significant slowdown for first-run of image with --userns=keep-id and native overlay (not present with fuse-overlayfs?)

[asottile]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I recently noticed that overlayfs landed in the kernel I'm using and that podman supports it directly instead of using the fuse-overlayfs driver!

I switched some of my container workflows over to this and noticed a significant startup cost on the first execution of an image -- the startup cost doesn't appear to be present in subsequent executions.

Steps to reproduce the issue:

I have narrowed it down to this small shell script -- I'm specifically picking a large image since the image size seems to be a factor here. with a smaller image the difference in startup is noticeable but not as exaggerated.

note: this is a minimal reproduction, my actual use-case involves --user "$(id -u):$(id -g)" but that was not needed to reproduce the slowdown.

note when using the following storage configuration, this issue is not present:

# ~/.config/containers/storage.conf
[storage]
driver = "overlay"
[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"

note this shell script includes podman system reset -f which will blow away everything you have, so only run this if you're ok with that!

set -euxo pipefail

podman system reset -f
iid="$(podman pull -q ghcr.io/pre-commit-ci/runner-image:2022-04-03-b6f0772)"
cmd=(podman run --rm --userns=keep-id "$iid" bash -c 'echo hi')
time "${cmd[@]}"
time "${cmd[@]}"

Describe the results you received:

$ bash t.sh 
+ podman system reset -f
++ podman pull -q ghcr.io/pre-commit-ci/runner-image:2022-04-03-b6f0772
+ iid=01a20d4562735887d3363aab0868e1baad7df919585c0843e2d3f3638a54adc2
+ cmd=(podman run --rm --userns=keep-id "$iid" bash -c 'echo hi')
+ podman run --rm --userns=keep-id 01a20d4562735887d3363aab0868e1baad7df919585c0843e2d3f3638a54adc2 bash -c 'echo hi'
hi

real	0m19.339s
user	0m1.061s
sys	0m10.249s
+ podman run --rm --userns=keep-id 01a20d4562735887d3363aab0868e1baad7df919585c0843e2d3f3638a54adc2 bash -c 'echo hi'
hi

real	0m0.252s
user	0m0.064s
sys	0m0.062s

Describe the results you expected:

I expect the execution time of the two podman run commands to be similar

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

$ podman version
Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.16.6
Built:        Wed Dec 31 19:00:00 1969
OS/Arch:      linux/amd64

Output of podman info --debug:

podman info --debug

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.0, commit: '
  cpus: 5
  distribution:
    codename: focal
    distribution: ubuntu
    version: "20.04"
  eventLogger: journald
  hostname: babibox
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.13.0-39-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 4912099328
  memTotal: 12552716288
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version UNKNOWN
      commit: ea1fe3938eefa14eb707f1d22adff4db670645d6
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.1.8
      commit: unknown
      libslirp: 4.3.1-git
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.4.3
  swapFree: 1964396544
  swapTotal: 1964396544
  uptime: 4h 11m 45.43s (Approximately 0.17 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/asottile/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/asottile/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/asottile/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.2
  Built: 0
  BuiltTime: Wed Dec 31 19:00:00 1969
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.4.2

Package info (e.g. output of rpm -q podman or apt list podman):

$ apt list podman
Listing... Done
podman/unknown 100:3.4.2-1 amd64
podman/unknown 100:3.4.2-1 arm64
podman/unknown 100:3.4.2-1 armhf
podman/unknown 100:3.4.2-1 s390x

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes/No -- this is the latest version available to me, and I have checked the guide

Additional environment details (AWS, VirtualBox, physical, etc.):

I have reproduced this on both AWS and on VirtualBox

[Luap99]

I think this because the kernel overlay does not support idmap mounts (yet?). Therefore all files in the image must be chowned on first use.

@giuseppe Correct?

[giuseppe]

yes, correct.

The kernel will likely land idmap support for overlay in the next version, but that won't still work for rootless.

If you create a lot of user namespaces, you may still prefer fuse-overlayfs that supports id mapping.

[giuseppe]

FYI idmap support for overlay: containers/storage#1180

[asottile]

are there any shortcuts I can potentially use that would avoid this perf hit since I'm always executing "as the host user" in the container?

[rhatdan]

It should only be the first time, or setup fuse-overlayfs by default.