Expected cost of having a large number of bindings


Corbin Champion

Oct 7, 2013, 2:58:23 AM
to proo...@googlegroups.com
I have not looked into how bindings are stored and looked up, but what do you think the impact is of having 100's or even 1000's of them?  Trying to decide to what extent I should move data (certain folders, or all non-executables) to a larger, but noexec partition.

Corbin

Cédric VINCENT

Oct 7, 2013, 4:22:44 AM
to proo...@googlegroups.com
Hello Corbin,

On Mon, Oct 7, 2013 at 8:58 AM, Corbin Champion <corb...@gmail.com> wrote:
> I have not looked into how bindings are stored and looked up, but
> what do you think the impact is of having 100's or even 1000's of
> them?

Here are some figures I got on my x86_64 workstation with PRoot v3.1
(process_vm & seccomp_filter accelerators enabled):

    ===========  ===========  ===========
    nb bindings  benchmark 1  benchmark 2
    ===========  ===========  ===========
              0        0.00s         8.4s
             10        0.00s         8.4s
            100        0.00s         8.9s (+6%)
           1000        0.17s        14.8s (+76%)
           3281        1.60s        29.0s (+245%)
    ===========  ===========  ===========

where:

    * "benchmark 1" is useful to know the cost at startup time:

          time proot $BINDINGS /bin/true

    * "benchmark 2" is useful to know the cost at run time:

          proot $BINDINGS bash
          time perl -e 'system("/usr/bin/true") for (1..10000)'

    * $BINDINGS was generated with the following command:

          find /usr/bin/ -type f | head -n $NB_BINDINGS | xargs --replace=foo echo -n " -b foo"

A couple of comments regarding these figures:

    * the cost might be *proportionally* smaller when accelerators are
      disabled, since more time is spent elsewhere.  For instance,
      with seccomp_filter turned off:

          ===========  ===========
          nb bindings  benchmark 2
          ===========  ===========
                    0        14.3s
                   10        14.4s
                  100        14.8s (+3%)
                 1000        20.7s (+44%)
                 3281        34.9s (+244%)
          ===========  ===========

    * most programs do not stress PRoot as much as "benchmark 2" does.
      It should be considered as a worst case.

    * I never benchmarked the cost of bindings before, so it is not
      yet optimized.  I'm pretty sure there's a lot of room for
      improvement.

Cédric.

Corbin Champion

Oct 8, 2013, 1:54:32 AM
to proo...@googlegroups.com
Thank you!  I have thought of a better way than making a gross number of bindings.  Make all non-executables be links but have the links point at paths that are behind one binding where all of them will be stored.  For example /etc/resolv.conf will be a symbolic link /etc/resolv.conf -> /mynonexecbinding/etc/resolv.conf.  
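The relocation described in the last message, as an added shell example that is not code from the thread or from PRoot. The function name `relocate_nonexec`, the assumption that the store directory lies outside the rootfs, and the skipping of shared objects are choices made here; `/mynonexecbinding` is the path from the post.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): move non-executable files
# out of a guest rootfs into one store directory and leave absolute symlinks
# that resolve through a single binding, instead of one binding per file.
# Assumptions: STORE lies outside ROOTFS; BIND_PATH is the guest-side path of
# the binding (/mynonexecbinding in the post).
# Prints the relative path of every file it relocated, one per line.
relocate_nonexec() {
    rootfs=${1%/} store=${2%/} bind_path=${3%/}
    # Select regular files with no execute bit for user, group or other.
    # Shared objects are skipped even when their mode is 0644: mapping them
    # with PROT_EXEC from a noexec mount fails.
    find "$rootfs" -type f \
        ! -perm -100 ! -perm -010 ! -perm -001 \
        ! -name '*.so' ! -name '*.so.*' \
        -exec sh -c '
            rootfs=$1 store=$2 bind_path=$3; shift 3
            for f in "$@"; do
                rel=${f#"$rootfs"/}
                mkdir -p "$store/$(dirname "$rel")" &&
                mv "$f" "$store/$rel" &&
                ln -s "$bind_path/$rel" "$f" &&
                printf "%s\n" "$rel"
            done
        ' sh "$rootfs" "$store" "$bind_path" {} +
}

# Stand-alone use: relocate.sh ROOTFS STORE BIND_PATH
# The guest is then started with one binding, for example:
#   proot -r ROOTFS -b STORE:/mynonexecbinding ...
if [ "$#" -eq 3 ]; then
    relocate_nonexec "$@"
fi
```

Files that already carry an execute bit stay in place, so only the rootfs itself needs an exec-capable filesystem.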