libct/int: add exec benchmark #4432
Open
+57
−6
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
...so that they can be used for benchmarks, too. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is a benchmark which checks how fast we can execute /bin/true inside a container. Results from my machine are below. As you can see, in default setup about 70% of exec time is spent for CVE-2019-5736 (copying runc binary), and using either RUNC_DMZ=true or memfd-bind helps a lot. This can also be used for profiling (using -test.cpuprofile option). === Default setup === [kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . . goos: linux goarch: amd64 pkg: github.com/opencontainers/runc/libcontainer/integration cpu: 12th Gen Intel(R) Core(TM) i7-12800H BenchmarkExecTrue BenchmarkExecTrue-20 327 24475677 ns/op BenchmarkExecTrue-20 244 25242718 ns/op BenchmarkExecTrue-20 232 26187174 ns/op BenchmarkExecTrue-20 237 26780030 ns/op BenchmarkExecTrue-20 318 18487219 ns/op PASS === With DMZ enabled === [kir@kir-tp1 integration]$ sudo -E RUNC_DMZ=true ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . . goos: linux goarch: amd64 pkg: github.com/opencontainers/runc/libcontainer/integration cpu: 12th Gen Intel(R) Core(TM) i7-12800H BenchmarkExecTrue BenchmarkExecTrue-20 694 8263744 ns/op BenchmarkExecTrue-20 778 8483228 ns/op BenchmarkExecTrue-20 784 8456018 ns/op BenchmarkExecTrue-20 732 8160239 ns/op BenchmarkExecTrue-20 769 8236972 ns/op PASS === With memfd-bind === [kir@kir-tp1 integration]$ sudo systemctl start memfd-bind@$(systemd-escape -p $PWD/integration.test) [kir@kir-tp1 integration]$ sudo ./integration.test -test.run xxx -test.v -test.benchtime 5s -test.count 5 -test.bench . . goos: linux goarch: amd64 pkg: github.com/opencontainers/runc/libcontainer/integration cpu: 12th Gen Intel(R) Core(TM) i7-12800H BenchmarkExecTrue BenchmarkExecTrue-20 800 7538839 ns/op BenchmarkExecTrue-20 717 7424755 ns/op BenchmarkExecTrue-20 848 7747787 ns/op BenchmarkExecTrue-20 800 7668740 ns/op BenchmarkExecTrue-20 751 7304373 ns/op PASS Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related to: #3181
This is a benchmark which checks how fast we can execute /bin/true
inside a container.
Results from my machine are below. As you can see, in default setup
about 70% of exec time is spent for CVE-2019-5736 (copying runc binary),
and using either
RUNC_DMZ=trueormemfd-bindhelps a lot.This can also be used for profiling (using -test.cpuprofile option).
Default setup
With DMZ enabled
With memfd-bind
Signed-off-by: Kir Kolyshkin kolyshkin@gmail.com