[Oisf-users] Configuring cpu affinity for suricata 1.4.7

C. L. Martinez carlopmart at gmail.com
Fri Mar 7 09:52:19 UTC 2014 

On Fri, Mar 7, 2014 at 9:19 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> On Fri, Mar 7, 2014 at 9:10 AM, Eric Leblond <eric at regit.org> wrote:
>> Hello,
>>
>> On Fri, 2014-03-07 at 09:06 +0000, C. L. Martinez wrote:
>>> Hi all,
>>>
>>>  I am running two suricata instances in a host with 6 cores.
>>
>> Why are you running two instances (simple curiosity) ?
>
> On instance monitors traffic for a proxy that comes/go to/from
> internet ... And the other instance monitors traffic that go to proxy
> from internal networks.
>>
>>> I would
>>> like to configure cpu affinity for both instances to use only 2,3,4,5
>>> cores.
>>>
>>>  For suricata01 I have tried the following config:
>>>
>>> threading:
>>>   set-cpu-affinity: no
>>
>> Set previous variable to yes to have the rest used ;)
>
> Sorry, it is a mistake with cut and paste :))... It is enabled
>>
>>>   cpu-affinity:
>>>     - management-cpu-set:
>>>         cpu: [ 2 ]  # include only these cpus in affinity settings
>>>     - receive-cpu-set:
>>>         cpu: [ 2 ]  # include only these cpus in affinity settings
>>>     - decode-cpu-set:
>>>         cpu: [ 2,3 ]
>>>         mode: "balanced"
>>>     - stream-cpu-set:
>>>         cpu: [ 2,3 ]
>>>     - detect-cpu-set:
>>>         cpu: [ 2 ]
>>>         mode: "exclusive" # run detect threads in these cpus
>>
>> Here you say that detect which is the most consuming task is only using
>> one CPU. I don't think this is really what you want.
>>
>
> Uhmm ... Maybe is it more correct to use core 2 to all tasks except
> for detect (using core 3 for this)??


Ok, sorry for the mistake in my last sentence. New config:

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 2 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 2 ]  # include only these cpus in affinity settings
    - decode-cpu-set:
        cpu: [ 2 ]
        mode: "balanced"
    - stream-cpu-set:
        cpu: [ 2,3 ]
    - detect-cpu-set:
        cpu: [ 2,3 ]
        mode: "exclusive" # run detect threads in these cpus
        prio:
          #low: [ 0 ]
          medium: [ 2,3 ]
          high: [ 2,3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 3 ]
        prio:
          default: "high"
    - reject-cpu-set:
        cpu: [ 3 ]
        prio:
          default: "low"
    - output-cpu-set:
        cpu: [ 3 ]
        prio:
           default: "medium"
  detect-thread-ratio: 1.5

Is this more correct??

More information about the Oisf-users mailing list