Bugzilla – Full Text Bug Listing

| Summary: | MMTests/gitsource: Performance impact of FIPS support in container is about 2% | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Andreas Herrmann <aherrmann> |
| Component: | Containers | Assignee: | Andreas Herrmann <aherrmann> |
| Status: | RESOLVED WONTFIX | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | kernel-performance-bugs |
| Version: | Leap 15.4 | ||
| Target Milestone: | --- | ||
| Hardware: | x86-64 | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |

The used base container image was FIPS compliant. I.e. it had installed

    i+ | patterns-base-fips | FIPS 140-2 specific packages | package
    i  | fips               | FIPS 140-2 specific packages | pattern

patterns-base-fips pulls in libgcrypt20-hmac.

gpg behaves differently depending on whether libgcrypt20-hmac is installed or not. Thus all gitsource test cases using gpg are affected.

For individual gitsource test cases using gpg the performance impact of FIPS support is significant.

If a workload is affected by this and FIPS compliance is not required, then removing FIPS packages with 'zypper remove --clean-deps patterns-base-fips' can improve performance.

Closing as 'wontfix'.

x86, kernel 5.14.21-150400.24.66-default

podman version 4.4.4

    runc version 1.1.5
    commit: v1.1.5-0-gf19387a6bec4
    spec: 1.0.2-dev
    go: go1.19.9
    libseccomp: 2.5.3

Tests with MMTests/gitsource benchmark showed that for elapsed time of this benchmark performance impact of FIPS support is about 2%:

| podman | no_scaafps | aa | fips | sccmp |
|---|---|---|---|---|
| Amean User | 433.58 | 433.60 -0.00% | 446.64 -3.01% | 461.13 -6.35% |
| Amean Syst | 179.52 | 188.84 -5.19% | 178.48 0.58% | 194.38 -8.28% |
| Amean Elap | 632.58 | 642.21 -1.52% | 645.78 -2.09% | 675.62 -6.80% |
| Amean CPU | 96.00 | 96.00 0.00% | 96.00 0.00% | 96.67 -0.69% |

    no_scaafps - no seccomp/apparmor confinement, no FIPS
    sccmp      - seccomp confinement on
    aa         - apparmor confinement on
    fips       - FIPS packages installed in container image

See also bug #1212272.