Add helper binary for bulk certificate processing. #15
Conversation
busykai
force-pushed
the
kai/perf-helper-for-bulk-ops
branch
from
95371d9
to
a9f59fa
Compare
|
@icarus-sparry would you fancy reviewing this change? |
busykai
force-pushed
the
kai/perf-helper-for-bulk-ops
branch
from
a9f59fa
to
bfa9134
Compare
| @@ -0,0 +1,148 @@ | |||
|
|
|||
| : | ||
| done 2>/dev/null | ||
| done | ||
| ) | ||
| if [ $? -ne 0 ]; then |
There was a problem hiding this comment.
Unless you want to explicitly want to return just 0/1, you could loose lines 196-199, as the function by default will return the value of the last command (in this case the subshell) by default.
clrtrust.in
Outdated
| finger=${finger#SHA1 Fingerprint=} | ||
| printf "%s\t%s\n" "${f}" "${finger}" | ||
| done | ||
| find $dir -maxdepth 1 -type f | "${CLR_HELPER_CMD}" -f |
There was a problem hiding this comment.
Is there any sanity checking somewhere that filenames do not include embedded newlines and tabs?
If not, then can I suggest using
find "$dir" -maxdepth 1 -type f -exec "${CLR_HELPER_CMD}" -f {} +
and making the helper program loop over its arguments? Another popular approach is to add a -z flag to the helper to accept NUL terminated filenames rather than newline terminated ones.
There was a problem hiding this comment.
Since there are few other places already which would fail anyways, I documented this as an issue #16. I will address it at some point, but not as part of this change.
clrtrust.in
Outdated
| # configured location. | ||
| LIBEXEC_DIR=LIBEXEC_CONFIG_VALUE | ||
| CLR_HELPER_NAME=clrtrust-helper | ||
| if [ -n "${CLR_LIBEXEC_DIR}" ]; then # environment override |
There was a problem hiding this comment.
This is fine. If I was writing it I would do it more like
for d in ${CLR_LIBEXEC_DIR+"$CLR_LIB_EXEC_DIR"} "$(dirname "$0")" "${LIBEXEC_DIR}"
do if [ -x "$d/${CLR_HELPER_NAME}" ] ; then
CLR_HELPER_CMD="$d/${CLR_HELPER_NAME}"
break
fi
done
There was a problem hiding this comment.
I started with it, just like the lock file location few lines below, but after few modifications got confused. This is way cleaner, thanks!
clrtrust-helper.c
Outdated
|
|
||
| if (fname) free(fname); | ||
|
|
||
| return 0; |
There was a problem hiding this comment.
Perhaps a global return code to indicate if there were any errors (e.g. missing files) rather than success except for "somehow I got to line 136" and "missing or conflicting -s -f switches"?
There was a problem hiding this comment.
Will do. Actually, the errors are not handled correctly in the caller script either, so this must be taken care of.
clrtrust-helper.c
Outdated
| print_help(); | ||
| return 1; | ||
| } | ||
|
|
There was a problem hiding this comment.
I suggest below allowing the filenames to be specified on the command line.
If you don't then perhaps a check that nothing extra has been passed on the command line?
Maybe a '-z' mode to read the names NUL deliminated rather than newline deliminated?
|
thank you for the review, @icarus-sparry! it's very helpful. |
busykai
force-pushed
the
kai/perf-helper-for-bulk-ops
branch
from
bfa9134
to
257bab0
Compare
Instead of launching 'openssl x509' for each file, use small binary to process files in bulk. This optimization improves performance more than 7 times (measured on store generation). Performance of 'clrtrust generate' is important for first-time booting.
busykai
force-pushed
the
kai/perf-helper-for-bulk-ops
branch
from
257bab0
to
33ccc14
Compare
Instead of launching 'openssl x509' for each file, use small binary to
process files in bulk. This optimization improves performance more than
7 times (measured on store generation). Performance of 'clrtrust
generate' is important for first-time booting.
Before:
After: