Bug 2326999
Summary: | passt-selinux upgrade: restorecon taking 30+ minutes | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Garrett M <garrett> |
Component: | passt | Assignee: | Stefano Brivio <sbrivio> |
Status: | CLOSED DUPLICATE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 40 | CC: | plautrba, sbrivio, sehnoutka.martin |
Target Milestone: | --- | Keywords: | SELinux, Upgrades |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Last Closed: | 2024-11-26 14:20:53 UTC | Type: | --- |
Description
Garrett M
2024-11-18 14:38:55 UTC
Garrett, thanks for reporting this.

The installation scriptlets for passt-selinux use the %selinux_relabel_pre and %selinux_relabel_post macros: the former prepares a list of SELinux contexts for the affected files, and the latter ensures we relabel only the affected files.

I wouldn't expect such a wide 'restorecon' to be issued as a result of that, so I have a couple of questions:

- did you have a look at the parent process for that 'restorecon' command?
- was the passt-selinux scriptlet just running for a very long time, or it also had very high CPU usage?
- I haven't tried to reproduce this yet... do you think you would have a chance to? How big was the package update otherwise?

Hello,
I'm experiencing the same issue. During the previous dnf upgrade I killed the upgrade process, this time I'm still waiting for it to finish:
dnf output:
[228/265] Removing qemu-device-display-virtio-gpu-rutabaga-2:9.1.1-2.fc41.x86_64 100% | 129.0 B/s | 4.0 B | 00m00s
[229/265] Removing qemu-device-usb-redirect-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s
[230/265] Removing qemu-ui-curses-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s
[231/265] Removing intel-gmmlib-0:22.5.2-1.fc41.x86_64 100% | 1.8 KiB/s | 9.0 B | 00m00s
[232/265] Removing qemu-block-blkio-2:9.1.1-2.fc41.x86_64 100% | 1.3 KiB/s | 4.0 B | 00m00s
[233/265] Removing qemu-block-dmg-2:9.1.1-2.fc41.x86_64 100% | 1.3 KiB/s | 4.0 B | 00m00s
[234/265] Removing qemu-block-gluster-2:9.1.1-2.fc41.x86_64 100% | 105.0 B/s | 4.0 B | 00m00s
[235/265] Removing qemu-ui-egl-headless-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s
[236/265] Removing qemu-ui-opengl-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s
[237/265] Removing qemu-device-display-virtio-gpu-pci-gl-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s
[238/265] Removing rubygem-irb-0:1.13.1-14.fc41.noarch 100% | 23.6 KiB/s | 169.0 B | 00m00s
[239/265] Removing qemu-device-display-virtio-gpu-gl-2:9.1.1-2.fc41.x86_64 100% | 125.0 B/s | 4.0 B | 00m00s
[240/265] Removing rubygem-rdoc-0:6.6.3.1-14.fc41.noarch 100% | 9.2 KiB/s | 198.0 B | 00m00s
[241/265] Removing qemu-device-display-virtio-gpu-ccw-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s
[242/265] Removing qemu-device-display-virtio-gpu-pci-rutabaga-2:9.1.1-2.fc41.x86_64 100% | 750.0 B/s | 3.0 B | 00m00s
[243/265] Removing qemu-device-display-virtio-gpu-pci-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s
[244/265] Removing qemu-device-display-virtio-vga-gl-2:9.1.1-2.fc41.x86_64 100% | 75.0 B/s | 3.0 B | 00m00s
[245/265] Removing qemu-device-display-virtio-vga-rutabaga-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s
[246/265] Removing rubygem-io-console-0:0.7.1-14.fc41.x86_64 100% | 4.9 KiB/s | 15.0 B | 00m00s
[247/265] Removing rubygem-psych-0:5.1.2-14.fc41.x86_64 100% | 10.5 KiB/s | 54.0 B | 00m00s
[248/265] Removing ruby-default-gems-0:3.3.5-14.fc41.noarch 100% | 10.0 KiB/s | 72.0 B | 00m00s
[249/265] Removing rubygems-0:3.5.16-14.fc41.noarch 100% | 14.9 KiB/s | 305.0 B | 00m00s
[250/265] Removing passt-selinux-0:0^20241030.gee7d0b6-1.fc41.noarch 100% | 58.0 B/s | 3.0 B | 00m00s
[251/265] Removing selinux-policy-0:41.25-1.fc41.noarch 100% | 200.0 B/s | 12.0 B | 00m00s
[252/265] Removing selinux-policy-targeted-0:41.25-1.fc41.noarch 100% | 19.9 KiB/s | 1.7 KiB | 00m00s
[253/265] Removing evolution-data-server-langpacks-0:3.54.1-1.fc41.noarch 100% | 4.8 KiB/s | 89.0 B | 00m00s
[254/265] Removing grub2-common-1:2.12-10.fc41.noarch 100% | 9.3 KiB/s | 57.0 B | 00m00s
[255/265] Removing pcp-conf-0:6.3.1-1.fc41.x86_64 100% | 6.2 KiB/s | 19.0 B | 00m00s
[256/265] Removing cups-filesystem-1:2.4.11-2.fc41.noarch 100% | 387.0 B/s | 12.0 B | 00m00s
[257/265] Removing mutter-common-0:47.1-2.fc41.noarch 100% | 2.0 KiB/s | 8.0 B | 00m00s
[258/265] Removing ruby-libs-0:3.3.5-14.fc41.x86_64 100% | 8.2 KiB/s | 596.0 B | 00m00s
[259/265] Removing qemu-device-display-virtio-vga-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s
[260/265] Removing qemu-device-display-virtio-gpu-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s
[261/265] Removing qemu-common-2:9.1.1-2.fc41.x86_64 100% | 1.9 KiB/s | 100.0 B | 00m00s
[262/265] Removing glibc-0:2.40-11.fc41.x86_64 100% | 6.5 KiB/s | 100.0 B | 00m00s
[263/265] Removing glibc-langpack-en-0:2.40-11.fc41.x86_64 100% | 80.1 KiB/s | 492.0 B | 00m00s
[264/265] Removing glibc-gconv-extra-0:2.40-11.fc41.x86_64 100% | 7.7 KiB/s | 627.0 B | 00m00s
[265/265] Removing glibc-common-0:2.40-11.fc41.x86_64 100% [==================] | 2.0 B/s | 53.0 B | -00m00s
>>> Running post-transaction scriptlet: passt-selinux-0:0^20241121.g238c69f-1.fc41.noarch
pstree:
root@m ~ [SIGINT]# pstree -pa | rg dnf -C 10
| | | |-{Xwayland},6327
| | | |-{Xwayland},6328
| | | |-{Xwayland},6329
| | | |-{Xwayland},6330
| | | |-{Xwayland},6331
| | | |-{Xwayland},6332
| | | |-{Xwayland},6333
| | | `-{Xwayland},6387
| | |-alacritty,57416
| | | |-fish,57483
| | | | `-sudo,57952 dnf upgrade --refresh
| | | | `-sudo,57981 dnf upgrade --refresh
| | | | `-dnf,57982 upgrade --refresh
| | | | |-sh,59778 /var/tmp/rpm-tmp.SadBzo 2
| | | | | `-fixfiles,59781 /sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore
| | | | | `-restorecon,60420 -e /sys -e /proc -e /mnt -e /var/tmp -e /home -e /root -e /tmp -i -R ...
| | | | `-{dnf},58249
strace reports a huge amount of operations, so this is just a small part:
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdcache.h", {st_mode=S_IFREG|0644, st_size=2679, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontg.h", {st_mode=S_IFREG|0644, st_size=490, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontl.h", {st_mode=S_IFREG|0644, st_size=488, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontmb.h", {st_mode=S_IFREG|0644, st_size=451, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfonts.h", {st_mode=S_IFREG|0644, st_size=452, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontt.h", {st_mode=S_IFREG|0644, st_size=484, ...}, AT_SYMLINK_NOFOLLOW) = 0
getdents64(3, 0x55ae3c17cf40 /* 0 entries */, 32768) = 0
close(3) = 0
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gd.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gd_clip.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gd_io.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdcache.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontg.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontl.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontmb.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfonts.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontt.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/ipa.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/macro.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/svg.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/types.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/x.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
openat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=12, ...}) = 0
getdents64(3, 0x55ae3c17cf40 /* 3 entries */, 32768) = 80
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml", {st_mode=S_IFDIR|0755, st_size=930, ...}, AT_SYMLINK_NOFOLLOW) = 0
getdents64(3, 0x55ae3c17cf40 /* 0 entries */, 32768) = 0
close(3) = 0
lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41
openat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=930, ...}) = 0
getdents64(3, 0x55ae3c17cf40 /* 49 entries */, 32768) = 1592
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/DOCBparser.h", {st_mode=S_IFREG|0644, st_size=3157, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/HTMLparser.h", {st_mode=S_IFREG|0644, st_size=9410, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/HTMLtree.h", {st_mode=S_IFREG|0644, st_size=3646, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/SAX.h", {st_mode=S_IFREG|0644, st_size=4341, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/SAX2.h", {st_mode=S_IFREG|0644, st_size=4949, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/c14n.h", {st_mode=S_IFREG|0644, st_size=3115, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/catalog.h", {st_mode=S_IFREG|0644, st_size=4906, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/chvalid.h", {st_mode=S_IFREG|0644, st_size=5159, ...}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/debugXML.h", {st_mode=S_IFREG|0644, st_size=5152, ...}, AT_SYMLINK_NOFOLLOW) = 0
the CPU usage is high and the laptop fan is very noisy
(In reply to Martin Sehnoutka from comment #2)
> | | | | | `-restorecon,60420 -e /sys -e /proc -e
> /mnt -e /var/tmp -e /home -e /root -e /tmp -i -R ...
> | | | | `-{dnf},58249
>
> [...]
>
> newfstatat(AT_FDCWD,
> "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/
> libwmf/gd/gdcache.h", {st_mode=S_IFREG|0644, st_size=2679, ...},
> AT_SYMLINK_NOFOLLOW) = 0
> newfstatat(AT_FDCWD,
> "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/
> libwmf/gd/gdfontg.h", {st_mode=S_IFREG|0644, st_size=490, ...},
> AT_SYMLINK_NOFOLLOW) = 0
>
> [...]

Ouch, it's relabeling the whole filesystem. I'm still trying to find out why.

Petr, do you have a hint for me here? The passt-selinux scriptlets are the "recommended":

--
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp

%postun selinux
if [ $1 -eq 0 ]; then
	%selinux_modules_uninstall -s %{selinuxtype} passt
	%selinux_modules_uninstall -s %{selinuxtype} pasta
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
--

and since some time %selinux_relabel_post decides to relabel the whole root filesystem (and beyond?). What am I doing wrong?

It's probably the known problem which rarely happens, see https://bugzilla.redhat.com/show_bug.cgi?id=2318279

It's related to changes in selinux-policy which affect high level paths like /usr/ and which use regexp. E.g. If there's a change like sbin -> bin merge the scriptlet runs relabel on whole /usr and it could take its time.

(In reply to Petr Lautrbach from comment #5)
> It's probably the known problem which rarely happens, see
> https://bugzilla.redhat.com/show_bug.cgi?id=2318279
>
> It's related to changes in selinux-policy which affect high level paths like
> /usr/ and which use regexp. E.g. If there's a change like sbin -> bin merge
> the scriptlet runs relabel on whole /usr and it could take its time.

Thanks Petr for the explanation!

Garrett, Martin, there isn't much we can do: this upgrade will take a long time, but it's a one-off thing. It's not specific to passt-selinux files, it's just that this package triggers a relabeling at the end of the transaction.

I would mark this as duplicate of bz2318279 if it makes sense to you. Let me know.

Yes, I saw that commit in selinux policy, it is not a great upgrade path, but I completely understand there is not much to do. Thanks! :-) Closing the bug as duplicate makes sense to me.

Wasn't able to reproduce this on my other system, but closing as duplicate makes sense I think. Curious that it finished when I stopped packagekit, but that might've just been a coincidence. Thanks for the investigation.

*** This bug has been marked as a duplicate of bug 2318279 ***
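An added example, not part of the bug thread and not the fixfiles source: a Python model of the behaviour described in comment #5, where a changed file-context regex near the top of /usr widens the relabel to the whole tree. It assumes changed specs are cut at their first regex metacharacter to get a literal prefix; the real fixfiles rules may differ in detail, and the sample entries and the name `relabel_roots` are constructed here.

```python
import re

# Constructed file_contexts entries for illustration; not taken from the bug report.
OLD_FC = r"""
/usr/bin/passt(\.avx2)?    --  system_u:object_r:passt_exec_t:s0
/usr/sbin/exampled         --  system_u:object_r:exampled_exec_t:s0
/var/lib/exampled(/.*)?        system_u:object_r:exampled_var_lib_t:s0
"""
# Policy update A: one spec is rewritten with a regex near the top of /usr.
MERGED_FC = OLD_FC.replace("/usr/sbin/exampled", "/usr/(s)?bin/exampled")
# Policy update B: only the label of one deep, mostly literal spec changes.
RETYPED_FC = OLD_FC.replace("passt_exec_t", "bin_t")

# Characters that end the literal part of a file-context path regex.
REGEX_META = re.compile(r"[\\\[\](){}?*+.|^$]")


def relabel_roots(old_fc: str, new_fc: str) -> list[str]:
    """Return the path globs a recursive relabel would start from."""
    # Any line present in only one version counts as a changed spec.
    changed = set(old_fc.splitlines()) ^ set(new_fc.splitlines())
    roots = set()
    for line in changed:
        if not line.startswith("/"):
            continue
        spec = line.split()[0]
        meta = REGEX_META.search(spec)
        # Assumption: keep the literal prefix, replace the rest with a glob.
        roots.add(spec[:meta.start()] + "*" if meta else spec)
    kept: list[str] = []
    # Shortest prefixes first, so a broad glob absorbs narrower roots under it.
    for root in sorted(roots, key=lambda r: (len(r.rstrip("*")), r)):
        if not any(k.endswith("*") and root.startswith(k[:-1]) for k in kept):
            kept.append(root)
    return sorted(kept)


if __name__ == "__main__":
    print("sbin/bin-style regex change:", relabel_roots(OLD_FC, MERGED_FC))
    print("single label change:        ", relabel_roots(OLD_FC, RETYPED_FC))
```

On a real system, the inputs to compare would be the saved /var/lib/rpm-state/file_contexts.pre seen in the pstree output and the policy's current file_contexts.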