From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH userspace 6/6] setfiles/restorecon: support parallel relabeling
Date: Tue, 23 Mar 2021 18:08:30 +0100 [thread overview]
Message-ID: <20210323170830.182553-7-omosnace@redhat.com> (raw)
In-Reply-To: <20210323170830.182553-1-omosnace@redhat.com>
Use the newly introduced selinux_restorecon_parallel(3) in
setfiles/restorecon and a -T option to both to allow enabling parallel
relabeling. The default behavior without specifying the -T option is to
use 1 thread; parallel relabeling must be requested explicitly by
passing -T 0 (which will use as many threads as there are available CPU
cores) or -T <N>, which will use <N> threads.
=== Benchmarks ===
As measured on a 32-core cloud VM with Fedora 34. Not a fully
representative environment, but still the scaling is quite good.
WITHOUT PATCHES:
$ time restorecon -rn /usr/src
real 0m23,580s
user 0m22,681s
sys 0m0,707s
WITH PATCHES:
$ time restorecon -rn -T 1 /usr/src
real 0m23,493s
user 0m22,637s
sys 0m0,668s
$ time restorecon -rn -T 2 /usr/src
real 0m13,438s
user 0m25,536s
sys 0m0,946s
$ time restorecon -rn -T 8 /usr/src
real 0m5,476s
user 0m38,440s
sys 0m3,016s
$ time restorecon -rn -T 16 /usr/src
real 0m3,868s
user 0m51,292s
sys 0m5,289s
$ time restorecon -rn -T 32 /usr/src
real 0m2,817s
user 1m0,317s
sys 0m6,157s
Note that the benchmarks were performed in read-only mode (-n), so the
labels were only read and looked up in the database, not written. When
fixing labels on a heavily mislabeled system, the scaling would likely
be event better, since a larger % of work could be done in parallel.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/setfiles/Makefile | 2 +-
policycoreutils/setfiles/restore.c | 7 ++++---
policycoreutils/setfiles/restore.h | 2 +-
policycoreutils/setfiles/restorecon.8 | 9 +++++++++
policycoreutils/setfiles/setfiles.8 | 9 +++++++++
policycoreutils/setfiles/setfiles.c | 28 ++++++++++++++++-----------
6 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index a3bbbe11..82de8f2a 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
CFLAGS ?= -g -Werror -Wall -W
-override LDLIBS += -lselinux -lsepol
+override LDLIBS += -lselinux -lsepol -lpthread
ifeq ($(AUDITH), y)
override CFLAGS += -DUSE_AUDIT
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9d688c60..74d48bb3 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -72,7 +72,7 @@ void restore_finish(void)
}
}
-int process_glob(char *name, struct restore_opts *opts)
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads)
{
glob_t globbuf;
size_t i = 0;
@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts)
continue;
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
- rc = selinux_restorecon(globbuf.gl_pathv[i],
- opts->restorecon_flags);
+ rc = selinux_restorecon_parallel(globbuf.gl_pathv[i],
+ opts->restorecon_flags,
+ nthreads);
if (rc < 0)
errors = rc;
}
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
index ac6ad680..bb35a1db 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
@@ -49,7 +49,7 @@ struct restore_opts {
void restore_init(struct restore_opts *opts);
void restore_finish(void);
void add_exclude(const char *directory);
-int process_glob(char *name, struct restore_opts *opts);
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads);
extern char **exclude_list;
#endif
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 668486f6..e07db2c8 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts.
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
+.RB [ \-T
+.IR nthreads ]
.SH "DESCRIPTION"
This manual page describes the
@@ -160,6 +162,13 @@ prevent
.B restorecon
from crossing file system boundaries.
.TP
+.BI \-T \ nthreads
+use up to
+.I nthreads
+threads. Specify 0 to create as many threads as there are available
+CPU cores; 1 to use only a single thread (default); or any positive
+number to use the given number of threads (if possible).
