[MODULES-7319] selmodule provider should only list modules once
Created: 2016/07/15 Updated: 2018/06/18
|Status:||Ready for Engineering|
|Reporter:||Adam Bottchen||Assignee:||Branan Riley|
|Labels:||linux, performance, selinux, type_and_provider|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
Selmodule provider no longer makes redundant queries to the operating system
With a selmodule resource such as:
The provider runs semodule --list twice, once for exists? and once for syncversion:
The semodule --list command takes around 2-3 seconds to execute, which causes a large performance hit when there are multiple selmodule resources.
This impact could be cut in half if the command was only run once and the data cached for the syncversion function. It could be cut even more dramatically if semodule --list was stored as a fact and the output merely referenced in the provider.
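The caching proposed in the description, as an added example (not the Puppet provider's code): one `semodule --list` run is parsed and then shared by the existence and version checks. The class name, the injected runner and the sample listing are assumptions made for illustration.

```ruby
# Added example: hypothetical class, not the Puppet selmodule provider's code.
class SemoduleListCache
  # runner: any callable returning the text of `semodule --list`. It is
  # injectable so the example runs offline; the default shells out.
  def initialize(runner = -> { `semodule --list` })
    @runner = runner
    @modules = nil
  end

  # Run the listing at most once, then answer every lookup from memory.
  def modules
    @modules ||= parse(@runner.call)
  end

  def exists?(name)
    modules.key?(name)
  end

  # nil when the module is absent or the listing carries no version column.
  def version(name)
    modules[name]
  end

  # Call after loading or removing a module so the next lookup re-reads state.
  def invalidate!
    @modules = nil
  end

  private

  # Each line is "name" optionally followed by whitespace and a version.
  def parse(text)
    text.each_line.with_object({}) do |line, acc|
      name, version = line.split
      acc[name] = version unless name.nil?
    end
  end
end

# Constructed sample output, not captured from a real host.
SAMPLE_LIST = "abrt\t1.4.1\nmylocalpolicy\t1.0\n\nzabbix\t1.6.0\n"

# Count how often the "command" runs while two resources are checked.
def demo_run_count
  runs = 0
  cache = SemoduleListCache.new(-> { runs += 1; SAMPLE_LIST })
  %w[abrt mylocalpolicy].each { |m| cache.exists?(m) && cache.version(m) }
  runs
end
```

Invalidating after every change matters here: a stale cache would report a module as loaded, or at an old version, after the policy on the host has changed.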
|Comment by Alex [ 2016/08/21 ]|
|Comment by Alex [ 2017/06/18 ]|
It's been almost a year since this was raised. Is there any progress?
|Comment by Doug Penner [ 2017/07/11 ]|
I'm also wondering if there is an ETA on a fix for this. We use puppet to manage over a dozen SELinux modules on about 2 dozen virtual machines. This means we are unnecessarily running "semodule --list" thousands of times per day. A caching system that runs once at the start, then once at the end for verification would be very nice.
Let me know if beta testing will help speed things up.
|Comment by Sam McLeod [ 2017/10/24 ]|
This has been unresolved for a long time now - can we please get a fix for this, Puppet?
I've logged an enterprise support ticket for this: https://support.puppet.com/hc/en-us/requests/27866
|Comment by Sam McLeod [ 2018/06/18 ]|
We're still battling with this problem internally; it uses more CPU than any other single thing across our fleet of servers (excluding application workloads).