Hello Sam, or anyone else affected, Accepted libseccomp into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.4.3-1ubuntu3.20.04.3 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-focal. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: libseccomp (Ubuntu Focal) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1861177 Title: seccomp_rule_add is very slow Status in snapd: Invalid Status in libseccomp package in Ubuntu: In Progress Status in libseccomp source package in Xenial: In Progress Status in libseccomp source package in Bionic: Fix Committed Status in libseccomp source package in Eoan: Fix Committed Status in libseccomp source package in Focal: Fix Committed Status in libseccomp source package in Groovy: In Progress Bug description: [IMPACT] There is a known and patched issue with version 2.4 of libseccomp where certain operations have a large performance regression. This is causing some packages that use libseccomp such as container orchestration systems to occasionally time out or otherwise fail under certain workloads. Please consider porting the patch into the various Ubuntu versions that have version 2.4 of libseccomp and into the backports. The performance patch from version 2.5 (yet to be released) applies cleanly on top of the 2.4 branch of libseccomp. For more information, and for a copy of the patch (which can also be cherry picked from the upstream libseccomp repos) see the similar Debian issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943913 Upstream issue : https://github.com/seccomp/libseccomp/issues/153 Upstream fix : https://github.com/seccomp/libseccomp/pull/180/ [Test Case] For this test case we use Docker on Ubuntu Groovy (20.10) : --> Current libseccomp version #dpkg -l | grep libseccomp ii libseccomp2:amd64 2.4.3-1ubuntu3 amd64 high level interface to Linux seccomp filter ## pull ubuntu image # docker pull ubuntu ## create a container # docker run --name test_seccomp -it 74435f89ab78 /bin/bash ## run test case # for i in `seq 1 40`; do (time sudo docker exec test_seccomp true &); done ... MAX TIME : real 0m10,319s user 0m0,018s sys 0m0,033s --> Patched libseccomp version # dpkg -l | grep libseccomp ii libseccomp2:amd64 2.4.3-1ubuntu4 amd64 high level interface to Linux seccomp filter # docker start test_seccomp ## run test case # for i in `seq 1 40`; do (time sudo docker exec test_seccomp true &); done ... MAX TIME : real 0m3,650s user 0m0,025s sys 0m0,028s [Regression Potential] The first of the 2 patches cleans up the code that adds rules to a single filter without changing the logic of the code. The second patch introduces the idea of shadow transactions. On a successful transaction commit the old transaction checkpoint is preserved and is brought up to date with the current filter. The next time a new transaction starts, it checks is the a shadow transaction exist and if so the shadow is used instead of creating a new checkpoint from scratch [1]. This is the patch that mitigates the performance regression. Any potential regression will involve the parts of the code that add rules to filters and/or the code that creates and checks the shadow transactions. [Other] Affected releases : Groovy, Focal, Eoan, Bionic, Xenial. [1] https://github.com/seccomp/libseccomp/pull/180/commits/bc3a6c0453b0350ee43e4925482f705a2fbf5a4d To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1861177/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
