Dan Čermák <dan.cermak@xxxxxxxxxxxxxxxxxx> writes:

> On July 15, 2022 9:42:35 PM UTC, Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>>https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
>>
>>This document represents a proposed Change. As part of the Changes
>>process, proposals are publicly announced in order to receive
>>community feedback. This proposal will only be implemented if approved
>>by the Fedora Engineering Steering Committee.
>>
>>
>>== Summary ==
>>After a system's SELinux mode is switched from disabled to enabled, or
>>after an administrator runs `fixfiles onboot`, SELinux autorelabel
>>will be run in parallel by default.
>>
>>== Owner ==
>>* Name: [[User:plautrba| Petr Lautrbach]]
>>* Email: plautrba@xxxxxxxxxx
>>
>>
>>== Detailed Description ==
>>SELinux tools `restorecon` and `fixfiles` recently gained the ability
>>to relabel files in parallel using the `-T nthreads` option. This
>>option is currently not used in the automatic relabel after reboot.
>>When users want/need the parallel relabeling they have to specify the
>>option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T
>>0` (0 == use all available CPU cores) will be the default for
>>`fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to
>>force it to use only one thread.
>>
>>The rationale is that when autorelabel runs, there are no other
>>resource-intensive processes running on the system, so it's fine (and
>>actually better) to use all available parallelism to speed up the task
>>and get to a fully booted system faster.
>>
>>
>>== Benefit to Fedora ==
>>Faster reboot after switching back to an SELinux enabled system or
>>when triggering autorelabel explicitly.
>
> Just out of curiosity, how large is the speedup typically?
>
>>

It depends on the number of threads your machine has. But you could get
some data for comparison using `fixfiles -T 1 restore` and `fixfiles -T
0 restore` on a running system.

The following times are reported on my workstation:

    [root@P1 ~]# time fixfiles -T 0 restore
    Relabeling / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug /sys/kernel/debug/tracing /sys/kernel/tracing /tmp /var
    / 100.0%
    ...
    real 1m8.488s
    user 9m24.755s
    sys 0m25.424s

    [root@P1 ~]# time fixfiles -T 1 restore
    Relabeling / /boot /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /home /run /run/user/1000 /sys /sys/fs/cgroup /sys/fs/pstore /sys/kernel/debug /sys/kernel/debug/tracing /sys/kernel/tracing /tmp /var
    / 100.0%
    ...
    real 4m5.450s
    user 3m55.017s
    sys 0m10.088s

Petr

>>== Scope ==
>>* Proposal owners:
>>** Update `/usr/libexec/selinux/selinux-autorelabel` to use `-T 0` by default.
>>
>>* Other developers:
>>* Release engineering:
>>* Policies and guidelines: N/A (not needed for this Change)
>>* Trademark approval: N/A (not needed for this Change)
>>* Alignment with Objectives:
>>
>>
>>== Upgrade/compatibility impact ==
>>
>>
>>== How To Test ==
>># boot with SELinux disabled - add `selinux=0` to the kernel command line
>># reboot
>># store the time it took
>># run `fixfiles -T 1 onboot`
>># reboot
>># the latter reboot should take longer time
>>
>>
>>== User Experience ==
>>Systems should be up and running faster after SELinux autorelabel.
>>
>>== Dependencies ==
>>
>>
>>== Contingency Plan ==
>>* Contingency mechanism: (What to do? Who will do it?) N/A (not a
>>System Wide Change)
>>* Contingency deadline: N/A (not a System Wide Change)
>>* Blocks release? N/A (not a System Wide Change), Yes/No
>>
>>== Documentation ==
>>
>>N/A (not a System Wide Change)
>>
>>
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
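
The comparison suggested in the reply above, worked through as an added example (not part of the original message or of the SELinux tooling): it parses the `real`/`user`/`sys` lines that the shell's `time` prints and derives the wall-clock speedup and the average number of busy cores from the two runs quoted in the message. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare two captured `time fixfiles -T N restore` results.

# Convert a `time` duration such as "4m5.450s" to seconds.
to_seconds() {
    awk -v t="$1" 'BEGIN {
        split(t, p, "m"); sub(/s$/, "", p[2])
        printf "%.3f\n", p[1] * 60 + p[2]
    }'
}

# Extract one field (real|user|sys) from captured `time` output, in seconds.
# $1 = field name, $2 = captured output
time_field() {
    to_seconds "$(printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print $2 }')"
}

# Wall-clock speedup of the parallel run over the single-threaded run.
# $1 = single-threaded output, $2 = parallel output
speedup() {
    awk -v s="$(time_field real "$1")" -v p="$(time_field real "$2")" \
        'BEGIN { printf "%.2f\n", s / p }'
}

# Average number of cores kept busy during a run: (user + sys) / real.
busy_cores() {
    awk -v r="$(time_field real "$1")" -v u="$(time_field user "$1")" \
        -v s="$(time_field sys "$1")" \
        'BEGIN { printf "%.1f\n", (u + s) / r }'
}

# Timings copied from the message above (-T 0 = all cores, -T 1 = one thread).
T0='real 1m8.488s
user 9m24.755s
sys 0m25.424s'
T1='real 4m5.450s
user 3m55.017s
sys 0m10.088s'

echo "wall-clock speedup with -T 0: $(speedup "$T1" "$T0")x"
echo "busy cores: -T 0 = $(busy_cores "$T0"), -T 1 = $(busy_cores "$T1")"
```

To compare your own machine, replace `T0` and `T1` with the three timing lines captured from each run.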