Use seccomp policy to avoid necessary sync operations

Sync operations are really slow on btrfs. They're also pointless, since if the computer crashes while we're doing a build then we'll just throw it away and start again anyway. This commit provides a seccomp policy that causes all sync operations to "fail", with errno 0 ("success"). On my machine, this reduces the time to `apt-get install -y shared-mime-info` from 18.5s to 4.7s. Based on https://bblank.thinkmo.de/using-seccomp-to-filter-sync-operations.html
ocurrent · Nov 24, 2020 · db79e09 · db79e09
1 parent c22da3b
commit db79e09
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/.run-travis-tests.sh b/.run-travis-tests.sh
@@ -2,6 +2,9 @@
 set -eux
 export OPAMYES=true
 
+wget https://github.com/opencontainers/runc/releases/download/v1.0.0-rc92/runc.amd64 -O /usr/local/bin/runc
+chmod a+x /usr/local/bin/runc
+
 ZFS_LOOP=$(sudo losetup -f)
 dd if=/dev/zero of=/tmp/zfs.img bs=100M count=50
 sudo losetup -P $ZFS_LOOP /tmp/zfs.img

diff --git a/README.md b/README.md
@@ -8,6 +8,8 @@ Repeating a build will reuse the cached results where possible.
 OBuilder aims to be portable, although currently only Linux support is present.
 On Linux, it uses `runc` to sandbox the build steps, but any system that can run a command safely in a chroot could be used.
 
+**Note:** OBuilder requires `runc >= v1.0.0-rc92` (otherwise, sync operations will fail with EPERM)
+
 OBuilder stores the log output of each build step.
 This is useful for CI, where you may still want to see the output even if the result was cached from some other build.
 

diff --git a/lib/runc_sandbox.ml b/lib/runc_sandbox.ml
@@ -199,7 +199,28 @@ module Json_config = struct
           "/proc/irq";
           "/proc/sys";
           "/proc/sysrq-trigger"
-        ]
+        ];
+        "seccomp", `Assoc [
+          "defaultAction", `String "SCMP_ACT_ALLOW";
+          "syscalls", `List [
+            `Assoc [
+              (* Sync calls are pointless for the builder, because if the computer crashes then we'll
+                 just throw the build dir away and start again. And btrfs sync is really slow.
+                 Based on https://bblank.thinkmo.de/using-seccomp-to-filter-sync-operations.html
+                 Note: requires runc >= v1.0.0-rc92. *)
+              "names", strings [
+                "fsync";
+                "fdatasync";
+                "msync";
+                "sync";
+                "syncfs";
+                "sync_file_range";
+              ];
+              "action", `String "SCMP_ACT_ERRNO";
+              "errnoRet", `Int 0;                         (* Return error "success" *)
+            ];
+          ];
+        ];
       ];
     ]
 end