[Oisf-users] CPU Affinity and Best practices
Charles DeVoe
scarecrow_57 at yahoo.com
Wed Dec 14 13:41:53 UTC 2016
I have many sensors in various configurations. I want to set up CPU affinity to improve performance. Some have 2 physical CPUs, some have just 1. Commentary: calling them CPUs is incorrect; actually a chip with 8 cores has 8 CPUs. Runmode is pfring workers in IDS configuration.
As I understand it, in this configuration I am only concerned with:
management-cpu-set - used for management (example - flow.managers, flow.recyclers)
detect-cpu-set - used for receive, streamtcp, decode, detect, output (logging), respond/reject
On systems where a tap is used we get data on 2 separate NICs (one is the Rx channel, the other is the Tx). These are then placed in a bond so as to treat this as 1 data stream. We also do this in instances where we get multiple SPAN/Mirror port feeds. I believe in the latter case we should be treating each feed separately and running a separate Suricata instance for that feed. Comments on this???
ALSO.......In the PFRING setup we are running multiple threads. Seems to me I should only need one, but what do I know.....
I believe my rules of application here should be as follows:
On systems with a single physical CPU monitoring 1 feed, I should reserve a couple of cores for system processes and the remainder should be split up for the acquisition, decode, detect, and output threads.
On systems with 2 physical CPUs monitoring one feed, I should reserve one physical CPU for the system; the other physical CPU should be used for Suricata.
On systems with 2 physical CPUs monitoring 2 feeds, I should reserve a couple of cores for the system; the 2 feeds should be split to run on separate instances of Suricata.
The logic I am using here is that I want the acquisition and decode to run on a single core (perhaps multiple cores? Advice here); the detect processes can use multiple cores.
One other question in this section: what is the prio doing???
    - detect-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
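
What the prio block in the snippet above selects per CPU, as an added example that is not part of the original post and not Suricata's own code. It assumes that in "exclusive" mode each thread is pinned to one CPU of the set and takes the priority of the prio list containing that CPU, with "default" used otherwise; the function names and the 8-CPU host are hypothetical.

```python
# Added example: models how the prio block of a cpu-affinity set is read.
# Assumption: in "exclusive" mode each thread is pinned to one CPU of the set
# and takes the priority of the prio list that CPU appears in, else "default".

def expand(spec, ncpus):
    """Expand a set such as [0], ["1-2"] or ["all"] into a sorted list of CPU ids."""
    cpus = set()
    for item in spec:
        text = str(item).strip()
        if text == "all":
            cpus.update(range(ncpus))
        elif "-" in text:
            lo, hi = (int(part) for part in text.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {text!r}")
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(text))
    missing = sorted(c for c in cpus if not 0 <= c < ncpus)
    if missing:
        raise ValueError(f"CPU ids {missing} not present on a {ncpus}-CPU host")
    return sorted(cpus)

def thread_priorities(cpu_set, ncpus):
    """Return {cpu: priority} for every CPU the set can pin a thread to."""
    prio = cpu_set.get("prio", {})
    default = prio.get("default", "medium")
    by_cpu = {}
    for level in ("low", "medium", "high"):
        for cpu in expand(prio.get(level, []), ncpus):
            by_cpu.setdefault(cpu, level)  # first matching list wins
    return {cpu: by_cpu.get(cpu, default) for cpu in expand(cpu_set["cpu"], ncpus)}

# The detect-cpu-set block from the post, as the dict a YAML parser would return.
DETECT_CPU_SET = {
    "cpu": ["all"],
    "mode": "exclusive",
    "prio": {"low": [0], "medium": ["1-2"], "high": [3], "default": "medium"},
}

if __name__ == "__main__":
    # Hypothetical 8-CPU sensor: CPUs 4-7 are in no prio list and get the default.
    for cpu, level in thread_priorities(DETECT_CPU_SET, 8).items():
        print(f"cpu {cpu}: {level}")
```

On a host with fewer than 4 CPUs the example raises, because the `high: [ 3 ]` list names a CPU that does not exist there.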