7XtSZMh$*2#RV$9%sRa7q><4TAyikLm6+q~ZuVTL*e+FK
zC$lHTJDec;ZuW8Asv^um+Jjx%<_Pjr<Z_p=dhh6GOrqH9+ArUyZO$eKv|qiVZAQo+
zkXMr9<VM?S)`hvxO76%rj!^Ll^7rIl$=9^2)5y7GueSSb?dl@(leVo1&D~4KP<#UU
z4YEmIMy9S-H&}`0ywZ)jG-tJT^#O7l`A704@=YsuXP(hjNA6#sU6W59MlL14NS;Zq
zCVxzBAUjiKsHv*iM+Ha8XUG@Go#g+t!`;ZVj>7{fKAil5%j&<Yz?euOnv?K+ir11?
zkU!NP>(>s`EQPmI{GfLEa@(mf2p`i0;STaI<m=kC^gh<+Q2ZWpUotJuiUAaV+Et<E
zAeCyzQo%Ix4DurKd*n~Zackvnud#z7v^r~Pifd0(ou9SK`Obgqctnu1$kgp}=aY~c
z*GM5%8mc{RiFTxzJcc};Je~X|`5iKSuOcg4spqH0HL^}u%KS$=;=Bc_Qe-E^>8ll?
z5sF;Yb+VeYBbUgx7YV-R(JbrnmWrYtx;RQNb|rm2qC=?8a4Xs3bw5jyO7bh#jTWy#
zAB(6#rSFpI<&Qd(qPiO0Om&*chsg9kM9)&(`B<y{jEG*<1$CKLVsD<&jUokPdhP2<
zDE<<;icG7#?tO}{C2u9S*q*GKRo6}h^!cs3O!1rAF?yF{w2<$bOLYpZ_&)FSM=3({
z6Pv2zIeWBYGs*N<Hnx=FtH=#j;eKxsEz8(mDs3g7B>&K~aDQPS&9k_9%_!NHT|c`-
zPLlJQTT5h5Y2*uW6dO1(2gi2&?=Vt`Hf&4+^N`QMp^}ORh4`%>toDd1|Ctb%?}R;e
zKI58@8Oqo&s`3XeVMFbPeUw*wq7plAtQRudgKd$(Moe9h3Jip?A-sKqhhe{+UwlT$
zLiIpwwo>&wgnUNjorW8?@(b<qK)#Tbs$(%HKT^mk=$QJ4Ll)s|4^aK-F><z?S6@;l
v^Si5^x=OvU8EZq6*3~a8lhb5-{rK_H(|n^$cDm%1`pXq^0j{X3l;{2jNHNTf

