az confcom katapolicygen extremely slow with big container image #31490

@grydz

Describe the bug

The command az confcom katapolicygen can take more than 11 hours to finish when generating the policy for a 10GB container image while it only takes ~30 seconds for a 300MB container image.

Related command

$ /usr/bin/time -v az confcom katapolicygen --yaml cc-ai-demo.yaml --debug
        Command being timed: "az confcom katapolicygen --yaml cc-ai-demo.yaml --debug"
        User time (seconds): 31.49
        System time (seconds): 38.05
        Percent of CPU this job got: 0%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 10:51:40
        Average shared text size (kbytes): 0
        Average unshared data size (kbytes): 0
        Average stack size (kbytes): 0
        Average total size (kbytes): 0
        Maximum resident set size (kbytes): 60072
        Average resident set size (kbytes): 0
        Major (requiring I/O) page faults: 266
        Minor (reclaiming a frame) page faults: 27113
        Voluntary context switches: 1694824
        Involuntary context switches: 14384
        Swaps: 0
        File system inputs: 98848
        File system outputs: 11490720
        Socket messages sent: 0
        Socket messages received: 0
        Signals delivered: 0
        Page size (bytes): 4096
        Exit status: 0

Errors

No error but unusable in practice.

Issue script & Debug output

$ /usr/bin/time -v az confcom katapolicygen --yaml cc-ai-demo.yaml --debug
cli.knack.cli: Command arguments: ['confcom', 'katapolicygen', '--yaml', 'cc-ai-demo.yaml', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7d436c8680d0>, <function OutputProducer.on_global_arguments at 0x7d436c7bab00>, <function CLIQuery.on_global_arguments at 0x7d436c7f8040>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'confcom': ['azext_confcom']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: confcom                   0.002         1         3  /home/grydz/.azure/cliextensions/confcom
cli.azure.cli.core: Total (1)                 0.002         1         3  
cli.azure.cli.core: Loaded 1 groups, 3 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : confcom katapolicygen
cli.azure.cli.core: Command table: confcom katapolicygen
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7d436b95dfc0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/grydz/.azure/commands/2025-05-16.14-32-04.confcom_katapolicygen.83972.log'.
az_command_data_logger: command args: confcom katapolicygen --yaml {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7d436b972b00>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7d436b9a1ea0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7d436b9a3d00>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7d436b9a3d90>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7d436c7bab90>, <function CLIQuery.handle_query_parameter at 0x7d436c7f80d0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7d436b9a3c70>]
az_command_data_logger: extension name: confcom
az_command_data_logger: extension version: 1.2.4

Expected behavior

The difference in execution time between a 10GB and a 300MB container image with az confcom katapolicygen should not be this huge.

Environment Summary

$ az --version
azure-cli                         2.72.0

core                              2.72.0
telemetry                          1.1.0

Extensions:
aks-preview                     16.0.0b1
attestation                        1.0.0
confcom                            1.2.4

Dependencies:
msal                              1.32.3
azure-mgmt-resource               23.1.1

Python location '/home/grydz/.pyenv/versions/3.10.14/envs/azure/bin/python'
Config directory '/home/grydz/.azure'
Extensions directory '/home/grydz/.azure/cliextensions'

Python (Linux) 3.10.14 (main, Apr  2 2024, 15:30:39) [GCC 13.2.1 20230801]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

My hardware info:

# System Details Report
---

## Report details
- **Date generated:**                              2025-05-16 15:22:41

## Hardware Information:
- **Hardware Model:**                              Dell Inc. XPS 13 9310
- **Memory:**                                      16.0 GiB
- **Processor:**                                   11th Gen Intel® Core™ i7-1165G7 × 8
- **Graphics:**                                    Intel® Iris® Xe Graphics (TGL GT2)
- **Disk Capacity:**                               (null)

## Software Information:
- **Firmware Version:**                            3.11.0
- **OS Name:**                                     Manjaro Linux
- **OS Build:**                                    rolling
- **OS Type:**                                     64-bit
- **GNOME Version:**                               48
- **Windowing System:**                            Wayland
- **Kernel Version:**                              Linux 6.13.12-2-MANJARO

Labels: Service Attention, bug, customer-reported