https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == After a system's SELinux mode is switched from disabled to enabled, or after an administrator runs `fixfiles onboot`, SELinux autorelabel will be run in parallel by default. == Owner == * Name: [[User:plautrba| Petr Lautrbach]] * Email: plautrba(a)redhat.com == Detailed Description == SELinux tools `restorecon` and `fixfiles` recently gained the ability to relabel files in parallel using the `-T nthreads` option. This option is currently not used in the automatic relabel after reboot. When users want/need the parallel relabeling they have to specify the option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T 0` (0 == use all available CPU cores) will be the default for `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to force it to use only one thread. The rationale is that when autorelabel runs, there are no other resource-intensive processes running on the system, so it's fine (and actually better) to use all available parallelism to speed up the task and get to a fully booted system faster. == Benefit to Fedora == Faster reboot after switching back to an SELinux enabled system or when triggering autorelabel explicitly.

Dan Čermák <dan.cermak(a)cgc-instruments.de&gt; writes: > On July 15, 2022 9:42:35 PM UTC, Ben Cotton <bcotton(a)redhat.com&gt; wrote: >>https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel >> >>This document represents a proposed Change. As part of the Changes >>process, proposals are publicly announced in order to receive >>community feedback. This proposal will only be implemented if approved >>by the Fedora Engineering Steering Committee. >> >> >>== Summary == >>After a system's SELinux mode is switched from disabled to enabled, or >>after an administrator runs `fixfiles onboot`, SELinux autorelabel >>will be run in parallel by default. >> >>== Owner == >>* Name: [[User:plautrba| Petr Lautrbach]] >>* Email: plautrba(a)redhat.com >> >> >>== Detailed Description == >>SELinux tools `restorecon` and `fixfiles` recently gained the ability >>to relabel files in parallel using the `-T nthreads` option. This >>option is currently not used in the automatic relabel after reboot. >>When users want/need the parallel relabeling they have to specify the >>option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T >>0` (0 == use all available CPU cores) will be the default for >>`fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to >>force it to use only one thread. >> >>The rationale is that when autorelabel runs, there are no other >>resource-intensive processes running on the system, so it's fine (and >>actually better) to use all available parallelism to speed up the task >>and get to a fully booted system faster. >> >> >>== Benefit to Fedora == >>Faster reboot after switching back to an SELinux enabled system or >>when triggering autorelabel explicitly. > > Just out of curiosity, how large is the speedup typically? > >> It depends on the number of threads your machine has. But you could get some data for comparison using `fixfiles -T 1 restore` and `fixfiles -T 0 restore` on a running system. The following times are reported on my workstation: [root@P1 ~]# time fixfiles -T 0 restore Relabeling / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug /sys/kernel/debug/tracing /sys/kernel/tracing /tmp /var / 100.0% ... real 1m8.488s user 9m24.755s sys 0m25.424s [root@P1 ~]# time fixfiles -T 1 restore Relabeling / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug /sys/kernel/debug/tracing /sys/kernel/tracing /tmp /var / 100.0% ... real 4m5.450s user 3m55.017s sys 0m10.088s

On Mon, Jul 18, 2022 at 6:44 AM Petr Lautrbach <plautrba(a)redhat.com&gt; wrote: > > Dan Čermák <dan.cermak(a)cgc-instruments.de&gt; writes: > > > > Just out of curiosity, how large is the speedup typically? > > > > It depends on the number of threads your machine has. But you could get some > data for comparison using `fixfiles -T 1 restore` and `fixfiles -T 0 > restore` on a running system. The following times are reported on my workstation: > Has anyone run such a test on a system using classic ("spinning rust") HDDs? It is sometimes the case that parallelizing activities that are I/O intensive can result in excessive seek activity that can result in rather elongated elapsed times (much worse than single threaded operation).

On Mon, Jul 18, 2022 at 6:44 AM Petr Lautrbach <plautrba(a)redhat.com&gt; wrote: > > Dan Čermák <dan.cermak(a)cgc-instruments.de&gt; writes: > > > > Just out of curiosity, how large is the speedup typically? > > > > It depends on the number of threads your machine has. But you could get some > data for comparison using `fixfiles -T 1 restore` and `fixfiles -T 0 > restore` on a running system. The following times are reported on my workstation: > Has anyone run such a test on a system using classic ("spinning rust") HDDs? It is sometimes the case that parallelizing activities that are I/O intensive can result in excessive seek activity that can result in rather elongated elapsed times (much worse than single threaded operation).