diff --git a/internal/datapath/sock_bpfel.o b/internal/datapath/sock_bpfel.o
index 7a9f5a9e63b72aca86868f228d4a6d218016f8c9..ed48eb3a021c8fd3eb11a003bd7e6ba1306f34e5 100644
GIT binary patch
delta 3528
zcmYk<3s6*500!W5U=dW-AhLA}bY&;Bhp&{<v7NTD48&(pnOb5^SelMurun+7<YS}~
z=alO>BZAF16Vob$iU`K8MWRw_=ul9jHfB15IckoNtm!{{?{@z)b9cY<pT|At-reQW
zQkBqBl~7$K<(1k^@{N#t)N&!>gh<{WFJdLG0UoEEyNAfB%7@pPYToWgjUx1v=-GtU
z{qTK4IDUdlG43WBbUB3lke;cJ5JzAi=!Z|iec=Fn240F&R=^kFEacVjRrni>4a0Zf
zT;#%y)vXX>xDbZ$pwi8(h=Fh~%R}MbmPf*UE&Jgt%Q^6HxCiDegrBk;fS-f);ws<?
z@V9yq@N00h-pm6+6s=I3s|P#hBJv>7WxhID?Rw~4B-o6j49TuEAr9*SC;{Y0^hCHa
zCCXXjH9khtg2a#3O|V1v!m$<B%c{U}Ek%gq7!igmk<Z1uzUWmju7OB`_4Ux#F9p6n
zMu<k_9(WgW4?GmEgI|IDaO<-|j1@xdu1S^6DuR_9L+deXo$c@smOJ4#%V*$ZEOH=b
z>4NnNb-8KT1IMj2b3dE{>!F1>(qX;Y0FD8c*TW-B8$w^KXRL-T@I+V-uD~%J-i7xt
zjv^~R3onOTbti186vmq)3Dqs|_c}+}4x=PJh?ku(F0o@I%o~0zPyP1Q{k{;Ik7HN>
z^VFDK6VP2Wz$dKfBJfGehvB|x*X6j%uAS>_L(&Z=n2O|>3e|dj9abMd?oMp}Lijv#
zJxu_<2B%_F04Mt!j#%>x<=o>kdKl)F^Yjy<7#}+iMh%5y_tp>hMjxF|hSMz<!d^HN
zX9&Q9;M15n43D;QJ!m}aK_5Rn4c6b^09*uj#AAbDR2HIgM+(e_Mp)naFkGf0d)gn4
z3!sWG-!B-dJM{=e-|x|3eQYyus*3D&`P^tlNz^X`0{Yc-;$YiP1Z+P|o}hZ~^BONx
z@+LWbx;^S0%9oOFyl(d?q5LEAW^y?>WV%~)>5b~(K9|u<%_qsfk}r{OlEo^aOLVqg
z<o@LM@uL&#GlX)VX_a4>nwvv;0eLogCAo~enOvztb*|hhO13)fvo}%xBl#TpGWo7@
z?spl<tL+&UXV}i5d<6M<az1$u*&uHuSCT`f4f9q}!%_0j<n!dK<bTM{5_<z~auzw8
zoL8bU>oa{XQ8b&pki43#$lKJadY8M3l3H?D)zrI;R!Ta_7s<EC2_M?q=t)i^r;~?}
zv-0h+elwpKy~g9I)2rmS$xF!V$)A$T)n^C1#vV$V$VbWT<lo5~CfQ5;i}HWTNo(vr
zY2*rXtogCYq=v!d(#iJV(Uj+qCy{58=aCnaOUP<XPx}NrRHVT*D@4uv$j#(-@&$6O
z`FA>cmo8I&i=3oJHRcaXS!<s+gS@rC&IeJRtqwMN-D4<ufjmRqZuA<9C|N;XN8U&-
zCx1!aOOB9R$sOcNrtghz`vx_{tI$E0;aq2L$wSU2k0rlIE+Q`>Zy;|cSCbEzo|dRj
z-$o7R$bXXWk`we3ll2E9ja*EhmrS+oYwxVbsdWr_I=O*<+~-iflw3*<k}FmJChxEi
zB@N{7$fwC?YZo;QSYB5?TAoS{zLz5lWO3b*9GNDK3_RQ?v<R^P+uMudNz~;DJn-P%
zT&9^XL%sh+JkDADK1aQKm-+Cc$K7^lOQE0ebp6UB_<tc;3P05|QO~jJJMk>zNs@-p
zUuiu+2Ltg)t)Jjx6AZ$DLaW}n3@7wR@m8#k{@wlZ|Alv2^(9t&bYqjHSZ~#%8=ERc
z3hKk8buUG*W1O5Xi-Wm&vR`T!9szafgX2`Z5Ice&<jI+FZANg)6q!|bH&1pY#$O*R
U)hA!LgN_0@LoNu;Dv*Et2RgFTp8x;=

