It takes 10 seconds to create a user account, whereas without the -Z option it takes less than a second. I tried changing SELinux to Permissive mode and using tmpfs for the /etc/selinux mount point; neither helped. The problem is I'm re-creating 50000+ user accounts on a new server. Looking for options to speed up this process. Thanks for any pointers/help.
# time useradd --uid=20005 -Z guest_u u20005
real 0m10.194s
user 0m8.866s
sys 0m1.273s

# time useradd --uid=20006 u20006
real 0m0.050s
user 0m0.018s
sys 0m0.021s
---- Cheers, Lakshmipathi.G http://www.giis.co.in http://www.webminal.org
On Thu, 2017-04-20 at 23:14 +0530, Lakshmipathi.G wrote:
libsemanage version? /etc/selinux/semanage.conf contents?
Thanks. Here are the details:
# uname -a
Linux li1629-137 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

# rpm -qa | grep 'semanage'
libsemanage-2.5-5.1.el7_3.x86_64
libsemanage-python-2.5-5.1.el7_3.x86_64
I didn't make any changes to /etc/selinux/semanage.conf. Here's the content:
---
module-store = direct

# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0

# usepasswd check tells semanage to scan all pass word records for home directories
# and setup the labeling correctly. If this is turned off, SELinux will label /home
# correctly only. You will need to use semanage fcontext command.
# For example, if you had home dirs in /althome directory you would have to execute
# semanage fcontext -a -e /home /althome
usepasswd=False
bzip-small=true
bzip-blocksize=5
ignoredirs=/root
---
---- Cheers, Lakshmipathi.G FOSS Programmer. http://www.giis.co.in http://www.webminal.org
On Thu, Apr 20, 2017 at 11:23 PM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Thu, 2017-04-20 at 23:27 +0530, Lakshmipathi.G wrote:
On Fedora, I see a substantial improvement in the latest libsemanage update, which was created in response to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=1439875
There is a cloned bug for RHEL7.4.
Despite seeming unrelated, the ultimate fix for this bug improved performance for most semanage commands; the second of the two patches affected more than just booleans.
The relevant upstream commits are:
https://github.com/SELinuxProject/selinux/commit/b61922f727d5643265e27654a2d...
https://github.com/SELinuxProject/selinux/commit/8702a865e08b5660561e194a83e...
Your configuration looks fine; I wanted to make sure you had expand-check=0 and usepasswd=False. So the problem lies in the libsemanage code; at present, it requires a full policy module re-link when you add a seusers entry. This has been fixed in the latest libsemanage version, which will hopefully find its way to RHEL7 before too long.
On Thu, 2017-04-20 at 23:14 +0530, Lakshmipathi.G wrote:
Maybe an alternative until you get an updated libsemanage would be to transfer the SELinux configuration via semanage export/import and just run useradd without -Z. That way you can do all of the additions to seusers in a single transaction.
On Thu, 2017-04-20 at 14:39 -0400, Stephen Smalley wrote:
Maybe an alternative until you get an updated libsemanage would be to transfer the SELinux configuration via semanage export/import and just run useradd without -Z. That way you can do all of the additions to seusers in a single transaction.
That assumes you already have these users configured on a different server from which you can run semanage export (I assumed that because you said you were re-creating 50000+ user accounts). If not, then you could essentially write a script to generate the input expected by semanage import to add all the users. It would look something like this:

$ cat userlist
login -a -s guest_u -r 's0' u20005
login -a -s guest_u -r 's0' u20006
...

$ <add all of the users with useradd first, without -Z>
$ sudo semanage import -f userlist
If you are instead using semanage export from an existing system with the users already defined, be careful since it always starts with commands to delete all local customizations before adding the new ones, so you might not want to do that on your system. You can always delete those lines from its output before feeding to semanage import.
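The batch procedure described above (create the accounts with useradd and no -Z, generate the `login -a` lines, then load them with a single `semanage import -f userlist` so that libsemanage relinks the policy once rather than once per account), written out as an added shell example. This is not code from the thread or from the SELinux project. It assumes a names file with one username per line, the guest_u SELinux user and range s0 used in the thread, and that any --uid handling is added by the caller; the sample names file is constructed inline for a dry run, and the real apply step is left as a function that is not called.

```shell
#!/bin/sh
# Added example, not from the thread: batch the SELinux login mappings for many
# accounts into one semanage transaction instead of one policy relink per
# `useradd -Z`. Assumptions: a names file with one username per line; SELinux
# user guest_u and MLS range s0 as in the thread; accounts are created with
# plain useradd (no -Z) before the mappings are imported.
set -eu

# Emit the "login -a" lines that `semanage import -f` expects.
#   $1 = names file, $2 = SELinux user (default guest_u), $3 = range (default s0)
# Blank lines and comments are dropped. Names with characters outside the
# usual login-name set are reported on stderr and skipped, so a stray entry in
# the names file cannot turn into an unexpected semanage subcommand.
gen_userlist() {
    seuser=${2:-guest_u}
    range=${3:-s0}
    grep -v -e '^[[:space:]]*$' -e '^#' "$1" | while IFS= read -r name; do
        case $name in
            *[!A-Za-z0-9._-]*)
                printf 'skipping invalid name: %s\n' "$name" >&2
                continue ;;
        esac
        printf "login -a -s %s -r '%s' %s\n" "$seuser" "$range" "$name"
    done
}

# Number of mappings a generated list would add: a sanity check to compare
# against the expected account count before running the import for real.
count_mappings() {
    gen_userlist "$1" "${2:-guest_u}" "${3:-s0}" 2>/dev/null | grep -c '^login -a ' || true
}

# Real run (needs root, not executed here): write the list, create only the
# accounts that passed validation on the fast path, then add every seusers
# entry in a single semanage transaction. Add --uid per account in the
# useradd call if the original ids must be preserved.
apply_batch() {
    gen_userlist "$1" guest_u s0 > userlist
    awk '{ print $NF }' userlist | while IFS= read -r name; do
        useradd "$name"
    done
    semanage import -f userlist
}

# Constructed sample input for a dry run: three valid names, one blank line,
# and one entry that must be rejected.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf 'u20005\nu20006\n\nbad name\nu20007\n' > "$SAMPLE"

# Dry run: prints the three "login -a" lines, reports the bad entry on stderr.
gen_userlist "$SAMPLE" guest_u s0
```

After a real import, `semanage login -l` lists the resulting mappings; comparing its count with `count_mappings` on the names file is a quick way to confirm that the single transaction added everything before the 50000-account run is declared done.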
Hi Stephen,
Thanks for the detailed information. I didn't know semanage export/import existed; nice option. I tested on the new server (CentOS 7); both export and import worked. But unfortunately our old server is really old (Fedora 14 / 2.6.35.14-106.fc14.i686) and the semanage export option is missing there.
The scripting way is a nice idea. I tested with a sample of 6 accounts and it worked well. Overall, it took 15 seconds for 6 accounts with semanage import. This script method should work fine in our case. We will create a script to write the data into the userlist file in the above format and then use it with CentOS 7 / semanage import. Thanks a lot for the help.
---- Cheers, Lakshmipathi.G FOSS Programmer. http://www.giis.co.in http://www.webminal.org
On Fri, Apr 21, 2017 at 12:26 AM, Stephen Smalley sds@tycho.nsa.gov wrote:
selinux@lists.fedoraproject.org