On Fri, Jul 15, 2022 at 05:42:35PM -0400, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > > == Summary == > After a system's SELinux mode is switched from disabled to enabled, or > after an administrator runs `fixfiles onboot`, SELinux autorelabel > will be run in parallel by default. > > == Owner == > * Name: [[User:plautrba| Petr Lautrbach]] > * Email: plautrba(a)redhat.com > > > == Detailed Description == > SELinux tools `restorecon` and `fixfiles` recently gained the ability > to relabel files in parallel using the `-T nthreads` option. This > option is currently not used in the automatic relabel after reboot. > When users want/need the parallel relabeling they have to specify the > option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T > 0` (0 == use all available CPU cores) will be the default for > `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to > force it to use only one thread. > > The rationale is that when autorelabel runs, there are no other > resource-intensive processes running on the system, so it's fine (and > actually better) to use all available parallelism to speed up the task > and get to a fully booted system faster. > > > == Benefit to Fedora == > Faster reboot after switching back to an SELinux enabled system or > when triggering autorelabel explicitly. [...] > == Upgrade/compatibility impact == > > > == How To Test == > # boot with SELinux disabled - add `selinux=0` to the kernel command line > # reboot > # store the time it took > # run `fixfiles -T 1 onboot` > # reboot > # the latter reboot should take longer time [...] I wonder if we can use this in virt tools & virt-v2v: https://github.com/libguestfs/libguestfs/blob/master/daemon/selinux-relab... We actually use setfiles instead of fixfiles. setfiles appears to have no -T option unfortunately. Is there a reason why setfiles doesn't have / need this option?

On Fri, Jul 15, 2022 at 05:42:35PM -0400, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > > == Summary == > After a system's SELinux mode is switched from disabled to enabled, or > after an administrator runs `fixfiles onboot`, SELinux autorelabel > will be run in parallel by default. > > == Owner == > * Name: [[User:plautrba| Petr Lautrbach]] > * Email: plautrba(a)redhat.com > > > == Detailed Description == > SELinux tools `restorecon` and `fixfiles` recently gained the ability > to relabel files in parallel using the `-T nthreads` option. This > option is currently not used in the automatic relabel after reboot. > When users want/need the parallel relabeling they have to specify the > option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T > 0` (0 == use all available CPU cores) will be the default for > `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to > force it to use only one thread. > > The rationale is that when autorelabel runs, there are no other > resource-intensive processes running on the system, so it's fine (and > actually better) to use all available parallelism to speed up the task > and get to a fully booted system faster. > > > == Benefit to Fedora == > Faster reboot after switching back to an SELinux enabled system or > when triggering autorelabel explicitly. [...] > == Upgrade/compatibility impact == > > > == How To Test == > # boot with SELinux disabled - add `selinux=0` to the kernel command line > # reboot > # store the time it took > # run `fixfiles -T 1 onboot` > # reboot > # the latter reboot should take longer time [...] I wonder if we can use this in virt tools & virt-v2v: https://github.com/libguestfs/libguestfs/blob/master/daemon/selinux-relab... We actually use setfiles instead of fixfiles. setfiles appears to have no -T option unfortunately. Is there a reason why setfiles doesn't have / need this option?

On Wed, Jul 20, 2022 at 11:23:14AM +0200, Laszlo Ersek wrote: > I think we could modify libguestfs to test "setfiles" for the "-T" > option -- with setfiles_has_option() --, and if it's present, pass "-T > 0". However, for that to be actually useful, we'd need to start up the > appliance with multiple VCPUs -- using guestfs_set_smp(). For virt-v2v we actually do this already: https://github.com/libguestfs/virt-v2v/blob/2fbd578b4e6884a23063ad67ee36f... It's pretty much required for dracut to finish in a reasonable time. > ... Apparently, virt-customize already exposes an "--smp" option for > that, so we might get away with modifying libguestfs only. Right, for the other tools users would need to add --smp to get the benefits, but AIUI there's no drawback to using -T 0 even if running on a single core?