[MODULES-7319] selmodule provider should only list modules once Created: 2016/07/15  Updated: 2020/03/27  Resolved: 2020/03/27

Status: Resolved
Project: Modules
Component/s: selinux_core
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Adam Bottchen Assignee: Branan Riley
Resolution: Fixed Votes: 2
Labels: linux, performance, selinux, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to PUP-10313 Selmodule provider fetch loaded modul... Resolved
Acceptance Criteria:

Selmodule provider no longer makes redundant queries to the operating system

Team: Night's Watch
Story Points: 2
Sprint: PR - Triage
CS Priority: Reviewed
Release Notes: Not Needed


With a selmodule resource such as:

selmodule { 'test':
  ensure        => present,
  selmodulepath => '/usr/share/selinux/test.pp',
  syncversion   => true,
}

The provider runs semodule --list twice, once for exists? and once for syncversion:

Debug: Selmodule[test](provider=semodule): Checking for module test 
Debug: Executing '/usr/sbin/semodule --list' 
Debug: Selmodule[test](provider=semodule): Checking syncversion on test 
Debug: Executing '/usr/sbin/semodule --list' 
Debug: Selmodule[test](provider=semodule): load version 1.1 
Debug: Selmodule[test](provider=semodule): file version 1.1 

The semodule --list command takes around 2-3 seconds to execute, which causes a large performance hit when there are multiple selmodule resources.

This impact could be cut in half if the command was only run once and the data cached for the syncversion function. It could be cut even more dramatically if semodule --list was stored as a fact and the output merely referenced in the provider.
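The caching the description asks for, as an added example that is not part of this ticket or of the puppetlabs-selinux_core provider: a small Ruby class in the shape of a Puppet provider that parses `semodule --list` once and lets both the existence check and the version comparison read the memoized result. It assumes the older `semodule --list` output format of one `name<TAB>version` line per module, takes the file version as an argument instead of parsing the .pp policy package, and uses a constructed sample in place of the real command so it runs without Puppet or SELinux.

```ruby
# Added example (not the project's code): memoize `semodule --list` so that
# exists? and the syncversion check share one command execution.
# Assumption: output lines look like "<name>\t<version>" (older semodule format).
class SemoduleCache
  # Constructed stand-in for the stdout of `/usr/sbin/semodule --list`.
  SAMPLE_OUTPUT = "test\t1.1\napache\t2.4.0\nnis\t1.0\n".freeze

  # Number of times the (simulated) command was actually executed.
  attr_reader :list_runs

  # runner: a callable returning the command's stdout; defaults to the sample.
  def initialize(runner = nil)
    @runner = runner || -> { SAMPLE_OUTPUT }
    @list_runs = 0
    @cache = nil
  end

  # Run and parse the list once; later calls return the memoized hash
  # of module name => loaded version.
  def loaded_modules
    @cache ||= begin
      @list_runs += 1
      @runner.call.each_line.each_with_object({}) do |line, acc|
        name, version = line.chomp.split("\t", 2)
        next if name.nil? || name.empty?
        acc[name] = version
      end
    end
  end

  # Drop the cache after anything that changes loaded policy
  # (install, remove, upgrade), so the next query re-reads the system.
  def invalidate!
    @cache = nil
  end

  # Equivalent of the provider's exists?: served from the cache.
  def exists?(name)
    loaded_modules.key?(name)
  end

  # Version of the loaded module, or nil when it is not loaded.
  def loaded_version(name)
    loaded_modules[name]
  end

  # Equivalent of the syncversion check; file_version is assumed to have
  # been read from the .pp file elsewhere (that parsing is not shown here).
  def in_sync?(name, file_version)
    exists?(name) && loaded_version(name) == file_version
  end

  # Mirror the two steps from the ticket's debug log for one resource and
  # report how many times the list command ran while doing so.
  def check_resource(name, file_version)
    present = exists?(name)
    synced  = present && in_sync?(name, file_version)
    { exists: present, in_sync: synced, list_runs: @list_runs }
  end
end

if __FILE__ == $PROGRAM_NAME
  cache = SemoduleCache.new
  p cache.check_resource('test', '1.1')
  p cache.check_resource('apache', '2.5.0')
end
```

In a real provider the memoized hash would live in a class-level variable populated once per agent run (for example from `self.prefetch`) and cleared after any `semodule` install or remove, which is the "run once at the start, then again for verification" pattern requested in the comments. The `runner` injection point is only there so the class can be exercised offline; the provider would call `semodule --list` through Puppet's command wrapper instead.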

Comment by Alex [ 2016/08/21 ]

Hi everyone.
Not sure at what stage this issue is at the moment. Just wondering if there is an ETA on issuing a fix for this?
Thanks, Alex

Comment by Alex [ 2017/06/18 ]

It's been almost a year since this was raised. Is there any progress?

Comment by Doug Penner [ 2017/07/11 ]

I'm also wondering if there is an ETA on a fix for this. We use puppet to manage over a dozen SELinux modules on about 2 dozen virtual machines. This means we are unnecessarily running "semodule --list" thousands of times per day. A caching system that runs once at the start, then once at the end for verification would be very nice.

Let me know if beta testing will help speed things up.

Comment by Sam McLeod [ 2017/10/24 ]

This has been unresolved for a long time now - can we please get a fix for this, Puppet?

I've logged an enterprise support ticket for this: https://support.puppet.com/hc/en-us/requests/27866

Comment by Sam McLeod [ 2018/06/18 ]

We're still battling with this problem internally, it uses more CPU than any other single thing across our fleet of servers (excluding application workloads).

Comment by Thomas Montague [ 2020/02/25 ]

PR to Puppet 5.5.x branch: https://github.com/puppetlabs/puppet/pull/7998
PR to Puppetlabs selinux_core module: https://github.com/puppetlabs/puppetlabs-selinux_core/pull/23

Comment by Gheorghe Popescu [ 2020/03/27 ]

PRs merged, thank you Thomas Montague

Generated at Sat Jul 11 08:00:16 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.