Docker Performance With KPTI Page Table Isolation Patches

Written by Michael Larabel in Operating Systems on 6 January 2018 at 12:00 PM EST.

Most of our benchmarks this week of the new Linux Kernel Page Table Isolation (KPTI) patches, which arrived as a result of the Meltdown vulnerability, have shown minimal impact on overall system performance. The exceptions have been workloads with heavy kernel interaction, such as demanding I/O cases and, in terms of real-world impact, databases. When testing VMs there has been some minor impact more broadly than in bare-metal testing, and Wine performance has also been impacted. The latest benchmarks look at whether Docker performance has been significantly impacted by the KPTI patches, since overall the patched-system overhead certainly isn't anything close to how it was initially hyped by some other media outlets.

Using a few common Linux distributions running within Docker, the performance was compared on the same system using the Linux 4.15 kernel. The sole difference between test runs of these Docker containers was whether the kernel was booted with or without KPTI enabled.

The benchmarking was done on an Intel Core i7 8700K "Coffee Lake" system running Ubuntu 16.04 LTS. Docker was obtained from the Ubuntu package archive as version 1.13.1.

A variety of benchmarks were run, from databases to compilation tasks to machine learning with Caffe and SciKit-Learn.

Tested on Docker were the latest Arch Linux, Clear Linux, Debian, Fedora, and Ubuntu versions. Each Docker container was tested out-of-the-box in the above-mentioned configuration to look for any performance impact from having Kernel Page Table Isolation enabled. All of these benchmarks were automated and made reproducible using the Phoronix Test Suite.
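Containers share the host kernel, so KPTI is a property of the host boot and not of any container image. The following added example (not part of the original article or the Phoronix Test Suite) shows one way to confirm which state a host is in before a with/without comparison; it assumes the kernel exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` and uses the `nopti`, `pti=` and `mitigations=off` boot parameters, and the function names are hypothetical.

```shell
#!/bin/sh
# kpti_state CMDLINE SYSFS_TEXT
# Prints: enabled | disabled | not-affected | unknown
# CMDLINE is the kernel command line, SYSFS_TEXT the content of the
# meltdown vulnerability file (empty if the kernel does not provide it).
kpti_state() {
    cmdline=$1
    sysfs=$2

    # The sysfs report reflects what the running kernel actually did,
    # so it takes priority over the boot parameters.
    case $sysfs in
        "Mitigation: PTI"*) echo enabled;      return 0 ;;
        "Not affected"*)    echo not-affected; return 0 ;;
        Vulnerable*)        echo disabled;     return 0 ;;
    esac

    # Fall back to explicit boot parameters. Padding with spaces makes
    # each pattern match a whole parameter, not a substring of one.
    case " $cmdline " in
        *" nopti "*|*" pti=off "*|*" mitigations=off "*)
            echo disabled; return 0 ;;
        *" pti=on "*)
            echo enabled;  return 0 ;;
    esac

    # No report and no explicit parameter: the kernel default applies
    # and cannot be determined from these two inputs alone.
    echo unknown
}

# Read the live values from the host (works unchanged inside a container
# that can read the host's /proc and /sys views).
kpti_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    kpti_state "$cmdline" "$sysfs"
}

echo "host KPTI state: $(kpti_report)"
```

Recording this value alongside each benchmark run makes it easy to catch a result that was collected under the wrong boot configuration.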
