Michael Meeks
Collabora Online puts a lot of effort into containing your changes inside a new file-system jail per document. We use chroot or unprivileged user namespaces to achieve this, but in some cases we are unable to bind mount, or hard-link read-only files across. This is a problem because it is vital that we don’t allow users to change files that could be used in another jail.
In these cases we have copied the files that are required. After years of hard work to reduce this set, the jail systemplate now contains primarily two things: first timezone files, and second system fonts.
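The property described above can be audited from outside a jail. The following is an added example, not Collabora Online code: it walks one jail, flags any file that shares an inode with the template yet still carries a write bit, and totals the files that were copied instead. The function names, directory names and sample files are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def audit_jail(jail_root, template_root):
    """Return (writable_shared, private_files, private_bytes) for one jail.

    writable_shared: relative paths whose inode is shared with the template
    and still carries a write bit; private_*: files copied into the jail.
    """
    writable_shared, private_files, private_bytes = [], 0, 0
    for dirpath, _dirs, names in os.walk(jail_root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail_root)
            jst = os.lstat(path)
            if not stat.S_ISREG(jst.st_mode):
                continue  # symlinks and special files are out of scope
            try:
                tst = os.lstat(os.path.join(template_root, rel))
            except FileNotFoundError:
                tst = None
            if tst is not None and (tst.st_dev, tst.st_ino) == (jst.st_dev, jst.st_ino):
                if jst.st_mode & 0o222:  # shared inode that can be written
                    writable_shared.append(rel)
            else:
                private_files += 1
                private_bytes += jst.st_size
    return sorted(writable_shared), private_files, private_bytes


def build_demo(base):
    """Constructed sample tree: two hard links and one copy."""
    tpl, jail = os.path.join(base, "template"), os.path.join(base, "jail")
    os.makedirs(tpl)
    os.makedirs(jail)
    for name, mode in (("ro.dat", 0o444), ("rw.dat", 0o644), ("tz.dat", 0o444)):
        with open(os.path.join(tpl, name), "wb") as f:
            f.write(b"x" * 100)
        os.chmod(os.path.join(tpl, name), mode)
    os.link(os.path.join(tpl, "ro.dat"), os.path.join(jail, "ro.dat"))
    os.link(os.path.join(tpl, "rw.dat"), os.path.join(jail, "rw.dat"))
    shutil.copy(os.path.join(tpl, "tz.dat"), os.path.join(jail, "tz.dat"))
    return jail, tpl


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(audit_jail(*build_demo(base)))
```

The write-bit test is a first-pass check: permission bits live on the inode, so a file owned by the jailed user can be made writable again, and ownership deserves the same scrutiny.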
Timezone files are particularly annoying – since there are a very large number of them:
$ ls -R /usr/share/zoneinfo | wc -l
1993
But in total they are very small:
$ du -k -c /usr/share/zoneinfo/ | grep total
3020 total
i.e. only around 3Mb. With this commit (and thanks to Noel Grandin’s review) we now switch to using the internal timezone database from ICU, which was duplicated internally.
That should save over half the time of jail setup, a large number of system calls, and some surprising costs in terms of memory pages and stacked-file-system latency in unpleasant corner cases.
Faster setup, smaller jails, fewer dependencies, let’s go!
