add Linux numa memory policy support

[fabbione]

Closes: #1844

Summary by Sourcery

Enable optional NUMA support in the build system and ensure libnuma is installed across documentation and test environments.

New Features:

• Add optional NUMA support with auto-detection of numa.h, numaif.h, and libnuma in configure.ac

Enhancements:

• Introduce --disable-numa flag to disable NUMA support
• Update README to include numactl-devel/libnuma-dev as a dependency for all supported platforms
• Modify various Dockerfiles in tests to install numactl-devel in CI and fuzzing environments

[sourcery-ai]

Reviewer's Guide

Introduce optional NUMA support by adding a configure flag with header/library checks and updating build dependencies across documentation and CI Dockerfiles.

File-Level Changes

Change	Details	Files
Introduce NUMA support in the configure script	Added --disable-numa configure flag Checked for numa.h and numaif.h headers and error out if missing Searched for set_mempolicy in libnuma and defined HAVE_NUMA on success	configure.ac
Update documentation to require numactl/libnuma in package lists	Added numactl-devel in Fedora and RHEL/CentOS DNF sections Added libnuma-dev in Ubuntu apt-get install line Added libnuma-dev in Alpine apk install line Added libnuma-devel in openSUSE Tumbleweed zypper section	README.md
Include NUMA development package in CI/test Dockerfiles	Injected numactl-devel or libnuma-dev into installation commands Updated a dozen Dockerfiles across fuzzing, WasmEdge, CentOS, OCI validation, clang checks, CRI-O and Podman setups	tests/fuzzing/Dockerfile tests/wasmedge-build/Dockerfile tests/centos10-build/Dockerfile tests/centos9-build/Dockerfile tests/oci-validation/Dockerfile tests/centos8-build/Dockerfile tests/clang-check/Dockerfile tests/clang-format/Dockerfile tests/cri-o/Dockerfile tests/podman/Dockerfile

Possibly linked issues

• implement Linux memory policy #1844: The PR implements Linux memory policy support by adding NUMA headers and libraries.
• implement Linux memory policy #1844: The PR adds Linux memory policy (NUMA) support, which resolves the v1 cpuset cgroup issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[giuseppe]

I don't think we need another dependency for this feature. We can call directly the set_mempolicy(2) syscall

[fabbione]

I don't think we need another dependency for this feature. We can call directly the set_mempolicy(2) syscall

@giuseppe let´s talk when you are back from vacation :) that was one of the many questions I had in the list.

[giuseppe]

Sure, but if there's anything I can answer now, feel free to ask about it :)

[fabbione]

Sure, but if there's anything I can answer now, feel free to ask about it :)

not going to bother you while you are on vacation. Get off the computer :P

[fabbione]

There are 2 commits related to tests: that will be moved on a separate PR. At the moment I am just playing around with different ideas.

[packit-as-a-service]

TMT tests failed. @containers/packit-build please check.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[fabbione]

@giuseppe this is for when you are back from vacation.

I am not marking this PR ready to merge because there are some inconsistencies between the specs opencontainers/runtime-spec#1282 and set_mempolicy(2) documentation and I want to make sure everything is aligned.

The specs marks "nodes" as (string, REQUIRED) but that is not 100% accurate. MPOL_DEFAULT and MPOL_LOCAL in fact requires to pass NULL, 0 as nodemask and nodemask_size, making nodes an unnecessary requirement.

The implementation in opencontainers/runc#4726 in facts does not pass nodes to MPOL_DEFAULT and lacks a test for MPOL_LOCAL.

The specs also define how to pass the nodemask string, that while effective, is a bit less flexible of the implementation in libnuma. libnuma allows for the keyword "all", negations with "!" and relative allocation with "+". My 2c would be to align around libnuma implementation here as it is more flexible and probably more visible when looking for "what options can I pass to NUMA nodemask?" Same feature, same implementations for all users? It could potentially improve the end user experience.

The next bit is related on the general philosophy of crun coding, that is for me to understand. NUMA is one of the evolving kernel interfaces, as you might have noticed I did add several barriers to check for that, but then it boils down to how you want it supported.

Should the crun implementation "not care" of the OS headers and redefine internally the values (duplicating code etc), to allow people to use any random kernel regardless of the OS provided headers, or should use the OS provided headers to match build / features and OS kernel? Once built with redefined values, some of the error checking become moot and we only get set_mempolicy errors with no idea what is wrong, that would make debugging configurations more challenging.

NUMA being a rather advance setting, could potentially limit the execution of the container. In an homogeneous cluster where all nodes have same setup, this is a non-issue, but let´s take the example of real life cluster that expands over time and nodes have different NUMA properties. Would it make sense to have an extra flag in the spec for numa_strict or numa_relaxed?
This property could return -1 hard if we cannot apply set_mempolicy or return 0 with a warning that numa settings could not be applied due to hw differences.

In a similar fashion, specially for ARM cpus, that have very different NUMA implementations if any at all.

do we delegate the scheduling responsibility to upper levels or do we want to provide help to get stuff running? again goes back to the layering philosophy of containers here, where I am very much green.

Thanks.

PS: the last failures in CI are unrelated to those changes. some ssl certs expired in testing farms.