From 86079d33f7b8ea001713498bab85b26955ba2c0e Mon Sep 17 00:00:00 2001
From: Kenta Tada
Date: Thu, 28 May 2020 12:59:15 +0900
Subject: [PATCH] config: Add DisableSpeculationMitigations

It disables speculative execution mitigations in the container.
For more information about that, please refer to:
https://github.com/opencontainers/runc/issues/2430

Signed-off-by: Kenta Tada
---
 config.md | 3 +++
 schema/config-schema.json | 3 +++
 schema/test/config/good/spec-example.json | 3 ++-
 specs-go/config.go | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/config.md b/config.md
index 667bbba58..08e97e3ba 100644
--- a/config.md
+++ b/config.md
@@ -208,6 +208,9 @@ For Linux-based systems, the `process` object supports the following process-spe
 For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
 For more information about SELinux, see [SELinux documentation][selinux].
+* **`disableSpeculationMitigations`** (bool, OPTIONAL) specifies whether CPU speculative execution mitigations should be disabled for the process. Several mitigations are auto-enabled under Linux, and can cause a noticeable performance impact (depending on your workload). Note that enabling this option may reduce the security properties of containers created with this configuration. See [the kernel documentation][speculative-control] for more information.
+
+[speculative-control]: https://www.kernel.org/doc/html/latest/userspace-api/spec_ctrl.html
 
 ### User
 
diff --git a/schema/config-schema.json b/schema/config-schema.json
index 94923b35a..cfff83bb6 100644
--- a/schema/config-schema.json
+++ b/schema/config-schema.json
@@ -166,6 +166,9 @@
 }
 }
 }
+ },
+ "disableSpeculationMitigations": {
+ "type": "boolean"
 }
 }
 },
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
index a784d1d74..bab418504 100644
--- a/schema/test/config/good/spec-example.json
+++ b/schema/test/config/good/spec-example.json
@@ -56,7 +56,8 @@
 ],
 "apparmorProfile": "acme_secure_profile",
 "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
- "noNewPrivileges": true
+ "noNewPrivileges": true,
+ "disableSpeculationMitigations": false
 },
 "root": {
 "path": "rootfs",
diff --git a/specs-go/config.go b/specs-go/config.go
index 08af67798..309c65d98 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -58,6 +58,8 @@ type Process struct {
 OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
 // SelinuxLabel specifies the selinux context that the container process is run as.
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+ // DisableSpeculationMitigations disables speculative execution mitigations
+ DisableSpeculationMitigations bool `json:"disableSpeculationMitigations,omitempty" platform:"linux"`
 }
 
 // LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
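Review bot: The doc comment on the new `DisableSpeculationMitigations` field drops the security caveat that the config.md text in this same patch carries, so a runtime author reading only the Go type sees a performance knob rather than a deliberate weakening of the container's side-channel hardening; it also lacks a terminating period. Suggest `// DisableSpeculationMitigations, when true, disables the CPU speculative execution mitigations for the container process. This relaxes the kernel's side-channel hardening and should only be set for trusted workloads.` The kernel spec_ctrl interface that config.md links controls each mitigation separately (e.g. store bypass vs. indirect branch), so a single bool can only express all-or-nothing and cannot later be extended to per-mitigation control without a new field — worth noting before the name is frozen in the spec. The zero value `false` leaves mitigations enabled, which is the safe default for an omitted field. The enclosing `Process` struct begins before this hunk.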