sts-sponsors team mailing list archive
-
sts-sponsors team
-
Mailing list archive
-
Message #01979
[Bug 1861177] Re: seccomp_rule_add is very slow
As discussed on IRC, I have reviewed all the SRUs. They looked correct
from my POV (although I guess I'd appreciate a second opinion from the
security team).
Since we want to include those in the -security pockets as well, I have
uploaded all of them to a security-only Bileto PPA. I have confirmed via
the build logs that only -security is enabled. The PPA can be found
here:
https://launchpad.net/~ci-train-ppa-
service/+archive/ubuntu/4143/+packages
Once the packages build correctly, I will bin-copy them to -proposed and
remove the source uploads from the upload queues.
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1861177
Title:
seccomp_rule_add is very slow
Status in snapd:
Invalid
Status in libseccomp package in Ubuntu:
In Progress
Status in libseccomp source package in Xenial:
In Progress
Status in libseccomp source package in Bionic:
In Progress
Status in libseccomp source package in Eoan:
In Progress
Status in libseccomp source package in Focal:
In Progress
Status in libseccomp source package in Groovy:
In Progress
Bug description:
[IMPACT]
There is a known and patched issue with version 2.4 of libseccomp where certain operations have a large performance regression. This is causing some packages that use libseccomp such as container orchestration systems to occasionally time out or otherwise fail under certain workloads.
Please consider porting the patch into the various Ubuntu versions
that have version 2.4 of libseccomp and into the backports. The
performance patch from version 2.5 (yet to be released) applies
cleanly on top of the 2.4 branch of libseccomp.
For more information, and for a copy of the patch (which can also be
cherry picked from the upstream libseccomp repos) see the similar
Debian issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943913
Upstream issue : https://github.com/seccomp/libseccomp/issues/153
Upstream fix : https://github.com/seccomp/libseccomp/pull/180/
[Test Case]
For this test case we use Docker on Ubuntu Groovy (20.10) :
--> Current libseccomp version
#dpkg -l | grep libseccomp
ii libseccomp2:amd64 2.4.3-1ubuntu3 amd64 high level interface to Linux seccomp filter
## pull ubuntu image
# docker pull ubuntu
## create a container
# docker run --name test_seccomp -it 74435f89ab78 /bin/bash
## run test case
# for i in `seq 1 40`; do (time sudo docker exec test_seccomp true &); done
...
MAX TIME :
real 0m10,319s
user 0m0,018s
sys 0m0,033s
--> Patched libseccomp version
# dpkg -l | grep libseccomp
ii libseccomp2:amd64 2.4.3-1ubuntu4 amd64 high level interface to Linux seccomp filter
# docker start test_seccomp
## run test case
# for i in `seq 1 40`; do (time sudo docker exec test_seccomp true &); done
...
MAX TIME :
real 0m3,650s
user 0m0,025s
sys 0m0,028s
[Regression Potential]
The first of the 2 patches cleans up the code that adds rules to a
single filter without changing the logic of the code. The second patch
introduces the idea of shadow transactions. On a successful
transaction commit the old transaction checkpoint is preserved and is
brought up to date with the current filter. The next time a new
transaction starts, it checks is the a shadow transaction exist and if
so the shadow is used instead of creating a new checkpoint from
scratch [1]. This is the patch that mitigates the performance
regression. Any potential regression will involve the parts of the
code that add rules to filters and/or the code that creates and checks
the shadow transactions.
[Other]
Affected releases : Groovy, Focal, Eoan, Bionic, Xenial.
[1]
https://github.com/seccomp/libseccomp/pull/180/commits/bc3a6c0453b0350ee43e4925482f705a2fbf5a4d
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1861177/+subscriptions
