Bugzilla – Bug 1213640
MMTests/gitsource: Performance impact of FIPS support in container is about 2%
Last modified: 2023-07-25 11:57:14 UTC
x86, kernel 5.14.21-150400.24.66-default

podman version 4.4.4
runc version 1.1.5
commit: v1.1.5-0-gf19387a6bec4
spec: 1.0.2-dev
go: go1.19.9
libseccomp: 2.5.3

Tests with MMTests/gitsource benchmark showed that for elapsed time of this benchmark performance impact of FIPS support is about 2%:

----------------------podman-------------------------
             no_scaafps        aa                fips               sccmp
Amean User     433.58     433.60  -0.00%    446.64  -3.01%    461.13  -6.35%
Amean Syst     179.52     188.84  -5.19%    178.48   0.58%    194.38  -8.28%
Amean Elap     632.58     642.21  -1.52%    645.78  -2.09%    675.62  -6.80%
Amean CPU       96.00      96.00   0.00%     96.00   0.00%     96.67  -0.69%

no_scaafps - no seccomp/apparmor confinement, no FIPS
sccmp - seccomp confinement on
aa - apparmor confinement on
fips - FIPS packages installed in container image

See also bug #1212272.
The base container image used was FIPS compliant, i.e. it had installed:

i+ | patterns-base-fips | FIPS 140-2 specific packages | package
i  | fips               | FIPS 140-2 specific packages | pattern

patterns-base-fips pulls in libgcrypt20-hmac. gpg behaves differently depending on whether libgcrypt20-hmac is installed or not. Thus all gitsource test cases using gpg are affected. For individual gitsource test cases using gpg the performance impact of FIPS support is significant.

If a workload is affected by this and FIPS compliance is not required, then removing FIPS packages with 'zypper remove --clean-deps patterns-base-fips' can improve performance.
Closing as 'wontfix'.