Dan Čermák <dan.cermak(a)cgc-instruments.de> writes:
On July 15, 2022 9:42:35 PM UTC, Ben Cotton
<bcotton(a)redhat.com> wrote:
>https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
>
>This document represents a proposed Change. As part of the Changes
>process, proposals are publicly announced in order to receive
>community feedback. This proposal will only be implemented if approved
>by the Fedora Engineering Steering Committee.
>
>
>== Summary ==
>After a system's SELinux mode is switched from disabled to enabled, or
>after an administrator runs `fixfiles onboot`, SELinux autorelabel
>will be run in parallel by default.
>
>== Owner ==
>* Name: [[User:plautrba| Petr Lautrbach]]
>* Email: plautrba(a)redhat.com
>
>
>== Detailed Description ==
>SELinux tools `restorecon` and `fixfiles` recently gained the ability
>to relabel files in parallel using the `-T nthreads` option. This
>option is currently not used in the automatic relabel after reboot.
>When users want/need the parallel relabeling they have to specify the
>option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T
>0` (0 == use all available CPU cores) will be the default for
>`fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to
>force it to use only one thread.
>
>The rationale is that when autorelabel runs, there are no other
>resource-intensive processes running on the system, so it's fine (and
>actually better) to use all available parallelism to speed up the task
>and get to a fully booted system faster.
>
>
>== Benefit to Fedora ==
>Faster reboot after switching back to an SELinux enabled system or
>when triggering autorelabel explicitly.
Just out of curiosity, how large is the speedup typically?
>
It depends on the number of threads your machine has. But you could get some
data for comparison using `fixfiles -T 1 restore` and `fixfiles -T 0
restore` on a running system. The following times are reported on my workstation:
[root@P1 ~]# time fixfiles -T 0 restore
Relabeling / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run
/run/user/1000 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug
/sys/kernel/debug/tracing /sys/kernel/tracing /tmp /var
/ 100.0%
...
real 1m8.488s
user 9m24.755s
sys 0m25.424s
[root@P1 ~]# time fixfiles -T 1 restore
Relabeling / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run
/run/user/1000 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug
/sys/kernel/debug/tracing /sys/kernel/tracing /tmp /var
/ 100.0%
...
real 4m5.450s
user 3m55.017s
sys 0m10.088s
Petr
>== Scope ==
>* Proposal owners:
>** Update `/usr/libexec/selinux/selinux-autorelabel` to use `-T 0` by default.
>
>* Other developers:
>* Release engineering:
>* Policies and guidelines: N/A (not needed for this Change)
>* Trademark approval: N/A (not needed for this Change)
>* Alignment with Objectives:
>
>
>== Upgrade/compatibility impact ==
>
>
>== How To Test ==
># boot with SELinux disabled - add `selinux=0` to the kernel command line
># reboot
># store the time it took
># run `fixfiles -T 1 onboot`
># reboot
># the latter reboot should take longer time
>
>
>== User Experience ==
>Systems should be up and running faster after SELinux autorelabel.
>
>== Dependencies ==
>
>
>== Contingency Plan ==
>* Contingency mechanism: (What to do? Who will do it?) N/A (not a
>System Wide Change)
>* Contingency deadline: N/A (not a System Wide Change)
>* Blocks release? N/A (not a System Wide Change), Yes/No
>
>== Documentation ==
>
>N/A (not a System Wide Change)
>
>
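Added example (not part of the original thread or of the Fedora proposal): a small shell helper that turns the two `time` results quoted in the reply above into a wall-clock speedup, the relative total CPU cost, and the average number of cores kept busy by `-T 0`. The function names are hypothetical; the timing values are copied from the message.

```shell
#!/bin/sh
# Timings copied from the reply above (-T 0 = all cores, -T 1 = one thread).
PARALLEL_RUN='real 1m8.488s
user 9m24.755s
sys 0m25.424s'
SINGLE_RUN='real 4m5.450s
user 3m55.017s
sys 0m10.088s'

# Convert a shell `time` value such as "4m5.450s" to seconds.
to_seconds() {
    printf '%s\n' "$1" | awk -F'[ms]' '{ printf "%.3f", $1 * 60 + $2 }'
}

# Extract one field (real|user|sys) from captured `time` output, in seconds.
time_field() {
    to_seconds "$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }')"
}

# $1 = timings of the parallel run, $2 = timings of the single-thread run.
relabel_summary() {
    awk -v pr="$(time_field "$1" real)" -v pu="$(time_field "$1" user)" \
        -v ps="$(time_field "$1" sys)"  -v sr="$(time_field "$2" real)" \
        -v su="$(time_field "$2" user)" -v ss="$(time_field "$2" sys)" \
        'BEGIN {
            # speedup:    how much sooner the relabel (and the boot) finishes
            # cpu_cost:   total CPU seconds burned relative to one thread
            # busy_cores: average cores kept busy during the parallel run
            printf "speedup=%.2f cpu_cost=%.2f busy_cores=%.2f\n",
                   sr / pr, (pu + ps) / (su + ss), (pu + ps) / pr
        }'
}

relabel_summary "$PARALLEL_RUN" "$SINGLE_RUN"
```

To compare other machines, replace the two variables with the `real`/`user`/`sys` lines captured from `time fixfiles -T 0 restore` and `time fixfiles -T 1 restore`.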