<div dir="ltr"><div>I'd like to pick the Suricata developer brains on what each cpu-set does, and how to best handle cpu pinning.</div><div><br></div><div>I've noticed enormous performance gains by tweaking the following settings, but still feel as though I only have a partial picture. </div><div><br></div><div>For those still getting up to speed, check out section 8.1.9 at:</div><div><a href="http://jasonish-suricata.readthedocs.org/en/latest/configuration/suricata-yaml.html">http://jasonish-suricata.readthedocs.org/en/latest/configuration/suricata-yaml.html</a></div><div><br></div><div>I'd like approach this from the expectation that we're looking at many-core machines capable of handling a 10Gbps link at moderate levels of saturation.</div><div><br></div><div>Ideally, this info might make it's way to the official docs. I'm going to enter this under the assumption that my assumptions on what each cpu-set does is wrong or misguided (which is so often the case)!</div><div><br></div><div>So, here's what we have:</div><div><br></div><div>- management-cpu-set:</div><div>Description: ???</div><div><br></div><div>- receive-cpu-set:</div><div>Description: ???</div><div><br></div><div>- decode-cpu-set:</div><div>Description: ???</div><div><br></div><div>- stream-cpu-set:</div><div>Description: ???</div><div><br></div><div>- detect-cpu-set:</div><div>Description: ???</div><div><br></div><div>- verdict-cpu-set:</div><div>Description: ???</div><div><br></div><div>- reject-cpu-set:</div><div>Description: ???</div><div><br></div><div>- output-cpu-set:</div><div>Description: ???</div><div><br></div><div><br></div><div>I don't want to derail the thread with tuning voodoo just yet, but it may help to have an understanding of where I'm coming from. </div><div><br></div><div>Here's my current config settings. We're handling a max of about 1100MB/s over a Myricom (18 ring buffers, hence 18 pinned cores; kernel 2.6) with 19,000 ET Pro rules on a Dell R630 with 2x Xeon E5-2687W v3 @ 3.1GHz and 128GB RAM. I'll be bringing up mpm-context/detect-engine tuning in a later email thread, so don't jump the gun!</div><div><br></div><div>threading:</div><div> set-cpu-affinity: yes</div><div> cpu-affinity:</div><div> - management-cpu-set:</div><div> cpu: [ 0,2 ] </div><div> mode: "exclusive"</div><div> prio:</div><div> default: "high"</div><div> - receive-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ] </div><div> mode: "exclusive"</div><div> prio:</div><div> default: "low"</div><div> - decode-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ]</div><div> mode: "exclusive"</div><div> prio:</div><div> default: "medium"</div><div> - stream-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ]</div><div> mode: "exclusive"</div><div> prio:</div><div> default: "medium"</div><div> - detect-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ]</div><div> mode: "exclusive" </div><div> prio:</div><div> default: "medium"</div><div> - verdict-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ]</div><div> mode: "exclusive"</div><div> prio:</div><div> default: "high"</div><div> - reject-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ]</div><div> mode: "exclusive"</div><div> prio:</div><div> default: "low"</div><div> - output-cpu-set:</div><div> cpu: [ 4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38 ]</div><div> mode: "exclusive"</div><div> prio:</div><div> default: "medium"</div><div><br></div><div><br></div><div>Victor, Eric, Peter, and everyone else who I've forgotten,</div><div><br></div><div>What have you got for us?</div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Brandon Lattin<div>Security Analyst<br><div>University of Minnesota - University Information Security<br>Office: 612-626-6672</div></div></div></div>
</div>