From 3046af080baad9935627ebb671950448cfd0fa7b Mon Sep 17 00:00:00 2001
|
|
From: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
|
|
Date: Wed, 26 Apr 2023 15:59:46 +0300
|
|
Subject: [PATCH] daemon/selinux-relabel: run setfiles with "-T 0", if
|
|
supported
|
|
|
|
Since SELinux userspace v3.4 [1], setfiles command supports "-T nthreads"
|
|
option, which allows parallel execution. "-T 0" allows using as many
|
|
threads as there're available CPU cores. This might speed up the process
|
|
of filesystem relabeling in case the appliance is being run with multiple
|
|
vCPUs. The latter is true for at least v2v starting from d2b64ecc67
|
|
("v2v: Set the number of vCPUs to same as host number of pCPUs.").
|
|
|
|
For instance, when running virt-v2v-in-place on my 12-core Xeon host
|
|
with SSD, with appliance being run with 8 vCPUs (the upper limit specified
|
|
in d2b64ecc67), and on the ~150GiB disk VM (physical size on the host),
|
|
I get the following results:
|
|
|
|
./in-place/virt-v2v-in-place -i libvirt fedora37-vm -v -x
|
|
|
|
Without this patch:
|
|
...
|
|
commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/sys -m -C -r /sysroot -v /sysroot/etc/selinux/targeted/contexts/files/file_contexts /sysroot/^M
|
|
libguestfs: trace: v2v: selinux_relabel = 0
|
|
libguestfs: trace: v2v: rm_f "/.autorelabel"
|
|
guestfsd: => selinux_relabel (0x1d3) took 17.94 secs
|
|
...
|
|
|
|
With this patch:
|
|
...
|
|
commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/sys -m -C -T 0 -r /sysroot -v /sysroot/etc/selinux/targeted/contexts/files/file_contexts /sysroot/^M
|
|
libguestfs: trace: v2v: selinux_relabel = 0
|
|
libguestfs: trace: v2v: rm_f "/.autorelabel"
|
|
guestfsd: => selinux_relabel (0x1d3) took 5.88 secs
|
|
...
|
|
|
|
So in my scenario it's getting 3 times faster.
|
|
|
|
[1] https://github.com/SELinuxProject/selinux/releases/tag/3.4
|
|
|
|
Signed-off-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
|
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
|
|
(cherry picked from commit d0d8e6738477148a7b752348f9364a3b8faed67f)
|
|
---
|
|
daemon/selinux-relabel.c | 12 ++++++++++++
|
|
1 file changed, 12 insertions(+)
|
|
|
|
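diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c
index 60a6f48a..cfc5a31d 100644
--- a/daemon/selinux-relabel.c
+++ b/daemon/selinux-relabel.c
@@ -73,6 +73,7 @@ do_selinux_relabel (const char *specfile, const char *path,
 {
 static int flag_m = -1;
 static int flag_C = -1;
+ static int flag_T = -1;
 const char *argv[MAX_ARGS];
 CLEANUP_FREE char *s_dev = NULL, *s_proc = NULL, *s_selinux = NULL,
 *s_sys = NULL, *s_specfile = NULL, *s_path = NULL;
@@ -131,6 +132,17 @@ do_selinux_relabel (const char *specfile, const char *path,
 if (setfiles_has_option (&flag_C, 'C'))
 ADD_ARG (argv, i, "-C");
 
+ /* If the appliance is being run with multiple vCPUs, running setfiles
+ * in multithreading mode might speeds up the process. Option "-T" was
+ * introduced in SELinux userspace v3.4, and we need to check whether it's
+ * supported. Passing "-T 0" creates as many threads as there're available
+ * vCPU cores.
+ * https://github.com/SELinuxProject/selinux/releases/tag/3.4
+ */
+ if (setfiles_has_option (&flag_T, 'T')) {
+ ADD_ARG (argv, i, "-T"); ADD_ARG (argv, i, "0");
+ }
+
 /* Relabelling in a chroot. */
 if (STRNEQ (sysroot, "/")) {
 ADD_ARG (argv, i, "-r");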
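Review bot: The two `ADD_ARG` calls added in the second hunk raise the worst-case length of `argv` by two, and `MAX_ARGS` is defined outside the hunk, so it is worth confirming the array still has room when `-m`, `-C`, `-T 0` and `-r` are all emitted together. The pair would also read better on separate lines, `ADD_ARG (argv, i, "-T");` followed by `ADD_ARG (argv, i, "0");`, because a second macro call at the end of a line is easy to miss when auditing the exact command line handed to setfiles. The new comment has a typo: "might speeds up" should be "might speed up". The body of do_selinux_relabel starts and ends outside both hunks, so how `setfiles_has_option` probes for the option cannot be checked from here.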
|