config: Add AllowSpeculation

AllowSpeculation disables spectre mitigations for container. For more information about that, please refer to: opencontainers/runc#2430 Signed-off-by: Kenta Tada <[email protected]>
opencontainers · May 28, 2020 · b24d646 · b24d646
1 parent 44341cd
commit b24d646
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 1 deletion.
diff --git a/config.md b/config.md
@@ -208,6 +208,7 @@ For Linux-based systems, the `process` object supports the following process-spe
  For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
  For more information about SELinux, see [SELinux documentation][selinux].
+* **`allowSpeculation`** (bool, OPTIONAL) setting `allowSpeculation` to true disable spectre mitigations to improve the performance.
 
 ### <a name="configUser" />User
 

diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -166,6 +166,9 @@
  }
  }
  }
+ },
+ "allowSpeculation": {
+ "type": "boolean"
  }
  }
  },

diff --git a/schema/test/config/good/spec-example.json b/schema/test/config/good/spec-example.json
@@ -56,7 +56,8 @@
  ],
  "apparmorProfile": "acme_secure_profile",
  "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
- "noNewPrivileges": true
+ "noNewPrivileges": true,
+ "allowSpeculation": false
  },
  "root": {
  "path": "rootfs",

diff --git a/specs-go/config.go b/specs-go/config.go
@@ -58,6 +58,8 @@ type Process struct {
  OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
  // SelinuxLabel specifies the selinux context that the container process is run as.
  SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+ // AllowSpeculation disables spectre mitigations
+ AllowSpeculation bool `json:"allowSpeculation,omitempty" platform:"linux"`
 }
 
 // LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.