From b24d646dc180f4550354d6bf7dda7318c78f5bdd Mon Sep 17 00:00:00 2001
From: Kenta Tada
Date: Thu, 28 May 2020 12:59:15 +0900
Subject: [PATCH] config: Add AllowSpeculation
AllowSpeculation disables spectre mitigations for container.
For more information about that, please refer to:
https://github.com/opencontainers/runc/issues/2430
Signed-off-by: Kenta Tada
---
 config.md | 1 +
 schema/config-schema.json | 3 +++
 schema/test/config/good/spec-example.json | 3 ++-
 specs-go/config.go | 2 ++
 4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/config.md b/config.md
index 667bbba58..144d63a2c 100644
--- a/config.md
+++ b/config.md
@@ -208,6 +208,7 @@ For Linux-based systems, the `process` object supports the following process-spe
 For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process. For more information about SELinux, see [SELinux documentation][selinux].
+* **`allowSpeculation`** (bool, OPTIONAL) setting `allowSpeculation` to true disable spectre mitigations to improve the performance.
 ### User
diff --git a/schema/config-schema.json b/schema/config-schema.json
index 94923b35a..8791858a6 100644
--- a/schema/config-schema.json
+++ b/schema/config-schema.json
@@ -166,6 +166,9 @@
 }
 }
 }
+ },
+ "allowSpeculation": {
+ "type": "boolean"
 }
 }
 },
diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
index a784d1d74..1f4d5620f 100644
--- a/schema/test/config/good/spec-example.json
+++ b/schema/test/config/good/spec-example.json
@@ -56,7 +56,8 @@
 ],
 "apparmorProfile": "acme_secure_profile",
 "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
- "noNewPrivileges": true
+ "noNewPrivileges": true,
+ "allowSpeculation": false
 },
 "root": {
 "path": "rootfs",
diff --git a/specs-go/config.go b/specs-go/config.go
index 08af67798..0b2194a7d 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -58,6 +58,8 @@ type Process struct {
 OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
 // SelinuxLabel specifies the selinux context that the container process is run as.
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+ // AllowSpeculation disables spectre mitigations
+ AllowSpeculation bool `json:"allowSpeculation,omitempty" platform:"linux"`
 }
 // LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
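Review bot: The doc comment on the added `AllowSpeculation` field does not say what the zero value means or what the flag trades away: with `omitempty` an unset or false value is dropped from the JSON, so a reader needs the comment to state that false keeps the kernel's speculative-execution (Spectre) mitigations in place and only an explicit true removes them for the container process. I would write it as `// AllowSpeculation, when true, disables the kernel's speculative-execution (Spectre) mitigations for the container process to improve performance; unset or false keeps them enabled.` followed by a line noting that this lowers the process's side-channel isolation, so runtimes should treat it as an opt-in that host policy may refuse rather than a default. The comment also leaves open which kernel control a runtime is expected to use, so two implementations could honour the field differently; the commit message points at the runc issue, and one clause naming the intended mechanism would pin that down. The comment should end with a period like the SelinuxLabel comment above it, and the config.md bullet in the earlier hunk should agree with the Go comment on these semantics (it currently reads as a sentence fragment). The Process struct itself starts before this hunk.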