new large seccomp filter greatly regresses sandbox setup speed #461

Closed
opened 2024-08-05 00:52:02 +00:00 by pennae · 1 comment
Owner

127ee1a101e3f5ebab39ad98cbe58fefcd52eca5 made the seccomp filter *large*. while this is not a problem at *builder* runtime it *is* a problem at *daemon* runtime, because this large filter takes an inordinate amount of time to load. in a very simple test (`runCommand "x" {} "echo > $out"`) we've seen per-drv build time increase by 50% (from 25ms to 35ms on the test setup). reverting that commit restores performance to non-seccomp'd levels.

ideally we'd keep a zygote process around with the filter fully loaded and ready to go and fork sandboxes off of *that*, but the current worker architecture is so far removed from making this easy that we should just revert the better sandbox for now. 😭

cc @alois31

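Added example, not Lix's code (Lix's real filter rules are not on this page): the parent compiles a seccomp program to raw BPF once and keeps the bytes, and each forked sandbox child installs that cached program with a single seccomp() call, the shape of a precompile-and-cache approach as opposed to rebuilding the filter for every build. The deny-list is a constructed stand-in (it denies getpid so the child can verify the filter took effect), and `compile_filter`, `install_filter` and `MAX_FILTER_INSNS` are names chosen here.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_FILTER_INSNS 4096 /* kernel cap on one filter's length (BPF_MAXINSNS) */

/* Parent-side, done once: compile a syscall deny-list to raw BPF. Layout: load
 * nr, one JEQ per denied syscall jumping to the ERRNO return, default ALLOW.
 * Returns the instruction count, or 0 if the program would not fit. */
size_t compile_filter(struct sock_filter *out, size_t cap,
                      const int *denied, size_t n_denied) {
    size_t n = n_denied + 3, i = 0;
    if (n > cap || n > MAX_FILTER_INSNS || n_denied > 255) return 0; /* jt is 8-bit */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t r = 0; r < n_denied; r++) /* jt skips the remaining tests + ALLOW */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                       (unsigned)denied[r], (unsigned char)(n_denied - r), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    return i;
}

/* Child-side, per sandbox: install the cached program with one seccomp() call. */
int install_filter(struct sock_filter *insns, size_t n) {
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}

int main(void) {
    static struct sock_filter cached[MAX_FILTER_INSNS];
    const int denied[] = { SYS_getpid }; /* constructed stand-in, harmless to deny */
    size_t n = compile_filter(cached, MAX_FILTER_INSNS, denied, 1);
    if (n == 0) return 1;
    pid_t pid = fork(); /* every sandbox child reuses `cached`; nothing is recompiled */
    if (pid == 0) {
        if (install_filter(cached, n) != 0) _exit(2);
        long r = syscall(SYS_getpid); /* denied: returns -1 with errno EPERM */
        _exit(r == -1 && errno == EPERM ? 0 : 3);
    }
    int status = 0; waitpid(pid, &status, 0);
    return WEXITSTATUS(status); /* 0 means the cached filter took effect */
}
```

A production filter also checks `seccomp_data.arch` before comparing syscall numbers, and a real compiler chains jumps so lists longer than 255 entries still fit the 8-bit offsets.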
pennae added this to the v2.91 milestone 2024-08-05 00:52:02 +00:00
pennae added the bug label 2024-08-05 00:52:02 +00:00
Member

This issue was mentioned on Gerrit on the following CLs:

  • commit message in cl/1719 (https://gerrit.lix.systems/c/lix/+/1719) ("libstore/linux: precompile and cache the seccomp BPF")
Reference: lix-project/lix#461