From d2f8308813da27f422607e5aa21fc95d113a17f0 Mon Sep 17 00:00:00 2001
From: Andrey Drobyshev
Date: Wed, 26 Apr 2023 15:59:46 +0300
Subject: [PATCH] daemon/selinux-relabel: run setfiles with "-T 0", if supported

Since SELinux userspace v3.4 [1], setfiles command supports "-T nthreads"
option, which allows parallel execution. "-T 0" allows using as many
threads as there're available CPU cores. This might speed up the process
of filesystem relabeling in case the appliance is being run with multiple
vCPUs. The latter is true for at least v2v starting from d2b64ecc67
("v2v: Set the number of vCPUs to same as host number of pCPUs.").

For instance, when running virt-v2v-in-place on my 12-core Xeon host
with SSD, with appliance being run with 8 vCPUs (the upper limit specified
in d2b64ecc67), and on the ~150GiB disk VM (physical size on the host),
I get the following results:

./in-place/virt-v2v-in-place -i libvirt fedora37-vm -v -x

Without this patch:
...
commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/sys -m -C -r /sysroot -v /sysroot/etc/selinux/targeted/contexts/files/file_contexts /sysroot/^M
libguestfs: trace: v2v: selinux_relabel = 0
libguestfs: trace: v2v: rm_f "/.autorelabel"
guestfsd: => selinux_relabel (0x1d3) took 17.94 secs
...

With this patch:
...
commandrvf: setfiles -F -e /sysroot/dev -e /sysroot/proc -e /sysroot/sys -m -C -T 0 -r /sysroot -v /sysroot/etc/selinux/targeted/contexts/files/file_contexts /sysroot/^M
libguestfs: trace: v2v: selinux_relabel = 0
libguestfs: trace: v2v: rm_f "/.autorelabel"
guestfsd: => selinux_relabel (0x1d3) took 5.88 secs
...

So in my scenario it's getting 3 times faster.

[1] https://github.com/SELinuxProject/selinux/releases/tag/3.4

Signed-off-by: Andrey Drobyshev
Reviewed-by: Laszlo Ersek
Reviewed-by: Richard W.M. Jones
(cherry picked from commit d0d8e6738477148a7b752348f9364a3b8faed67f)
---
 daemon/selinux-relabel.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/daemon/selinux-relabel.c b/daemon/selinux-relabel.c index 60a6f48a..cfc5a31d 100644 --- a/daemon/selinux-relabel.c +++ b/daemon/selinux-relabel.c @@ -73,6 +73,7 @@ do_selinux_relabel (const char *specfile, const char *path, { static int flag_m = -1; static int flag_C = -1; + static int flag_T = -1; const char *argv[MAX_ARGS]; CLEANUP_FREE char *s_dev = NULL, *s_proc = NULL, *s_selinux = NULL, *s_sys = NULL, *s_specfile = NULL, *s_path = NULL; @@ -131,6 +132,17 @@ do_selinux_relabel (const char *specfile, const char *path, if (setfiles_has_option (&flag_C, 'C')) ADD_ARG (argv, i, "-C"); + /* If the appliance is being run with multiple vCPUs, running setfiles + * in multithreading mode might speeds up the process. Option "-T" was + * introduced in SELinux userspace v3.4, and we need to check whether it's + * supported. Passing "-T 0" creates as many threads as there're available + * vCPU cores. + * https://github.com/SELinuxProject/selinux/releases/tag/3.4 + */ + if (setfiles_has_option (&flag_T, 'T')) { + ADD_ARG (argv, i, "-T"); ADD_ARG (argv, i, "0"); + } + /* Relabelling in a chroot. */ if (STRNEQ (sysroot, "/")) { ADD_ARG (argv, i, "-r");
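
Review bot: The argument vector bound is not revisited in the first hunk (@@ -73,6 +73,7 @@): argv is still declared as `const char *argv[MAX_ARGS];` and the diff does not touch MAX_ARGS, while the second hunk can append two more entries ("-T" and "0"). Please confirm that the existing bound still covers the worst case with every optional flag and the terminating NULL present, and raise MAX_ARGS in this same patch if it does not.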
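
Review bot: The probe `setfiles_has_option (&flag_T, 'T')` in the second hunk (@@ -131,6 +132,17 @@) tests an option that requires an argument, whereas the existing probe for 'C' covers a bare flag (the traced command line shows "-m -C" with no values). The helper is not part of this diff, so please confirm it tells "option requires an argument" apart from "invalid option", since the result is cached in the static flag_T for the lifetime of the daemon. Minor: in the new comment, "might speeds up" should read "might speed up".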