Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
daemon: cache GPG commit verification
In Fedora today, we ship 51 GPG pubkeys in `/etc/pki/rpm-gpg`. These keys are used to verify RPM packages, but also OSTree commits. But the sheer number of keys makes actually loading them and verifying signatures costly. rpm-ostree pays this price at startup when creating variants for its D-Bus properties describing the deployments. Multiple things make this even costlier in rpm-ostree: 1. by default we auto-exit after a certain period of time, which means that on the next startup we have to pay the verification price again 2. the same deployed commit may be re-verified up to 3 times as the different D-Bus properties may refer to the same deployment, and we dumbly regenerate its `GVariant` each time This results in a noticeable delay in rpm-ostree startup: coreos/fedora-coreos-tracker#761 I believe also this is the root cause for the `ostree.hotfix` FCOS test flaking: coreos/fedora-coreos-tracker#942. My theory is that when this test runs on nodes with contended I/O (e.g. with many other tests running in parallel), GPG verification can get slow enough that the daemon doesn't finish in time to answer back the the D-Bus call from the client, which then times out. That test creates a new deployment using `ostree admin unlock --hotfix` which multiples the cost. This patch adds caching of verification results as suggested in the tracker issue. This makes rpm-ostree startup *noticeably* faster and should also fix the `ostree.hotfix` flake. I think though we should still do $something about those keys, ideally at the Fedora level if not in FCOS/FSB/FIoT. Closes: coreos/fedora-coreos-tracker#761
- Loading branch information