
support seccomp flags such as SECCOMP_FILTER_FLAG_SPEC_ALLOW (OCI Runtime Spec v1.0.2) #2430

Closed
AkihiroSuda opened this issue May 25, 2020 · 10 comments · Fixed by #3580

Comments

@AkihiroSuda
Member

OCI Runtime Spec v1.0.2 supports specifying three seccomp flags: SECCOMP_FILTER_FLAG_TSYNC, SECCOMP_FILTER_FLAG_LOG, and SECCOMP_FILTER_FLAG_SPEC_ALLOW (opencontainers/runtime-spec@d1ef109).
However, these flags are currently unimplemented by runc (but implemented by crun).

Notably we should support SECCOMP_FILTER_FLAG_SPEC_ALLOW (Disable Speculative Store Bypass mitigation, since Linux 4.17).
The mitigation is enabled by default when a seccomp profile is specified and has serious performance impact on bytecode interpreters including Ruby and Python.

http://mamememo.blogspot.com/2020/05/cpu-intensive-rubypython-code-runs.html

On the host:

$ ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.321703922 sec

In a Docker container:

$ docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
2.452876383 sec

If you pass "--security-opt seccomp=unconfined" to the docker run command, it runs as fast as on the host.

$ docker run --security-opt seccomp=unconfined -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.333669449 sec
@AkihiroSuda
Member Author

cc @KentaTada

@KentaTada
Contributor

@AkihiroSuda
I think https://github.com/seccomp/libseccomp-golang needs to support SECCOMP_FILTER_FLAG_SPEC_ALLOW first. I'll create the issue in https://github.com/seccomp/libseccomp-golang

In addition to that, we may need to consider disabling IBPB/STIBP if the goal of this issue is to improve the performance impact on bytecode interpreters. Below is the related commit from enroot.
NVIDIA/enroot@1f0c9ce#diff-0cfa9b5d3d6e047420d58d5cb1836a40R172

@KentaTada
Contributor

KentaTada commented May 25, 2020

libseccomp v2.4.3, which is the latest release, does not include SCMP_FLTATR_CTL_SSB.
crun does not use libseccomp for seccomp flags, but runc does.
We need to wait for the next release of libseccomp.

@KentaTada
Contributor

FYI:

In addition to that, we may need to consider disabling IBPB/STIBP if the goal of this issue is to improve the performance impact on bytecode interpreters. Below is the related commit from enroot.
NVIDIA/enroot@1f0c9ce#diff-0cfa9b5d3d6e047420d58d5cb1836a40R172

I quickly confirmed the impact of disabling IBPB/STIBP using a modified runc which added unix.Prctl() before unix.Exec() in libcontainer/standard_init_linux.go.

  • runc which enabled IBPB/STIBP on my environment

$ docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
2.191031174 sec

  • runc which disabled IBPB/STIBP on my environment using unix.Prctl()

$ docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.544454339 sec

We can improve the performance when IBPB/STIBP is disabled.
I'll create a new pull request and would like to discuss this issue before the support of SECCOMP_FILTER_FLAG_SPEC_ALLOW.
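The two mechanisms this thread is about, the SECCOMP_FILTER_FLAG_SPEC_ALLOW flag from the issue description and the prctl() workaround in the comment above, can be observed directly from user space. The program below is an added example and is not code from runc, crun, enroot or any participant in this thread. It installs an allow-everything seccomp filter in a forked child, once without and once with SECCOMP_FILTER_FLAG_SPEC_ALLOW, and reads back the per-task speculation state with prctl(PR_GET_SPECULATION_CTRL) for both Speculative Store Bypass (SSB) and indirect-branch control (the IBPB/STIBP side). After each filter it also tries the prctl that the modified runc is described as using; the exact arguments used here, PR_SPEC_INDIRECT_BRANCH with PR_SPEC_ENABLE issued after the filter, are my reading of "disabling IBPB/STIBP", not a quote of that patch or of enroot. It assumes Linux 4.17 or later with glibc headers, and needs no root because it sets PR_SET_NO_NEW_PRIVS before calling seccomp(2). runc reaches the same kernel bit through libseccomp's SCMP_FLTATR_CTL_SSB attribute; this example talks to the kernel directly.

```c
/*
 * Added example (not runc's, crun's or enroot's code): show what
 * SECCOMP_FILTER_FLAG_SPEC_ALLOW changes for a task's speculation state.
 * The OCI equivalent is:  "linux": {"seccomp": {"flags": ["SECCOMP_FILTER_FLAG_SPEC_ALLOW"], ...}}
 * Assumes Linux >= 4.17 and glibc; no root required.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Fallbacks for older headers; the values are the kernel UAPI constants. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif
#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
#endif
#ifndef SYS_seccomp
#if defined(__x86_64__)
#define SYS_seccomp 317
#elif defined(__aarch64__)
#define SYS_seccomp 277
#endif
#endif

enum spec_status { SPEC_UNSUPPORTED, SPEC_NOT_AFFECTED, SPEC_OPEN, SPEC_MITIGATED, SPEC_MITIGATED_FORCED };

static const char *const spec_status_names[] = {
    "unsupported", "not-affected", "speculation-on", "mitigated(prctl-reversible)", "mitigated(FORCED)",
};

/* Decode a PR_GET_SPECULATION_CTRL result (or a negative errno) into a status. */
enum spec_status classify_spec(long v)
{
    if (v < 0) return SPEC_UNSUPPORTED;              /* -EINVAL / -ENODEV: no control for this misfeature */
    if (v == PR_SPEC_NOT_AFFECTED) return SPEC_NOT_AFFECTED;
    if (v & PR_SPEC_FORCE_DISABLE) return SPEC_MITIGATED_FORCED;   /* what a plain seccomp filter sets */
    if (v & (PR_SPEC_DISABLE | PR_SPEC_DISABLE_NOEXEC))
        return (v & PR_SPEC_PRCTL) ? SPEC_MITIGATED : SPEC_MITIGATED_FORCED;
    if (v & PR_SPEC_ENABLE) return SPEC_OPEN;
    return SPEC_UNSUPPORTED;
}

/* True when prctl(PR_SET_SPECULATION_CTRL, ..., PR_SPEC_ENABLE) can still succeed. */
int spec_controllable(long v)
{
    return v >= 0 && (v & PR_SPEC_PRCTL) && !(v & PR_SPEC_FORCE_DISABLE);
}

static long get_spec(int which)
{
    long v = prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
    return v == -1 ? -errno : v;
}

static void report(const char *label)
{
    long ssb = get_spec(PR_SPEC_STORE_BYPASS), ib = get_spec(PR_SPEC_INDIRECT_BRANCH);
    printf("%-32s SSB=%-28s IB=%s\n", label,
           spec_status_names[classify_spec(ssb)], spec_status_names[classify_spec(ib)]);
}

/* An allow-all filter is enough to trigger the kernel's seccomp speculation policy. */
static int install_allow_all_filter(unsigned int flags)
{
    struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog) != 0) return -errno;
    return 0;
}

/* Each scenario runs in a fork()ed child so the parent's own state stays untouched. */
static void scenario(const char *label, unsigned int flags)
{
    pid_t pid = fork();
    if (pid != 0) { if (pid > 0) waitpid(pid, NULL, 0); return; }
    int rc = install_allow_all_filter(flags);
    if (rc != 0) { fprintf(stderr, "%s: seccomp(2) failed: %s\n", label, strerror(-rc)); _exit(1); }
    report(label);
    /* The prctl workaround from the thread, issued after the filter (argument choice is an
     * assumption): the kernel refuses it with EPERM once speculation is force-disabled. */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0) != 0)
        printf("%-32s re-enable IB via prctl: %s\n", label, strerror(errno));
    else
        report("  after prctl(PR_SPEC_ENABLE)");
    _exit(0);
}

int main(void)
{
    report("baseline (no filter)");
    scenario("filter, no SPEC_ALLOW", 0);
    scenario("filter + SPEC_ALLOW", SECCOMP_FILTER_FLAG_SPEC_ALLOW);
    return 0;
}
```

Build with `cc -Wall -o specctl specctl.c` and run it on the host, not inside a container that already carries a seccomp profile: the force-disabled state is inherited across fork and exec, so under Docker's default profile every row would already read "mitigated(FORCED)". Whether the plain-filter row differs from the SPEC_ALLOW row depends on the CPU being affected and on the spec_store_bypass_disable= and spectre_v2_user= boot parameters (their seccomp modes are what make a filter without the flag force the mitigation); on an unaffected CPU both columns read "not-affected" in every row, which is itself the useful check before blaming seccomp for a slowdown.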

KentaTada pushed a commit to KentaTada/runtime-spec that referenced this issue May 28, 2020
AllowSpeculation disables spectre mitigations for container.
For more information about that, please refer to:
opencontainers/runc#2430

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
KentaTada pushed a commit to KentaTada/runtime-spec that referenced this issue May 28, 2020
AllowSpeculation disables speculative execution mitigations
in the container.
For more information about that, please refer to:
opencontainers/runc#2430

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
KentaTada pushed a commit to KentaTada/runtime-spec that referenced this issue Jun 1, 2020
It disables speculative execution mitigations
in the container.
For more information about that, please refer to:
opencontainers/runc#2430

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
KentaTada pushed a commit to KentaTada/runtime-spec that referenced this issue Jun 1, 2020
It disables speculative execution mitigations
in the container.
For more information about that, please refer to:
opencontainers/runc#2430

Co-Authored-By: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
KentaTada pushed a commit to KentaTada/runtime-spec that referenced this issue Jul 21, 2020
It disables speculative execution mitigations
in the container.
For more information about that, please refer to:
opencontainers/runc#2430

Co-Authored-By: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
@KentaTada
Contributor

libseccomp 2.5.0 was released.
Currently, I'm tackling the SCMP_FLTATR_CTL_SSB support of libseccomp-golang
seccomp/libseccomp-golang#51

@sporksmith

I came here to file an issue to support seccomp flags specified in the seccomp profile (particularly SECCOMP_FILTER_FLAG_SPEC_ALLOW). Support for these flags in the profiles was just added to moby in response to moby/moby#42619.

Is this the right issue, or should I make a new one?

@KentaTada
Contributor

Is this the right issue, or should I make a new one?

Yes. I have already implemented SCMP_FLTATR_CTL_SSB support of libseccomp-golang.
But opencontainers/runtime-spec#1047 is still ongoing.
After that, we can implement this flag in runc actually.

@danishprakash
Contributor

@KentaTada since you're working on other issues which are prerequisites for this, does this issue (for runc) look like a candidate for community contributions once you're done? I'd like to work on this. Thanks cc/ @AkihiroSuda

@KentaTada
Contributor

@danishprakash
Thank you for having interest in my activity.
I have already created the PR to implement this feature for runc.
#2433

In addition to that, SCMP_FLTATR_CTL_SSB support of libseccomp-golang was merged.
I'm sorry for the late response, but I'll take a look at the remaining issue opencontainers/runtime-spec#1047 before long.

@danishprakash
Contributor

@KentaTada thanks for clearing it up :) I wasn't able to find a linked PR and hence thought I'd ping here.
