-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Slowdown with latest kernels #5293
Comments
After hearing about this by accidental presence on #archlinux IRC I installed several kernels available on Arch Linux to dig deeper into this slowdown issue:
There's indeed a rather significant difference in sandbox initialization time depending on kernel in use, as observed by the OP. I cannot (yet) determine what could be causing any of this but I'm keeping these extra kernels installed to check how things evolve on future releases. Even when its not our bug it's always nice to know how firejail users in the field may notice these fluctuations, and how we could respond to potential reports. |
I don't notice any slowdown on Debian (5.18.5), |
Hmm. I wonder if this could be hardware specific then. My CPU is a ryzen 1600af. I wonder if the mitigations could affect the sandbox init time. |
I just updated my kernel to 5.18.14 and noticed a very small slowdown; it consistently takes about 60ms now. Edit: CPU: Intel Core i7-7820HQ |
Alright, I recorded |
Can you maybe try recording it with perf record -F 99 -g -- firejail ls
perf report --stdio (might need to be run as root) If that works there are also tools to generate flamegraphs etc., see https://www.brendangregg.com/perf.html For me it seems to spend a lot of time in |
It fluctuates quite a bit for me. I have built firejail from master with debug symbols. Right now it is at 86 ms which is fine. I will re-test after a reboot which also applies the kernel update. It appears that a reboot randomizes the time it takes for the sandbox to initialize, its super weird. |
There's a nice tool in arch linux repo https://archlinux.org/packages/community/x86_64/cargo-flamegraph/. Pretty handy to create flamegraphs directly from perf output. |
Alright. I got 16k ms after a reboot and kernel upgrade. Had to gzip because of github.
|
This sounds increasingly more plausible, especially when taken in context with the observation shared on IRC that the 16k ms sowdown is also noticeable on starting systemd sandboxed units. I just finished another round of tests on the kernels noted in #5293 (comment). On an Intel® Core™2 Duo CPU T6600 @ 2.20GHz × 2 there's hardly any difference between running with/without Realizing this is a big ask, but would any of you be willing to run the same tests with |
According to the perf trace it seems to take >95% of the time doing syscalls (read). |
I am a noob at interpreting perf traces, but
Sure, I can do that. Applying the kernel parameter will take a reboot and since the time used for initializing is very inconsistent, I will report back if it still happens after I reboot. So expect another comment from me tomorrow or so. |
Took a bit longer than I planned because I did not get a slowdown immediately, but it is currently at 5k ms even with mitigations=off |
Still happening by the way. glitsj16 said on IRC I should bump this. |
Wondering if this might be related to #6307. Couldn't determine that (yet) as OP needed to attend other things on IRC. |
Looks to be unrelated. I freshly built firejail from -git while I had that persistent delay again just now, according to |
Recap of the latest revisit (with recent 6.8.x kernels) on IRC #firejail:
TL;DR looks like a kernel issue. Not very likely we can do much about it. |
I updated my BIOS, yes the firmware, the BIOS, however you want to call it, and the issue got immediately better. This is very cursed indeed that the firmware affects a random syscall. However, since this issue is very random I am unsure if this is really fixed. Give me some more time and I'll see if this still happens. Hardware, for anyone interested:
|
So far no more slowdowns. I still cant believe this issue got fixed by a BIOS update of all things. I should have applied more holy water. |
Description
With the newest kernels, at least on Arch Linux, which ships 5.18.15-arch1-1, the time to initialize the sandbox (
Child process initialized in ...
) skyrockets. Arch Linux's kernel patches are minimal enough that I think they are not the issue here.Steps to Reproduce
firejail ls
.To be clear here: Right now it takes around 900 ms to init, on a prior boot without updating or touching anything, 35 ms. On slightly earlier kernel versions I sometimes even had an unusable 10 seconds.
I need to do proper tests, but it looks like systemd sandboxing, which also makes use of the same kernel features, may also be affected. I noticed a slowdown there, too but I did not measure it. I only took note of this during the start and shutdown sequence, and it was worse in the latter.
However, when I had the unusable 10 seconds delay, only firejailed stuff was affected by it. All systemd service units, which do not use firejail but their own sandboxing, initialized without delay, resulting in a normal system startup.
I did run firejail with
--debug
and the slowdown was very visible when it was setting up filesystems.Expected behavior
No slowdown.
Actual behavior
Slowdown.
Behavior without a profile
n/a
Additional context
Ping @glitsj16, I discussed this on IRC with them and they said they also noticed slowdowns. It may very well be a kernel regression, aka a "notourbug".
The bug is so inconsistent it is driving me insane, so I'd love some more pairs of eyes looking over this.
Environment
Checklist
/usr/bin/vlc
) "fixes" it).https://github.com/netblue30/firejail/issues/1139
)browser-allow-drm yes
/browser-disable-u2f no
infirejail.config
to allow DRM/U2F in browsers.--profile=PROFILENAME
to set the right profile. (Only relevant for AppImages)Log
n/a
The text was updated successfully, but these errors were encountered: