[Oisf-users] Suricata threading

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 14 10:26:12 UTC 2014


Thanks Duarte and Coop!

On 14/08/2014, at 7:11 pm, Duarte Silva <duarte.silva at serializing.me> wrote:

> Hi,
> 
> in your configuration you should enable affinity :P
> 
>> #
>> # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
>> #
>> set-cpu-affinity: no
> 
> Change this to yes, otherwise any settings below will be ignored.

I fixed that but the behaviour has not changed much; it is still hogging one CPU.

Looking at the startup logs I see:

Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Core dump size set to unlimited. 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - dropped the caps for main thread 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - fast output device (regular) initialized: fast.log 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Adding interface eth3 from config file 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "management-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "receive-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "decode-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "stream-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "detect-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using default prio 'medium' 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "verdict-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using default prio 'high' 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "reject-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using default prio 'low' 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Found affinity definition for "output-cpu-set" 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using default prio 'medium' 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Using flow cluster mode for PF_RING (iface eth3) 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Going to use 1 thread(s) 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Setting affinity on CPU 13 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Setting prio -2 for "RxPFReth31" Module to cpu/core 13, thread id 9432 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Error> - [ERRCODE: SC_ERR_THREAD_NICE_PRIO(47)] - Error setting nice value for thread RxPFReth31: Operation not permitted 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - (RxPFReth31) Using PF_RING v.5.6.1, interface eth3, cluster-id 99, single-pfring-thread 
Aug 14 22:15:08 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - RunModeIdsPfringWorkers initialised 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - Setting prio 0 for "FlowManagerThread" thread , thread id 9433 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream "max-sessions": 262144 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream "prealloc-sessions": 32768 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream "memcap": 33554432 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream "midstream" session pickups: disabled 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream "async-oneside": disabled 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream "checksum-validation": enabled 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream."inline": disabled 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream.reassembly "memcap": 67108864 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream.reassembly "depth": 1048576 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream.reassembly "toserver-chunk-size": 2560 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:08 - <Info> - stream.reassembly "toclient-chunk-size": 2560 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:09 - <Info> - Setting prio 0 for "SCPerfWakeupThread" thread , thread id 9434 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:09 - <Info> - Setting prio 0 for "SCPerfMgmtThread" thread , thread id 9435 
Aug 14 22:15:09 secmonprd02 suricata: 14/8/2014 -- 22:15:09 - <Info> - all 1 packet processing threads, 3 management threads initialized, engine started. 

I get affinity set for just cpu 13.

I am guessing the nice fails because I have dropped privs.

Here is the current config:

  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 10 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 10 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 10, 11 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ "10-11" ]
    - detect-cpu-set:
        cpu: [ "13-15" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        threads: 3
        prio:
          low: [ 10 ]
          medium: [ "11-12" ]
          high: [ 13 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 10 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 10 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ "all" ]
        prio:
          default: "medium"
 

I also uncommented the “threads: 3” under -detect-cpu-set.

It is cpu13 that is running at 100% 
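
Added example, not part of the original post and not Suricata project code: a small Python check that reads the startup lines quoted above and reports how many packet threads started and which CPUs they were pinned to. Comparing against the threads: 3 and cpu 13-15 values from the posted detect-cpu-set is an assumption made for this example, and the function names are hypothetical.

```python
import re

# Startup lines copied from the log quoted in the post (syslog prefix trimmed).
SAMPLE_LOG = """\
<Info> - Going to use 1 thread(s)
<Info> - Setting affinity on CPU 13
<Info> - Setting prio -2 for "RxPFReth31" Module to cpu/core 13, thread id 9432
<Error> - [ERRCODE: SC_ERR_THREAD_NICE_PRIO(47)] - Error setting nice value for thread RxPFReth31: Operation not permitted
<Info> - all 1 packet processing threads, 3 management threads initialized, engine started.
"""

PINNED = re.compile(r'Setting prio (-?\d+) for "([^"]+)" Module to cpu/core (\d+)')
ERRCODE = re.compile(r'\[ERRCODE: (\w+)\(\d+\)\]')
TOTALS = re.compile(r'all (\d+) packet processing threads, (\d+) management threads')

def expand_cpus(spec):
    """Expand a numeric cpu list as written in the config: ["13-15"] -> {13, 14, 15}."""
    cpus = set()
    for item in spec:
        lo, _, hi = str(item).partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def summarize(log_text):
    """Collect thread pinning, thread totals and error codes from startup lines."""
    out = {"pinned": {}, "errors": [], "packet_threads": None, "mgmt_threads": None}
    for line in log_text.splitlines():
        if m := PINNED.search(line):
            out["pinned"][m.group(2)] = int(m.group(3))
        elif m := ERRCODE.search(line):
            out["errors"].append(m.group(1))
        elif m := TOTALS.search(line):
            out["packet_threads"], out["mgmt_threads"] = int(m.group(1)), int(m.group(2))
    return out

def check(summary, wanted_threads, cpu_spec):
    """Compare what the engine started with against the intended thread count and cpu set."""
    cpus = expand_cpus(cpu_spec)
    used = set(summary["pinned"].values())
    findings = []
    if summary["packet_threads"] != wanted_threads:
        findings.append(f"{summary['packet_threads']} packet thread(s) started, {wanted_threads} configured")
    if cpus - used:
        findings.append(f"no thread pinned to CPUs {sorted(cpus - used)}")
    findings += [f"startup error {e}" for e in summary["errors"]]
    return findings

if __name__ == "__main__":
    print("\n".join(check(summarize(SAMPLE_LOG), 3, ["13-15"])))
```

Running the same check after each configuration change shows whether the packet thread count and the pinned CPUs actually moved.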



