[Bug 689458] New: boot.apparmor needs long time to start
https://bugzilla.novell.com/show_bug.cgi?id=689458
https://bugzilla.novell.com/show_bug.cgi?id=689458#c0

Summary: boot.apparmor needs long time to start
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: i586
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: devzero@web.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

apparently, loading the apparmor profiles on boot is dead slow. ok, my system is slow (800mhz via cpu), too, but there is not a single boot script which is THAT slow like apparmor. script needs about half a minute to finish. looking at that with strace there is not shown anything suspicious, seems the parser is just burning much cpu or whatever. room for optimization ?

Reproducible: Always

Steps to Reproduce: 1. 2. 3.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c1
Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=689458#c2
--- Comment #2 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=689458#c3
--- Comment #3 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=689458#c4
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=689458#c5
Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=689458#c6
--- Comment #6 from Christian Boltz
> a) move profiles into the actual packages where the binaries are
That would cause a maintenance hell :-( I spent several evenings to push lots of openSUSE profile patches upstream. The profiles in the apparmor-profiles package are directly taken from upstream (one or two are still patched). I also unified the profile for /usr/sbin/nscd which was shipped in the nscd/unscd packages before - I merged the differences and moved it back to the apparmor-profiles package. The nscd profile(s) already showed the (IMHO usual) problem with having a profile in the same package as the binary: it gets outdated and doesn't get updates from upstream (for example /var/run vs. /run was solved upstream, but not in the *nscd package). Moving each profile to the package with the binary would mean that each of those packages would need to include updated profiles from upstream on new apparmor releases - and I'm afraid most would forget to do it and ship outdated profiles. If you have an idea how to include the latest profiles in each binary package _automatically_, please tell me ;-)
> or create subpackages that supplement them.
This would result in about 20 subpackages for /etc/apparmor.d/*, most of them with only one file. I'd guess those packages would need more space in the rpm database than in /etc/ ;-)
> b) speed up apparmor_parser

That's an ongoing task upstream, and there were big improvements since the 2.3 release. But yes, there's still lots of room for optimization ;-)

John just told me in #apparmor that several patches are in the works (including a rewrite of the code where most dynamic casts are), but they won't make it into apparmor 2.7. He'll probably add a comment with more details soon.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c7
John Johansen
https://bugzilla.novell.com/show_bug.cgi?id=689458#c8
--- Comment #8 from John Johansen
https://bugzilla.novell.com/show_bug.cgi?id=689458#c9
--- Comment #9 from John Johansen
https://bugzilla.novell.com/show_bug.cgi?id=689458#c10
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=689458#c11
--- Comment #11 from Ludwig Nussel
> If you have an idea how to include the latest profiles in each binary package _automatically_, please tell me ;-)

You could introduce a noarch package that is only used for building. BuildRequire that in each package and copy the profile from there in %build.

Another alternative would be to just skip profiles that refer to non-existing binaries during startup.
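
The second suggestion in comment #11 (skip profiles whose binary is not installed), as an added example that is not code from boot.apparmor, the AppArmor project or anyone in this thread. It assumes only simple profile headers and hypothetical function names, and it loads anything it cannot check, because a skipped profile leaves its binary unconfined if that binary is installed later.

```shell
#!/bin/sh
# Added example: not code from boot.apparmor or the AppArmor project.
# Recognised header forms (an assumption; real profile syntax is richer):
#   /abs/path {    /abs/path flags=(...) {    profile [name] /abs/path {

# attachment_paths FILE: print the path from each recognised profile header.
attachment_paths() {
    sed -n -E 's@^[[:space:]]*(profile[[:space:]]+([^/[:space:]][^[:space:]]*[[:space:]]+)?)?(/[^[:space:]{]+)[[:space:]].*\{[[:space:]]*$@\3@p' "$1"
}

# should_load FILE [ROOT]: succeed unless every header in FILE names a
# literal path that does not exist under ROOT (ROOT is for testing only).
should_load() {
    local paths p
    paths=$(attachment_paths "$1")
    # No header we understand: load it rather than silently drop confinement.
    [ -n "$paths" ] || return 0
    while IFS= read -r p; do
        # A glob cannot be settled with one existence check: load it.
        case $p in *'*'*|*'?'*|*'['*) return 0 ;; esac
        [ -e "${2:-}$p" ] && return 0
    done <<EOF
$paths
EOF
    return 1
}

# loadable_profiles DIR [ROOT]: print the profile files worth parsing.
loadable_profiles() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if should_load "$f" "${2:-}"; then printf '%s\n' "$f"; fi
    done
}
```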
https://bugzilla.novell.com/show_bug.cgi?id=689458#c12
--- Comment #12 from Ludwig Nussel
> Currently precompiled policy is stored in /etc/apparmor.d/cache (Not the ideal place I know)

Certainly the wrong place. What about using /var/cache/apparmor?
https://bugzilla.novell.com/show_bug.cgi?id=689458#c13
--- Comment #13 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=689458#c14
--- Comment #14 from Christian Boltz
(In reply to comment #7)
> > Currently precompiled policy is stored in /etc/apparmor.d/cache (Not the ideal place I know)
>
> Certainly the wrong place. What about using /var/cache/apparmor?

That's what I use now. Upstream will probably also change the path to /var/cache/apparmor - but not in AppArmor 2.7. For 11.2 I'm using a symlink /etc/apparmor.d/cache -> /var/cache/apparmor.
https://bugzilla.novell.com/show_bug.cgi?id=689458#c15
Christian Boltz
> That's what I use now. Upstream will probably also change the path to /var/cache/apparmor - but not in AppArmor 2.7. For 11.2 I'm using a symlink /etc/apparmor.d/cache -> /var/cache/apparmor.

s/11.2/12.1/ of course ;-)

That said: Caching has been enabled by default for a week in 12.1 Factory, which speeds up loading the AppArmor profiles extremely (see comment #10). I just forgot to close this bug report ;-)

There is of course still room for more improvements to save another 0.1 second, but that's well-known upstream and probably nothing that I can fix in openSUSE.