support seccomp flags such as SECCOMP_FILTER_FLAG_SPEC_ALLOW (OCI Runtime Spec v1.0.2)

[AkihiroSuda]

OCI Runtime Spec v1.0.2 supports specifying three seccomp flags: SECCOMP_FILTER_FLAG_TSYNC, SECCOMP_FILTER_FLAG_LOG, and SECCOMP_FILTER_FLAG_SPEC_ALLOW (opencontainers/runtime-spec@d1ef109).
However, these flags are currently unimplemented by runc (but implemented by crun).

Notably we should support SECCOMP_FILTER_FLAG_SPEC_ALLOW (Disable Speculative Store Bypass mitigation, since Linux 4.17).
The mitigation is enabled by default when a seccomp profile is specified and has serious performance impact on bytecode interpreters including Ruby and Python.

http://mamememo.blogspot.com/2020/05/cpu-intensive-rubypython-code-runs.html

On the host:

$ ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.321703922 sec

On a Docker container:

$ docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
2.452876383 sec

If you specify an option "--security-opt seccomp=unconfined" for docker run command, it runs as fast as the host.

$ docker run --security-opt seccomp=unconfined -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
 ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
 1.333669449 sec

[AkihiroSuda]

cc @KentaTada

[KentaTada]

@AkihiroSuda
I think https://github.com/seccomp/libseccomp-golang needs to support SECCOMP_FILTER_FLAG_SPEC_ALLOW at first.I'll create the issue in https://github.com/seccomp/libseccomp-golang

In addition to that, we may need to consider disabling IBPB/STIBP if the goal of this issue is to improve the performance impact on bytecode interpreters.Below is the related commit from enroot.
NVIDIA/enroot@1f0c9ce#diff-0cfa9b5d3d6e047420d58d5cb1836a40R172

[KentaTada]

libseccomp v2.4.3 which is the latest release does not include SCMP_FLTATR_CTL_SSB
crun does not use libseccomp for seccomp flags but runc uses it.
We need to wait for next release of libseccomp.

[KentaTada]

FYI:

In addition to that, we may need to consider disabling IBPB/STIBP if the goal of this issue is to improve the performance impact on bytecode interpreters.Below is the related commit from enroot.
NVIDIA/enroot@1f0c9ce#diff-0cfa9b5d3d6e047420d58d5cb1836a40R172

I quickly confirmed the impact of disabling IBPB/STIBP using modified runc which added unix.Prctl() before unix.Exec() from libcontainer/standard_init_linux.go.

• runc which enabled IBPB/STIBP on my environment

docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
2.191031174 sec

• runc which disabled IBPB/STIBP on my environment using unix.Prctl()

$ docker run -it --rm ruby:2.7 ruby -ve 't = Time.now; i=0;while i<100_000_000;i+=1;end; puts "#{ Time.now - t } sec"'
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
1.544454339 sec

We can improve the performance when disables IBPB/STIBP.
I'll create a new pull request and want to discuss this issue before the support of SECCOMP_FILTER_FLAG_SPEC_ALLOW.