Intermittent hangs seen on VxFS when SELINUX is enabled

Article ID: 100052012

Description

Error Message


There is no specific error message that will indicate that this issue was hit. 

The performance impact has been observed using InfoScale 7.4.1 with RHEL 7.6 or higher. 

Cause

When SELinux is enabled on a system with VxFS, additional information about SELinux is kept in the filesystem metadata.

By default, VxFS uses a 256-byte inode, which has no space for the additional data required by SELinux. Therefore, additional inodes are created to contain the SELinux information. When many files are being created rapidly, this can cause issues, along with extended search times.

The issue has been observed on InfoScale 7.4.1 with RHEL 7.6 or higher.
 

SELinux can be enabled or disabled. When enabled, SELinux has two modes: enforcing and permissive.

Use the getenforce or sestatus commands to check in which mode SELinux is running.

The getenforce command returns Enforcing, Permissive, or Disabled.
The sestatus command returns the SELinux status and the SELinux policy being used:


Sample output

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31


 

Resolution

To alleviate this, we have two options.
 

Option 1:

A new filesystem can be created with a larger default inode size, so no additional inodes need to be created to contain SELinux data.
This cannot be changed on an existing filesystem; it can only be set when running "mkfs".

To set the inode size, use the "inosize=512" option with mkfs:

# mkfs -t vxfs -o inosize=512  /dev/vx/rdsk//
 

You can determine the inode size of a filesystem with the following command:

# echo "8192B.p S" | /opt/VRTS/bin/fsdb  /dev/vx/dsk// | grep dinosize


Example of a filesystem with the default inode size of 256.

# echo "8192B.p S" | /opt/VRTS/bin/fsdb  /dev/vx/dsk/datadg/testvol3 | grep dinosize
iauimlen 1  iausize 4  dinosize 256

Example of a filesystem with an increased inode size of 512.

# echo "8192B.p S" | /opt/VRTS/bin/fsdb /dev/vx/dsk/datadg/datavol1 | grep dinosize
iauimlen 1  iausize 4  dinosize 512

 

Option 2:

Disable SELinux fully. This means that it must be set to "disabled" in /etc/selinux/config. If left in permissive mode, then the SELinux data is still being maintained in the filesystem metadata.

https://access.redhat.com/solutions/3176
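Both conditions described above (SELinux not fully disabled, and an inode size below 512) can be checked together. The script below is an added example, not code from Veritas or Red Hat: it combines the getenforce mode with the dinosize value from the fsdb command shown in Option 1 for every mounted VxFS filesystem. The function names and the OK/AFFECTED/UNKNOWN labels are this example's own.

```shell
#!/bin/sh
# Added example: flag VxFS filesystems where SELinux data does not fit in
# the inode. Function names and result labels are this example's own.
FSDB=/opt/VRTS/bin/fsdb   # fsdb path as used in the article

# Read fsdb superblock output on stdin and print the dinosize value.
parse_dinosize() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dinosize") { print $(i + 1); exit } }'
}

# Classify one filesystem. Args: getenforce output, dinosize.
# Permissive counts the same as Enforcing: the SELinux data is still
# maintained in the filesystem metadata unless SELinux is Disabled.
assess() {
    case "$2" in ''|*[!0-9]*) echo UNKNOWN; return ;; esac
    case "$1" in
        Disabled) echo OK ;;
        Enforcing|Permissive)
            if [ "$2" -ge 512 ]; then echo OK; else echo AFFECTED; fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Live check over every vxfs entry in /proc/mounts.
audit_vxfs_mounts() {
    mode=$(getenforce 2>/dev/null || echo Unknown)
    awk '$3 == "vxfs" { print $1, $2 }' /proc/mounts |
    while read -r dev mnt; do
        size=$(echo "8192B.p S" | "$FSDB" "$dev" 2>/dev/null | parse_dinosize)
        printf '%s %s dinosize=%s selinux=%s %s\n' \
            "$mnt" "$dev" "${size:-?}" "$mode" "$(assess "$mode" "$size")"
    done
}

# Run the live audit only where the VxFS tools are installed.
if [ -x "$FSDB" ]; then audit_vxfs_mounts; fi
```

A filesystem reported as AFFECTED matches the condition in the Cause section; OK means either the inode size is at least 512 or SELinux is set to disabled.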
 

Issue/Introduction

When using SELinux, some application performance can be degraded when running on VxFS. Applications that create many files in short periods may be more susceptible to observable degradation.

Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system.