1. Proposed title of this feature request
Add futex_waitv syscall to cri-o seccomp runtime default profile
2. What is the nature and description of the request?
To have the ability to modify CRI-O, or to include futex_waitv in the default seccomp profile.
Telco application design teams have identified a capacity improvement from using the new futex_waitv syscall (futex2: wait on multiple futexes). Some references on futex_waitv:
- https://lwn.net/Articles/870229/
- https://lwn.net/Articles/868473/ (futex2: Add wait on multiple futexes syscall)
However, CRI-O blocks futex_waitv by default:
https://github.com/cri-o/cri-o/blob/main/internal/config/seccomp/seccomp.go#L15
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json#L61
The expectation is that futex_waitv gets added to the default CRI-O seccomp profile. containerd, for example, already allows futex_waitv by default:
https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go#L140
Workaround: create a custom seccomp profile that allows futex_waitv; it would be better, though, if it were part of the default.
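One way to produce that custom profile, as an added example that is neither part of this request nor CRI-O's own code: start from the runtime's default profile (a constructed miniature stands in for the real seccomp.json here), add futex_waitv to the same unconditional allow rule that already covers futex, and check the profile's static decision for the syscall before and after.

```python
import copy
import json

# Constructed miniature profile in the layout of containers/common seccomp.json.
# The real file lists hundreds of syscalls; this one keeps just enough shape to
# show the two rule kinds that matter: plain allow-lists and conditional rules.
DEFAULT_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["futex", "nanosleep", "read", "write"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "op": "SCMP_CMP_MASKED_EQ"}]},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}
""")

CONDITIONAL = ("args", "includes", "excludes")

def decision(profile, syscall):
    """Action the profile takes for `syscall`, judged statically: the first
    unconditional rule naming it wins; rules with argument filters or capability
    conditions depend on runtime state and are treated as not matching."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and not any(rule.get(k) for k in CONDITIONAL):
            return rule["action"]
    return profile["defaultAction"]

def allow_alongside(profile, new_syscall, sibling="futex"):
    """Return a copy of `profile` where `new_syscall` is added to the same
    unconditional SCMP_ACT_ALLOW rule that already allows `sibling`, so the
    new syscall inherits exactly the scope of its closest relative."""
    patched = copy.deepcopy(profile)
    if decision(patched, new_syscall) == "SCMP_ACT_ALLOW":
        return patched  # already allowed: nothing to change
    for rule in patched["syscalls"]:
        if (sibling in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW"
                and not any(rule.get(k) for k in CONDITIONAL)):
            rule["names"].append(new_syscall)
            return patched
    raise ValueError(f"no unconditional allow rule for {sibling!r} in profile")

if __name__ == "__main__":
    custom = allow_alongside(DEFAULT_PROFILE, "futex_waitv")
    print(decision(DEFAULT_PROFILE, "futex_waitv"), "->", decision(custom, "futex_waitv"))
    with open("futex-waitv.json", "w") as f:  # drop into the kubelet seccomp root
        json.dump(custom, f, indent=2)
```

Pods then reference the written file through securityContext.seccompProfile with type Localhost, where localhostProfile is a path relative to the kubelet's seccomp directory.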
3. Why does the customer need this? (List the business requirements here)
Applications use the futex syscall to exchange signals among several threads; when a condition is met, several futex syscalls are made one after another.
Using futex_waitv may theoretically save up to 20% of the thread time spent doing futex syscalls one by one.
Telco workloads typically deal with large numbers of lightweight threads (for packet processing or event handlers, for example). Without futex_waitv, each thread may wait on a separate futex and consume kernel resources and degrade performance under heavy load.
4. List any affected packages or components.
- CRI-O
- The containers/common seccomp policy (used as the CRI-O policy)