[Bug 689458] New: boot.apparmor needs long time to start
https://bugzilla.novell.com/show_bug.cgi?id=689458
https://bugzilla.novell.com/show_bug.cgi?id=689458#c0

Summary: boot.apparmor needs long time to start
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: i586
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: devzero@web.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

Apparently, loading the AppArmor profiles on boot is dead slow. OK, my system is slow (800 MHz VIA CPU), too, but there is not a single boot script that is THAT slow like apparmor. The script needs about half a minute to finish. Looking at that with strace, nothing suspicious is shown; seems the parser is just burning much CPU or whatever. Room for optimization?

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c1

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |ASSIGNED

--- Comment #1 from Jeff Mahoney <jeffm@novell.com> 2011-07-20 17:57:59 UTC ---
Yeah, I can reproduce this. Not 30 seconds, but about 6 on a pretty fast machine. It looks like each profile load is taking quite a bit of time, as you've observed. In particular, the apache profile can take > 1s.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c2

--- Comment #2 from Jeff Mahoney <jeffm@novell.com> 2011-07-20 18:38:02 UTC ---
# opreport $(which apparmor_parser) --symbols
Overflow stats not available
CPU: AMD64 family10, speed 800 MHz (estimated)
Counted CPU_CLK_UNHALTED events (Cycles outside of halt state) with a unit mask of 0x00 (No unit mask) count 100000
samples  %        symbol name
83003    45.6710  __cxxabiv1::__si_class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const
17957     9.8805  __gxx_exception_cleanup(_Unwind_Reason_Code, _Unwind_Exception*)
15586     8.5759  __cxa_call_unexpected
12571     6.9170  __dynamic_cast
8855      4.8723  __cxxabiv1::__class_type_info::__do_dyncast(long, __cxxabiv1::__class_type_info::__sub_kind, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info const*, void const*, __cxxabiv1::__class_type_info::__dyncast_result&) const
6884      3.7878  __cxa_throw
6209      3.4164  __gxx_personality_v0
5419      2.9817  simplify_tree_base(Node*, int, bool&)
3880      2.1349  operator new(unsigned long)
3209      1.7657  normalize_tree(Node*, int)
2725      1.4994  __cxa_rethrow
1629      0.8963  basic_simplify(Node*, int)
820       0.4512  std::_Rb_tree_increment(std::_Rb_tree_node_base*)
715       0.3934  regexp_parse(Node**, char const*)
693       0.3813  yylex
588       0.3235  CatNode::eq(Node*)
547       0.3010  CharNode::eq(Node*)
507       0.2790  TransitionTable::flex_table(std::ostream&, char const*)
489       0.2691  std::_Rb_tree_insert_and_rebalance(bool, std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::_Rb_tree_node_base&)
https://bugzilla.novell.com/show_bug.cgi?id=689458#c3

--- Comment #3 from Jeff Mahoney <jeffm@novell.com> 2011-07-20 19:36:58 UTC ---
It looks like there are a ton of dynamic_cast calls in libapparmor_re. I'm worried this may take a rewrite.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c4

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |suse-beta@cboltz.de

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> 2011-09-16 17:22:34 CEST ---
Factory has AppArmor 2.7 beta1 since some days (and will be updated to 2.7 beta2 in some hours). Do you still see the performance problems with this version? (Testing with 2.7 beta1 is OK, there were no parser-related changes for beta2.)
https://bugzilla.novell.com/show_bug.cgi?id=689458#c5

Jeff Mahoney <jeffm@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |lnussel@suse.com

--- Comment #5 from Jeff Mahoney <jeffm@suse.com> 2011-10-05 15:15:52 UTC ---
*** Bug 722292 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=722292
https://bugzilla.novell.com/show_bug.cgi?id=689458#c6

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> 2011-10-05 22:54:34 CEST ---
Quote from the duplicate (bug 722292):

> a) move profiles into the actual packages where the binaries are

That would cause a maintenance hell :-( I spent several evenings pushing lots of openSUSE profile patches upstream. The profiles in the apparmor-profiles package are directly taken from upstream (one or two are still patched). I also unified the profile for /usr/sbin/nscd, which was shipped in the nscd/unscd packages before - I merged the differences and moved it back to the apparmor-profiles package.

The nscd profile(s) already showed the (IMHO usual) problem with having a profile in the same package as the binary: it gets outdated and doesn't get updates from upstream (for example, /var/run vs. /run was solved upstream, but not in the *nscd package).

Moving each profile to the package with the binary would mean that each of those packages would need to include updated profiles from upstream on new apparmor releases - and I'm afraid most would forget to do it and ship outdated profiles. If you have an idea how to include the latest profiles in each binary package _automatically_, please tell me ;-)

> or create subpackages that supplement them.

This would result in about 20 subpackages for /etc/apparmor.d/*, most of them with only one file. I'd guess those packages would need more space in the rpm database than in /etc/ ;-)

> b) speed up apparmor_parser

That's an ongoing task upstream, and there were big improvements since the 2.3 release. But yes, there's still lots of room for optimization ;-) John just told me in #apparmor that several patches are in the works (including a rewrite of the code where most dynamic casts are), but they won't make it into apparmor 2.7. He'll probably add a comment with more details soon.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c7

John Johansen <jrjohansen@verizon.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC|                            |jrjohansen@verizon.net

--- Comment #7 from John Johansen <jrjohansen@verizon.net> 2011-10-05 21:15:50 UTC ---
Jeff is right that a rewrite of that portion of the code is needed, and is in fact already underway. Depending on your policy this may or may not speed up your compile. There are also other compiler improvements that are being worked on. If anyone is interested in specifics they can ask on #apparmor on oftc.net or on the apparmor mailing list (apparmor@lists.ubuntu.com).

But future improvements won't help the current situation. What can help immediately is turning on compiled policy caching. AppArmor will then use the precompiled policy, unless it detects it is out of date (using time stamps and a few other cues, much like make does).

Currently caching is only done for the profiles it has been specified for. Ubuntu sets up caching as part of a package install, so if a profile is installed the precompiled profile is generated at that time.

Currently precompiled policy is stored in /etc/apparmor.d/cache (not the ideal place, I know). For each compiled profile there will be a corresponding file in /etc/apparmor.d/cache/, e.g. if there is a profile /etc/apparmor/bin.ping there will be a cache file /etc/apparmor/cache/bin.ping.

To generate a cache entry for a profile use

  apparmor_parser -QW <profile>

The -W specifies to write out to the cache, -Q specifies not to load the profile at this time. You can drop the -Q if you want the profile to be loaded.

Once the cache file has been generated, apparmor will use that until it is detected as stale. When this happens it will recompile the profile, but not update the cache by default.

It will be possible to set updating the cache as default behavior in apparmor 2.7, and SUSE may want to consider doing that.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c8

--- Comment #8 from John Johansen <jrjohansen@verizon.net> 2011-10-05 21:18:15 UTC ---
To turn profile caching on by default in AppArmor 2.7 (this does not work in earlier versions), add the line

  write-cache

to /etc/apparmor/parser.conf. See man apparmor_parser for more details.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c9

--- Comment #9 from John Johansen <jrjohansen@verizon.net> 2011-10-05 21:35:13 UTC ---
Oh, and a further note. The /etc/apparmor.d/cache directory must exist before the parser will create cache file entries.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c10

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     AssignedTo|jeffm@suse.com              |suse-beta@cboltz.de

--- Comment #10 from Christian Boltz <suse-beta@cboltz.de> 2011-10-06 01:14:56 CEST ---
... and funnily the parser doesn't warn if the cache directory doesn't exist (will be fixed soon, John promised to send a patch). So make sure to run mkdir /etc/apparmor/cache ;-)

I just tested caching on my factory system, which has only the upstream profiles. Time needed for "rcapparmor reload":
- without caching: 7.5s
- caching enabled, first run (= write the cache files): 10s
- caching enabled, next runs: 0.3 to 0.4s :-)

In other words: if the profiles are unchanged, caching makes loading the profiles 20 times faster :-)

Needless to say that I will enable caching by default in the apparmor package.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c11

--- Comment #11 from Ludwig Nussel <lnussel@suse.com> 2011-10-06 13:38:01 CEST ---
(In reply to comment #6)
> If you have an idea how to include the latest profiles in each binary package
> _automatically_, please tell me ;-)

You could introduce a noarch package that is only used for building. BuildRequire that in each package and copy the profile from there in %build. Another alternative would be to just skip profiles that refer to non-existing binaries during startup.
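The caching procedure from comments #7 to #10 (create the cache directory, add write-cache to parser.conf, precompile with apparmor_parser -QW, and let a timestamp comparison decide which entries are stale) together with the "skip profiles whose binary is absent" idea from comment #11, as an added shell example. This is not code from the bug report or from the AppArmor project. Assumptions not stated on the page: the 2.7-era default paths /etc/apparmor.d, /etc/apparmor.d/cache and /etc/apparmor/parser.conf (overridable through PROFILE_DIR, CACHE_DIR and PARSER_CONF so the helpers can be exercised against a scratch directory); a plain mtime comparison standing in for the parser's own staleness check, which also looks at other cues; and that a profile's header starts with its absolute attachment path, as the upstream profiles do.

```shell
#!/bin/sh
# Added example for bnc#689458; not code from the bug report or from AppArmor.
# Enables the precompiled-policy cache (comments #7-#10) and skips profiles
# whose binary is not installed (comment #11).
#
# Assumptions (not stated on the page): 2.7-era default paths. Override the
# three variables below to run the helpers against scratch directories.
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
CACHE_DIR="${CACHE_DIR:-/etc/apparmor.d/cache}"
PARSER_CONF="${PARSER_CONF:-/etc/apparmor/parser.conf}"

# True if parser.conf already has an uncommented "write-cache" line (comment #8).
conf_has_write_cache() {
    grep -Eq '^[[:space:]]*write-cache[[:space:]]*$' "$1" 2>/dev/null
}

# Turn cache writing on by default; idempotent, so safe to run from a %post.
enable_write_cache() {
    conf_has_write_cache "$1" && return 0
    printf '\n# keep the precompiled policy cache up to date (bnc#689458)\nwrite-cache\n' >> "$1"
}

# Cache entry for a profile: same basename under the cache directory (comment #7).
cache_file_for() {
    printf '%s/%s\n' "$CACHE_DIR" "$(basename "$1")"
}

# Prints "stale <profile>" if the cache entry is missing or older than the
# profile, "fresh <profile>" otherwise. A plain mtime comparison, which is
# only the first of the cues the real parser uses (assumption: good enough
# for a packaging script, not a replacement for the parser's own check).
cache_status() {
    prof="$1"
    entry="$(cache_file_for "$prof")"
    if [ ! -f "$entry" ] || [ "$prof" -nt "$entry" ]; then
        printf 'stale %s\n' "$prof"
    else
        printf 'fresh %s\n' "$prof"
    fi
}

# Attachment path from the profile header, e.g. "/usr/sbin/nscd {" -> /usr/sbin/nscd.
# Assumes the upstream style where the header line starts with the absolute path.
profile_attachment() {
    sed -n -E 's/^(\/[^[:space:]{]+).*/\1/p' "$1" | head -n 1
}

# Precompile every stale profile into the cache: -Q skips loading it into the
# kernel, -W writes the cache entry. Profiles whose binary is absent are
# skipped (comment #11). Needs a real apparmor_parser, so it is not run by default.
prime_cache() {
    mkdir -p "$CACHE_DIR"        # comment #9: the parser will not create it
    for prof_path in "$PROFILE_DIR"/*; do
        [ -f "$prof_path" ] || continue
        bin="$(profile_attachment "$prof_path")"
        if [ -n "$bin" ] && [ ! -e "$bin" ]; then
            printf 'skip %s (%s not installed)\n' "$prof_path" "$bin"
            continue
        fi
        case "$(cache_status "$prof_path")" in
            stale*) apparmor_parser -QW "$prof_path" ;;
        esac
    done
}

# Usage on a real host (as root): sh this_script.sh prime
if [ "${1:-}" = prime ]; then
    enable_write_cache "$PARSER_CONF"
    prime_cache
fi
```

The staleness helper deliberately reports a missing cache file as stale rather than failing, because, as comment #10 notes, the 2.7 parser itself stays silent when the cache directory is absent; a packaging script that relies on the cache being used should check for the directory and the entries explicitly rather than trust the parser to complain.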
https://bugzilla.novell.com/show_bug.cgi?id=689458#c12

--- Comment #12 from Ludwig Nussel <lnussel@suse.com> 2011-10-06 13:38:57 CEST ---
(In reply to comment #7)
> Currently precompiled policy is stored in /etc/apparmor.d/cache (Not the ideal
> place I know)

Certainly the wrong place. What about using /var/cache/apparmor?
https://bugzilla.novell.com/show_bug.cgi?id=689458#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-10 02:00:10 CEST ---
This is an autogenerated message for OBS integration:
This bug (689458) was mentioned in
https://build.opensuse.org/request/show/87208 Factory / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=689458#c14

--- Comment #14 from Christian Boltz <suse-beta@cboltz.de> 2011-10-10 12:25:15 CEST ---
(In reply to comment #12)
> (In reply to comment #7)
> > Currently precompiled policy is stored in /etc/apparmor.d/cache (Not the ideal
> > place I know)
> Certainly the wrong place. What about using /var/cache/apparmor?

That's what I use now. Upstream will probably also change the path to /var/cache/apparmor - but not in AppArmor 2.7. For 11.2 I'm using a symlink /etc/apparmor.d/cache -> /var/cache/apparmor.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c15

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|ASSIGNED                    |RESOLVED
     Resolution|                            |FIXED

--- Comment #15 from Christian Boltz <suse-beta@cboltz.de> 2011-10-19 14:17:41 CEST ---
(In reply to comment #14)
> That's what I use now. Upstream will probably also change the path to
> /var/cache/apparmor - but not in AppArmor 2.7. For 11.2 I'm using a symlink
> /etc/apparmor.d/cache -> /var/cache/apparmor.

s/11.2/12.1/ of course ;-)

That said: caching is enabled by default since a week in 12.1 Factory, which speeds up loading the AppArmor profiles extremely (see comment #10). I just forgot to close this bug report ;-)

There is of course still room for more improvements to save another 0.1 second, but that's well known upstream and probably nothing that I can fix in openSUSE.