crio: inject gomaxprocs by default

[haircommander]

- What I did
Go processes run on nodes with many CPUs suffer a problem where the go runtime creates runtime threads per CPUs it can see, assuming there isn't a CPU limit on the process. However, the kubernetes scheduler is binpacking pods based on CPU request, which means go processes actually have access to less CPU time than the go runtime is expecting. This causes scheduling and GC latency.

min_injected_gomaxprocs is a feature in CRI-O that injects the GOMAXPROCS environment variable into all pods based on their CPU request. if the pod has a limit, GOMAXPROCS isn't set. Otherwise, it is set to 2requested CPUs. The 2 figure was found from perf testing, allowing the go runtime to burst up to capacity, while mitigating the latency.

Turn this on by default.

- How to verify it

- Description for the changelog

Summary by CodeRabbit

• Chores
  • Updated container runtime configuration to ensure the Go runtime inside containers receives a minimum processor allocation (min injected GOMAXPROCS = 1) across master, worker, and arbiter nodes. This improves concurrency predictability and process parallelism handling within containerized workloads.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e0c04fc8-6781-44c6-baa2-8df0c8d9e07f

📥 Commits

Reviewing files that changed from the base of the PR and between aaf7e82 and 6e3fda7.

📒 Files selected for processing (3)

• templates/arbiter/01-arbiter-container-runtime/_base/files/crio.yaml
• templates/master/01-master-container-runtime/_base/files/crio.yaml
• templates/worker/01-worker-container-runtime/_base/files/crio.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• templates/worker/01-worker-container-runtime/_base/files/crio.yaml
• templates/master/01-master-container-runtime/_base/files/crio.yaml

---

Walkthrough

The pull request adds the min_injected_gomaxprocs = 1 setting to CRI-O container runtime drop-in files for master, worker, and arbiter node templates (line 36 in each crio.yaml).

Changes

CRI-O gomaxprocs configuration

Layer / File(s)	Summary
Add min_injected_gomaxprocs setting to master, worker, and arbiter CRI-O configurations templates/master/01-master-container-runtime/_base/files/crio.yaml, templates/worker/01-worker-container-runtime/_base/files/crio.yaml, templates/arbiter/01-arbiter-container-runtime/_base/files/crio.yaml	Adds the min_injected_gomaxprocs = 1 configuration line to the CRI-O runtime drop-in files in master, worker, and arbiter templates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'crio: inject gomaxprocs by default' accurately describes the main change: enabling CRI-O's min_injected_gomaxprocs feature by default across three configuration files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only YAML configuration files (crio.yaml), not Go test files. No Ginkgo tests (It/Describe/Context) found in the repository outside vendor directory. Check is not applicable.
Test Structure And Quality	✅ Passed	PR contains only configuration file changes (CRI-O YAML files), no Ginkgo test code to review. Check is not applicable to this PR.
Microshift Test Compatibility	✅ Passed	This PR contains only YAML configuration file changes to CRI-O runtime settings, with no new Ginkgo e2e tests added. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are limited to CRI-O configuration files and standard Go unit tests, making this check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The PR adds min_injected_gomaxprocs=1 to CRI-O config files (runtime environment variable injection), not Kubernetes scheduling constraints. This is topology-agnostic and doesn't affect pod affinit...
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML configuration files (crio.yaml) with no Go source code, binaries, or executable processes. OTE Binary Stdout Contract check is inapplicable to configuration-only changes.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It only modifies YAML configuration files for CRI-O container runtime. The check is not applicable to this PR.
No-Weak-Crypto	✅ Passed	PR adds only Go runtime GOMAXPROCS configuration settings to YAML files with no weak cryptographic algorithms, custom crypto implementations, or secret comparisons.
Container-Privileges	✅ Passed	PR modifies only CRI-O daemon config files with a single parameter addition (min_injected_gomaxprocs=1). No privileged container settings, hostPID/Network/IPC, SYS_ADMIN capabilities, or allowPrivi...
No-Sensitive-Data-In-Logs	✅ Passed	The PR only adds the configuration parameter min_injected_gomaxprocs = 1 to three CRI-O configuration files. This is a simple performance optimization setting that does not involve logging, loggi...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[haircommander]

/payload-job release-informing

[openshift-ci]

@haircommander: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[haircommander]

/payload-job informing

[openshift-ci]

@haircommander: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@templates/master/01-master-container-runtime/_base/files/crio.yaml`:
- Line 36: The arbiter CRI-O runtime config is missing the crio.runtime tuning
present elsewhere; add the line min_injected_gomaxprocs = 1 under the
[crio.runtime] section in the arbiter CRI-O config template (to mirror the
master/worker templates) and ensure any template logic or templating variables
that render the CRI-O config include crio.runtime.min_injected_gomaxprocs so
arbiter nodes receive the same setting; also ensure deployment
logic/environments only apply this when the deployed CRI-O version is >= 1.33.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2b562d0d-60e3-490b-a0c7-e5a12f15a662

📥 Commits

Reviewing files that changed from the base of the PR and between 1b26733 and aaf7e82.

