
touch-packages team mailing list archive

[Bug 1350598] Re: AppArmor policy compile improvements

 

Adding 'canonical-devices-system-image' for the UX improvement work:
"For Ubuntu Touch/Personal system-image based systems, investigate ways
to utilize the update tarball and compile policy before rebooting to
improve the user experience"

** Description changed:

  apparmor_parser can take a long time to compile policy especially when there is a lot of policy, so we want to utilize compiled cache profile as much as possible. Cache files will have to be regenerated in the following cases:
   * the kernel .features file is updated (eg, new features are added to
     apparmor in the new kernel)
   * apparmor itself is updated
   * on devices with click packages, apparmor-easyprof-ubuntu and/or
     click-apparmor is updated
  
  As of 2014-10-02, what can be expected is:
  
  - Systems with system-image updates (eg, Ubuntu Touch):
    - First boot will use the precompiled cache files in the rootfs or custom
      tarball and be fast
    - Reboots will use the cache files on the device and be fast
    - First boots after upgrades will use the cache files on the device if the
      above conditions are not met and be fast
    - Production devices will not meet any of those conditions except under
      exceptional and rare circumstances (eg, major OS upgrades like 14.10 to
      15.04) and be fast
    - First boots after upgrades that meet one of the conditions will need to
      regenerate the cache. This can happen on development releases where the
      kernel features file, apparmor, apparmor-easyprof-ubuntu or
      click-apparmor are still under development and getting updates
  - Systems with apt updates (eg, current Ubuntu Desktop and Server):
    - First boot will compile cache files
    - Reboots will use the cache files on the machine and be fast
    - First boots after upgrades will use the cache files on the machine if the
      above conditions are not met and be fast
    - Stable releases of Ubuntu will not meet any of those conditions except
      under exceptional and rare circumstances (eg, major OS upgrades like
      14.10 to 15.04) and be fast
    - First boots after upgrades that meet one of the above conditions will
      need to regenerate the cache. This can happen on development releases
      where the kernel features file, apparmor, apparmor-easyprof-ubuntu or
      click-apparmor are still under development and getting updates
  
  In addition to the above, updates to only apparmor-easyprof-ubuntu will
  regenerate the cache files for only the policy that is affected (eg, if
  there is a change to the location policy group in policy version 1.2,
  only apps using this policy version and this policy group will need to
  be recompiled).
  
  Planned improvements (in order of most likely to be done first):
  1. Finetuning the checks to invalidate the cache (eg, .md5sums could only
     be for /etc/apparmor.d/abstractions, ...): WONTFIX (will want an
     md5sum on apparmor_parser since it could change the cache and the md5sum
     will always change. Furthermore, apparmor-easyprof-ubuntu is all policy
     so there is no gain there. click-apparmor could possibly benefit, but
     it doesn't change often and when it does, it is typically for policy)
  2. Investigate ways to utilize the custom tarball and rootfs precompiled
     cache files on upgrades when apparmor, apparmor-easyprof-ubuntu and
     click-apparmor are updated: DONE
  3. Improve cache handling for app store apps (eg, having the app store
     server precompile them so that the device can download them when it
     needs to rather than having to regenerate them itself): WONTFIX
     (doesn't scale)
  4. For systems with apt upgrades, compile the policy either during
     install or on kernel upgrade rather than on boot. For systems with
     read-only fs-style upgrades, compile the policy prior to reboot
     rather than on boot.
  5. Support cache files per kernel .features file (or kernel version).
     This will allow people to boot into a previous kernel without having
     to recompile policy
  6. Improve parser compile time
  7. Investigate how to utilize profile composition and profile stacking to
     decrease compile and load times (eg, one idea is that the policy template
     is compiled once and each policy group once such that the parser need
     only stitch the already compiled bits together)
+ 8. For Ubuntu Touch/Personal system-image based systems, investigate ways 
+    to utilize the update tarball and compile policy before rebooting to
+    improve the user experience
  
  Work is planned for the medium term for '1-3' with '4' and '5' coming as
  needed. '6' will of course help, but it is already very optimized and
  compile average ~2 seconds on armhf per profile (note: already faster
  than Android's 'optimizing apps' per app on a nexus 7) -- if we cut that
  in half a typical user with 300 apps would still have to wait 300
  seconds so other techniques like '2' should be employed. '6' and '7'
- will be handled in the long term. '8' can be implemented now to improve
- the user experience.
+ will be handled in the long term.
+ 
+ '8' can be implemented now to improve the user experience:
+ "
+ > Sorry for not being clear. The idea is that when the phone says that 
+ > there is an update, the user has to tap 'Install and Reboot'.  The idea > is that before reboot (and therefore still in the unity8 session), we
+ > look inside what is downloaded, see if there are any policy changes.  If 
+ > there are, we extract them and then compile policy with a progress 
+ > meter.  The question I posed to you is how hard is it to look inside (or 
+ > provide a manifest of changed packages) and extract what is needed to 
+ > compile policy?
+ 
+ Ok.  The update is available as a set of tarballs, available in a fixed
+ directory.  It should be straightforward to check whether any of those
+ tarballs contains files matching a particular path.  If you want to know
+ whether particular packages have changed, that would be a matter of
+ extracting the dpkg database and comparing.  (We don't otherwise track the
+ packagewise delta between the images.)
+ 
+ A partial extraction of the tarball based on particular filenames is a
+ simple matter of tar arguments."
+ 
  
  Original description:
  Just updated my Nexus 7 2013 from #160 to #161. It's been sat at the Google logo for 15 minutes now. It looks and feels like it's hung. As a user I'd be rebooting it thinking it had crashed by now. I shell in and find apparmor_parser  using a lot of cpu for a long time.
  
  top - 00:14:01 up 15 min,  2 users,  load average: 5.12, 4.85, 3.21
  Tasks: 202 total,   2 running, 200 sleeping,   0 stopped,   0 zombie
  %Cpu(s): 50.5 us,  0.8 sy,  0.0 ni, 48.5 id,  0.2 wa,  0.0 hi,  0.0 si,  0.0 st
  KiB Mem:   1848024 total,   787400 used,  1060624 free,    54216 buffers
  KiB Swap:    32764 total,        0 used,    32764 free.   579228 cached Mem
  
    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
   1970 root      20   0    4976   3652    852 R  99.8  0.2  14:31.04 apparmor_parser
   2596 phablet   20   0    5996   1264    824 R   1.3  0.1   0:08.79 top
    914 root       0 -20    7572    552    396 S   0.7  0.0   0:05.02 mpdecision
     21 root      20   0       0      0      0 S   0.3  0.0   0:00.92 kworker/0:1
    229 root      20   0       0      0      0 S   0.3  0.0   0:00.10 jbd2/mmcblk0p30
    982 root      20   0   38856   1164    868 S   0.3  0.1   0:01.77 adbd
   2570 phablet   20   0   10540   1456    692 S   0.3  0.1   0:02.30 sshd
      1 root      20   0    3884   2648   1068 S   0.0  0.1   0:05.98 init
      2 root      -2   0       0      0      0 S   0.0  0.0   0:00.01 kthreadd
      3 root      20   0       0      0      0 S   0.0  0.0   0:00.04 ksoftirqd/0
  
  ... it eventually finished after 18 minutes.
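Review bot: the new item 8 ("For Ubuntu Touch/Personal system-image based systems, investigate ways to utilize the update tarball and compile policy before rebooting") overlaps with the second sentence already in item 4 ("For systems with read-only fs-style upgrades, compile the policy prior to reboot rather than on boot"); state in item 8 that it is the concrete mechanism for that part of item 4, or fold it in, so the list does not carry the same work twice. The quoted exchange added below it also has a quote marker joined mid-line ("The idea > is that before reboot"), which should be split back onto its own "> " line.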

** Also affects: canonical-devices-system-image
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1350598

Title:
  AppArmor policy compile improvements

Status in AppArmor Linux application security framework:
  Triaged
Status in the base for Ubuntu mobile products:
  New
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  apparmor_parser can take a long time to compile policy especially when there is a lot of policy, so we want to utilize compiled cache profile as much as possible. Cache files will have to be regenerated in the following cases:
   * the kernel .features file is updated (eg, new features are added to
     apparmor in the new kernel)
   * apparmor itself is updated
   * on devices with click packages, apparmor-easyprof-ubuntu and/or
     click-apparmor is updated
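
The three invalidation conditions above, as an added example (not code from the bug report or from apparmor's packaging): after a compile it snapshots the kernel features file and the dpkg .md5sums lists of the three packages beside the cache, and on later boots reports which condition changed. The snapshot file names, the use of dpkg's <pkg>.md5sums as the package-change signal, and the constructed file contents are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path
# dpkg packages whose update invalidates the cache (the bug's conditions 2 and 3;
# the last two only exist on devices with click packages).
POLICY_PACKAGES = ("apparmor", "apparmor-easyprof-ubuntu", "click-apparmor")

def _digest(path):
    """SHA-256 of a file, or None when it is absent (no snapshot taken yet)."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def cache_stale_reasons(features_file, cache_dir, dpkg_info_dir):
    """Conditions that force a recompile; an empty list means the cache can be reused."""
    reasons = []
    # Condition 1: kernel feature set differs from the snapshot the cache was built with.
    if _digest(features_file) != _digest(cache_dir / ".features"):
        reasons.append("kernel .features changed")
    # Conditions 2 and 3: a changed <pkg>.md5sums means a new package version was installed.
    for pkg in POLICY_PACKAGES:
        current = dpkg_info_dir / f"{pkg}.md5sums"
        if current.is_file() and _digest(current) != _digest(cache_dir / f".{pkg}.md5sums"):
            reasons.append(f"{pkg} updated")
    return reasons

def record_cache_state(features_file, cache_dir, dpkg_info_dir):
    """After a successful compile, snapshot the inputs so later boots can skip it."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    (cache_dir / ".features").write_bytes(features_file.read_bytes())
    for pkg in POLICY_PACKAGES:
        current = dpkg_info_dir / f"{pkg}.md5sums"
        if current.is_file():
            (cache_dir / f".{pkg}.md5sums").write_bytes(current.read_bytes())

def demo():
    """Constructed sequence: first boot, reboot, kernel update, then a policy update."""
    root = Path(tempfile.mkdtemp())
    features, cache, info = root / "features", root / "cache", root / "dpkg-info"
    info.mkdir()
    features.write_text("file {\nmask {read write}\n}\n")  # constructed features file
    (info / "apparmor.md5sums").write_text("0123  sbin/apparmor_parser\n")
    (info / "apparmor-easyprof-ubuntu.md5sums").write_text("4567  policygroups/1.2/location\n")
    first_boot = cache_stale_reasons(features, cache, info)
    record_cache_state(features, cache, info)
    reboot = cache_stale_reasons(features, cache, info)
    features.write_text("file {\nmask {read write exec}\n}\n")  # new kernel, new features
    new_kernel = cache_stale_reasons(features, cache, info)
    record_cache_state(features, cache, info)
    (info / "apparmor-easyprof-ubuntu.md5sums").write_text("89ab  policygroups/1.2/location\n")
    return first_boot, reboot, new_kernel, cache_stale_reasons(features, cache, info)
```

Only the apparmor-easyprof-ubuntu change is reported in the last step, which is the case the description says should recompile just the affected policy rather than the whole cache.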

  As of 2014-10-02, what can be expected is:

  - Systems with system-image updates (eg, Ubuntu Touch):
    - First boot will use the precompiled cache files in the rootfs or custom
      tarball and be fast
    - Reboots will use the cache files on the device and be fast
    - First boots after upgrades will use the cache files on the device if the
      above conditions are not met and be fast
    - Production devices will not meet any of those conditions except under
      exceptional and rare circumstances (eg, major OS upgrades like 14.10 to
      15.04) and be fast
    - First boots after upgrades that meet one of the conditions will need to
      regenerate the cache. This can happen on development releases where the
      kernel features file, apparmor, apparmor-easyprof-ubuntu or
      click-apparmor are still under development and getting updates
  - Systems with apt updates (eg, current Ubuntu Desktop and Server):
    - First boot will compile cache files
    - Reboots will use the cache files on the machine and be fast
    - First boots after upgrades will use the cache files on the machine if the
      above conditions are not met and be fast
    - Stable releases of Ubuntu will not meet any of those conditions except
      under exceptional and rare circumstances (eg, major OS upgrades like
      14.10 to 15.04) and be fast
    - First boots after upgrades that meet one of the above conditions will
      need to regenerate the cache. This can happen on development releases
      where the kernel features file, apparmor, apparmor-easyprof-ubuntu or
      click-apparmor are still under development and getting updates

  In addition to the above, updates to only apparmor-easyprof-ubuntu
  will regenerate the cache files for only the policy that is affected
  (eg, if there is a change to the location policy group in policy
  version 1.2, only apps using this policy version and this policy group
  will need to be recompiled).

  Planned improvements (in order of most likely to be done first):
  1. Fine-tuning the checks to invalidate the cache (eg, .md5sums could only
     be for /etc/apparmor.d/abstractions, ...): WONTFIX (will want an
     md5sum on apparmor_parser since it could change the cache and the md5sum
     will always change. Furthermore, apparmor-easyprof-ubuntu is all policy
     so there is no gain there. click-apparmor could possibly benefit, but
     it doesn't change often and when it does, it is typically for policy)
  2. Investigate ways to utilize the custom tarball and rootfs precompiled
     cache files on upgrades when apparmor, apparmor-easyprof-ubuntu and
     click-apparmor are updated: DONE
  3. Improve cache handling for app store apps (eg, having the app store
     server precompile them so that the device can download them when it
     needs to rather than having to regenerate them itself): WONTFIX
     (doesn't scale)
  4. For systems with apt upgrades, compile the policy either during
     install or on kernel upgrade rather than on boot. For systems with
     read-only fs-style upgrades, compile the policy prior to reboot
     rather than on boot.
  5. Support cache files per kernel .features file (or kernel version).
     This will allow people to boot into a previous kernel without having
     to recompile policy
  6. Improve parser compile time
  7. Investigate how to utilize profile composition and profile stacking to
     decrease compile and load times (eg, one idea is that the policy template
     is compiled once and each policy group once such that the parser need
     only stitch the already compiled bits together)
  8. For Ubuntu Touch/Personal system-image based systems, investigate ways 
     to utilize the update tarball and compile policy before rebooting to
     improve the user experience

  Work is planned for the medium term for '1-3' with '4' and '5' coming
  as needed. '6' will of course help, but the parser is already very
  optimized and compiles take ~2 seconds on average per profile on armhf
  (note: already faster than Android's 'optimizing apps' per app on a
  Nexus 7) -- if we cut that in half a typical user with 300 apps would
  still have to wait 300 seconds, so other techniques like '2' should be
  employed. '6' and '7' will be handled in the long term.

  '8' can be implemented now to improve the user experience:
  "
  > Sorry for not being clear. The idea is that when the phone says that 
  > there is an update, the user has to tap 'Install and Reboot'.  The idea
  > is that before reboot (and therefore still in the unity8 session), we
  > look inside what is downloaded, see if there are any policy changes.  If 
  > there are, we extract them and then compile policy with a progress 
  > meter.  The question I posed to you is how hard is it to look inside (or 
  > provide a manifest of changed packages) and extract what is needed to 
  > compile policy?

  Ok.  The update is available as a set of tarballs, available in a fixed
  directory.  It should be straightforward to check whether any of those
  tarballs contains files matching a particular path.  If you want to know
  whether particular packages have changed, that would be a matter of
  extracting the dpkg database and comparing.  (We don't otherwise track the
  packagewise delta between the images.)

  A partial extraction of the tarball based on particular filenames is a
  simple matter of tar arguments."
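
The check and partial extraction described in the reply above, as an added example using Python's tarfile module instead of tar arguments (not code from the bug report or from system-image): for each tarball in the update directory it lists the members that carry policy and unpacks only those into a staging directory for a pre-reboot compile, refusing any member whose path would land outside that directory. The "system/" rootfs prefix, the two policy prefixes and the constructed tarballs are assumptions for the example.

```python
import io
import tarfile
import tempfile
from pathlib import Path

# Member prefixes that carry policy. Assumption: system-image update tarballs hold
# the rootfs under "system/", with policy in apparmor.d and the easyprof policy tree.
POLICY_PREFIXES = ("system/etc/apparmor.d/", "system/usr/share/apparmor/easyprof/")

def policy_members(tar):
    """Regular-file members of an open TarFile that live under a policy prefix."""
    return [m for m in tar.getmembers()
            if m.isfile() and m.name.startswith(POLICY_PREFIXES)]

def extract_policy(tar_path, dest):
    """Partial extraction of just the policy members; returns their names (empty
    means no policy changed, so the pre-reboot compile can be skipped). Members
    whose resolved path would escape dest are refused: this runs in the live session."""
    dest = Path(dest).resolve()
    extracted = []
    with tarfile.open(tar_path) as tar:
        for m in policy_members(tar):
            target = (dest / m.name).resolve()
            if dest not in target.parents:
                raise ValueError(f"refusing member outside destination: {m.name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(m.name)
    return extracted

def build_update_tarball(path, members):
    """Write a constructed tarball from {member name: bytes}; it stands in for a
    downloaded system-image update tarball."""
    with tarfile.open(path, "w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def demo():
    """Constructed update directory: one tarball with a policy change, one without."""
    root = Path(tempfile.mkdtemp())
    build_update_tarball(root / "ubuntu.tar", {
        "system/usr/bin/unrelated": b"\x7fELF",
        "system/usr/share/apparmor/easyprof/policygroups/ubuntu/1.2/location": b"# location\n",
    })
    build_update_tarball(root / "device.tar", {"system/lib/firmware/blob": b"\x00"})
    return {t.name: extract_policy(t, root / "staging") for t in sorted(root.glob("*.tar"))}
```

The staging directory then holds only the changed policy, which is what apparmor_parser would be pointed at before the user's "Install and Reboot" takes effect.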

  
  Original description:
  Just updated my Nexus 7 2013 from #160 to #161. It's been sat at the Google logo for 15 minutes now. It looks and feels like it's hung. As a user I'd be rebooting it thinking it had crashed by now. I shell in and find apparmor_parser using a lot of cpu for a long time.

  top - 00:14:01 up 15 min,  2 users,  load average: 5.12, 4.85, 3.21
  Tasks: 202 total,   2 running, 200 sleeping,   0 stopped,   0 zombie
  %Cpu(s): 50.5 us,  0.8 sy,  0.0 ni, 48.5 id,  0.2 wa,  0.0 hi,  0.0 si,  0.0 st
  KiB Mem:   1848024 total,   787400 used,  1060624 free,    54216 buffers
  KiB Swap:    32764 total,        0 used,    32764 free.   579228 cached Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
   1970 root      20   0    4976   3652    852 R  99.8  0.2  14:31.04 apparmor_parser
   2596 phablet   20   0    5996   1264    824 R   1.3  0.1   0:08.79 top
    914 root       0 -20    7572    552    396 S   0.7  0.0   0:05.02 mpdecision
     21 root      20   0       0      0      0 S   0.3  0.0   0:00.92 kworker/0:1
    229 root      20   0       0      0      0 S   0.3  0.0   0:00.10 jbd2/mmcblk0p30
    982 root      20   0   38856   1164    868 S   0.3  0.1   0:01.77 adbd
   2570 phablet   20   0   10540   1456    692 S   0.3  0.1   0:02.30 sshd
      1 root      20   0    3884   2648   1068 S   0.0  0.1   0:05.98 init
      2 root      -2   0       0      0      0 S   0.0  0.0   0:00.01 kthreadd
      3 root      20   0       0      0      0 S   0.0  0.0   0:00.04 ksoftirqd/0

  ... it eventually finished after 18 minutes.
