1 |
Hi Fabian, |
2 |
|
3 |
On Wed, Feb 21, 2018 at 10:04:42AM +0100, Fabian Groffen wrote: |
4 |
|
5 |
> To give you an idea; the current tree is getting its Manifests from |
6 |
> hashgen.c, which you can find in scripts/rsync-generation/hashgen.c. |
7 |
> The hashverify tool, which I'm currently working on, is basically an |
8 |
> addition to that file (doing argv[0] detection) to perform the |
9 |
> verification. At this time of writing, I have the gpg-verification and |
10 |
> single file entry verification in place. I'm still trying to close the |
11 |
> gap in checking the dirs in particular looking for files that are not |
12 |
> listed in the Manifest. |
13 |
|
14 |
I've been following or rather post-reading the discussion about GLEP-74 |
15 |
and it seems a lot of thought and security considerations have gone into |
16 |
it. Are you following it for your implementation? |
17 |
|
18 |
I see you're using OpenMP. That looks very neat and could certainly make |
19 |
it scale better than gemato. |
20 |
|
21 |
BTW: I remember OpenMP being plain missing from clang until recently. |
22 |
Ah, https://clang-omp.github.io/ says 3.7 and onwards have native |
23 |
support. |
24 |
|
25 |
> hashgen currently runs in 30s or so on the tree to generate manifests. |
26 |
> I hope it can verify in the same amount of time (we're talking about a |
27 |
> Quad G5 PowerPC machine here with rusty old spinning disks), leaving it |
28 |
> in a much better position to be used for Prefix, since we tend to have |
29 |
> slower/older machines around. |
30 |
|
31 |
I can only believe that number if the portage tree fits into the fs |
32 |
cache (RAM). Then it would be purely CPU-bound, I guess, and C could |
33 |
play out its advantage. |
34 |
|
35 |
On a machine that has just synced the tree using rsync it would also |
36 |
still be in RAM as a working set (if there was sufficient RAM) and the |
37 |
same consideration would apply. On my MacBook Air I get 625012k from du |
38 |
for the tree. So this should be alright for any machine with 1GB+ of RAM |
39 |
that's not doing anything else at the time. |
40 |
|
41 |
As soon as the tree doesn't completely fit into RAM, the later files of |
42 |
the rsync will push the first files out of the cache. So for |
43 |
verification, the reading will start from scratch, making the |
44 |
verification I/O-bound and the advantage of a C implementation mostly |
45 |
irrelevant, won't it? |
46 |
|
47 |
As a quick number: On an ARM SBC of mine with a Dual-Core 1.2GHz |
48 |
Cortex-A7, 1GB of RAM and fs on a microSD card that does 22MB/s |
49 |
sequential read I get 400 seconds flat for the first run of gemato |
50 |
verify and 386 for the second when the fs cache is primed already. I do |
51 |
see a bit of I/O-boundness on the first run and on the second, gemato |
52 |
fully hogs the CPU. It would be interesting to compare how much of that |
53 |
is python overhead and how much the actual crypto. Unfortunately the gcc |
54 |
on that board doesn't have openmp support (yet). |
55 |
|
56 |
gemato create runs 667s on the same board and falls back to a single |
57 |
thread for some reason about a minute in. So I'd certainly take a |
58 |
22fold speedup if I could get it. :) |
59 |
|
60 |
> We're not really looking forward to 15 |
61 |
> minutes of verification as some bugs have been reported to with gemato. |
62 |
|
63 |
Well, with webrsync I was looking at around three minutes of download |
64 |
and five minutes of unpacking and local rsync on my ARM SBCs. With |
65 |
gemato it's now about 30 seconds to three minutes of rsyncing depending |
66 |
on the amount of changes and six minutes of gemato checking. So |
