Bug 644636

Summary: kernel wastes huge amounts of memory due to CONFIG_IMA [rhel-6.0.z]
Product: Red Hat Enterprise Linux 6 Reporter: Benjamin Kahn <bkahn>
Component: kernelAssignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED ERRATA QA Contact: Mike Gahagan <mgahagan>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.0CC: arozansk, chellwig, dchinner, dhoward, eparis, fhrbata, jeder, jwest, kyle, msnitzer, pm-eus, sgrubb, syeghiay
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-2.6.32-71.5.1.el6 Doc Type: Bug Fix
Doc Text:
Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-10 19:11:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 643667    
Bug Blocks:    

Description Benjamin Kahn 2010-10-19 21:03:27 UTC 
This bug has been copied from bug #643667 and has been proposed
to be backported to 6.0 z-stream (EUS).
Comment 2 Eric Paris 2010-10-19 21:45:29 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
In RHEL6 GA IMA will be available simply by loading an IMA policy.  In the 6.0.z and 6.1+ kernels one will need to boot with ima=on on the command line as well as load an IMA policy in order for IMA to function.  This is to reduce the overhead of IMA for users who do not intend to use this feature.
Comment 3 Frantisek Hrbata 2010-10-20 06:22:32 UTC 
in 2.6.32-71.5.1.el6
Comment 5 Mike Gahagan 2010-10-25 20:46:55 UTC 
Confirmed IMA is disabled by default. Enabled IMA with ima=on ima_tcb=1. Ran LTP fs tests with both IMA on and off, observed radix_tree_node slab object was about 6-8 times larger with IMA on with the same test suite. After mounting securityfs I could see that IMA was indeed functional.
Comment 6 Ryan Lerch 2010-11-04 03:46:42 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-In RHEL6 GA IMA will be available simply by loading an IMA policy.  In the 6.0.z and 6.1+ kernels one will need to boot with ima=on on the command line as well as load an IMA policy in order for IMA to function.  This is to reduce the overhead of IMA for users who do not intend to use this feature.+IMA In Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA to function.
Comment 8 Ryan Lerch 2010-11-04 03:50:21 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-IMA In Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA to function.+IMA in Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA. This change reduces overhead on systems not using IMA.
Comment 10 errata-xmlrpc 2010-11-10 19:11:49 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0842.html
Comment 11 Martin Prpič 2010-11-11 12:05:56 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-IMA in Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA. This change reduces overhead on systems not using IMA.+Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.