build context

[franckdrion]

Hello,

I'm using sysbox with docker compose (runtime: sysbox-runc), it works perfectly fine, however I'm struggling to get good performance when I use a docker build command.
In my case the problem is the time it takes to load the build context.

I'm using a virtual machine hosted on Azure and my goal is to register few agents to run pipelines (using DinD as well).

While in a not secure approach (mounting /var/run/docker.sock from the host to the agent container), the performances are really good (1 minute to build and push images), when using sysbox-runc as runtime, the same step takes 20 minutes.

tracelog when using sysbox-runc :

#6 [internal] load build context
#6 transferring context: 12.61MB 72.6s
#6 transferring context: 14.10MB 77.6s
#6 transferring context: 16.44MB 82.7s
#6 transferring context: 17.95MB 87.7s
#6 transferring context: 19.74MB 92.7s
#6 transferring context: 23.82MB 97.8s
#6 transferring context: 24.72MB 102.8s
#6 transferring context: 26.01MB 107.9s
#6 transferring context: 28.46MB 112.9s
#6 transferring context: 29.31MB 118.0s
#6 transferring context: 30.53MB 123.0s
#6 transferring context: 31.70MB 128.1s
#6 transferring context: 33.03MB 133.1s
#6 transferring context: 34.39MB 138.2s
#6 transferring context: 35.18MB 143.2s
#6 transferring context: 36.15MB 148.2s
#6 transferring context: 37.93MB 153.3s

tracelog without (/var/run/docker.sock bind mount) :

#5 [internal] load build context
#5 transferring context: 170.93MB 4.9s
#5 transferring context: 241.75MB 6.8s done
#5 DONE 8.6s

Do you guys have any recommandation in terms of performance (I'm already using .dockerignore file to reduce the build context to the minimal size which is approx 250MB) ?
I'm a big fan of the product and I love the security it provides in my case when hosting multiple agents to run pipelines (I don't want my pipeline to be able to kill all the running container because of /var/run/docker.sock mounted on every agent...)

Thanks you for you time and I'll be glad to fill more information if needed.

regards
Franck.

[ctalledo]

Hi Franck (@franckdrion), thanks for giving Sysbox a shot.

I am pretty sure you are hitting this issue.

Basically, Sysbox intercepts the *xattr syscalls inside the container, and that's not good for some workloads (in retrospect, I think it was a mistake on our part to add that intercept).

Fortunately you can turn it off, either globally on or a per container basis, as described in that link.

Please let us know if that works.

[franckdrion]

Hello @ctalledo,

thank you for you answer, it solved my problem and everything works as expected now !
I will take a closer look to *xattr syscalls theorical concepts to get a better understanding.

Regards,
Franck D.

[ctalledo]

Glad it worked, let us know of any more questions please. Thanks again for trying Sysbox, hope you find it helpful.