67 |
basically I've neither gained nor lost anything but feel much more |
68 |
efficient by once again not downloading what hasn't changed. |
69 |
|
70 |
It also shows that I have a high pain threshold in dealing with Gentoo |
71 |
on small and old machines. Considering how long Gentoo users typically |
72 |
wait for compiles to finish I wouldn't have expected a bit of a wait for |
73 |
gemato or hashverify to be much of an issue. |
74 |
|
75 |
> Portage used to do 1) checking the digests of ebuilds and 2) checking |
76 |
> for missing and extra files. I noticed that at least 1) is no longer |
77 |
> present, which I find weird. I need checking this on normal Gentoo, |
78 |
> (simply edit an ebuild and try to emerge it without updating its |
79 |
> digest), but I have the suspicion this got disabled because the full |
80 |
> tree verification should catch this. Needless to say, that's |
81 |
> suboptimal, and not very secure IMO. |
82 |
|
83 |
Ah, now I understand what you were getting at. I just verified: Both |
84 |
checks are working on Gentoo Linux but not in Prefix Mac. It seems to |
85 |
have to do with setting "thin-manifests" in layout.conf of the prefix |
86 |
tree. Once I set that to false, prefix portage behaves the same as |
87 |
Gentoo Linux portage. |
88 |
|
89 |
Gentoo Linux: |
90 |
|
91 |
[root@linux:/usr/portage/xfce-base/garcon] sha512sum garcon-0.6.1.ebuild |
92 |
dfa80c3e8c766af3d170536f6d7c48793da6bccd4f1647ac8194130a521eb852bf6872514a75e8da7d0eec02eca53d76e431c4371c6f9c891a68fa516fdca8b7 garcon-0.6.1.ebuild |
93 |
[root@linux:/usr/portage/xfce-base/garcon] grep EBUILD.*0.6.1.*SHA512 Manifest |
94 |
EBUILD garcon-0.6.1.ebuild 1018 SHA512 dfa80c3e8c766af3d170536f6d7c48793da6bccd4f1647ac8194130a521eb852bf6872514a75e8da7d0eec02eca53d76e431c4371c6f9c891a68fa516fdca8b7 |
95 |
[root@linux:/usr/portage/xfce-base/garcon] sed -i -e "s,econf,fooconf," garcon-0.6.1.ebuild |
96 |
[root@linux:/usr/portage/xfce-base/garcon] ebuild garcon-0.6.1.ebuild compile |
97 |
* Digest verification failed: |
98 |
* /usr/portage/xfce-base/garcon/garcon-0.6.1.ebuild |
99 |
* Reason: Filesize does not match recorded size |
100 |
* Got: 1020 |
101 |
* Expected: 1018 |
102 |
|
103 |
[root@linux:/usr/portage/xfce-base/garcon] ebuild garcon-0.6.1.ebuild digest |
104 |
>>> Creating Manifest for /usr/portage/xfce-base/garcon |
105 |
[root@linux:/usr/portage/xfce-base/garcon] mkdir files |
106 |
[root@linux:/usr/portage/xfce-base/garcon] echo foo > files/foo |
107 |
[root@linux:/usr/portage/xfce-base/garcon] ebuild garcon-0.6.1.ebuild prepare |
108 |
* garcon-0.6.1.tar.bz2 BLAKE2B SHA512 size ;-) ... |
109 |
[ ok ] |
110 |
* checking ebuild checksums ;-) ... |
111 |
[ ok ] |
112 |
* checking miscfile checksums ;-) ... |
113 |
[ ok ] |
114 |
!!! A file is not listed in the Manifest: |
115 |
'/usr/portage/xfce-base/garcon/files/foo' |
116 |
[root@linux:/usr/portage/xfce-base/garcon] touch garcon-0.7.0.ebuild |
117 |
[root@linux:/usr/portage/xfce-base/garcon] ebuild garcon-0.6.1.ebuild prepare |
118 |
* A file is not listed in the Manifest: '/usr/portage/xfce-base/garcon/garcon-0.7.0.ebuild' |
119 |
[root@linux:~] grep thin /usr/portage/metadata/layout.conf |
120 |
# Use thin Manifests for Git |
121 |
thin-manifests = false |
122 |
|
123 |
Prefix Mac: |
124 |
|
125 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ sha512sum garcon-0.6.1.ebuild |
126 |
dfa80c3e8c766af3d170536f6d7c48793da6bccd4f1647ac8194130a521eb852bf6872514a75e8da7d0eec02eca53d76e431c4371c6f9c891a68fa516fdca8b7 garcon-0.6.1.ebuild |
127 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ grep EBUILD.*0.6.1.*SHA512 Manifest |
128 |
