From: "Ludovic Courtès" <ludovic.courtes@inria.fr>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: Guix-devel <guix-devel@gnu.org>
Subject: Re: Speeding up archive export
Date: Tue, 15 Sep 2020 09:53:08 +0200 [thread overview]
Message-ID: <87d02na32z.fsf@inria.fr> (raw)
In-Reply-To: <87d02n4y29.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 14 Sep 2020 21:40:30 -0400")
Hi Maxim,
I’m a bad person, I realize I didn’t even follow up to my message to
point to <https://issues.guix.gnu.org/43340>, which I pushed just
yesterday. Sorry for the confusion!
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> Ludovic Courtès <ludovic.courtes@inria.fr> writes:
>
>> Hello Guix!
>>
>> If you’ve ever used offloading (or ‘guix copy’), you’ve probably noticed
>> that the time to send store items is proportional to the number of store
>> items to send rather than their total size. Namely:
>>
>> guix archive --export coreutils
>>
>> is fast, but:
>>
>> guix archive --export $(guix build -d coreutils)
>>
>> is slow (there are lots of small files).
>>
>> Running ‘perf timechart record guix archive --export …’ confirms the
>> problem: guix-daemon is mostly idle, waiting for all the tiny ‘guix
>> authenticate’ programs it spawns to sign each every store item. Here’s
>> the Gantt diagram (grey = idle, blue = busy):
>
> Very cool! The timechart suggests the guix-authenticate programs are
> run sequentially? Perhaps running them in parallel would be a cheap,
> first step to improve performance?
The sequence goes like this:
1. Export store item as nar and compute its hash.
2. Pass hash to ‘guix authenticate sign’.
3. Goto 1 for next store item.
So it’s not really parallelizable, and even pipelining is not really
feasible.
>> 1. Sign the whole bundle instead of each individual item.
>>
>> That solves the problem, but that would prevent the receiver from
>> storing individual store item signatures in the future (a few years
>> ago Nix added signatures as part of the ‘ValidPathInfo’ table of
>> the store database, and I think that’s something we might want to
>> have too).
>
> Why? Couldn't the receiver do the book keeping no matter if it received
> a signed bundle or a single file? It could assign the bundle signature
> to individual store files in the database, for example. This seems the
> obvious, easy solution. We need good arguments to not implement it.
The idea of storing signatures is that you’d keep one signature per
store item. That way, you have precise provenance tracking for each
store item. Also, if you re-export them (via ‘guix publish’ or ‘guix
archive’), you can choose to serve those third-party signatures.
>> 2. Sign fewer items: we can do that by signing only store items that
>> are not content-addressed—i.e., resulting from a fixed-output
>> derivation or being a “source” coming from ‘add-to-store’ or
>> similar.
>>
>> That means we wouldn’t have to sign .drv and *-guile-builder, which
>> would make a big difference and is generally advisable.
>> Unfortunately, there’s no easy way to determine whether a store
>> item is content-addressable. Again Nix added
>> “certificate-addressability claims” to ‘ValidPathInfo’, which might
>> help, though it’s not entirely clear.
>>
>> 3. Reimplement ‘guix authenticate’ and a subset of (guix pki) in C++ (!).
>> We could load the keys and the ACL only once, and we wouldn’t have
>> to fork and all, I’m sure it’d be very fast… and very distracting
>> too: I’d rather investigate in the daemon rewrite in Scheme.
>>
>> 4. Spawn ‘guix authenticate’ once and talk to it over a pipe (similar
>> to ‘guix offload’). That might be the easiest short-term solution.
>
> Failing 1., 4. is my second favorite, because it seems the most Guixy of
> the remaining options, and should provide acceptable performance.
Yes, that’s what <https://issues.guix.gnu.org/43340> does, with quite
some success. I’ve been testing it locally and will now give it a spin
on berlin.
Thanks for your feedback!
Ludo’.
next prev parent reply other threads:[~2020-09-15 7:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-10 9:04 Speeding up archive export Ludovic Courtès
2020-09-15 1:40 ` Maxim Cournoyer
2020-09-15 7:53 ` Ludovic Courtès [this message]
2020-09-15 17:14 ` Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d02na32z.fsf@inria.fr \
--to=ludovic.courtes@inria.fr \
--cc=guix-devel@gnu.org \
--cc=maxim.cournoyer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.