runc exec is 5x slower than crun exec #3181
Comments
One thing: this needs to be fixed.

Is this a recent performance regression?
Good question. I don't believe it is, but let's check... I compared with rc10, compiled by go 1.10.8, and the performance seems to be similar. Choosing the best run among 10, here are the numbers.

git tip:

rc10:
I think this is because runc supports passing username/groupname, so we need to read the 2 files to get the correct IDs out. Does crun support that as well?

No, we (at least in CLI) only accept numeric IDs.

    [kir@kir-rhat runc]$ runc exec --help | grep user
    --user value, -u value UID (format: <uid>[:<gid>])
Docker supports passing username/groupname, but it reads them from inside the container, not from the host, which IMHO makes that feature useless (the only reason I can think of for using names is matching host IDs for things that correspond to the host, like device files).
We fetch the supplementary group IDs from the container even if the user ID specified is numeric, which Docker doesn't do for us IIRC. This is also something we do with the regular config, so I'm not sure we can change the behaviour at this late stage. The whole stringification logic is a quirk from when libcontainer was used directly by Docker, but we probably can't change that either because it's saved to the on-disk state format, and changing that leads to very bad issues when upgrading runc. I'm surprised that crun doesn't do this at all, because it's something AFAIK they need to do in order to have parity with what Docker expects of runc.

It's not useless -- how else would you run a program as a non-root user that is configured inside the container (note: this is the mechanism by which the
The point of using names for host mapping is that you do not know what the numeric IDs are, because those differ between distributions and individual host machines, and container orchestration systems are not in control of them. Whereas names for a few common groups (e.g. render) and users (e.g. nobody) are fairly standard between distributions. Unlike with hosts (which are "randomly" assigned by container orchestration), container users have full control of the container contents; they specify what is being run and can check (and often also override) them as needed, so using correct numeric values for container contents is trivial. Expecting that to be the case with hosts is hopeless without full control of the hosts.
Using "github.com/syndtr/gocapability" calls os.Open("/proc/sys/kernel/cap_last_cap") (it runs in init()) even though we don't need it. I find we only need it to run runc init.
Need to