On 14/06/2024 16:30, Julien Petit wrote:
What processes are CPU hungry?
[...]
udisksd,
This one does not use a mount namespace, for the obvious reason. However, it tends to generate unnecessary activity. Perhaps it needs optimizations for your case.
(fstrim)
There were some bugs, including the sandboxing settings in its unit file, but perhaps it is irrelevant.
find
Does it have some logic to avoid descending into bind mounts? Maybe I am wrong with my expectation that it does not use anything besides st_dev from the stat result. It may be a promising case to demonstrate the issue in a way independent of systemd and sandboxing. You can obtain the command line arguments. Attach to its mount namespace and inspect the content of its /proc/<PID>/mounts or mountinfo. The next step would be to profile or at least to trace the process.
It seems to happen with all processes accessing mounts. And since disabling sandboxing with php fixed the problem for the php process, it looks like it is linked to sandboxing.
From my point of view PHP is more complex than find.
We only use mount bind to share an initial folder with other users with different access rights (rw or ro).
I have not figured out from your description what problem you solved by using bind mounts, but bubblewrap (so flatpak and snap) and firejail rely on bind mounts as well. Perhaps you have some unique factors.
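As an added example (not from this thread), a small shell helper that does what the reply suggests: read the target's command line, the identity of its mount namespace and its /proc/<PID>/mountinfo, then diff the mount points it sees against the caller's. It assumes Linux /proc and permission to read the target's /proc entry (your own processes, or root for a system service).

```shell
#!/bin/sh
# Added example, not code from the thread. Inspect a process's mount
# namespace from the outside: cmdline, namespace id, visible mount points.

# Command line of a process, NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Identity of the mount namespace the process lives in, e.g. "mnt:[4026531841]".
# Two processes with different ids see different mount tables.
mount_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# Mount points visible to the process (field 5 of mountinfo), sorted for comm.
mount_points_of() {
    awk '{ print $5 }' "/proc/$1/mountinfo" | sort -u
}

# Number of distinct mount points visible to the process.
mount_count_of() {
    mount_points_of "$1" | wc -l | tr -d ' '
}

# Mount points the process sees that the caller does not, and vice versa.
# A unit sandboxed with ProtectSystem=, PrivateTmp= and friends normally shows
# extra bind mounts here; an unsandboxed process in the caller's ns prints none.
mount_diff() {
    pid="$1"
    mount_points_of self > "/tmp/mi.self.$$"
    mount_points_of "$pid" > "/tmp/mi.pid.$$"
    echo "only in PID $pid:"
    comm -13 "/tmp/mi.self.$$" "/tmp/mi.pid.$$"
    echo "only in caller:"
    comm -23 "/tmp/mi.self.$$" "/tmp/mi.pid.$$"
    rm -f "/tmp/mi.self.$$" "/tmp/mi.pid.$$"
}

# Usage: inspect_mounts <PID>   (e.g. the MainPID of the slow service)
inspect_mounts() {
    pid="$1"
    echo "cmdline : $(proc_cmdline "$pid")"
    echo "mount ns: $(mount_ns_of "$pid")  (caller: $(mount_ns_of self))"
    echo "mounts  : $(mount_count_of "$pid")"
    mount_diff "$pid"
}
```

If the namespace ids differ and the diff is non-empty, the slow process is walking a different mount table than the shell you are testing from, which is the first thing to confirm before tracing it.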