Bug 644636 - kernel wastes huge amounts of memory due to CONFIG_IMA [rhel-6.0.z]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.0
Hardware: All Linux
Priority: urgent, Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Red Hat Kernel Manager
QA Contact: Mike Gahagan
Keywords: ZStream
Depends On: 643667
Reported: 2010-10-19 17:03 EDT by Benjamin Kahn
Modified: 2010-11-11 07:05 EST
Fixed In Version: kernel-2.6.32-71.5.1.el6
Doc Type: Bug Fix
Doc Text:
Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
Last Closed: 2010-11-10 14:11:49 EST
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2010:0842
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security and bug fix update
Last Updated: 2010-11-22 14:34:20 EST
Description Benjamin Kahn 2010-10-19 17:03:27 EDT
This bug has been copied from bug #643667 and has been proposed
to be backported to 6.0 z-stream (EUS).
Comment 2 Eric Paris 2010-10-19 17:45:29 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
In RHEL6 GA IMA will be available simply by loading an IMA policy.  In the 6.0.z and 6.1+ kernels one will need to boot with ima=on on the command line as well as load an IMA policy in order for IMA to function.  This is to reduce the overhead of IMA for users who do not intend to use this feature.
Comment 3 Frantisek Hrbata 2010-10-20 02:22:32 EDT
in 2.6.32-71.5.1.el6
Comment 5 Mike Gahagan 2010-10-25 16:46:55 EDT
Confirmed IMA is disabled by default. Enabled IMA with ima=on ima_tcb=1. Ran LTP fs tests with both IMA on and off, observed radix_tree_node slab object was about 6-8 times larger with IMA on with the same test suite. After mounting securityfs I could see that IMA was indeed functional.
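The checks described in Comment 5, as an added example that is not part of the bug report or of Red Hat's test procedure: it tests a kernel command line for `ima=on`, reads the IMA measurement count from securityfs, and compares `radix_tree_node` slab usage between two snapshots. The function names are hypothetical, the snapshot data is constructed, and the parsing assumes the standard `/proc/slabinfo` column order.

```shell
#!/bin/sh
# Added example, not from the bug report. Snapshot data below is constructed.

# Succeeds if kernel command line $1 carries the exact token ima=on.
ima_boot_enabled() {
    case " $1 " in
        *" ima=on "*) return 0 ;;
    esac
    return 1
}

# KiB held by slab cache $1 (num_objs * objsize) in slabinfo-format file $2.
slab_kib() {
    awk -v n="$1" '$1 == n { k = int($3 * $4 / 1024) } END { print k + 0 }' "$2"
}

# Growth factor of cache $1 between snapshot $2 (IMA off) and $3 (IMA on).
slab_ratio() {
    off=$(slab_kib "$1" "$2"); on=$(slab_kib "$1" "$3")
    [ "$off" -gt 0 ] || { echo "n/a"; return 1; }
    awk -v a="$on" -v b="$off" 'BEGIN { printf "%.1f\n", a / b }'
}

# Report for the running system; /proc/slabinfo normally needs root.
ima_live_report() {
    if ima_boot_enabled "$(cat /proc/cmdline)"; then
        echo "boot: ima=on present"
    else
        echo "boot: ima=on absent"
    fi
    c=/sys/kernel/security/ima/runtime_measurements_count
    if [ -r "$c" ]; then echo "measurements: $(cat "$c")"
    else echo "measurements: unavailable (securityfs not mounted or IMA off)"; fi
    if [ -r /proc/slabinfo ]; then
        echo "radix_tree_node: $(slab_kib radix_tree_node /proc/slabinfo) KiB"
    fi
}

# Constructed snapshots in /proc/slabinfo column order (name active num objsize ...).
demo() {
    d=$(mktemp -d)
    echo "radix_tree_node 1900 2000 560 7 1 : tunables 0 0 0" > "$d/ima_off"
    echo "radix_tree_node 13500 14000 560 7 1 : tunables 0 0 0" > "$d/ima_on"
    echo "ima_off: $(slab_kib radix_tree_node "$d/ima_off") KiB"
    echo "ima_on: $(slab_kib radix_tree_node "$d/ima_on") KiB"
    echo "growth: $(slab_ratio radix_tree_node "$d/ima_off" "$d/ima_on")x"
    rm -rf "$d"
}

if [ "${1:-}" = "--live" ]; then ima_live_report; else demo; fi
```

Run with `--live` as root on the host being checked; a host that relies on IMA but reports `ima=on absent` after moving to the fixed kernel is no longer recording measurements.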
Comment 6 Ryan Lerch 2010-11-03 23:46:42 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-In RHEL6 GA IMA will be available simply by loading an IMA policy.  In the 6.0.z and 6.1+ kernels one will need to boot with ima=on on the command line as well as load an IMA policy in order for IMA to function.  This is to reduce the overhead of IMA for users who do not intend to use this feature.+IMA In Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA to function.
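Review bot: the replacement text opens with "IMA In Red Hat Enterprise Linux 6.0 GA", where "In" should be lower-case, and it drops the closing sentence that gave the reason for the change (reducing the overhead of IMA for users who do not intend to use it). Suggest restoring that rationale so the note explains why the boot parameter became necessary.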
Comment 8 Ryan Lerch 2010-11-03 23:50:21 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-IMA In Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA to function.+IMA in Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA. This change reduces overhead on systems not using IMA.
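Review bot: "future updates" in the second sentence does not tell an administrator which kernels require "ima=on". Suggest naming the affected releases explicitly, so that a reader can tell from the note alone whether their installed kernel needs the parameter.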
Comment 10 errata-xmlrpc 2010-11-10 14:11:49 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0842.html
Comment 11 Martin Prpič 2010-11-11 07:05:56 EST
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-IMA in Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA. This change reduces overhead on systems not using IMA.+Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
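Review bot: the new text no longer mentions the "ima=on" boot parameter at all, although the removed text states that it is required in addition to loading an IMA policy, and that requirement is the change an administrator has to act on. Suggest keeping a sentence such as 'IMA now requires the boot parameter "ima=on" in addition to a loaded IMA policy' next to the memory explanation, since a system that relies on IMA would otherwise stop measuring after the update with nothing in the note to explain why.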
