So yes that does appear to be part of it. I pulled your profile and
tested just a compile

    time apparmor_parser -QT -D dfa-stats /tmp/layouts-test-1.txt
    Created dfa: states 16780 proto { cache: size=16780 dups=36386 longest=1244 avg=6 }, nnodes { cache: size=16761 dups=36405 longest=1243 avg=5 }, anodes { cache: size=11 dups=35437 longest=2 avg=1 }
    Minimized dfa: final partitions 699 (accept 73) init 8 (accept 7)
    Created dfa: states 34473 proto { cache: size=34473 dups=21674 longest=598 avg=7 }, nnodes { cache: size=34468 dups=21679 longest=598 avg=7 }, anodes { cache: size=6 dups=4992 longest=2 avg=1 }
    Minimized dfa: final partitions 27273 (accept 2095) init 4 (accept 3)

    real 0m27.084s
    user 0m26.735s
    sys 0m0.348s

which is quite slow, but can happen for big profiles. With Valgrind
--tool=massif reporting a peak heap usage of 884.5MB

However Ubuntu defaults to using -O no-expr-simplify because it can
speed up small profiles. With that I get

    time apparmor_parser -QT -D dfa-stats -O no-expr-simplify /tmp/layouts-test-1.txt
    Created dfa: states 40915 proto { cache: size=40915 dups=83997 longest=4870 avg=9 }, nnodes { cache: size=40633 dups=84279 longest=4869 avg=8 }, anodes { cache: size=11 dups=82787 longest=2 avg=1 }
    Minimized dfa: final partitions 699 (accept 73) init 8 (accept 7)
    Created dfa: states 44769 proto { cache: size=44769 dups=28309 longest=33583 avg=226 }, nnodes { cache: size=44495 dups=28583 longest=33583 avg=226 }, anodes { cache: size=6 dups=8500 longest=2 avg=1 }
    Minimized dfa: final partitions 27273 (accept 2095) init 4 (accept 3)

    real 0m45.947s
    user 0m39.770s
    sys 0m6.166s

with valgrind --tool=massif reporting a peak usage of 15.4 GB

ouch

and that isn't the worst of it, because the initscripts run multiple
compiles in parallel. Mind you most compiles only take a few MB, but
still all of that happening at the same time puts a lot of pressure on
the system.
--
https://bugs.launchpad.net/bugs/1830502
Title:
apparmor fails to start with no parser errors
Status in apparmor package in Ubuntu:
New
Bug description:
On Ubuntu 18.04.2 LTS Desktop, after running out of space on my disk,
my system was unable to finish booting and I had to go into recovery
mode and remove a number of files before the system would boot. After
doing so I discovered that now the apparmor.service systemd unit
always fails to start. I see this in dmesg:

    [ 1066.975360] Out of memory: Kill process 6799 (apparmor_parser) score 796 or sacrifice child
    [ 1066.975364] Killed process 6799 (apparmor_parser) total-vm:15057348kB, anon-rss:15046148kB, file-rss:0kB, shmem-rss:0kB
    [ 1067.406595] oom_reaper: reaped process 6799 (apparmor_parser), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB

Whenever apparmor.service is attempted to be started by systemd, i.e.
either on boot, or later with `systemctl start apparmor`.
The log from journalctl doesn't show any actual issues with any
profiles just this:

    -- Reboot --
    May 25 17:00:58 systemd[1]: Starting AppArmor initialization...
    May 25 17:00:58 apparmor[1521]: * Starting AppArmor profiles
    May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
    May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
    May 25 17:01:40 apparmor[1521]: ...fail!
    May 25 17:01:40 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
    May 25 17:01:40 systemd[1]: apparmor.service: Failed with result 'exit-code'.
    May 25 17:01:40 systemd[1]: Failed to start AppArmor initialization.
    May 25 17:04:53 systemd[1]: Starting AppArmor initialization...
    May 25 17:04:53 apparmor[4747]: * Starting AppArmor profiles
    May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
    May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
    May 25 17:05:25 apparmor[4747]: ...fail!
    May 25 17:05:25 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
    May 25 17:05:25 systemd[1]: apparmor.service: Failed with result 'exit-code'.
    May 25 17:05:25 systemd[1]: Failed to start AppArmor initialization.

I can see that apparmor profiles are active after doing this (using
aa-status), but it's still troubling that apparmor runs into an issue
without actually saying what the error is.
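
An added example, not part of the original bug report or of AppArmor: the journal above shows only "...fail!", so this Python check pulls OOM kills of apparmor_parser out of dmesg text, rejoining lines wrapped the way the e-mail wrapped them, and converts the resident size to GB for comparison with the massif peak quoted in the comment. The function names and the `example_proc` record are constructed for illustration.

```python
import re

# Constructed sample: the dmesg lines quoted in the bug description, wrapped
# as in the e-mail, plus one made-up unrelated kill (example_proc) for contrast.
SAMPLE_DMESG = """\
[ 1066.975360] Out of memory: Kill process 6799 (apparmor_parser) score 796
or sacrifice child
[ 1066.975364] Killed process 6799 (apparmor_parser) total-vm:15057348kB,
anon-rss:15046148kB, file-rss:0kB, shmem-rss:0kB
[ 1067.406595] oom_reaper: reaped process 6799 (apparmor_parser), now
anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
[ 2001.000001] Killed process 7001 (example_proc) total-vm:204800kB,
anon-rss:102400kB, file-rss:0kB, shmem-rss:0kB
"""

STAMP = re.compile(r"\[\s*\d+\.\d+\]")
KILLED = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\) "
    r"total-vm:(?P<vm_kb>\d+)kB, anon-rss:(?P<rss_kb>\d+)kB"
)

def unwrap(text):
    """Rejoin wrapped records: a line without a leading '[ seconds]' stamp
    is treated as the continuation of the previous line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def oom_kills(text, comm="apparmor_parser"):
    """Return one dict per OOM kill of `comm`, with sizes in bytes."""
    kills = []
    for record in unwrap(text):
        m = KILLED.match(record)
        if m and m["comm"] == comm:
            kills.append({"uptime_s": float(m["ts"]), "pid": int(m["pid"]),
                          "vm_bytes": int(m["vm_kb"]) * 1024,  # kernel kB = KiB
                          "rss_bytes": int(m["rss_kb"]) * 1024})
    return kills

def peak_rss_gb(kills):
    """Largest resident size among the kills, in decimal GB (0.0 if none)."""
    return max((k["rss_bytes"] for k in kills), default=0) / 1e9

if __name__ == "__main__":
    for k in oom_kills(SAMPLE_DMESG):
        print(f"pid {k['pid']}: rss {k['rss_bytes'] / 1e9:.1f} GB at kill")
```
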