Issue #1702 has been updated by seanmil.

File 0001-Refactoring-of-SELinux-functions-to-use-native-Ruby.patch added

After recalling a brief exchange with dlutter a little while ago I decided to 
try the native Ruby SELinux bindings to see what sort of a speed improvement I 
could get before diving into caching.  I was expecting a big boost, but not 
near what it turned out to be.  For 1000 files I saw a local puppet runtime go 
from ~7+ minutes to ~10 seconds.

There is one gotcha for the system calls: the only platform I know of which has 
the Ruby bindings packages is Fedora 9+.  dlutter said he would be willing to 
make the libselinux-ruby package a dependency in his RPMs, but I am not certain 
that offer extended to packaging and maintaining the libselinux-ruby package 
itself :).

In any case, this feels like a more correct approach than caching, given the 
option.  I want to talk with dlutter (and maybe Dan Walsh who wrote the Ruby 
bindings) and get their thoughts on how feasible it would be to package just 
the Ruby portion of the libselinux bindings on systems like RHEL/CentOS 
which already have libselinux for other languages.

This will also probably solve bug #1687, if we can solve the Ruby SELinux 
bindings problem on RHEL/CentOS 4 too.

Anyone interested in trying the patch should pull commit 
aac30b8ee900722b08dc55184bc176c3d7eb86e4 from my 0.24.x/bug/1702 branch at 
github or the attached patch.

I have tested it on my Fedora 9 laptop with and without the libselinux-ruby 
package installed and it seems to work correctly in both cases, but hasn't 
received any other testing yet.  I hope to try some wider testing tomorrow.

----------------------------------------
Bug #1702: SELinux code inefficiently makes syscalls to stat and matchpathcon
http://projects.reductivelabs.com/issues/show/1702

Author: ohookins
Status: Accepted
Priority: Normal
Assigned to: seanmil
Category: file
Target version: 0.24.7
Complexity: Unknown
Affected version: 0.24.6
Keywords: 


<pre>
debug: /File[/var/lib/puppet/clientbucket]/seluser: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/seluser: Found seluser default 
'system_u' for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/selrole: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/selrole: Found selrole default 
'object_r' for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/seltype: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/seltype: Found seltype default 
'var_lib_t' for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/selrange: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/selrange: Found selrange default '' 
for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/seluser: Executing '/usr/bin/stat -c 
%C /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/selrole: Executing '/usr/bin/stat -c 
%C /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/seltype: Executing '/usr/bin/stat -c 
%C /var/lib/puppet/clientbucket'
</pre>

The SELinux user, role and type are output from one invocation of either stat 
or matchpathcon:
<pre>
[EMAIL PROTECTED] ~]# /usr/bin/stat -c %C /var/lib/puppet/clientbucket
system_u:object_r:var_lib_t
[EMAIL PROTECTED] ~]# /usr/sbin/matchpathcon /var/lib/puppet/clientbucket
/var/lib/puppet/clientbucket    system_u:object_r:var_lib_t
</pre>

When the number of files that puppet has to touch grows significantly, the 
number of syscalls it is making on behalf of SELinux operations is growing a 
lot more (albeit, only linearly). These are only two examples but I think given 
the number of larger installations it is wise to think about the performance 
impact of running Puppet. I have noticed a significant increase in load on my 
clients after upgrading to 0.24.6 which has a lot more SELinux support.
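The context format quoted above, as an added Ruby example that is not code from the attached patch or from Puppet itself: it parses a full `user:role:type[:range]` context once and serves all four File parameters from that single result, instead of one matchpathcon or stat process per parameter as the debug log shows. The sample matchpathcon lines and the `SAMPLE_LOOKUP` stand-in are constructed for the example.

```ruby
# Added example (not from the patch or from Puppet): one context lookup per
# path instead of one external process per SELinux parameter.

SEL_PARAMS = %i[seluser selrole seltype selrange].freeze

# Split "user:role:type[:range]" into the four parameters. The MLS/MCS range
# may itself contain colons (e.g. "s0-s0:c0.c1023"), so cap at four fields;
# a missing range (as on the ticket's host) becomes "" to match the log.
def parse_context(context)
  user, role, type, range = context.to_s.strip.split(':', 4)
  raise ArgumentError, "malformed SELinux context: #{context.inspect}" if type.nil?
  { seluser: user, selrole: role, seltype: type, selrange: range.to_s }
end

# matchpathcon prints "<path><whitespace><context>"; stat -c %C prints only
# the context. Normalise a matchpathcon line to a bare context string.
def context_from_matchpathcon(line)
  _path, context = line.strip.split(/\s+/, 2)
  context
end

# One lookup per path; every parameter is then answered from the parsed hash.
def sel_defaults(path, lookup)
  parse_context(lookup.call(path))
end

# Contrast the per-parameter pattern in the log (a lookup for each of the four
# parameters) with a single lookup per path. `lookup` stands in for whatever
# produces the context (here a constructed table, not real syscalls).
# Returns [lookups_per_parameter, lookups_per_path].
def compare_lookup_counts(paths, lookup)
  per_param = 0
  paths.each do |p|
    SEL_PARAMS.each { |param| per_param += 1; parse_context(lookup.call(p)).fetch(param) }
  end
  per_path = 0
  paths.each { |p| per_path += 1; sel_defaults(p, lookup) }
  [per_param, per_path]
end

# Constructed stand-in for matchpathcon output, keyed by path (not real data).
SAMPLE_MATCHPATHCON = {
  '/var/lib/puppet/clientbucket' => "/var/lib/puppet/clientbucket\tsystem_u:object_r:var_lib_t",
  '/etc/puppet/puppet.conf'      => "/etc/puppet/puppet.conf\tsystem_u:object_r:etc_t",
}.freeze

SAMPLE_LOOKUP = ->(path) { context_from_matchpathcon(SAMPLE_MATCHPATHCON.fetch(path)) }
```

With the native bindings the `lookup` would be a library call rather than a spawned process, but the point here is the second factor: the four parameters never need more than one lookup per path.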

