new large seccomp filter greatly regresses sandbox setup speed #461
Labels
No labels
Area/build-packaging
Area/cli
Area/evaluator
Area/fetching
Area/flakes
Area/language
Area/profiles
Area/protocol
Area/releng
Area/remote-builds
Area/repl
Area/store
bug
crash 💥
Cross Compilation
devx
docs
Downstream Dependents
E/easy
E/hard
E/help wanted
E/reproducible
E/requires rearchitecture
imported
Needs Langver
OS/Linux
OS/macOS
performance
regression
release-blocker
RFD
stability
Status
blocked
Status
invalid
Status
postponed
Status
wontfix
testing
testing/flakey
ux
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lix-project/lix#461
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
127ee1a101
made the seccomp filter large. while this is not a problem at builder runtime it is a problem at daemon runtime, because this large filter takes an inordinate amount of time to load. in a very simple test (runCommand "x" {} "echo > $out"
) we've seen per-drv build time increase by 50% (from 25ms to 35ms on the test setup). reverting that commit restores performance to non-seccomp'd levels.ideally we'd keep a zygote process around with the filter fully loaded and ready to go and fork sandboxes off of that, but the current worker architecture is so far removed from making this easy that should just revert the better sandbox for now. 😭
cc @alois31
This issue was mentioned on Gerrit on the following CLs: