[jandrewrogers]

The container runtime intercepts some syscalls, altering the observable behaviors of the kernel in ways that can adversely impact software that is otherwise perfectly designed to operate outside the container runtime. Normal processes don’t have their syscalls intercepted and this is material difference to the extent it is not transparent.

If running the same properly designed software exhibits material differences in behavior between a bare metal process and a containerized process, then they aren’t the same as a matter of practical semantics. Ironically, virtualized processes have much closer equivalence to a bare metal process than containerized processes in practice.

Saying a container is “just a process” is like saying a virtual machine is “just a process”, both are true in some sense depending on how you define “process”. But as a matter of practical engineering, they are different kinds of things.

[kodah]

Are you talking about SecComp and namespacing?

[jandrewrogers]

The root cause is likely SecComp. The notoriously poor I/O performance of containerized code, regardless of configuration, is largely a side effect of syscall interception.

In particular it breaks software that does I/O scheduling in user space, which is idiomatic and explicitly supported by the Linux kernel, even on virtual machines, but this use case conflicts with the container abstraction so runtimes offer an ersatz version that allows the code to run albeit poorly.

[yencabulator]

More likely you're running your containers using overlay or some FUSE thing, and that's causing the I/O slowdown.

What syscalls do you think are intercepted, how? Speaking as someone who can write kernel code, I'm not aware of any such thing specific to containers. (As far as the linux kernel is concerned, there's no such thing as a container.)

If you're talking about BPF, that can be used outside of containers, e.g. systemd can limit any unit, and using it is not part of a definition of what a container is.

[jandrewrogers]

I have decades of experience writing this type of low-level high-performance data infrastructure code directly against the Linux kernel, deployed in diverse environments. I’ve seen almost every rare edge case in practice.

You can find many examples in the wild of reputable software that loses significant performance once containerized no matter how configured. Literally no one has demonstrated state-of-the-art data infrastructure software that works around this phenomenon, and at this point you’d think someone would be able to if it was trivially possible. I test database kernels in a diverse set of environments and currently popular containers aren’t remotely competitive with VMs, never mind bare metal. The reasons for the performance loss are actually pretty well understood at a technical level, albeit esoteric.

Every popular container system has runtimes that intercept syscalls. Whether or not Linux requires containers to intercept syscalls is immaterial because in practice they all do in a manner destructive to I/O performance.

There used to be a similar phenomenon with virtual machines for many years, such that no one deployed databases on them. Then clever people learned how to trick the VM into letting them punch a hole through the hypervisor, and we’ve been using that trick ever since. It isn’t as fast as bare metal, but it is usually within 10%. No such trick exists for containers and as a consequence performance in containers is quite poor.

[kodah]

How can an unprivileged runtime intercept syscalls of an application talking directly to a kernel? I'll go browse through the containerd code to see if I can find such a thing because I know Go pretty well, but I have never heard of a runtime intercepting syscalls. That's why application kernels like gvisor exist.

[rajmann]

>Then clever people learned how to trick the VM into letting them punch a hole through the hypervisor, and we’ve been using that trick ever since

Can you say more on this trick. Is it available by default on the cloud VMs, or is it something that has to done in the user's code. I have seen tweets from DirectIO developers saying AWS Nitro machines are better for kernel-bypass-IO compared the Google cloud VMs. but my understanding of it was something done by Amazon Nitro card engineers/developers, and Google was working on something similar to improve the performance.

[yencabulator]

Lots of words, very little said. How do you think e.g. docker "intercepts syscalls"?

[jandrewrogers]

No idea, don’t really care. That these performance disparities exist isn’t controversial, several well-known companies have written about it e.g. nginx[0]. I deploy on Kubernetes, but all of our I/O intensive infrastructure is deployed on virtual machines for performance reasons — we still lose ~10% on a virtual machine compared to bare metal but a container on bare metal is significantly worse.

All high-performance data infrastructure bypasses the operating system for most things, taking total control of the physical hardware it uses. Cores, memory, storage, network. Linux happily grants that control, with caveats. It doesn’t work the same inside Kubernetes and Docker, and no one can figure out how to turn it off. Maybe you don’t work on I/O intensive applications, but for people that do this is a well-documented phenomenon. My teams have wasted far too many hours trying to coax good performance out of code in containers that works just fine on bare metal and virtual machines.

[0] https://www.nginx.com/blog/comparing-nginx-performance-bare-...