
snap-confine: ground work for homedirs support

Open mardy opened this issue 2 years ago • 2 comments

I ran some benchmarks to measure whether we would incur some performance degradation due to the bigger number of mount operations performed (from about 7 to 12, depending on the base snap). In all tests I changed should_discard_current_ns() to unconditionally return true, in order to avoid reusing the mount namespace; otherwise the performance would have been different only for the first execution of the program. The test:

time for i in $(seq 1 <iterations>); do hello-world; done

Results:

Iterations   without this branch     with this branch
1000         real 0m59,558s          real 0m59,441s
             user 0m22,969s          user 0m22,395s
             sys  0m41,064s          sys  0m42,292s
10000        real 9m53,376s          real 9m58,876s
             user 3m47,491s          user 3m45,534s
             sys  6m51,871s          sys  6m56,666s

I'm not sure how trustworthy these results are. But if it turns out that this branch imposes an undesired performance penalty, we can always decide to cache the mount namespace created with the base snap container, so, assuming that most snaps use the same base, the performance penalty would affect only the first one.

mardy avatar Feb 09 '22 11:02 mardy

Codecov Report

Merging #11367 (950094e) into master (2950172) will decrease coverage by 0.00%. The diff coverage is 0.00%.


@@            Coverage Diff             @@
##           master   #11367      +/-   ##
==========================================
- Coverage   78.34%   78.34%   -0.01%     
==========================================
  Files         931      931              
  Lines      107020   107024       +4     
==========================================
  Hits        83850    83850              
- Misses      17955    17959       +4     
  Partials     5215     5215              
Flag        Coverage Δ
unittests   78.34% <0.00%> (-0.01%) ↓


Impacted Files                           Coverage Δ
cmd/snap-update-ns/change.go             90.83% <0.00%> (-0.72%) ↓
store/cache.go                           69.23% <0.00%> (-1.93%) ↓
boot/boot.go                             85.34% <0.00%> (ø)
boot/flags.go                            82.24% <0.00%> (ø)
boot/model.go                            68.18% <0.00%> (ø)
boot/systems.go                          80.18% <0.00%> (ø)
overlord/snapstate/policy/os.go          87.50% <0.00%> (ø)
overlord/snapstate/policy/base.go        80.95% <0.00%> (ø)
overlord/snapstate/policy/snapd.go       69.56% <0.00%> (ø)
overlord/snapstate/policy/gadget.go      75.00% <0.00%> (ø)
... and 2 more


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 2950172...950094e.

codecov-commenter avatar Feb 11 '22 10:02 codecov-commenter

The google:ubuntu-20.04-64:tests/main/nfs-support test failure does not seem related, at least I tried running the test 10 times in QEMU and it never failed.

mardy avatar Apr 01 '22 10:04 mardy

Hm, I wonder if the selinux errors here are real?

...
Error: 2023-01-05 11:52:40 Error executing google:centos-9-64:tests/main/selinux-clean (jan051137-225688) : 
...
 ausearch -i --checkpoint stamp --start checkpoint -m AVC
grep error: pattern not found, got:
----
type=PROCTITLE msg=audit(01/05/23 11:52:03.232:1249) : proctitle=/usr/libexec/snapd/snap-confine snap.test-snapd-service.test-snapd-sigterm-all-service /usr/lib/snapd/snap-exec test-snapd-servi 
type=SYSCALL msg=audit(01/05/23 11:52:03.232:1249) : arch=x86_64 syscall=seccomp success=yes exit=0 a0=0x1 a1=0x2 a2=0x7fff658ed550 a3=0xffffffe0 items=0 ppid=1 pid=45694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snap-confine exe=/usr/libexec/snapd/snap-confine subj=system_u:system_r:snappy_confine_t:s0 key=(null) 
type=AVC msg=audit(01/05/23 11:52:03.232:1249) : avc:  denied  { bpf } for  pid=45694 comm=snap-confine capability=bpf  scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:system_r:snappy_confine_t:s0 tclass=capability2 permissive=1 
----
type=PROCTITLE msg=audit(01/05/23 11:52:37.760:1303) : proctitle=/usr/libexec/snapd/snap-confine snap.test-snapd-service.test-snapd-service /usr/lib/snapd/snap-exec --command=stop test-snapd-se 
type=SYSCALL msg=audit(01/05/23 11:52:37.760:1303) : arch=x86_64 syscall=seccomp success=yes exit=0 a0=0x1 a1=0x2 a2=0x7ffcd2620740 a3=0xffffffe0 items=0 ppid=1 pid=46760 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snap-confine exe=/usr/libexec/snapd/snap-confine subj=system_u:system_r:snappy_confine_t:s0 key=(null) 
type=AVC msg=audit(01/05/23 11:52:37.760:1303) : avc:  denied  { bpf } for  pid=46760 comm=snap-confine capability=bpf  scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:system_r:snappy_confine_t:s0 tclass=capability2 permissive=1

mvo5 avatar Jan 09 '23 16:01 mvo5
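An added helper, not part of snapd or of this thread, that parses `ausearch -i` records like the ones quoted above, groups them by audit serial and lists each denial together with whether it was actually enforced (permissive=1 means the kernel only logged it). The sample records are trimmed copies of the lines in the comment; the `exe` field is filled only when the matching SYSCALL record is present.

```python
import re
from collections import defaultdict

# Constructed sample: the SYSCALL/AVC records quoted in the thread above, trimmed to
# the fields this parser uses (the CI log is the actual source).
SAMPLE_AUSEARCH = """----
type=SYSCALL msg=audit(01/05/23 11:52:03.232:1249) : arch=x86_64 syscall=seccomp success=yes exit=0 pid=45694 uid=root comm=snap-confine exe=/usr/libexec/snapd/snap-confine subj=system_u:system_r:snappy_confine_t:s0
type=AVC msg=audit(01/05/23 11:52:03.232:1249) : avc:  denied  { bpf } for  pid=45694 comm=snap-confine capability=bpf  scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:system_r:snappy_confine_t:s0 tclass=capability2 permissive=1
----
type=AVC msg=audit(01/05/23 11:52:37.760:1303) : avc:  denied  { bpf } for  pid=46760 comm=snap-confine capability=bpf  scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:system_r:snappy_confine_t:s0 tclass=capability2 permissive=1
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Group `ausearch -i` lines by audit serial: {serial: {"SYSCALL": {...}, "AVC": [...]}}."""
    events = defaultdict(lambda: {"AVC": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # "----" separators and other non-record lines
        rtype, _ts, serial, body = m.groups()
        if rtype != "AVC":
            events[serial][rtype] = dict(KV_RE.findall(body))
            continue
        a = AVC_RE.match(body)
        if a:  # e.g. "denied  { bpf } for  pid=... tclass=capability2 permissive=1"
            rec = dict(KV_RE.findall(a.group(3)), verdict=a.group(1), perms=a.group(2).split())
            events[serial]["AVC"].append(rec)
    return dict(events)


def summarize_denials(text):
    """One entry per denied AVC. enforced=False means permissive=1: the kernel logged the
    denial but let the operation proceed, so it cannot by itself be the cause of a failure."""
    out = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL", {})
        for a in ev["AVC"]:
            if a["verdict"] != "denied":
                continue
            out.append({"serial": int(serial), "comm": a.get("comm", sc.get("comm")),
                        "exe": sc.get("exe"),  # only known when the SYSCALL record is present
                        "domain": a["scontext"].split(":")[2],  # type of the source context
                        "tclass": a.get("tclass"), "perms": a["perms"],
                        "enforced": a.get("permissive") != "1"})
    return out
```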