Re: Better interactivity in low-memory situations
by Gordan Bobic
On Sun, Aug 11, 2019 at 10:36 AM <mcatanzaro(a)gnome.org> wrote:
> This seems like a distraction from the real goal here, which is to
> ensure Fedora remains responsive under heavy memory pressure,
I think this is an overwhelmingly important point, and as somebody
regularly working with ARM machines with tiny amounts of RAM, it is of
considerable interest to me.
I typically use CentOS because stability is important to me, but most
worthwhile things filter to there, so I hope what I'm about to say is not
_too_ deprecated.
1) Compile options
From what I can tell from rpm macro options, default on C7 seems to be -O2.
-Os seems to help in most cases.
Adding -ffunction-sections -fdata-sections to defaults can help
considerably in producing smaller binaries, and is not the default.
Linking with -Wl,--gc-sections helps a lot and is not the default
Extensive stripping seems to already be the default (--strip-unneeded,
removal of .comment and .note sections)
2) Runtime configuration
Default stack size is 8192 (ulimit -s). This unnecessarily eats a
considerable amount of memory. I have yet to see anything that actually
experiences problems with 1M.
3) zram
This was mentioned earlier in the thread, and on most of my systems, memory
constrained or otherwise, unless I have an overwhelming reason not to, I
run with zram swap equal in size to RAM with lz4 compression and
vm.swappiness=100. I typically see compression ratios between 2:1 and 3:1
in zram, so on a system with, say, 10GB of RAM, it would provide 10GB of
very fast swap at a cost of 3-5GB of RAM. This seems like a favourable
trade off, especially on systems with extremely constrained RAM (e.g. ARM
devices with 512MB of RAM).
I'm sure there is more that can be done, but this seems like a good start
as far as the cost / benefit is concerned.
4 years, 7 months
BackupPC selinux help
by Richard Shaw
I've got a bug report[1] for BackupPC where the user is having issues with
AVC denials when browsing hosts.
This is actually from my COPR but it's the same SRPM I use for Fedora.
There are almost 50k downloads and this is the only report of a problem so
I don't think there's a fundamental issue with the package but I would
still like to help them out.
They are getting AVC denials when browsing hosts which seems to cause
BackupPC_Admin to write LOCK files in the subdirectories of
/var/lib/BackupPC/. I can find plenty of LOCK files written in my instance
of BackupPC on CentOS 7 (same as the user) but NO AVC denials for me.
Here's a snippet from the bug:
$ sudo tail -f /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1567181425.724:40002): avc: denied { write } for
pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc: denied { write } for
pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
...
It happens one for every host he backs up so the inodes are different but
the error is the same for all.
Currently the selinux policy built into the package doesn't modify
/var/lib/BackupPC but in my experience it hasn't needed to.
He's already tried restorecon, changed from a symlink to a bind mount (for
the backup root)...
I'm hesitant to modify the selinux policy when I can reproduce the
problem...
Ideas?
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1746598
4 years, 7 months
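For triaging AVC records like the ones quoted in the BackupPC post above, the following is an added example (not part of the original post or of the BackupPC package). It re-joins records that were wrapped across lines and collapses the per-host denials into the distinct type-enforcement rule being hit; the function names are hypothetical and the sample input is the two records from the post.

```python
import re

# Sample input: the two records quoted in the post, wrapped as they appear there.
SAMPLE = """\
type=AVC msg=audit(1567181425.724:40002): avc: denied { write } for
pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=336086870
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1567181425.730:40003): avc: denied { write } for
pid=3608 comm="BackupPC_Admin" name="LOCK" dev="sda1" ino=109977609
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")


def parse_avc(text):
    """Return one dict per AVC denial, re-joining records wrapped across lines."""
    flat = " ".join(text.split())
    records = []
    for chunk in re.split(r"(?=type=AVC\b)", flat):
        denied = PERMS.search(chunk)
        if not denied:
            continue  # leading empty chunk or a non-denial record
        rec = {k: v.strip('"') for k, v in FIELD.findall(chunk)}
        rec["perms"] = tuple(denied.group(1).split())
        # A context is user:role:type:level; type enforcement keys on the type.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def distinct_rules(records):
    """Map (source type, target type, class, perms) to the inodes denied."""
    rules = {}
    for r in records:
        key = (r["source_type"], r["target_type"], r["tclass"], r["perms"])
        rules.setdefault(key, []).append(r.get("ino"))
    return rules


if __name__ == "__main__":
    for (src, tgt, cls, perms), inodes in distinct_rules(parse_avc(SAMPLE)).items():
        print(src, "->", tgt, cls, " ".join(perms), "count:", len(inodes), inodes)
```

On the sample, both denials reduce to a single rule: httpd_t denied write on files labelled var_lib_t, with the inode numbers kept so the affected LOCK files can be located and their labels inspected.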
Fedora Workstation and disabled by default firewall
by Vitaly Zaitsev
Hello all.
Is it okay that firewall is completely disabled by default (opened all
ports 1025-65535) on Fedora Workstation?
I think that this is a major vulnerability and it must be fixed by
changing default zone to public.
firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
--
Sincerely,
Vitaly Zaitsev (vitaly(a)easycoding.org)
4 years, 7 months
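To audit a zone for the kind of wide port range shown in the firewall post above, the following is an added example (not part of the original post or of firewalld). It parses `firewall-cmd --list-all` text and reports every opened range larger than a threshold; the function names and the threshold of 100 ports are assumptions, and the sample is the zone output quoted in the post.

```python
# Sample input: the zone output quoted in the post.
SAMPLE = """\
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_zone(text):
    """Parse one zone block into a dict of key -> list of values."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    zone = {"name": header[0], "active": "(active)" in header}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = value.split()
    return zone


def wide_ranges(zone, limit=100):
    """Return (proto, low, high, count) for each opened range above `limit` ports."""
    findings = []
    for spec in zone.get("ports", []):
        rng, _, proto = spec.partition("/")
        low, _, high = rng.partition("-")
        low, high = int(low), int(high or low)  # a single port has no "-high" part
        count = high - low + 1
        if count > limit:
            findings.append((proto, low, high, count))
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE)
    for proto, low, high, count in wide_ranges(zone):
        print(f"{zone['name']}: {proto} {low}-{high} opens {count} ports")
```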
Debates/back and forths
by Danny Lee
Hi all,
I'm new to the devel list and Fedora in general, but I was wondering if
these kinds of back and forths between a few people are a frequent
occurrence. I came to Fedora to volunteer what little spare time I have
to help the Fedora project in some little ways. I don't feel that should
include wading through dozens of emailed back and forths between
individuals who seem to have strong, immovable opinions, I just don't
have time for that.
Is there any chance there is a moderated list or discussion group about
current project tasks and issues rather than debates about how to do
things? Or perhaps, a way to turn off certain threads or block certain
posters?
Thanks for your time and info you can provide.
4 years, 7 months
How do I remove GLIBCXX_ASSERTIONS?
by Steven A. Falco
The upstream KiCAD project has requested that I remove GLIBCXX_ASSERTIONS from the Fedora package, as described here: https://bugs.launchpad.net/kicad/+bug/1838448
What is the best way to do that? I can add "%undefine _hardened_build" (which I am testing now) but I think that will remove other hardening features that I might want to leave enabled.
Steve
4 years, 7 months
f32/rawhide, nothing provides module(platform:f31)
by Kaleb Keithley
`dnf update` on my f32/rawhide machine is giving me:
Problem 1: conflicting requests
- nothing provides module(platform:f31) needed by module
bat:latest:3120190714171319:22d7e2a5-0.x86_64
Problem 2: conflicting requests
- nothing provides module(platform:f31) needed by module
exa:latest:3120190721165838:22d7e2a5-0.x86_64
Problem 3: conflicting requests
- nothing provides module(platform:f31) needed by module
libgit2:0.28:3120190714114509:f636be4b-0.x86_64
Problem 4: conflicting requests
- nothing provides module(platform:f31) needed by module
silver:rolling:3120190728135623:22d7e2a5-0.x86_64
What do I need to do for this?
Thanks,
--
Kaleb
4 years, 7 months
[HEADS UP] Fedora 32 Python 3.8 rebuilds have started in a side tag
by Miro Hrončok
Hello, in order to deliver Python 3.8, we are running a coordinated rebuild in a
side tag.
https://fedoraproject.org/wiki/Changes/Python3.8
If you see a "Rebuild for Python 3.8" commit in your package, please don't
rebuild it in regular rawhide.
If you need to, please let me know, so we can coordinate.
If you'd like to update the package, you should be able to build it in the side
tag via:
on branch master:
$ fedpkg build --target=f32-python
Note that it will take a while before the essential packages are rebuilt, so
don't expect all your dependencies to be available right away.
Thanks. Let us know if you have any questions.
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
4 years, 7 months
testing oomd, cgroupsv2, was: Better interactivity in low-memory situations
by Chris Murphy
Hi,
This is a follow-up for this thread:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o...
Has anyone looked at oomd, or is anyone interested in testing and
comparing it to alternatives?
https://facebookmicrosites.github.io/oomd/docs/overview
https://news.ycombinator.com/item?id=17590858
The origin for oomd is servers, and the case study at Facebook is also
server centric. But oomd is also very flexible, with the option to
arrive over the medium term at a cooperative approach to resource
management.
However, my more immediate interest is to make heavy memory pressure
and swap usage (versus incidental use of swap) result in a more
predictable outcome. Right now this is all over the map, maybe the
process you would have picked to kill (if you could) is killed. Maybe
something else is killed and you don't notice, but it frees up just
enough memory to prevent anything else from being killed, and now
you're stuck in swap hell. It's a lot of maybes.
And the final implosion of a system isn't really what matters because
at this point, once it happens, the system is already in some kind of
tail spin. And what that means is we can't even really iterate on any
improvements because all the outcomes right now appear to suck. So how
about avoiding tail spins in the first place?
And a quick search, Lennart mentions oomd in the 'raise fileno
limit...' thread from Oct 2018 during early discussions of cgroupsv2.
--
Chris Murphy
4 years, 7 months