rpm-ostree startup delays because of GPG key loading #761
Comments
|
Supporting Maybe best is to have all commits signed with the N and the N-1 keys. |
|
Makes sense, though an entirely different fix is to cache the deployment verification status (debate whether to do it in |
jlebon
added a commit
to jlebon/rpm-ostree
that referenced
this issue
Feb 4, 2022
In Fedora today, we ship 51 GPG pubkeys in `/etc/pki/rpm-gpg`. These keys are used to verify RPM packages, but also OSTree commits. But the sheer number of keys makes actually loading them and verifying signatures costly. rpm-ostree pays this price at startup when creating variants for its D-Bus properties describing the deployments. Multiple things make this even costlier in rpm-ostree: 1. by default we auto-exit after a certain period of time, which means that on the next startup we have to pay the verification price again 2. the same deployed commit may be re-verified up to 3 times as the different D-Bus properties may refer to the same deployment, and we dumbly regenerate its `GVariant` each time This results in a noticeable delay in rpm-ostree startup: coreos/fedora-coreos-tracker#761 I believe also this is the root cause for the `ostree.hotfix` FCOS test flaking: coreos/fedora-coreos-tracker#942. My theory is that when this test runs on nodes with contended I/O (e.g. with many other tests running in parallel), GPG verification can get slow enough that the daemon doesn't finish in time to answer back the the D-Bus call from the client, which then times out. That test creates a new deployment using `ostree admin unlock --hotfix` which multiples the cost. This patch adds caching of verification results as suggested in the tracker issue. This makes rpm-ostree startup *noticeably* faster and should also fix the `ostree.hotfix` flake. I think though we should still do $something about those keys, ideally at the Fedora level if not in FCOS/FSB/FIoT. Closes: coreos/fedora-coreos-tracker#761
|
The original problem which motivated me filing this is fixed by coreos/rpm-ostree#3406, but as mentioned there, we should probably still discuss if there's something we should do about all those keys. |
jlebon
added a commit
to jlebon/rpm-ostree
that referenced
this issue
Feb 4, 2022
In Fedora today, we ship 51 GPG pubkeys in `/etc/pki/rpm-gpg`. These keys are used to verify RPM packages, but also OSTree commits. But the sheer number of keys makes actually loading them and verifying signatures costly. rpm-ostree pays this price at startup when creating variants for its D-Bus properties describing the deployments. Multiple things make this even costlier in rpm-ostree: 1. by default we auto-exit after a certain period of time, which means that on the next startup we have to pay the verification price again 2. the same deployed commit may be re-verified up to 3 times as the different D-Bus properties may refer to the same deployment, and we dumbly regenerate its `GVariant` each time This results in a noticeable delay in rpm-ostree startup: coreos/fedora-coreos-tracker#761 I believe also this is the root cause for the `ostree.hotfix` FCOS test flaking: coreos/fedora-coreos-tracker#942. My theory is that when this test runs on nodes with contended I/O (e.g. with many other tests running in parallel), GPG verification can get slow enough that the daemon doesn't finish in time to answer back the the D-Bus call from the client, which then times out. That test creates a new deployment using `ostree admin unlock --hotfix` which multiples the cost. This patch adds caching of verification results as suggested in the tracker issue. This makes rpm-ostree startup *noticeably* faster and should also fix the `ostree.hotfix` flake. I think though we should still do $something about those keys, ideally at the Fedora level if not in FCOS/FSB/FIoT. Closes: coreos/fedora-coreos-tracker#761
jlebon
added a commit
to jlebon/rpm-ostree
that referenced
this issue
Feb 8, 2022
In Fedora today, we ship 51 GPG pubkeys in `/etc/pki/rpm-gpg`. These keys are used to verify RPM packages, but also OSTree commits. But the sheer number of keys makes actually loading them and verifying signatures costly. rpm-ostree pays this price at startup when creating variants for its D-Bus properties describing the deployments. Multiple things make this even costlier in rpm-ostree: 1. by default we auto-exit after a certain period of time, which means that on the next startup we have to pay the verification price again 2. the same deployed commit may be re-verified up to 3 times as the different D-Bus properties may refer to the same deployment, and we dumbly regenerate its `GVariant` each time This results in a noticeable delay in rpm-ostree startup: coreos/fedora-coreos-tracker#761 I believe also this is the root cause for the `ostree.hotfix` FCOS test flaking: coreos/fedora-coreos-tracker#942. My theory is that when this test runs on nodes with contended I/O (e.g. with many other tests running in parallel), GPG verification can get slow enough that the daemon doesn't finish in time to answer back the the D-Bus call from the client, which then times out. That test creates a new deployment using `ostree admin unlock --hotfix` which multiples the cost. This patch adds caching of verification results as suggested in the tracker issue. This makes rpm-ostree startup *noticeably* faster and should also fix the `ostree.hotfix` flake. I think though we should still do $something about those keys, ideally at the Fedora level if not in FCOS/FSB/FIoT. Closes: coreos/fedora-coreos-tracker#761
jlebon
added a commit
to jlebon/rpm-ostree
that referenced
this issue
Feb 10, 2022
In Fedora today, we ship 51 GPG pubkeys in `/etc/pki/rpm-gpg`. These keys are used to verify RPM packages, but also OSTree commits. But the sheer number of keys makes actually loading them and verifying signatures costly. rpm-ostree pays this price at startup when creating variants for its D-Bus properties describing the deployments. Multiple things make this even costlier in rpm-ostree: 1. by default we auto-exit after a certain period of time, which means that on the next startup we have to pay the verification price again 2. the same deployed commit may be re-verified up to 3 times as the different D-Bus properties may refer to the same deployment, and we dumbly regenerate its `GVariant` each time This results in a noticeable delay in rpm-ostree startup: coreos/fedora-coreos-tracker#761 I believe also this is the root cause for the `ostree.hotfix` FCOS test flaking: coreos/fedora-coreos-tracker#942. My theory is that when this test runs on nodes with contended I/O (e.g. with many other tests running in parallel), GPG verification can get slow enough that the daemon doesn't finish in time to answer back the the D-Bus call from the client, which then times out. That test creates a new deployment using `ostree admin unlock --hotfix` which multiples the cost. This patch adds caching of verification results as suggested in the tracker issue. This makes rpm-ostree startup *noticeably* faster and should also fix the `ostree.hotfix` flake. I think though we should still do $something about those keys, ideally at the Fedora level if not in FCOS/FSB/FIoT. Closes: coreos/fedora-coreos-tracker#761
dustymabe
added
the
status/pending-upstream-release
|
The fix for this went into |
dustymabe
added
status/pending-stable-release
|
The fix for this went into |
dustymabe
removed
the
status/pending-stable-release
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When
rpm-ostreed.servicestarts, there's a noticeable delay and a slight CPU spike caused by rpm-ostree having to load all the GPG keys from/etc/pki/rpm-gpgto verify deployment commits (because we usegpgkeypath=/etc/pki/rpm-gpg/):Ideally it'd only import the one key it needs corresponding to the right release, but it's more complicated than that because of major version rebases.
We could probably at least nuke all the super ancient keys in there to start (could do that in a post-processing script though... maybe all of Fedora should do that; yum-based systems don't really suffer from the status quo because yumrepo files always point to a specific key).
This also applies to other rpm-ostree-based Fedora variants with the same remote configuration
The text was updated successfully, but these errors were encountered: