skip read /proc/filesystems if process_label is null #4354
Conversation
Signed-off-by: ningmingxiao <[email protected]>
ningmingxiao
changed the title
|
Good news, thanks. Did you have a benchmark to test how faster than before? For example, you can run 1000 times ’runc exec’. |
after this pr will improve little. |
ningmingxiao
changed the title
| defer selinux.SetKeyLabel("") //nolint: errcheck | ||
| } | ||
| defer selinux.SetKeyLabel("") //nolint: errcheck |
There was a problem hiding this comment.
Do we know what the intent was for these empty selinux.SetKeyLabel("") ? See my comment on opencontainers/selinux#214 (comment)
There was a problem hiding this comment.
I think it's used to clear the label for the next keyring created by the current process once we got an error when we start/exec the container. Because this label can't be inherited by sub-process, so the initial value should be "", so we can set it to an empty string directly to clear it.
There was a problem hiding this comment.
can we use unix.KeyctlString() set keylabel ? @lifubang
There was a problem hiding this comment.
can we use unix.KeyctlString() set keylabel ?
I think no.
There was a problem hiding this comment.
Do we know what the intent was for these empty
selinux.SetKeyLabel("")? See my comment on opencontainers/selinux#214 (comment)
Some are added by commit cd96170, and some are by aa3fee6, which provides an explanation:
should also call SetProcessLabel("") after the container starts
to go back to the default SELinux behaviour.
Given the fact that Init() never returns unless there's an error (because it ends with exec), those defers are only called in case of an error.
|
I think the performance overhead is negligible (as the /proc/filesystems is only read once per binary invocation). As to whether we can skip |
when compare to crun runc will open "/proc/filesystems" even process_label is null
when I try to make runc exec faster
#3181