RE: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 5.0.4

["Kienker, Fred" <fkienker@at4b.com>]

[-- Attachment #1: Type: text/plain, Size: 4407 bytes --]

After several hours spent trying various Suricata configuration 
settings, these are my observations. 

The big change in Suricata v6 is that it is more oriented toward 
multiprocessor systems than v5. The best performance I could get was by 
allocating a specific cpu to management-cpu-set, receive-cpu-set, and 
verdict-cpu-set with a range of worker-cpu-set. This:

threading:
# set-cpu-affinity: no
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
      # cpu: [ 0 ]  # include only these cpus in affinity settings
        cpu: [ "3" ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ "4" ]  # include only these cpus in affinity settings
      # mode: "balanced"
    - verdict-cpu-set:
      # cpu: [ 0 ]  # include only these cpus in affinity settings
        cpu: [ "5" ]  # include only these cpus in affinity settings
        prio:
          default: "high"
    - worker-cpu-set:
      # cpu: [ "all" ]
        cpu: [ "6-11" ]
        mode: "exclusive"
      # prio:
      #   low: [ 0 ]
      #   medium: [ "1-2" ]
      #   high: [ 3 ]
          default: "medium"

Adding set-cpu-affinity:yes and putting the management-cpu-set on it 
*own* cpu made the single biggest difference in reducing CPU load. Just 
adding just these two changes might make v6 performance acceptable. This 
assumes the target system has at least two cores, though 4 would be much 
better.

For those of us with the luxury of numerous cores and lots of CPU cache 
memory, this set up results in dramatically better performance over 
stock IPFire. Suricata literature points out it is designed to perform 
the best in this setting.

Best regards, 
Fred

Please note: Although we may sometimes respond to email, text and phone 
calls instantly at all hours of the day, our regular business hours are 
9:00 AM - 6:00 PM ET, Monday thru Friday.

-----Original Message-----
From: Michael Tremer <michael.tremer(a)ipfire.org> 
Sent: Monday, December 14, 2020 9:26 AM
To: Kienker, Fred
Cc: matthias.fischer <matthias.fischer(a)ipfire.org>; Stefan Schantl 
<stefan.schantl(a)ipfire.org>; development <development(a)lists.ipfire.org>
Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared to 
5.0.4

Hi,

> On 12 Dec 2020, at 02:18, Kienker, Fred <fkienker(a)at4b.com> wrote:
> 
> Matthas:
> 
> I worked through some of the examples of the settings described in the 

> Suricata forum discussion. If my observations is correct, the issue 
> centers around the flow manager. A change to it has made a big 
> difference it the resource usage by this process. Its likely going to 
> come down to live with the load created the v6 version or revert to v5 

> and wait for them to get to the bottom of this. No combination of 
> settings in the flow section of suricata.yaml ever seemed to reduce it 

> and instead increased it.

Good research.

> I don't use low power systems for IPFire and dont have access to one 
> but others with these systems may want to take a look at their 
> performance numbers and report back as to whether they can live with 
> the higher load.

It is not directly low-power systems.

I launched this on AWS today and the CPU load is immediately at 25%. It 
was mentioned on the linked thread that virtual systems are affected 
more.

I would now rather lean towards reverting suricata 6 unless there is a 
hot fix available soon.

Best,
-Michael

> 
> Best regards,
> Fred
> 
> Please note: Although we may sometimes respond to email, text and 
> phone calls instantly at all hours of the day, our regular business 
> hours are
> 9:00 AM - 6:00 PM ET, Monday thru Friday.
> 
> -----Original Message-----
> From: Matthias Fischer <matthias.fischer(a)ipfire.org>
> Sent: Friday, December 11, 2020 6:34 PM
> To: Kienker, Fred; michael.tremer <michael.tremer(a)ipfire.org>; 
> stefan.schantl <stefan.schantl(a)ipfire.org>
> Cc: development <development(a)lists.ipfire.org>
> Subject: Re: suricata 6.0.0 / 6.0.1 - cpu load (idle) rising compared 
> to
> 5.0.4
> 
> Hi,
> 
> looks as if there is something going on in the suricata forum 
> regarding cpu load:
> 
> => https://forum.suricata.io/t/cpu-usage-of-version-6-0-0/706
> 
> I can't really interpret the numrous screenshots and ongoing 
> discussions, but could it be that this is related to what I'm 
> experiencing when upgrading from 5.0.x to 6.0.x?
> 
> Best,
> Matthias
> 
>