[Bug 2054390] Re: Refine proc mounts entries traversal

Chengen Du 2054390 at bugs.launchpad.net
Mon Feb 10 02:35:10 UTC 2025 

The reported regression in Noble involves an error occurring while
processing the `mandos-client` package, which does not appear to be
related to this issue.

161s Setting up mandos-client (1.8.16-1ubuntu4) ...
170s gpg: key 5F3A09F160B7A22B was created 77 seconds in the future (time warp or clock problem)
170s gpg: key 5F3A09F160B7A22B was created 77 seconds in the future (time warp or clock problem)
170s gpg: key 5F3A09F160B7A22B was created 77 seconds in the future (time warp or clock problem)
170s gpg: make_keysig_packet failed: Time conflict
170s shred: /tmp/mandos-keygen-privkey.A3zKnKrm06: failed to open for writing: No such file or directory
170s dpkg: error processing package mandos-client (--configure):
170s  installed mandos-client package post-installation script subprocess returned error exit status 2

Both proposed packages in Jammy and Noble have been verified according
to the test plan, and the results meet expectations.

[Jammy]
root at jammy:~# apt policy cryptsetup
cryptsetup:
  Installed: 2:2.4.3-1ubuntu1.3
  Candidate: 2:2.4.3-1ubuntu1.3
  Version table:
 *** 2:2.4.3-1ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:2.4.3-1ubuntu1.2 500
        500 http://tw.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     2:2.4.3-1ubuntu1 500
        500 http://tw.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

root at jammy:~# mount | grep zfs
zfs on /zfs type zfs (rw,xattr,noacl)
zfs/ds on /zfs/ds type zfs (rw,xattr,noacl)
root at jammy:~# ./test /zfs/ds
devnos: 
root at jammy:~# echo $?
0

root at jammy:~# wc -l /proc/mounts 
5028 /proc/mounts
<-Before->
root at jammy:~# time /usr/share/initramfs-tools/hooks/cryptroot
real	0m1.538s
user	0m1.032s
sys	0m0.582s
<-After->
root at jammy:~# time /usr/share/initramfs-tools/hooks/cryptroot
real	0m0.097s
user	0m0.074s
sys	0m0.025s

[Noble]
root at noble:~# apt policy cryptsetup
cryptsetup:
  Installed: 2:2.7.0-1ubuntu4.2
  Candidate: 2:2.7.0-1ubuntu4.2
  Version table:
 *** 2:2.7.0-1ubuntu4.2 100
        100 http://tw.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:2.7.0-1ubuntu4.1 500
        500 http://tw.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
     2:2.7.0-1ubuntu4 500
        500 http://tw.archive.ubuntu.com/ubuntu noble/main amd64 Packages

root at noble:~# mount | grep zfs
zfs on /zfs type zfs (rw,relatime,xattr,noacl,casesensitive)
zfs/ds on /zfs/ds type zfs (rw,relatime,xattr,noacl,casesensitive)
root at noble:~# ./test /zfs/ds
devnos: 
root at noble:~# echo $?
0

root at noble:~# wc -l /proc/mounts 
5022 /proc/mounts
<-Before->
root at noble:~# time /usr/share/initramfs-tools/hooks/cryptroot
real	0m1.654s
user	0m0.995s
sys	0m0.726s
<-After->
root at noble:~# time /usr/share/initramfs-tools/hooks/cryptroot
real	0m0.058s
user	0m0.038s
sys	0m0.024s

** Tags removed: verification-needed verification-needed-jammy verification-needed-noble
** Tags added: verification-done verification-done-jammy verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2054390

Title:
  Refine proc mounts entries traversal

Status in cryptsetup package in Ubuntu:
  Fix Released
Status in cryptsetup source package in Focal:
  In Progress
Status in cryptsetup source package in Jammy:
  Fix Committed
Status in cryptsetup source package in Mantic:
  Won't Fix
Status in cryptsetup source package in Noble:
  Fix Committed
Status in cryptsetup source package in Oracular:
  Fix Released
Status in cryptsetup source package in Plucky:
  Fix Released

Bug description:
  [Impact]
  The shell's read builtin iterates through /proc/mounts one line at a time. This becomes problematic when LDAP automount maps generate a large number of entries in /proc/mounts. It can lead to timeout issues, especially when iterating through the entries twice in the cryptroot hook.

  [Fix]
  Applying the following upstream commit [1] can resolve this issue.

  95fd4be9b4c6 d/functions: get_mnt_devno(): Speed up execution time on large /proc/mounts.
      Use awk rather than a `while read; do done` loop here as the /proc/mounts
      pseudo-file can be many thousands lines long and the shell's `read` builtin
      traverses it one read(2) at the time which cruelly slows down execution time.

      See https://salsa.debian.org/cryptsetup-
  team/cryptsetup/-/merge_requests/36 .

  [Test Plan]
  1. Prepare a VM with its root partition encrypted using LUKS.
  2. Save the content of /etc/crypttab for reference.
  3. Install the patched package and execute the binary located at /usr/share/initramfs-tools/hooks/cryptroot.
  4. Verify that the /etc/crypttab content remains unchanged and ensure the output does not include the following warning message:
  cryptsetup: WARNING: Couldn't determine root device

  For ZFS, which does not have a major/minor device number, the hook function will skip it.
  To reproduce this scenario, it is necessary to configure the root partition on ZFS.
  You can refer to the documentation [2] for the setup process.
  Alternatively, we can prepare a simple script to manually trigger this scenario for testing purposes.
  ===
  #!/bin/sh

  . /lib/cryptsetup/functions

  if devnos="$(get_mnt_devno $1)"; then
  	echo "devnos: ${devnos}"
  else
  	echo "WARNING: Couldn't determine device"
  fi
  ===

  The logic can be easily verified by following these steps:
  # mount | grep zfs
  /zfs on /zfs type zfs (rw,xattr,noacl)
  zfs/dataset on /mnt type zfs (rw,xattr,noacl)
  # ./test /mnt
  devnos:
  # echo $?
  0

  The devnos should be empty, and no errors should occur.

  The performance improvement test is outlined as follows:
  root at jammy-ptp:~# mkdir src dst
  root at jammy-ptp:~# for i in {1..5000}; do touch src/test_${i} dst/test_${i}; mount --bind src/test_${i} dst/test_${i}; done
  root at jammy-ptp:~# wc -l /proc/mounts
  5028 /proc/mounts

  [Before]
  root at jammy-ptp:~# time /usr/share/initramfs-tools/hooks/cryptroot
  real	0m1.415s
  user	0m0.975s
  sys	0m0.529s

  [After]
  root at jammy-ptp:~/cryptsetup# time /usr/share/initramfs-tools/hooks/cryptroot
  real	0m0.129s
  user	0m0.098s
  sys	0m0.037s

  [Where problems could occur]
  The patch exclusively modifies the method of extracting information without altering the underlying hook logic.
  It's crucial to note that the successful generation of the crypttab is contingent upon the accuracy of the information provided by the patch.
  Any inaccuracies may impede the crypttab generation process.

  [Other Info]
  The proposed change [1] is already applied in Oracular and Plucky.

  [1] https://salsa.debian.org/cryptsetup-team/cryptsetup/-/commit/95fd4be9b4c6471e94c418101e7acfae7e1aa4fc
  [2] https://openzfs.github.io/openzfs-docs/Getting%20Started/Ubuntu/Ubuntu%2022.04%20Root%20on%20ZFS.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2054390/+subscriptions

More information about the foundations-bugs mailing list