[MODULES-7319] selmodule provider should only list modules once Created: 2016/07/15  Updated: 2018/06/18

Status: Ready for Engineering
Project: Modules
Component/s: selinux_core
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Adam Bottchen Assignee: Branan Riley
Resolution: Unresolved Votes: 2
Labels: linux, performance, selinux, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Acceptance Criteria:

Selmodule provider no longer makes redundant queries to the operating system

Team: Platform OS
Story Points: 2
CS Priority: Reviewed


With a selmodule resource such as:

selmodule { 'test':
  ensure        => present,
  selmodulepath => '/usr/share/selinux/test.pp',
  syncversion   => true,
}

The provider runs semodule --list twice, once for exists? and once for syncversion:

Debug: Selmodule[test](provider=semodule): Checking for module test 
Debug: Executing '/usr/sbin/semodule --list' 
Debug: Selmodule[test](provider=semodule): Checking syncversion on test 
Debug: Executing '/usr/sbin/semodule --list' 
Debug: Selmodule[test](provider=semodule): load version 1.1 
Debug: Selmodule[test](provider=semodule): file version 1.1 

The semodule --list command takes around 2-3 seconds to execute, which causes a large performance hit when there are multiple selmodule resources.

This impact could be cut in half if the command was only run once and the data cached for the syncversion function. It could be cut even more dramatically if semodule --list was stored as a fact and the output merely referenced in the provider.
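The following is an added illustration of the caching approach described above; it is not Puppet's selmodule provider code. It assumes a `semodule --list` output format of one `<name><tab><version>` line per loaded module (the constructed sample below), takes the command as an injectable callable so it runs offline, and counts invocations to show that both the existence check and the syncversion check are served by a single run of the command:

```ruby
# Added example (not Puppet's own provider code): memoize the output of
# `semodule --list` so that exists? and the syncversion comparison share
# one invocation instead of two. The sample output is constructed.

# Constructed stand-in for the text `/usr/sbin/semodule --list` prints:
# one line per loaded module, "<name>\t<version>" (assumed format).
SAMPLE_SEMODULE_LIST = "abrt\t1.2.0\ntest\t1.1\nzabbix\t1.5.0\n".freeze

class SemoduleCache
  # Number of times the underlying command has actually been run.
  attr_reader :calls

  # runner: any callable that returns the raw `semodule --list` text.
  # In a real provider this would wrap the command execution.
  def initialize(runner)
    @runner = runner
    @calls = 0
    @modules = nil
  end

  # Run and parse the listing at most once; later callers reuse the hash.
  def modules
    @modules ||= begin
      @calls += 1
      @runner.call.each_line.with_object({}) do |line, acc|
        name, version = line.strip.split(/\s+/, 2)
        acc[name] = version if name && !name.empty?
      end
    end
  end

  # Equivalent of the provider's exists? check.
  def exists?(name)
    modules.key?(name)
  end

  # Version of the module as currently loaded in the policy store,
  # i.e. the "load version" the syncversion check compares against.
  def loaded_version(name)
    modules[name]
  end

  # Invalidate after an install/remove changes the store; the next
  # query re-runs the command once.
  def flush!
    @modules = nil
  end
end

# Exercise both checks against one cache and report the call count.
def demo
  cache = SemoduleCache.new(-> { SAMPLE_SEMODULE_LIST })
  present = cache.exists?('test')          # first query runs the command
  version = cache.loaded_version('test')   # second query hits the cache
  missing = cache.exists?('tes')           # exact-name lookup, no prefix match
  [present, version, missing, cache.calls] # => [true, "1.1", false, 1]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The hash keyed by full module name also avoids matching `test` against a module named `testing`, which a loose substring search over the raw listing would do. Scoping the cache to a single catalog run (and flushing it after an install or remove) keeps it from returning stale results while still collapsing the repeated queries the debug log shows.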

Comment by Alex [ 2016/08/21 ]

Hi everyone.
Not sure at what stage this issue is at the moment. Just wondering if there is an ETA on issuing a fix for this?
Thanks, Alex

Comment by Alex [ 2017/06/18 ]

It's been almost a year since this was raised. Is there any progress?

Comment by Doug Penner [ 2017/07/11 ]

I'm also wondering if there is an ETA on a fix for this. We use puppet to manage over a dozen SELinux modules on about 2 dozen virtual machines. This means we are unnecessarily running "semodule --list" thousands of times per day. A caching system that runs once at the start, then once at the end for verification would be very nice.

Let me know if beta testing will help speed things up.

Comment by Sam McLeod [ 2017/10/24 ]

This has been unresolved for a long time now - can we please get a fix for this Puppet?

I've logged an enterprise support ticket for this: https://support.puppet.com/hc/en-us/requests/27866

Comment by Sam McLeod [ 2018/06/18 ]

We're still battling with this problem internally, it uses more CPU than any other single thing across our fleet of servers (excluding application workloads).

Generated at Fri Dec 13 07:42:56 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.