[Oisf-users] Figuring out how many cpus to allocate
Russell Fulton
r.fulton at auckland.ac.nz
Wed Oct 8 03:07:52 UTC 2014
After having various mysterious (and hard to diagnose) problems with my setup using the SO packages and pfring I have been experimenting with oisf packages or compiling from source and af_packet.
I have been using af_packet on a compiled version of 2.0.4 (Thanks Peter M!) for getting on to a day now. Overnight it detected more events than the production box which has more cores and memory. What I notice is that suricata uses about twice as much cpu as before! The big difference in the config apart from the change to af_packet was that I had not enabled cpu affinity in the new config — more by oversight than anything else.
I then went back to the production box and set cpu affinity to no and the cpu rocketed up. This strongly suggests that I had crippled the application by failing to allocate enough cpus for detection. The downside is that the kernel is dropping half the packets!
I then turned the cpu affinity back on and started adding more cpus to the detection and I now have about 1% kernel drops and 8 busy cpus.
What should I have been looking for in the stats to alert me to the fact that I did not have enough CPUs assigned to detection threads?
Or put another way “How do I know when I have enough detection threads?”
Also is there another way to stop suricata hogging all the CPU to the point where the kernel drops packets — apart from adding more cores ;)
Russell
set-cpu-affinity: yes
# Tune cpu affinity of suricata threads. Each family of threads can be bound
# on specific CPUs.
cpu-affinity:
  - management-cpu-set:
      cpu: [ 6 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 7, 6 ]  # include only these cpus in affinity settings
  - decode-cpu-set:
      cpu: [ 7, 6 ]
      mode: "balanced"
  - stream-cpu-set:
      cpu: [ "6-7" ]
  - detect-cpu-set:
      cpu: [ "8-15" ]
      mode: "exclusive" # run detect threads in these cpus
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      threads: 8
      prio:
        low: [ 8 ]
        medium: [ "8-14" ]
        high: [ 15 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 8 ]
      prio:
        default: "high"
  - reject-cpu-set:
      cpu: [ 8 ]
      prio:
        default: "low"
  - output-cpu-set:
      cpu: [ "all" ]
      prio:
        default: "medium"
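
An added example, not part of the original message: one way to track the kernel drop percentage mentioned above, per capture thread and per interval, from Suricata's stats.log. The sample dumps and thread names are constructed, and the pipe-separated layout with the capture.kernel_packets and capture.kernel_drops counters is assumed to match the stats.log written by the version in use.

```python
import re

# Constructed sample: two consecutive stats.log dumps, reduced to the rows
# this example reads. Counters are cumulative since Suricata started.
SAMPLE_STATS = """\
Date: 10/8/2014 -- 03:00:00 (uptime: 0d, 00h 10m 00s)
capture.kernel_packets    | AFPacketeth21             | 1000000
capture.kernel_drops      | AFPacketeth21             | 500000
capture.kernel_packets    | AFPacketeth22             | 1000000
capture.kernel_drops      | AFPacketeth22             | 0
Date: 10/8/2014 -- 03:00:10 (uptime: 0d, 00h 10m 10s)
capture.kernel_packets    | AFPacketeth21             | 2000000
capture.kernel_drops      | AFPacketeth21             | 510000
capture.kernel_packets    | AFPacketeth22             | 2000000
capture.kernel_drops      | AFPacketeth22             | 0
"""

ROW = re.compile(r"^(capture\.kernel_(?:packets|drops))\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(text):
    """Return one {thread: {counter: value}} dict per 'Date:' block."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
        m = ROW.match(line)
        if m and dumps:
            counter, thread, value = m.groups()
            dumps[-1].setdefault(thread, {})[counter] = int(value)
    return dumps

def interval_drop_rates(text):
    """Percent of packets dropped per thread between consecutive dumps."""
    dumps = parse_dumps(text)
    rates = []
    for prev, cur in zip(dumps, dumps[1:]):
        row = {}
        for thread, c in cur.items():
            p = prev.get(thread, {})
            pkts = c.get("capture.kernel_packets", 0) - p.get("capture.kernel_packets", 0)
            drops = c.get("capture.kernel_drops", 0) - p.get("capture.kernel_drops", 0)
            if pkts > 0:  # skip idle threads and counter resets after a restart
                row[thread] = round(100.0 * drops / pkts, 2)
        rates.append(row)
    return rates

if __name__ == "__main__":
    print(interval_drop_rates(SAMPLE_STATS))
```

Working on deltas rather than the cumulative totals keeps an early burst of drops from masking, or exaggerating, the current rate after an affinity change.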