Bug 1213629 - MMTests/gitsource: Performance impact of AppArmor confinement of container is about 1.5%
Status: RESOLVED WONTFIX
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Containers
Version: Leap 15.4
Hardware: x86-64 Other
Priority / Severity: P5 - None / Normal
Target Milestone: ---
Assignee: Andreas Herrmann
QA Contact: E-mail List
Reported: 2023-07-25 09:38 UTC by Andreas Herrmann
Modified: 2023-07-25 09:58 UTC
Description Andreas Herrmann 2023-07-25 09:38:27 UTC
x86, kernel 5.14.21-150400.24.66-default
podman version 4.4.4
runc version 1.1.5
commit: v1.1.5-0-gf19387a6bec4
spec: 1.0.2-dev
go: go1.19.9
libseccomp: 2.5.3

Tests with the MMTests/gitsource benchmark showed that, for the elapsed time of this benchmark, the overhead of AppArmor confinement is about 1.5%:

                                   podman (% relative to no_scaafps)
             no_scaafps    aa               fips             sccmp
Amean User     433.58      433.60  -0.00%   446.64  -3.01%   461.13  -6.35%
Amean Syst     179.52      188.84  -5.19%   178.48   0.58%   194.38  -8.28%
Amean Elap     632.58      642.21  -1.52%   645.78  -2.09%   675.62  -6.80%
Amean CPU       96.00       96.00   0.00%    96.00   0.00%    96.67  -0.69%

no_scaafps - no seccomp/apparmor confinement, no FIPS
sccmp      - seccomp confinement on
aa         - apparmor confinement on
fips       - FIPS packages installed in container image

See also bug #1212272.
Comment 1 Andreas Herrmann 2023-07-25 09:41:17 UTC
If this performance impact is an issue for a workload, AppArmor confinement can be turned off using '--security-opt apparmor=unconfined' when the container is started.
Comment 2 Andreas Herrmann 2023-07-25 09:42:15 UTC
Closing as 'wontfix'.