Bug 1213631 - MMTests/gitsource: Performance impact of seccomp confinement of container is about 6.8%
Status: RESOLVED WONTFIX
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Containers
Version: Leap 15.4
Hardware: x86-64 Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Andreas Herrmann
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-25 09:47 UTC by Andreas Herrmann
Modified: 2023-07-25 09:58 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Herrmann 2023-07-25 09:47:56 UTC
x86, kernel 5.14.21-150400.24.66-default
podman version 4.4.4
runc version 1.1.5
commit: v1.1.5-0-gf19387a6bec4
spec: 1.0.2-dev
go: go1.19.9
libseccomp: 2.5.3

Tests with the MMTests/gitsource benchmark showed that, for the elapsed time of this benchmark, the overhead of seccomp confinement is almost 7%:

           ----------------------podman-------------------------
           no_scaafps      aa           fips           sccmp
Amean User   433.58  433.60 -0.00%  446.64 -3.01%  461.13 -6.35%
Amean Syst   179.52  188.84 -5.19%  178.48  0.58%  194.38 -8.28%
Amean Elap   632.58  642.21 -1.52%  645.78 -2.09%  675.62 -6.80%
Amean CPU     96.00   96.00  0.00%   96.00  0.00%   96.67 -0.69%

no_scaafps - no seccomp/apparmor confinement, no FIPS
sccmp      - seccomp confinement on
aa         - apparmor confinement on
fips       - FIPS packages installed in container image

See also bug #1212272.
Comment 1 Andreas Herrmann 2023-07-25 09:55:28 UTC
If this performance impact is an issue for a workload, seccomp confinement can be turned off using '--security-opt seccomp=unconfined' when the container is started.

Note that this overhead is caused by security vulnerability mitigations for seccomp threads. Those mitigations can be switched off by adding 'spectre_v2_user=prctl spec_store_bypass_disable=prctl' to the kernel command line. In this case, the overhead of the seccomp confinement is not significant.

To check whether the 'spec store bypass' mitigation is enabled for seccomp threads, you can use the command 'lscpu | grep bypass'.

This shows 

  "Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl and seccomp"

in case the mitigation is enabled for seccomp threads, and if not it shows

  "Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl"
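Added example, not code from this bug report, podman or the kernel: a POSIX shell script that checks the three things Comment 1 talks about on a running system. It classifies the spec_store_bypass line from /sys/devices/system/cpu/vulnerabilities (the same text 'lscpu | grep bypass' prints), checks whether the kernel command line carries the two prctl-only parameters, and reads what a given process actually got from the Seccomp, Speculation_Store_Bypass and SpeculationIndirectBranch fields of /proc/<pid>/status, so one can compare a process in a default container with one started with '--security-opt seccomp=unconfined'. The sysfs/procfs interfaces and parameter names are real Linux interfaces; the sample texts at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report). Inspects the Spectre v2 / Speculative
# Store Bypass mitigation policy for seccomp threads and the per-process result.
# Sample inputs below are constructed; the live checks read the real interfaces.

# Classify a spec_store_bypass sysfs line (works on the lscpu variant too,
# since only the tail of the line is matched). Prints "seccomp" when the
# mitigation is forced on every seccomp thread, "prctl" when only processes
# that opt in via prctl(2) get it, "none" when the CPU is not affected.
# "prctl and seccomp" must be tested before "via prctl", which it contains.
ssb_policy() {
  case "$1" in
    *"disabled via prctl and seccomp"*) echo seccomp ;;
    *"disabled via prctl"*)            echo prctl ;;
    *"Not affected"*)                  echo none ;;
    *)                                 echo unknown ;;
  esac
}

# Exit 0 when the kernel command line (argument 1) contains both prctl-only
# parameters from Comment 1, matched as whole words so that other values of the
# same parameter (auto, seccomp, on, off) are not mistaken for prctl.
cmdline_is_prctl_only() {
  _ok=0
  for _p in spectre_v2_user=prctl spec_store_bypass_disable=prctl; do
    case " $1 " in
      *" $_p "*) ;;
      *) _ok=1 ;;
    esac
  done
  return $_ok
}

# Summarise a /proc/<pid>/status text read from stdin:
#   seccomp=<0 none|1 strict|2 filter> ssb=<state> ib=<state>
# "thread force mitigated" / "conditional force disabled" mean the kernel
# forced the mitigation on this thread because it loaded a seccomp filter;
# "thread vulnerable" / "conditional enabled" mean it did not.
proc_spec_state() {
  _mode=none; _ssb=unknown; _ib=unknown
  while IFS= read -r _line; do
    case "$_line" in
      Seccomp:*)                   set -- ${_line#*:}; _mode=$* ;;
      Speculation_Store_Bypass:*)  set -- ${_line#*:}; _ssb=$* ;;
      SpeculationIndirectBranch:*) set -- ${_line#*:}; _ib=$* ;;
    esac
  done
  printf 'seccomp=%s ssb=%s ib=%s\n' "$_mode" "$_ssb" "$_ib"
}

# --- constructed samples: default kernel vs. prctl-only command line ---------
SYSFS_DEFAULT='Mitigation: Speculative Store Bypass disabled via prctl and seccomp'
SYSFS_PRCTL='Mitigation: Speculative Store Bypass disabled via prctl'
CMDLINE_PRCTL='BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 spectre_v2_user=prctl spec_store_bypass_disable=prctl quiet'
# What /proc/self/status shows inside a default (seccomp-filtered) container on
# a default kernel, and inside one started with seccomp=unconfined.
STATUS_CONFINED=$(printf 'Name:\tsh\nSeccomp:\t2\nSeccomp_filters:\t1\nSpeculation_Store_Bypass:\tthread force mitigated\nSpeculationIndirectBranch:\tconditional force disabled\n')
STATUS_UNCONFINED=$(printf 'Name:\tsh\nSeccomp:\t0\nSeccomp_filters:\t0\nSpeculation_Store_Bypass:\tthread vulnerable\nSpeculationIndirectBranch:\tconditional enabled\n')

echo "sample default kernel : $(ssb_policy "$SYSFS_DEFAULT")"           # seccomp
echo "sample prctl kernel   : $(ssb_policy "$SYSFS_PRCTL")"             # prctl
cmdline_is_prctl_only "$CMDLINE_PRCTL" && echo "sample cmdline        : prctl-only"
echo "sample confined proc  : $(printf '%s\n' "$STATUS_CONFINED" | proc_spec_state)"
echo "sample unconfined proc: $(printf '%s\n' "$STATUS_UNCONFINED" | proc_spec_state)"

# --- live checks, only when the interfaces are readable on this host --------
_v=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
[ -r "$_v" ] && echo "this kernel           : $(ssb_policy "$(cat "$_v")")"
[ -r /proc/cmdline ] && { cmdline_is_prctl_only "$(cat /proc/cmdline)" \
  && echo "this cmdline          : prctl-only" \
  || echo "this cmdline          : seccomp threads get forced mitigations"; }
[ -r /proc/self/status ] && echo "this shell            : $(proc_spec_state < /proc/self/status)"
```

Run it on the host to see the kernel policy, then run it inside a container started with the default seccomp profile and again with '--security-opt seccomp=unconfined' (the script itself is the program): the ssb= and ib= fields of the last line show directly whether that container's threads pay for the forced mitigations.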
Comment 2 Andreas Herrmann 2023-07-25 09:56:30 UTC
Closing as 'wontfix'.