delta 3531
zcmYk<dr(wW00!`LU=g%k0gYC&U}e>?hr*PvakjP;11TRPnVKflAL00@G09T&ULW+(
zH1&*Pj!o-eGv<hkq9O{)`WSFT%@H(Hr_>pB(oxII!7=MQdoSJZ&fLAf^PTs-3tXDE
z#5HY+t6C}LAJwbm`<1CfN`;6K!o4R}v>!41;5U>f+)qwa0elvz8R6%QVziWKc>uM0
z;m3t={R}Tdzx$}r$6@3L^+?@>I0gs6AbbW+gH8AnJQq`j;OlU2<W=xp_z?Owzz^X(
z<RTT5%opNCAq?R|A;Bt$OgPDQ7VNb>2=>_y!kM;n;r?(Zj9Cc3Y}<rihxOt@@F@7O
zUIbhSAJLn6Qi$UDYHd|t&kRI9B>MPBovQNo`WOi|<64PiTUQ|(bq5@akRR0p;m(vP
z&vw7@4U#4#LDVYPg{z5k1FV-7!ue;C5GT>20j@wk4Oe~Bx5BswA_3O-L*Kt7`0h|4
z>X7^3D&#&m3$BGHz(Kfqm=MD;Wq5nCY*Z1f<Tz@N+3P$9pRj!qK5hFF?8ao7808kM
zSE!FR+dkN}z{-Pg7g%>K#F+-`)tWf_*!~h8VA&A*W(~C~*1@A;-8qDFGQ17f2Asuq
z{u{giZq|*krR6X#t^^d<!^d@wV<U_sp*ub{!??w+K`?Ll`FwSG#}k1ts!yVuiE*l}
zrg3O4>fxX4;SRy4Y#)WwP_K_us(<w~Pb-oRm|#4T<EpaSAGlz*3F7Irk6#F1MXrZ2
z;lJQy^fEEoKXAkzKSp_WdJVT>-8o;n5VP>L^PyK3-2QBXuorD~J{nH5T?qGrGcbb*
z_k&w8aswQ&bKPkq>_eL%JPFo6zb0G^{}PK0HlR>~!UHKV8otJ`e)J9SY8BaewvWq1
zQHahL&{a2bo6&2c4r}erXm?eSUEV-<Q(MIAk3OdUv>e~p@gURjtK?BCWw+m$K*<N>
zr`~aT&7{1PeD6J{O&R4Y$m_@<a@cZ*=+gJA`rTfmk*ZIVe<j}_w~=EO3VlRJOCtNp
zpWv5Hdz);^U$Lyl)+FbRpnM#8D%m8jCa)t`sLC2|-d0N1dz{%Ll(&$tkZ+S8DbF6S
z(Rq<G!kniar&B(FoJW3(Je|Cdyoy{w4qG;?M@1FQ<n!dK<h$g5$%%`d4Rj}Gk_VFC
zT&yx`GXmo&no2GqFCniXf3FtSdQ-PjvWt9BZLjqjCn&i{{+;}Q9KXcbhKHO&P9tZN
zdyjSczGmekqxX0uHJU=6MxIMvN?uD2sWp53#%@X?<Yw|Y@-_0(QO*+ord*Ucc_(rT
zIb`*<zBWCnB8$9iv@=kE@)6`Q<RbEi<j=@u<TYiFITLJBk$v8xFjem%H<Hhhuam2-
zzthpDber-A<W6dE-Pr6dpF8uWlh+qGc|Xbrs`@&AY7Qj@<abqDo!^*4i9!B~yowwm
zZzI=`50OuhFOY9o?h@VheX594mGxdD@e5~58RUWFT=LuGV)9(_*W``l9ppO86XW&t
ztyFP^e24sq9IxM)>^~SO<XQB6>8ZZk?=O0ZYIDew$@}P+`*g}n$;-*#k}Fh?1ODtV
zCH3Sc@>%lb>XHM`l*ahx)od6dTioR{bLBWWyXHu)>?)0Pyx+$);~g41+=X*6%Cbd>
z*|=IOwetBW_qd5SI=kHuD0jSLz5nQbZ7$d)g?`D?<=fBVUk1Dw2dSKaa;{z8jMo{T
zTN*<DRO=2p$aG7gU*g&acmW*>?eh6~n6Rf5#di53+IJi#|6h1}`BS?-y0HQ&^o`Kt
zMK?A{iX=E&+K*F|pBW)%%Gu>P`7%BE7TyB&(G6!ytPq>ZOY-HEm{y~F%ov$b^DtlD
YjE}uHT&fj6rk1-3<Ro+~Dv;Oy11Q4Pg8%>k

diff --git a/platformd/checkpoint/config.go b/platformd/checkpoint/config.go
index 751ed676..d6f47d3e 100644
--- a/platformd/checkpoint/config.go
+++ b/platformd/checkpoint/config.go
@@ -33,5 +33,4 @@ type Config struct {
 	ListenAddr               string
 	StatusRetentionPeriod    time.Duration
 	ContainerReadyTimeout    time.Duration
-	WaitAfterServerInit      time.Duration
 }
diff --git a/platformd/checkpoint/service.go b/platformd/checkpoint/service.go
index 0a932acd..f49e6906 100644
--- a/platformd/checkpoint/service.go
+++ b/platformd/checkpoint/service.go
@@ -274,17 +274,16 @@ func (s *ServiceImpl) checkpoint(ctx context.Context, id string, baseRef name.Re
 		return fmt.Errorf("find netns: %w", err)
 	}
 
