Comparing changes
base repository: opencontainers/runtime-spec
base: 27747c59a9e7aa9baadc5c5e5ec2ce054f5778a0
head repository: opencontainers/runtime-spec
compare: df667500fe09f8b4be9ef58cb673737f095b10fc
  • 1 commit
  • 4 files changed
  • 1 contributor

Commits on Jun 1, 2020

  1. config: Add DisableSpeculationMitigations

    It disables speculative execution mitigations
    in the container.
    For more information about that, please refer to:
    opencontainers/runc#2430
    
    Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
    Kenta Tada authored and Kenta Tada committed Jun 1, 2020
    df66750
Showing with 8 additions and 1 deletion.
  1. +1 −0 config.md
  2. +3 −0 schema/config-schema.json
  3. +2 −1 schema/test/config/good/spec-example.json
  4. +2 −0 specs-go/config.go
1 change: 1 addition & 0 deletions config.md
@@ -208,6 +208,7 @@ For Linux-based systems, the `process` object supports the following process-spe
For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
* **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
For more information about SELinux, see [SELinux documentation][selinux].
* **`disableSpeculationMitigations`** (bool, OPTIONAL) setting `disableSpeculationMitigations` to true disable speculative execution mitigations to improve the performance.

### <a name="configUser" />User
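Review bot: the new `disableSpeculationMitigations` entry has a grammatical slip ("to true disable") and gives only the performance motive; since setting it weakens the process's protection against speculative-execution side channels, the description should state that trade-off and the default. Suggested wording: `* **\`disableSpeculationMitigations\`** (bool, OPTIONAL) when set to true, disables speculative execution mitigations for the process; this improves performance at the cost of reduced isolation against speculative-execution side channels. Defaults to false.` Keeping it under the Linux-specific list, as done here, matches the `platform:"linux"` tag added in specs-go/config.go.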

3 changes: 3 additions & 0 deletions schema/config-schema.json
@@ -166,6 +166,9 @@
}
}
}
},
"disableSpeculationMitigations": {
"type": "boolean"
}
}
},
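Review bot: the schema change only declares `"type": "boolean"`, and nothing in this commit covers the rejection path. Alongside the updated good example, a bad-config test with a non-boolean value for this key (for example a string) would confirm the schema actually enforces the type, assuming the test tree has a `bad` counterpart to the `schema/test/config/good` directory touched by this commit.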
3 changes: 2 additions & 1 deletion schema/test/config/good/spec-example.json
@@ -56,7 +56,8 @@
],
"apparmorProfile": "acme_secure_profile",
"selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
"noNewPrivileges": true
"noNewPrivileges": true,
"disableSpeculationMitigations": false
},
"root": {
"path": "rootfs",
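Review bot: the example sets the new key to `false`, which is the Go zero value; combined with the `omitempty` tag on the field in specs-go/config.go, a round-trip through the Go types drops the key entirely, so the example exercises only the default. Either set it to `true` here to show the non-default form, or keep `false` and make sure config.md states that an omitted key and `false` are equivalent.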
2 changes: 2 additions & 0 deletions specs-go/config.go
@@ -58,6 +58,8 @@ type Process struct {
OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
// SelinuxLabel specifies the selinux context that the container process is run as.
SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
// DisableSpeculationMitigations disables speculative execution mitigations
DisableSpeculationMitigations bool `json:"disableSpeculationMitigations,omitempty" platform:"linux"`
}

// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
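Review bot: the doc comment on `DisableSpeculationMitigations` should say what `true` does to the process's security posture (it turns off the kernel's speculative-execution side-channel mitigations for that process) and that the field is Linux-only, matching the `platform:"linux"` tag; it should also end with a period like the neighbouring comments. The `omitempty` tag is reasonable for an opt-in bool, but it makes `false` indistinguishable from unset, which the config.md text should reflect.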