Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3340 bytes --]

Hello *,

some feedback came from the community 
(https://community.ipfire.org/t/core-153-testing/4005/), where CPU load 
seems to behave fine as well.

Unless I overlooked something, this issue primarily seems to affect
- virtualised systems and
- machines running on a CPU with two cores or less.

Thanks, and best regards,
Peter Müller


> Hello Michael, hello Matthias, hello *,
> 
> just for the records: I cannot reproduce this issue on two machines 
> running Core Update 153 (testing) for a while now.
> 
> Both have an Intel N3150 CPU and are running on x86_64 (no 
> virtualisation), one of those is almost permanently under a significant 
> network load. To be honest, it's CPU load actually _decreased_ a bit 
> after installing Core Update 153, but I cannot pinpoint the reason for 
> this at the moment.
> 
>  From my point of view, there is no need to downgrade to Suricata 5.x 
> again. In terms of security, I dislike that idea as well, however, this 
> seems to affect certain scenarios quite bad...
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hi,
>>
>>> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
>>>
>>> Matthas:
>>>
>>> I worked through some of the examples of the settings described in the
>>> Suricata forum discussion. If my observations is correct, the issue
>>> centers around the flow manager. A change to it has made a big
>>> difference it the resource usage by this process. Its likely going to
>>> come down to live with the load created the v6 version or revert to v5
>>> and wait for them to get to the bottom of this. No combination of
>>> settings in the flow section of suricata.yaml ever seemed to reduce it
>>> and instead increased it.
>>
>> Good research.
>>
>>> I don't use low power systems for IPFire and dont have access to one
>>> but others with these systems may want to take a look at their
>>> performance numbers and report back as to whether they can live with the
>>> higher load.
>>
>> It is not directly low-power systems.
>>
>> I launched this on AWS today and the CPU load is immediately at 25%. 
>> It was mentioned on the linked thread that virtual systems are 
>> affected more.
>>
>> I would now rather lean towards reverting suricata 6 unless there is a 
>> hot fix available soon.
>>
>> Best,
>> -Michael
>>
>>>
>>> Best regards,
>>> Fred
>>>
>>> Please note: Although we may sometimes respond to email, text and phone
>>> calls instantly at all hours of the day, our regular business hours are
>>> 9:00 AM - 6:00 PM ET, Monday thru Friday.
>>>
>>> -----Original Message-----
>>> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
>>> Sent: Friday, December 11, 2020 6:34 PM
>>> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>;
>>> stefan.schantl <stefan.schantl(a)ipfire.org>
>>> Cc: development <development(a)lists.ipfire.org>
>>> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to
>>> 5.0.4
>>>
>>> Hi,
>>>
>>> looks as if there is something going on in the suricata forum regarding
>>> cpu load:
>>>
>>> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
>>>
>>> I can't really interpret the numrous screenshots and ongoing
>>> discussions, but could it be that this is related to what I'm
>>> experiencing when upgrading from 5.0.x to 6.0.x?
>>>
>>> Best,
>>> Matthias
>>>
>>>
>>