libct/seccomp: enable seccomp binary tree optimization #3405
Conversation
kolyshkin
force-pushed
the
seccomp-bintree
branch
2 times, most recently
from
534d6de to
6dd9c0e
Compare
|
Tests hung at
Investigating. |
|
OK, this is not caused by the libseccomp-golang bump (as I have suspected), but by |
|
The only test that hangs is This test does not set any seccomp rules; it also seems it is not named correctly. |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
6dd9c0e to
49dfc21
Compare
|
OK, so the key is to not enable binary tree optimization when there are no rules. Also, it makes little sense to enable binary tree optimization when there are just a few rules. I arbitrarily chose 8 as the value of "a few" here. |
This is because of seccomp/libseccomp#370 |
Opened #3415 wrt test name and purpose. |
Any benchmark? |
Some are available from seccomp/libseccomp@c9df088 |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
49dfc21 to
7c45c1f
Compare
|
Rebased. |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
7c45c1f to
f52aed0
Compare
@AkihiroSuda the above links has a short test result. If that is not enough, please see seccomp/libseccomp#116 and seccomp/libseccomp#152 I tried to do my own tests but apparently measuring syscall latency is some sort of dark art I am not very good at, and later I got carried away with the other stuff. |
kolyshkin
force-pushed
the
seccomp-bintree
branch
2 times, most recently
from
073ff66 to
8da1ba5
Compare
|
Rebased to resolve a conflict due to #3441. @AkihiroSuda @cyphar PTAL |
|
@opencontainers/runc-maintainers PTAL |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
8da1ba5 to
76af658
Compare
|
Rebased on top of merged #3465 |
perhaps defining a |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
76af658 to
1658a9a
Compare
// Enable libseccomp binary tree optimization. The number 8 is chosen
// semi-arbitrarily, considering the following:
// 1. libseccomp <= 2.5.4 misbehaves when binary tree optimization
// is enabled and there are 0 rules.
// 2. All known libseccomp versions (2.5.0 to 2.5.4) generate a binary
// tree with 4 syscalls per node.
if len(config.Syscalls) > 8 {
err = filter.SetOptimize(2)
....@drakenclimber perhaps you have a better idea of when we should use bintree optimization (without introducing a knob for it, that it). |
The binary tree should help improve performance when the filter is large. Originally I had envisioned automatically turning it on when there were greater than X syscalls in the seccomp filter, but some users preferred to control optimizations themselves. If you want to avoid a knob, then I would pick a somewhat arbitrary number, say 32, and enable the binary tree when the filter is larger than that. |
So to actually answer your question :), no I don't have a better answer than what you've done. |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
1658a9a to
46336a8
Compare
Changed 8 to 32, slightly improved the comment. |
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
46336a8 to
f2bee5c
Compare
|
@cyphar LGTY? |
This makes libseccomp produce a BPF which uses a binary tree for syscalls (instead of linear set of if statements). It does not make sense to enable binary tree for small set of rules, so don't do that if we have less than 8 syscalls (the number is chosen arbitrarily). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kolyshkin
force-pushed
the
seccomp-bintree
branch
from
f2bee5c to
b265d12
Compare
This makes libseccomp produce a BPF which uses a binary tree for
syscalls (instead of linear set of if statements).
This should speed up doing syscalls from containers that were created
from OCI spec containing lots of seccomp rules.