Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deploy: Don't recompute verity checksums if not enabled #3326

Merged
merged 1 commit into from
Oct 29, 2024

Conversation

cgwalters
Copy link
Member

This fixes a truly horrific performance bug when
composefs is enabled, but fsverity is not supported by the filesystem. We'd fall back to doing userspace checksumming of all files at deployment time which was absolutely not expected or required.

There's really an immense amount of technical debt here, such as the confusion between ex-integity.composefs vs the prepare-root config, how we handle "torn" states where some objects don't have verity enabled but some do, etc.

The ostree composefs state has two modes:

  • signed: We need to enforce fsverity
  • unsigned: Best effort resilience

So we fix this by making the deploy path to make verity "opportunistic" - if the ioctl gives us the data, then we add it to the composefs.

However, this code path is also invoked when we're computing the expected composefs digest to inject
as commit metadata, and that API must work regardless of whether the target repo has fsverity enabled as it may operate on a build server.

One lucky thing in all of this: When I went to add the "checkout composefs" API I added a stub GVariant for options extensibility, which we now use.

Copy link
Collaborator

@allisonkarlitskaya allisonkarlitskaya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a good high-level picture of what this code is trying to do, but I have some C/GVariant-related comments.

man/ostree-checkout.xml Show resolved Hide resolved
src/libostree/ostree-repo-checkout.c Show resolved Hide resolved
src/libostree/ostree-repo-checkout.c Show resolved Hide resolved
src/libostree/ostree-repo-checkout.c Outdated Show resolved Hide resolved
src/libostree/ostree-repo-composefs.c Show resolved Hide resolved
src/libostree/ostree-sysroot-deploy.c Outdated Show resolved Hide resolved
src/libostree/ostree-sysroot-deploy.c Outdated Show resolved Hide resolved
src/ostree/ot-builtin-checkout.c Outdated Show resolved Hide resolved
This fixes a truly horrific performance bug when
composefs is enabled, but fsverity is not supported
by the filesystem. We'd fall back to doing *userspace*
checksumming of all files at deployment time which was absolutely
not expected or required.

There's really an immense amount of technical debt
here, such as the confusion between `ex-integity.composefs`
vs the prepare-root config, how we handle "torn" states
where some objects don't have verity enabled but some do,
etc.

The ostree composefs state has two modes:

- signed: We need to enforce fsverity
- unsigned: Best effort resilience

So we fix this by making the deploy path to make verity
"opportunistic" - if the ioctl gives us the data, then we
add it to the composefs.

However, this code path is also invoked when we're
computing the expected composefs digest to inject
as commit metadata, and *that* API must work regardless
of whether the target repo has fsverity enabled as
it may operate on a build server.

One lucky thing in all of this: When I went to add
the "checkout composefs" API I added a stub `GVariant`
for options extensibility, which we now use.

Signed-off-by: Colin Walters <[email protected]>
@cgwalters
Copy link
Member Author

One possible followup in #3327

@cgwalters cgwalters enabled auto-merge October 29, 2024 13:16
@cgwalters
Copy link
Member Author

Re this code alex wrote most of it originally... @alexlarsson mind giving this a quick skim from a high level? But we can't always get his time.

Copy link
Member

@jmarrero jmarrero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cgwalters
Copy link
Member Author

@allisonkarlitskaya you need to at least change your review status from "changes requested" to "approve"

@cgwalters cgwalters merged commit 841c8a6 into ostreedev:main Oct 29, 2024
26 checks passed
cgwalters added a commit to cgwalters/rpm-ostree that referenced this pull request Nov 4, 2024
This effectively reverts coreos@c115600

I was wrong, if we don't have fsverity today on the repo (a
common case) then this entails a full read of all files. For more information
see ostreedev/ostree#3326
cgwalters added a commit to cgwalters/rpm-ostree that referenced this pull request Nov 4, 2024
This effectively reverts coreos@c115600

I was wrong, if we don't have fsverity today on the repo (a
common case) then this entails a full read of all files. For more information
see ostreedev/ostree#3326

Signed-off-by: Colin Walters <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants