On OI (and Solaris 11.4), nscd caches auth_attr, user_attr, prof_attr, and exec_attr (and of course passwd, group, and project); so I'm not sure what could be done to speed up RBAC. However, policy.conf is NOT cached (and has lots of CDDL etc. comments in it); per policy.conf(4) it's read by chkauthattr(3SECDB) and getexecuser(3SECDB).
OTOH, unless one is using one of the pf*sh shells or pfexec(1), I don't see how RBAC is part of the problem anyway.

> On Jan 19, 2021, at 05:17, Jim Klimov <[email protected]> wrote:
>
> On January 19, 2021 4:27:04 AM UTC, Hung Nguyen Gia via openindiana-discuss
> <[email protected]> wrote:
>> OI included many shells. So far I only stick with the default, bash.
>>
>> But the performance is very bad. e.g: when using pkgsrc to build
>> packages.
>>
>> As I have said on this list: pkgsrc bootstrap on OI is 4x slower than
>> on FreeBSD. Building packages also that slower.
>>
>> I think the problem is of the shell. Because I see it checking for
>> something very slowly.
>>
>> The output printed on the screen 'Checking for...' is line by line,
>> very slow. Meanwhile, the same thing on FreeBSD is blazing fast that I
>> can't even see what's going on at all.
>>
>> I'm thinking about using other shell than bash.
>>
>> But I can't test with each shell. They are too many.
>>
>> From your own experience, which shell is the fastest?
>>
>> _______________________________________________
>> openindiana-discuss mailing list
>> [email protected]
>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>
> This matches my experience sadly, also on systems with ksh93 as the real
> default system shell since Solaris, and e.g. configure scripts using that
> as-is or patched to use bash explicitly.
>
> Same codebase mounted from OI over NFS to a Linux VM passes configuration
> much faster - so it is not e.g. overheads of disk/FS layers.
>
> Similarly for shell/fork heavy tests like https://github.com/42ity/JSON.sh
> unit-testing (nearly zero I/O, but lots of shells tried) - the linux worker
> completes minutes before OI does.
>
> As far as I could unravel and guess, this is just about a more expensive
> forking routine (RBAC and all) than on less protective OSes. This is a PITA
> sadly, but unless something is just broken in the kernel but rather really
> does more work by design because of different goals and trade-offs, then so
> be it.
>
> If something *is* broken and can be made faster, it would be much appreciated
> :-)
>
> Jim
>
> --
> Typos courtesy of K-9 Mail on my Android
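To check whether the slowdown discussed in this thread comes from process creation rather than from the shell or from RBAC lookups, the cost of fork() alone can be timed separately from fork() plus exec and compared across systems. The following is an added example, not code from any poster in the thread; the function name `bench_spawn`, the iteration count and the `/bin/true` path are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fork n children one at a time. With exec_path == NULL each child exits at
 * once, so only fork()+exit+wait is timed; otherwise each child execs
 * exec_path with no arguments. Returns the number of children that exited
 * with status 0, or -1 if fork() failed; wall-clock seconds go to *secs. */
int bench_spawn(int n, const char *exec_path, double *secs)
{
    struct timespec t0, t1;
    int ok = 0;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            if (exec_path != NULL)
                execl(exec_path, exec_path, (char *)NULL);
            _exit(exec_path != NULL ? 127 : 0);  /* 127: exec failed */
        }
        int status;
        if (waitpid(pid, &status, 0) == pid &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0)
            ok++;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    *secs = (t1.tv_sec - t0.tv_sec) + (t1.tv_nsec - t0.tv_nsec) / 1e9;
    return ok;
}

int main(void)
{
    const int n = 2000;               /* assumed iteration count */
    double secs;
    int ok = bench_spawn(n, NULL, &secs);
    printf("fork only:   %d ok, %.1f us each\n", ok, secs / n * 1e6);
    /* /bin/true is an assumed path; adjust for the system under test. */
    ok = bench_spawn(n, "/bin/true", &secs);
    printf("fork + exec: %d ok, %.1f us each\n", ok, secs / n * 1e6);
    return 0;
}
```

Running the same binary a third time with pfexec(1) as the exec target would show what the RBAC path adds on top of a plain exec.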