📒 Files selected for processing (2)

• templates/master/01-master-container-runtime/_base/files/crio.yaml
• templates/worker/01-worker-container-runtime/_base/files/crio.yaml

[haircommander]

/payload 5.0 nightly informing

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• templates/arbiter/01-arbiter-container-runtime/OWNERS [haircommander]
• templates/master/01-master-container-runtime/OWNERS [haircommander]
• templates/worker/01-worker-container-runtime/OWNERS [haircommander]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@haircommander: trigger 68 job(s) of type informing for the nightly release of OCP 5.0

• periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-aks-ovn-conformance
• periodic-ci-openshift-release-main-nightly-5.0-console-aws
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-5.0-periodics-e2e-aws
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-csi
• periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-cgroupsv2
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-fips
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-csi
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-serial
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-techpreview
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-single-node-techpreview-serial
• periodic-ci-openshift-release-main-nightly-5.0-upgrade-from-stable-4.22-e2e-aws-upgrade-ovn-single-node
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upgrade-fips-no-nat-instance
• periodic-ci-openshift-release-main-ci-5.0-e2e-aws-ovn-upgrade-out-of-change
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-upi
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-5.0-periodics-e2e-azure
• periodic-ci-openshift-release-main-nightly-5.0-e2e-azure-csi
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-serial
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-techpreview
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-techpreview-serial-1of2
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-techpreview-serial-2of2
• periodic-ci-openshift-release-main-ci-5.0-e2e-azure-ovn-upgrade-out-of-change
• periodic-ci-openshift-release-main-cnv-nightly-5.0-deploy-azure-kubevirt-ovn
• periodic-ci-openshift-cluster-control-plane-machine-set-operator-release-5.0-periodics-e2e-gcp
• periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn
• periodic-ci-openshift-release-main-nightly-5.0-e2e-gcp-ovn-csi
• periodic-ci-openshift-release-main-nightly-5.0-e2e-gcp-ovn-rt
• periodic-ci-openshift-release-main-nightly-5.0-e2e-gcp-ovn-serial
• periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview
• periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview-serial-1of2
• periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-techpreview-serial-2of2
• periodic-ci-openshift-release-main-ci-5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade
• periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-ovn-upgrade
• periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-azure-kubevirt-ovn
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-dualstack
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-dualstack-techpreview
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-ipv6-techpreview
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-serial-ipv4
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-serial-virtualmedia-1of2
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-serial-virtualmedia-2of2
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-techpreview
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-5.0-upgrade-from-stable-4.22-e2e-metal-ipi-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-serial-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-serial-ovn-dualstack
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ipi-upgrade-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-5.0-upgrade-from-stable-4.22-e2e-metal-ipi-upgrade-ovn-ipv6
• periodic-ci-openshift-release-main-nightly-5.0-metal-ovn-single-node-recert-cluster-rename
• periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ovn-ocp-conformance
• periodic-ci-openshift-microshift-release-5.0-periodics-e2e-aws-ovn-ocp-conformance-serial
• periodic-ci-openshift-release-main-nightly-5.0-e2e-osd-ccs-gcp
• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-ovn-proxy
• periodic-ci-openshift-release-main-nightly-5.0-e2e-metal-ovn-single-node-live-iso
• periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-5.0-nightly-x86-payload-control-plane-6nodes
• periodic-ci-openshift-release-main-nightly-5.0-e2e-telco5g
• periodic-ci-openshift-release-main-nightly-5.0-tls-scan
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-csi
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-serial
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-techpreview
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-techpreview-serial
• periodic-ci-openshift-release-main-ci-5.0-upgrade-from-stable-4.22-e2e-vsphere-ovn-upgrade
• periodic-ci-openshift-release-main-ci-5.0-e2e-vsphere-ovn-upgrade
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-upi
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-ovn-upi-serial
• periodic-ci-openshift-release-main-nightly-5.0-e2e-vsphere-static-ovn

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e5484aa0-65a7-11f1-80f2-1501213eb556-0