Installing snap with multiple interfaces is slow due to incremental apparmor/seccomp changes

In the first boot of a system using a rather slow CPU (imx6ull, one core), installation times for snap can go up to more than 2 minutes. For instance, installation of the network-manager snap is taking around 2m15s.

The time used is split between snapd processing and calls to apparmor_parser (seccomp compile calls are not very costly in comparison). It looks like apparmor_parser is called more than once per profile, depending on the snap it can be up to 3-5 times.

This can be seen in the attached bootchart. I recommend opening it with firefox, and search there for apparmor_parser --replace --write-cache -O no-expr-simplify --cache-loc=/var/cache/apparmor --quiet /var/lib/snapd/apparmor/profiles/snap.network-manager.networkmanager. The same profile is parsed 5 times, spending 3-5 seconds each time. These calls sum up 40 seconds for this snap, if we reduce them to 10 sec, that would save 22% of the installation time.

Bootchart: https://drive.google.com/file/d/1nIIMyD0flXL6R4c_NeXJKvpdOaPEoIop/view?usp=sharing

Journal: https://drive.google.com/file/d/1AdBi0UsrO_vjMGQBfJatwwy28SQA1W5I/view?usp=sharing

Calls to apparmor_parser (note that it forks, so the number is half of what is seen in the text. Also, the times shown are strict CPU time, not real time, which takes longer for each process): https://paste.ubuntu.com/p/b7ysv5FKH8/

2 Likes
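The counting described in the post (runs of apparmor_parser per profile, with the forked duplicate folded out, and the CPU time that loading each profile only once would save) can be reproduced with a short script. The one below is an added example, not code from the thread or from snapd; it assumes a process listing with one record per line in the form `<cpu_seconds> <command line>`, which is a constructed stand-in for the listing linked above, and the sample records it embeds are constructed to mirror the numbers in the post (five loads of the network-manager app profile at roughly 3.9 s each).

```python
"""Count apparmor_parser runs per snap profile and estimate what loading
each profile once would save.

Added example for this thread; it is neither snapd code nor the poster's
script. It assumes a process listing with one record per line,
"<cpu_seconds> <command line>", a constructed stand-in for the listing
linked in the post.
"""
import re
from collections import defaultdict

# Command line snapd uses, as quoted in the post; the profile path comes last.
PARSER_CMD = ("apparmor_parser --replace --write-cache -O no-expr-simplify "
              "--cache-loc=/var/cache/apparmor --quiet ")
PROFILE_RE = re.compile(r"\bapparmor_parser\b.*\s(/var/lib/snapd/apparmor/profiles/\S+)$")
NM_PROFILE = "/var/lib/snapd/apparmor/profiles/snap.network-manager.networkmanager"
HOOK_PROFILE = "/var/lib/snapd/apparmor/profiles/snap.network-manager.hook.configure"


def _parser_records(profile, runs, child_cpu, parent_cpu=0.02):
    """Constructed records: apparmor_parser forks, so each logical run shows
    up as two process records (the parent, then the child doing the work)."""
    lines = []
    for _ in range(runs):
        lines.append(f"{parent_cpu:.2f} {PARSER_CMD}{profile}")
        lines.append(f"{child_cpu:.2f} {PARSER_CMD}{profile}")
    return lines


# Constructed sample listing: 5 loads of the app profile, 2 of a hook
# profile, plus unrelated processes that must be ignored by the counter.
SAMPLE_RECORDS = "\n".join(
    ["0.31 /usr/lib/snapd/snapd",
     "0.12 /usr/lib/snapd/snap-seccomp compile snap.network-manager.networkmanager.src"]
    + _parser_records(NM_PROFILE, runs=5, child_cpu=3.90)
    + _parser_records(HOOK_PROFILE, runs=2, child_cpu=1.50)
)


def parse_records(text):
    """Yield (cpu_seconds, command) for each non-empty line of the listing."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            cpu, _, cmd = line.partition(" ")
            yield float(cpu), cmd


def parser_runs(text):
    """Map profile path -> (logical runs, CPU seconds), folding the parent
    and forked child of each apparmor_parser invocation into one run."""
    records = defaultdict(int)
    cpu = defaultdict(float)
    for secs, cmd in parse_records(text):
        m = PROFILE_RE.search(cmd)
        if m:
            records[m.group(1)] += 1
            cpu[m.group(1)] += secs
    # Two process records per logical run (fork), hence the halving;
    # CPU time of parent and child both count towards the run.
    return {p: (n // 2, cpu[p]) for p, n in records.items()}


def estimate_saving(runs):
    """CPU seconds spent now versus loading each profile exactly once,
    using the observed average cost of one load of that profile."""
    total = sum(secs for _, secs in runs.values())
    once = sum(secs / n for n, secs in runs.values() if n)
    saved = total - once
    return {"total_cpu": total, "once_cpu": once, "saved_cpu": saved,
            "saved_fraction": saved / total if total else 0.0}


if __name__ == "__main__":
    runs = parser_runs(SAMPLE_RECORDS)
    for profile, (n, secs) in sorted(runs.items()):
        print(f"{n} loads, {secs:6.2f}s CPU  {profile}")
    print(estimate_saving(runs))
```

Feeding it a real listing means converting that listing to the two-column form first; the halving only holds while every parser invocation forks exactly once, so a listing that already collapses parent and child into one record should skip the `// 2`.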

Thank you for preparing this. I will look at the numbers and discuss what kind of changes we could make in the security layers and above to optimise the number of transitional security setups (where the setup is temporary for a brief split second and is promptly replaced by another one).

1 Like

Connecting GPIO interfaces, which takes around 18 seconds, is a similar situation. The solution in that case seems to be to be able to tell snapd to make multiple interface connections at the same time.

@zyga-snapd, recall that a solution to this would be to run apparmor_parser only at the end of a snap install/refresh, which is something we’ve discussed before. apparmor_parser is tolerable on armhf if it is once per profile, but once per interface per profile can be painful.

Yes, that’s the plan but we need to think how to implement it given the changes planned in Issue with using snapstate Active for interface repository

hi @zyga-snapd, any update on this one? This change should provide significant boot time improvements for our use of the IMX6. Thanks.

1 Like

We don’t have any updates yet.

1 Like