Marek
If I read it right, it is square - number-of-guest-pids * number-of-host-golang-threads. Host golang can have pretty much unlimited number of threads (I think 10k is the default max). Then...
(1) you are right, let me revise what I said: > So in worst case each host thread will have at least one (at most two) threads per each guest...
I will push back. gVisor is a security isolation layer. Fork bomb is a usual problem. Right now the only way to solve the fork bomb is to put gVisor...
I must be missing something larger here. KVM was experimental till not very recent. People built products on ptrace. ARM kvm support is not finished (https://github.com/google/gvisor/issues/63). Are you saying that...
> But it's unclear to me: do you want the n^2 to go be limited to n ... asking about the use case I'm running untrusted workloads. Many of them....
@avagin This change is awesome. The runsc thread count falls down nicely after guest processes exit. On my box a new process in guest (cat) is creating 8-9 golang threads...
Benchmark time! Unless I did something wrong with my benchmark, the patched branch seems 2x slower than master. Code is here: https://gist.github.com/majek/6ffba6d70b56a95eb36258be11955b97 It creates 100 threads, and each does mmap/munmap...
Repeating my tests from above:
```
$ runsc-patched --version
runsc version release-20201019.0-70-g8176f6431ec8
spec: 1.0.1-dev
root@patched:/# time /root/thread
real 3m30.277s
user 1m29.110s
sys 347m4.160s
```
This looks like improvement over the...
@hbhasker I keep coming back to this. >Fix PACKET_RX_RING bug for versions TPACKET_V1 and TPACKET_V2 which causes the ring to get corrupted by allowing multiple kernel threads to claim ownership...
Interesting. I'm currently investigating vhost-net, and this might be an option as well. It allows for very fast tap device read/write, however, undeniably exposes larger host attack surface.