Bug 1213629

Summary: MMTests/gitsource: Performance impact of AppArmor confinement of container is about 1.5%
Product: [openSUSE] openSUSE Distribution Reporter: Andreas Herrmann <aherrmann>
Component: ContainersAssignee: Andreas Herrmann <aherrmann>
Status: RESOLVED WONTFIX QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: kernel-performance-bugs
Version: Leap 15.4   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Herrmann 2023-07-25 09:38:27 UTC 
x86, kernel 5.14.21-150400.24.66-default
podman version 4.4.4
runc version 1.1.5
commit: v1.1.5-0-gf19387a6bec4
spec: 1.0.2-dev
go: go1.19.9
libseccomp: 2.5.3

Tests with MMTests/gitsource benchmark showed that for elapsed time of this benchmark overhead of AppArmor confinement is about 1.5%:

           ----------------------podman-------------------------
           no_scaafps      aa           fips           sccmp
Amean User   433.58  433.60 -0.00%  446.64 -3.01%  461.13 -6.35%
Amean Syst   179.52  188.84 -5.19%  178.48  0.58%  194.38 -8.28%
Amean Elap   632.58  642.21 -1.52%  645.78 -2.09%  675.62 -6.80%
Amean CPU     96.00   96.00  0.00%   96.00  0.00%   96.67 -0.69%

no_scaafps - no seccomp/apparmor confinement, no FIPS
sccmp      - seccomp confinement on
aa         - apparmor confinement on
fips       - FIPS packages installed in container image

See also bug #1212272.
Comment 1 Andreas Herrmann 2023-07-25 09:41:17 UTC 
If this performance impact is an issue for a workload AppArmor confinement can be turned off using '--security-opt apparmor=unconfined' when the container is started.
Comment 2 Andreas Herrmann 2023-07-25 09:42:15 UTC 
Closing as 'wontfix'.