search

ostreedev / ostree

Operating system and container binary deployment and upgrades
https://ostreedev.github.io/ostree/
Other
1.3k stars 296 forks source link

5 second delay in `ostree remote gpg-import` if repository path is over a certain length #883

Closed ssssam closed 7 years ago

ssssam commented 7 years ago

This is a slightly odd issue report because the problem is already fixed in libostree v2017.6. However it seems to be a coincidental fix so I want to document the actual issue. The problem could also still occur in the case that the user sets TMPDIR to a really long pathname, although that's unlikely.

Steps to reproduce

This requires a GPG key such as https://sdk.gnome.org/keys/gnome-sdk.gpg. I ran these commands with ostree 2017.2 from Fedora 24.

Good case:

$ repo=/tmp/repo
$ ostree init --repo=$repo
$ ostree remote add origin http://example.com/ --repo=$repo
$ time ostree remote gpg-import origin --repo=$repo --stdin < ./gnome-sdk.gpg
Imported 1 GPG key to remote "origin"
0.01user 0.01system 0:02.07elapsed

Bad case:

$ repo=/tmp/repo-1234567890123456789012345678901234567890123456789012345678901234567890
$ ostree init --repo=$repo
$ ostree remote add origin http://example.com/ --repo=$repo
$ time ostree remote gpg-import origin --repo=$repo --stdin < ./gnome-sdk.gpg
Imported 1 GPG key to remote "origin"
0.01user 0.01system 0:10.06elapsed

Notice in the bad case it takes 10 second to import the key. Re-importing the key takes 1 second in the good case and 5 seconds in the bad case.

Cause

This is actually a GNUPG issue where it fails to open a socket to the gpg-agent if the "home directory" is over a certain length and blocks for 5 seconds in the process.

Running the ostree remote gpg-import command with GPGME_DEBUG=9 highlights that, and we can reproduce the problem with gpg2 itself:

$ repo=/tmp/repo-1234567890123456789012345678901234567890123456789012345678901234567890
$ mkdir -p $repo/tmp-gpg-1234567890
$ cat ./gnome-sdk.gpg  | time /usr/bin/gpg2 --homedir $repo/tmp-gpg-1234567890 --import
gpg: can't connect to the agent: File name too long
gpg: Total number processed: 1
gpg:               imported: 1
0.00user 0.00system 0:05.00elapsed

Running the same command with a shorter repo path name takes around 1 second.

So the problem is triggered when libostree creates a GPG home dir context inside the tempdir of a repo that already has a long pathname.

Fix

Commit 4f80548454dba1342849caf5b568cb4e34883ba4 changes the ot_gpgme_ctx_tmp_home_dir() function to use a tempdir in /tmp (or whatever TMPDIR is specified) rather than the /tmp subdirectory of the repository for the GPG home directory. This makes it much less likely that the GPG home directory path will be long enough to trigger the 5 second wait. I don't hit this problem any more now that I've upgraded to libostree 2017.6.

Ultimately this is a bug in GPG -- it seems that when importing public keys there's no need to connect to the agent anyway.

cgwalters commented 7 years ago

Thanks for the diagnosis! Reporting even fixed issues like this is very useful so people can find via search.

Hmm, I wonder if https://github.com/ostreedev/ostree/issues/727 was caused by this as well?