+.TP
.SH "ARGUMENTS"
.IR pathname \ ...
The pathname for the file(s) to be relabeled.
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 4d28bc9a..15f939d1 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts.
.RB [ \-W ]
.RB [ \-F ]
.RB [ \-I | \-D ]
+.RB [ \-T
+.IR nthreads ]
.I spec_file
.IR pathname \ ...
@@ -161,6 +163,13 @@ quote marks or backslashes. The
option of GNU
.B find
produces input suitable for this mode.
+.TP
+.BI \-T \ nthreads
+use up to
+.I nthreads
+threads. Specify 0 to create as many threads as there are available
+CPU cores; 1 to use only a single thread (default); or any positive
+number to use the given number of threads (if possible).
.SH "ARGUMENTS"
.TP
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index f018d161..2313a21f 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -1,4 +1,5 @@
#include "restore.h"
+#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio_ext.h>
@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n"
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n",
name, name);
} else {
fprintf(stderr,
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+ "usage: %s -s [-diIDlmnpqvFWT] spec_file\n",
name, name, name);
}
exit(-1);
@@ -144,12 +145,12 @@ int main(int argc, char **argv)
int opt, i = 0;
const char *input_filename = NULL;
int use_input_file = 0;
- char *buf = NULL;
- size_t buf_len;
+ char *buf = NULL, *endptr;
+ size_t buf_len, nthreads = 1;
const char *base;
int errors = 0;
- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x";
- const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
+ const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:";
+ const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:";
const char *opts;
union selinux_callback cb;
@@ -370,6 +371,11 @@ int main(int argc, char **argv)
usage(argv[0]);
}
break;
+ case 'T':
+ nthreads = strtoull(optarg, &endptr, 10);
+ if (*optarg == '\0' || *endptr != '\0')
+ usage(argv[0]);
+ break;
case 'h':
case '?':
usage(argv[0]);
@@ -448,13 +454,13 @@ int main(int argc, char **argv)
buf[len - 1] = 0;
if (!strcmp(buf, "/"))
r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL;
- errors |= process_glob(buf, &r_opts) < 0;
+ errors |= process_glob(buf, &r_opts, nthreads) < 0;
}
if (strcmp(input_filename, "-") != 0)
fclose(f);
} else {
for (i = optind; i < argc; i++)
- errors |= process_glob(argv[i], &r_opts) < 0;
+ errors |= process_glob(argv[i], &r_opts, nthreads) < 0;
}
maybe_audit_mass_relabel(r_opts.mass_relabel, errors);
--
2.30.2
next prev parent reply other threads:[~2021-03-23 17:09 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-23 17:08 [RFC PATCH userspace 0/6] Parallel setfiles/restorecon Ondrej Mosnacek
2021-03-23 17:08 ` [RFC PATCH userspace 1/6] selinux_restorecon: simplify fl_head allocation by using calloc() Ondrej Mosnacek
2021-03-23 17:08 ` [RFC PATCH userspace 2/6] selinux_restorecon: protect file_spec list with a mutex Ondrej Mosnacek
2021-03-23 17:08 ` [RFC PATCH userspace 3/6] selinux_restorecon: introduce selinux_log_sync() Ondrej Mosnacek
2021-03-23 17:08 ` [RFC PATCH userspace 4/6] selinux_restorecon: add a global mutex to synchronize progress output Ondrej Mosnacek
2021-03-23 17:08 ` [RFC PATCH userspace 5/6] selinux_restorecon: introduce selinux_restorecon_parallel(3) Ondrej Mosnacek
2021-03-23 17:08 ` Ondrej Mosnacek [this message]
2021-03-24 9:58 ` [RFC PATCH userspace 0/6] Parallel setfiles/restorecon peter enderborg
2021-03-24 11:04 ` Ondrej Mosnacek
2021-04-28 21:11 ` Nicolas Iooss
2021-04-30 12:49 ` Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210323170830.182553-7-omosnace@redhat.com \
--to=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.