EBUILD garcon-0.6.1.ebuild 1018 SHA512 dfa80c3e8c766af3d170536f6d7c48793da6bccd4f1647ac8194130a521eb852bf6872514a75e8da7d0eec02eca53d76e431c4371c6f9c891a68fa516fdca8b7 |
129 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ sed -i -e "s,econf,fooconf," garcon-0.6.1.ebuild |
130 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ sha512sum garcon-0.6.1.ebuild |
131 |
42f04d921b82955f8ac6237b4f2ebd78fad1cb0f2ab3cbf0f11b4b055b5a20c0cba6f2a37639b759a8912ec728bbde2f491b57d7565066f3ef5f4587e8f787a5 garcon-0.6.1.ebuild |
132 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ ebuild garcon-0.6.1.ebuild compile |
133 |
>>> Downloading 'http://distfiles.gentoo.org/distfiles/garcon-0.6.1.tar.bz2' |
134 |
[...] |
135 |
|
136 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ grep -r thin /gentoo/usr/portage/metadata/layout.conf |
137 |
# Use thin Manifests for Git |
138 |
thin-manifests = true |
139 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ sed -i -e "s,thin-manifests = true,thin-manifests = false," /gentoo/usr/portage/metadata/layout.conf |
140 |
|
141 |
root@mac:/gentoo/usr/portage/xfce-base/garcon $ ebuild garcon-0.6.1.ebuild prepare |
142 |
>>> Existing ${T}/environment for 'garcon-0.6.1' will be sourced. Run |
143 |
>>> 'clean' to start with a fresh environment. |
144 |
* Missing digest for '/gentoo/usr/portage/xfce-base/garcon/garcon-0.6.1.ebuild' |
145 |
|
146 |
root@nindamos:/usr/local/gentoo/usr/portage/xfce-base/garcon $ mkdir files |
147 |
root@nindamos:/usr/local/gentoo/usr/portage/xfce-base/garcon $ touch files/foo |
148 |
root@nindamos:/usr/local/gentoo/usr/portage/xfce-base/garcon $ ebuild garcon-0.6.1.ebuild prepare |
149 |
* garcon-0.6.1.tar.bz2 BLAKE2B SHA512 size ;-) ... |
150 |
[ ok ] |
151 |
* checking ebuild checksums ;-) ... |
152 |
[ ok ] |
153 |
* checking miscfile checksums ;-) ... |
154 |
[ ok ] |
155 |
!!! A file is not listed in the Manifest: '/usr/local/gentoo/usr/portage/xfce-base/garcon/files/foo' |
156 |
|
157 |
> Now I may be all wrong with trying to implement the verification myself, |
158 |
> but that's a separate topic. gemato should work fine. |
159 |
|
160 |
I think it's a worthy cause just for the fact that multiple |
161 |
implementations of a protocol are always good to drive improvement and |
162 |
show up the corner cases. |
163 |
|
164 |
Maybe it shouldn't be hidden away in the prefix tree so others can more |
165 |
easily become aware of and contribute to it. |
166 |
|
167 |
> I've checked some of the digests you mentioned and they look ok. So I'm |
168 |
> wondering whether perhaps you got caught in the middle of a sync. This |
169 |
> used to be much less of a problem because of per-ebuild-dir integrity, |
170 |
> but now the entire tree requires to be consistent. I'll look into |
171 |
> re-activating my symlink-flip, which should make the switch atomic, but |
172 |
> I don't know what rsync is doing if the symlink is flipped during a |
173 |
> sync. It reduces the invalid window somewhat I guess. |
174 |
|
175 |
I've retried a couple of times today. I deleted timestamp.chk several |
176 |
times and resynced until I saw no delta any more. There actually was a |
177 |
delta on the second and sometimes third run, mostly Manifest.gzs and |
178 |
metadata. It still fails reliably on second-level Manifests, e.g. |
179 |
dev-dotnet/Manifest.gz and sys-libs/Manifest.gz |
180 |
|
181 |
It looks as if regeneration of Manifests and md5-cache runs almost |
182 |
continuously, not just every 26,56 of the hour as rsync's motd says. Is |
183 |
that intentional or are perhaps multiple instances of the script running |
184 |
amok? |
185 |
-- |
186 |
Micha |
187 |
Elephants don't play chess! |