Bug 644636 - kernel wastes huge amounts of memory due to CONFIG_IMA [rhel-6.0.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Red Hat Kernel Manager
QA Contact: Mike Gahagan
URL:
Whiteboard:
Depends On: 643667
Blocks:
Reported: 2010-10-19 21:03 UTC by Benjamin Kahn
Modified: 2010-11-11 12:05 UTC

Fixed In Version: kernel-2.6.32-71.5.1.el6
Doc Type: Bug Fix
Doc Text:
Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
Clone Of:
Environment:
Last Closed: 2010-11-10 19:11:49 UTC
Target Upstream Version:


Links
System: Red Hat Product Errata
ID: RHSA-2010:0842
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security and bug fix update
Last Updated: 2010-11-22 19:34:20 UTC

Description Benjamin Kahn 2010-10-19 21:03:27 UTC
This bug has been copied from bug #643667 and has been proposed
to be backported to 6.0 z-stream (EUS).

Comment 2 Eric Paris 2010-10-19 21:45:29 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
In RHEL6 GA IMA will be available simply by loading an IMA policy.  In the 6.0.z and 6.1+ kernels one will need to boot with ima=on on the command line as well as load an IMA policy in order for IMA to function.  This is to reduce the overhead of IMA for users who do not intend to use this feature.

Comment 3 Frantisek Hrbata 2010-10-20 06:22:32 UTC
in 2.6.32-71.5.1.el6

Comment 5 Mike Gahagan 2010-10-25 20:46:55 UTC
Confirmed IMA is disabled by default. Enabled IMA with ima=on ima_tcb=1. Ran LTP fs tests with both IMA on and off, observed radix_tree_node slab object was about 6-8 times larger with IMA on with the same test suite. After mounting securityfs I could see that IMA was indeed functional.
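
The verification described in Comment 5, sketched as an added example that is not part of the bug report or any Red Hat tooling: it checks a kernel command line for the `ima=on` token and compares `radix_tree_node` slab usage between two `/proc/slabinfo` snapshots. The function names are hypothetical, the sample inputs are constructed, and the slabinfo column order (name, active_objs, num_objs, objsize) is assumed.

```shell
#!/bin/sh
# Added example. On a real host, feed these functions from /proc/cmdline and
# /proc/slabinfo (the latter needs root). The samples below are constructed.

# Print "on" if the exact boot token "ima=on" appears on stdin, else "off".
# Exact token match, so "ima=once" or "xima=on" do not count.
ima_boot_state() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "ima=on") found = 1 }
         END { print (found ? "on" : "off") }'
}

# Print the KiB held by slab cache $1 (num_objs * objsize) from slabinfo
# text on stdin; prints 0 when the cache is not listed.
slab_kib() {
    awk -v cache="$1" '$1 == cache { kib = int($3 * $4 / 1024) }
                       END { print kib + 0 }'
}

# Integer growth factor of cache $1 between a baseline snapshot ($2) and a
# later snapshot ($3), both passed as slabinfo text.
slab_growth() {
    base=$(printf '%s\n' "$2" | slab_kib "$1")
    now=$(printf '%s\n' "$3" | slab_kib "$1")
    [ "$base" -gt 0 ] || { echo 0; return 0; }
    echo $(( now / base ))
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CMDLINE_OFF='ro root=/dev/mapper/vg-root rhgb quiet'
SAMPLE_CMDLINE_ON='ro root=/dev/mapper/vg-root rhgb quiet ima=on ima_tcb=1'
SAMPLE_SLAB_OFF='radix_tree_node 2000 2048 560 7 1 : tunables 0 0 0 : slabdata 293 293 0'
SAMPLE_SLAB_ON='radix_tree_node 14000 14336 560 7 1 : tunables 0 0 0 : slabdata 2048 2048 0'

printf 'ima boot state (sample): %s\n' \
    "$(printf '%s\n' "$SAMPLE_CMDLINE_ON" | ima_boot_state)"
printf 'radix_tree_node growth (sample): %sx\n' \
    "$(slab_growth radix_tree_node "$SAMPLE_SLAB_OFF" "$SAMPLE_SLAB_ON")"
```

On a live system the equivalent calls are `ima_boot_state < /proc/cmdline` and `slab_kib radix_tree_node < /proc/slabinfo`, taken once with IMA off and once with it on under the same workload.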

Comment 6 Ryan Lerch 2010-11-04 03:46:42 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-In RHEL6 GA IMA will be available simply by loading an IMA policy.  In the 6.0.z and 6.1+ kernels one will need to boot with ima=on on the command line as well as load an IMA policy in order for IMA to function.  This is to reduce the overhead of IMA for users who do not intend to use this feature.+IMA In Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA to function.
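
Review bot: The added text opens with "IMA In Red Hat Enterprise Linux 6.0 GA", with a stray capital on "In", and it drops the removed text's closing sentence saying the change reduces IMA overhead for users who do not intend to use the feature. Lowercase "in" and keep a short statement of that rationale so readers can see why "ima=on" became necessary.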

Comment 8 Ryan Lerch 2010-11-04 03:50:21 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-IMA In Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA to function.+IMA in Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA. This change reduces overhead on systems not using IMA.
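
Review bot: "future updates" in the added text does not say which kernels need the boot parameter, while the first version of this note named the 6.0.z and 6.1+ kernels. Name those kernels here so an administrator can tell whether an installed kernel requires "ima=on".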

Comment 10 errata-xmlrpc 2010-11-10 19:11:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 11 Martin Prpič 2010-11-11 12:05:56 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-IMA in Red Hat Enterprise Linux 6.0 GA is enabled by loading an IMA policy. However, future updates will require the boot parameter "ima=on" in addition to loading an IMA policy to enable IMA. This change reduces overhead on systems not using IMA.+Previously, Red Hat Enterprise Linux 6 enabled the CONFIG_IMA option in the kernel. This caused the kernel to track all inodes in the system in a radix tree, leading to a huge waste of memory. With this update, an optimized version of a tree (rbtree) is used and memory is no longer wasted.
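
Review bot: The added text no longer mentions that the "ima=on" boot parameter is required in addition to loading an IMA policy, which the removed text stated. A reader whose system depends on IMA gets no indication from the final note that IMA stays off without the parameter after this update; keep that sentence alongside the memory-usage explanation.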

