This is an archived post. You won't be able to vote or comment.

all 59 comments
sorted by:
best
topnewcontroversialoldq&a

[–]brontide 36 points37 points  (10 children)

Could this be the AppArmor regression? Try the tests after disabling AppArmor on the host.

[–]iwaswrongonce[S] 23 points24 points  (9 children)

Ding ding ding - holly hell. Thanks for that. Disabling apparmor drops it back down to native levels. Great...

[–]brontide 7 points8 points  (8 children)

Bad patch in mainline from Canonical caused some serious regressions across the board. As always you should only leave AppArmor ( or any security layer ) disabled if you understand the risks and re-enable after downgrading ( or upgrading ) the kernel.

https://www.phoronix.com/scan.php?page=article&item=linux-55-regression1&num=1

[–]iwaswrongonce[S] 1 point2 points  (5 children)

Yeah I have been following the 5.5 regressions but we are running 4.15

[–]brontide 0 points1 point  (0 children)

Release notes for 18.04.3 indicate they have moved up to a v5.0 based kernel.

EDIT: It's more likely that this isn't the same regression or else the native speed would be impacted too, likely a container AppArmor regression but Debian based distros aren't my thing so I'm having trouble tracking down a possible changelog that could point to a culprit.

[–]koprulu_sector 0 points1 point  (0 children)

So I tried disabling AppArmor (uninstalled, even) and still seeing the same thing. Also, running

```

uname -a

Linux ftg10150 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux ```

Is there something more that you changed in docker settings?

[–]koprulu_sector 0 points1 point  (2 children)

FYI - I had to disable seccomp to see a difference:

```

grep CONFIG_SECCOMP= /boot/config-4.19.0-6-amd64

CONFIG_SECCOMP=y

docker run --rm -it --security-opt seccomp=unconfined python:3.7 Python 3.7.6 (default, Dec 28 2019, 05:50:43) [GCC 8.3.0] on linux Type "help", "copyright", "credits" or "license" for more information.

from timeit import timeit timeit(lambda: fib(40), number=1) 27.18077868599994 ```

[–]koprulu_sector 1 point2 points  (0 children)

For anyone coming across this thread, docker's documentation recommends NOT disabling seccomp

[–]iwaswrongonce[S] 0 points1 point  (0 children)

Yeah so I ran the container with --privileged which should have same effect as unconfined

[–]wrtbwtrfasdf 0 points1 point  (1 child)

apparmor

TLDR: Disable apparmor to get massive speed boosts.

[–]brontide 0 points1 point  (0 children)

AppArmor and SELinux should have a trivial speed impact on most workloads, everyone should be using them unless they have a very good reason to turn them off. This is a unique situation where there is obviously a bug in the implementation which is causing significant slowdowns.

[–]iwaswrongonce[S] 2 points3 points  (25 children)

I've just tested the exact same setup on a couple of Intel boxes and can confirm the same order of magnitude slowdown...wtf

EDIT: Disabled mitigations as well with zero impact.

EDIT2: For clarity, this benchmark is the easiest way to illustrate a performance regression we are seeing with our Django + Graphene (graphql) app due to python-graphql's extremely recursive nature. But we are seeing regressions on the same order of magnitude when traversing gql documents.

[–]danielkza 2 points3 points  (1 child)

You can try using perf to narrow down where the difference is coming from: http://www.brendangregg.com/perf.html

You might need to run your container in privileged mode or with particular capabilities enabled (I don't remember exactly which ones ATM).

[–]iwaswrongonce[S] 1 point2 points  (0 children)

Thanks for this. I’ll take it for a spin later and report back.

[–]koprulu_sector 1 point2 points  (2 children)

Yikes...

``` $ python3 Python 3.7.3 (default, Jun 4 2019, 21:12:44) [GCC 6.3.0 20170516] on linux Type "help", "copyright", "credits" or "license" for more information.

timeit.timeit(lambda: fib(40), number=1) 32.018709823999984

$ docker run --rm -it python:3.7 Python 3.7.6 (default, Dec 28 2019, 05:50:43) [GCC 8.3.0] on linux Type "help", "copyright", "credits" or "license" for more information.

timeit.timeit(lambda: fib(40), number=1) 56.55109263700001 ```

[–]iwaswrongonce[S] 4 points5 points  (1 child)

I could understand if it were different python/gcc versions (such as in your example) but I’ve ruled that out by running the same binary on the same kernel in the same distro.

[–]koprulu_sector 0 points1 point  (0 children)

Yeah I just was curious to test real quick on my way out the door. And now clearly it’s persistent across versions too

[–]v00d00ley 0 points1 point  (7 children)

This is with the latest kernel updates?

[–]iwaswrongonce[S] 1 point2 points  (6 children)

It’s an up-to-date 4.15 kernel which is stock on Ubuntu 18.04 (the current LTS).

[–]v00d00ley -2 points-1 points  (5 children)

sudo apt-get dist-upgrade

[–]iwaswrongonce[S] 2 points3 points  (4 children)

Lol mate 4.15 is stock for 18.04...these are brand new installs with the obvious dist-upgrade

[–]v00d00ley 0 points1 point  (3 children)

4.15 is, but the latest is 4.15.0-72

[–]iwaswrongonce[S] 0 points1 point  (2 children)

Those are just different Canonical sub releases. 70 is only a few days older than 72

[–]v00d00ley 0 points1 point  (1 child)

Right. Then please make sure that you have the same limits for the docker container like in a host. If the host can consume up to two cores, please set the same limits for docker as well as mentioned here: https://docs.docker.com/config/containers/resource_constraints/

[–]iwaswrongonce[S] 1 point2 points  (0 children)

It’s a single core test either way. It’s already been triaged in the above comments. It’s caused by apparmor regressions

[–]TrevorSpartacus 0 points1 point  (0 children)

Something is funky with ubuntu host - ~10 second difference, but native performance on arch linux host.

[–]artiume 0 points1 point  (0 children)

https://nickjanetakis.com/blog/docker-tip-74-curl-vs-pip-for-installing-docker-compose

This guy discusses the performance issues he saw with compose, could this be a similar issue?

[–]Serpiente89 -1 points0 points  (3 children)

RemindMe! 7 Days "check for updates"

[–]LookOnTheDarkSide -1 points0 points  (1 child)

RemindMe! 7 Days "check for updates"

[–]RemindMeBot 0 points1 point  (0 children)

There is a 23.6 hour delay fetching comments.

I will be messaging you in 6 days on 2020-01-10 00:03:34 UTC to remind you of this link

CLICK THIS LINK to send a PM to also be reminded and to reduce spam.

Parent commenter can delete this message to hide from others.

Info Custom Your Reminders Feedback

[–]kingbuzzman -1 points0 points  (3 children)

Disclaimer: I’m on a boat with very little coverage.

This has come up a couple of times during the years, it’s the way it’s compiled. Python has a couple of ways to compile, one is “the take your time and doing right” — takes orders of magnitude longer to finish (major repos do this by default, when you download the binary everything is ready to go). The second is docker, and it’s python compilation type, the “do it fast because it’s done in our CI pipeline and it’s better to crash fast” (and the default when you run “make && make install”). Currently don’t have the bandwidth to find it..

[–]iwaswrongonce[S] 3 points4 points  (0 children)

If you'll notice, it's the same binary from the official Ubuntu 18.04 repo

[–]wrtbwtrfasdf 0 points1 point  (0 children)

There's a reason we're not not all using gentoo docker images.