+	// sockets in state TCP_TIME_WAIT and TCP_CLOSE_WAIT, will be a left-over
+	// because our ebpf programs will not be able to close them.
+	//
+	// in order to make restoring the checkpoint work, we have to specify
+	// the --tcp-close option in /etc/criu/crun.conf to make it work.
+	// see https://criu.org/CLI/opt/--tcp-close for reference.
 	if err := s.sockHandler.DestroySocks(netnsPath); err != nil {
 		return fmt.Errorf("kill sockets: %w", err)
 	}
 
-	// wait a little after closing all sockets, as it seems that if we directly checkpoint we still get:
-	//
-	//		Error (criu/sk-inet.c:191): inet: Connected TCP socket, consider using --tcp-established option.
-	//
-	// linux might take some time to close all sockets eventually.
-	time.Sleep(s.cfg.WaitAfterServerInit)
-
 	logger.InfoContext(ctx, "checkpointing container", "container_id", ctrID)
 
 	if _, err := s.criService.CheckpointContainer(ctx, &runtimev1.CheckpointContainerRequest{
diff --git a/platformd/config.go b/platformd/config.go
index 4d72970f..7f3361c6 100644
--- a/platformd/config.go
+++ b/platformd/config.go
@@ -34,7 +34,6 @@ type Config struct {
 		ListenAddr               string
 		StatusRetentionPeriod    time.Duration
 		ContainerReadyTimeout    time.Duration
-		WaitAfterServerInit      time.Duration
 	}
 	ManagementSocketUID uint64
 	ManagementSocketGID uint64
diff --git a/platformd/server.go b/platformd/server.go
index 082497de..7a9aff18 100644
--- a/platformd/server.go
+++ b/platformd/server.go
@@ -145,7 +145,7 @@ func (s *Server) Run(ctx context.Context, cfg Config) error {
 				ListenAddr:               cfg.CheckpointConfig.ListenAddr,
 				StatusRetentionPeriod:    cfg.CheckpointConfig.StatusRetentionPeriod,
 				ContainerReadyTimeout:    cfg.CheckpointConfig.ContainerReadyTimeout,
-				WaitAfterServerInit:      cfg.CheckpointConfig.WaitAfterServerInit,
+				SocketDestructionTimeout: cfg.CheckpointConfig.SocketDestructionTimeout,
 			},
 			criSvc,
 			image.NewService(checkSvcLogger, cfg.RegistryUser, cfg.RegistryPass, "/tmp"),

From 5ee53fd21b420b4816b6c73504c32b2a8ee3db22 Mon Sep 17 00:00:00 2001
From: yannic rieger <ybr@76k.io>
Date: Sat, 23 May 2026 18:26:18 +0200
Subject: [PATCH 2/2] forgot

---
 platformd/server.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/platformd/server.go b/platformd/server.go
index 7a9aff18..fd6529b1 100644
--- a/platformd/server.go
+++ b/platformd/server.go
@@ -145,7 +145,6 @@ func (s *Server) Run(ctx context.Context, cfg Config) error {
 				ListenAddr:               cfg.CheckpointConfig.ListenAddr,
 				StatusRetentionPeriod:    cfg.CheckpointConfig.StatusRetentionPeriod,
 				ContainerReadyTimeout:    cfg.CheckpointConfig.ContainerReadyTimeout,
-				SocketDestructionTimeout: cfg.CheckpointConfig.SocketDestructionTimeout,
 			},
 			criSvc,
 			image.NewService(checkSvcLogger, cfg.RegistryUser, cfg.RegistryPass, "/tmp"),