From Fedora Project Wiki

Latest revision as of 16:42, 2 August 2022

SELinux Parallel Autorelabel

Summary

After a system's SELinux mode is switched from disabled to enabled, or after an administrator runs fixfiles onboot, SELinux autorelabel will be run in parallel by default.

Owner


Current status

  • Targeted release: Fedora Linux 37 (Change accepted by FESCo)
  • devel thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/W7CO55STPHPDHT6PEWPQAQXAOZPKOIYD/
  • FESCo issue: #2841 (https://pagure.io/fesco/issue/2841)
  • Tracker bug: #2114341 (https://bugzilla.redhat.com/show_bug.cgi?id=2114341)
  • Release notes tracker: #871 (https://pagure.io/fedora-docs/release-notes/issue/871)
Detailed Description

SELinux tools restorecon and fixfiles recently gained the ability to relabel files in parallel using the -T nthreads option. This option is currently not used in the automatic relabel after reboot. When users want/need the parallel relabeling they have to specify the option explicitly (e.g. fixfiles -T 0 onboot). With this change -T 0 (0 == use all available CPU cores) will be the default for fixfiles onboot and users will have to use fixfiles -T 1 onboot to force it to use only one thread.

The rationale is that when autorelabel runs, there are no other resource-intensive processes running on the system, so it's fine (and actually better) to use all available parallelism to speed up the task and get to a fully booted system faster.
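How the new default interacts with an explicit -T stored by fixfiles onboot, as an added shell example that is not the Fedora selinux-autorelabel script itself. It assumes that the options an administrator stores in the /.autorelabel flag file are passed through to a fixfiles restore run at boot; the autorelabel_threads and autorelabel_cmd names are mine.

```shell
#!/bin/sh
# Added example, not the Fedora selinux-autorelabel script itself.
# Assumption: the options an administrator stores in the /.autorelabel flag
# file (e.g. "-T 1" from "fixfiles -T 1 onboot") are passed through to the
# fixfiles run at boot, and "-T 0" means "use all CPU cores".

# autorelabel_threads FLAGFILE_CONTENTS
# Prints the thread count the boot-time relabel should use: an explicit
# "-T N" from the flag file wins, otherwise the new default 0 (all cores).
autorelabel_threads() {
    threads=0                 # new default: all available cores
    set -- $1                 # split the flag-file contents into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -T)
                value=${2:-}
                # Accept only a non-negative integer; anything else falls
                # back to the default instead of reaching fixfiles.
                case "$value" in
                    ''|*[!0-9]*) threads=0 ;;
                    *)           threads=$value ;;
                esac
                if [ $# -gt 1 ]; then shift; fi   # consume the value
                ;;
        esac
        shift
    done
    printf '%s\n' "$threads"
}

# autorelabel_cmd FLAGFILE_CONTENTS
# Prints the fixfiles invocation the boot-time relabel would run.
autorelabel_cmd() {
    printf 'fixfiles -T %s restore\n' "$(autorelabel_threads "$1")"
}

# Constructed flag-file contents (not read from the real /.autorelabel):
autorelabel_cmd ""        # plain "fixfiles onboot"   -> fixfiles -T 0 restore
autorelabel_cmd "-T 1"    # "fixfiles -T 1 onboot"    -> fixfiles -T 1 restore
autorelabel_cmd "-T abc"  # malformed value           -> fixfiles -T 0 restore
```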

Feedback

Benefit to Fedora

Faster reboot after switching back to an SELinux enabled system or when triggering autorelabel explicitly. The relabelling time can be reduced up to ~18 times, depending on the number of cores (the upper limit for the speed-up is the number of cores, naturally). To get an idea of the scaling see the upstream commit message introducing the parallel relabelling support.

Scope

  • Proposal owners:
    • Update /usr/libexec/selinux/selinux-autorelabel to use -T 0 by default.
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

  1. boot with SELinux disabled - add selinux=0 to the kernel command line
  2. reboot (with SELinux enabled again, so that the autorelabel runs)
  3. note the time the reboot took
  4. run fixfiles -T 1 onboot
  5. reboot
  6. the second reboot should take longer


User Experience

Systems should be up and running faster after SELinux autorelabel.

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)


Documentation

N/A (not a System Wide Change)

Release Notes