From: Paul Moore <paul@paul-moore.com>
To: Klaus Lichtenwalder <klic@mnet-online.de>, linux-audit@redhat.com
Subject: Re: BIG performance hit with auditd on large systems (>64 CPUs)
Date: Tue, 30 May 2017 15:49:13 -0400 [thread overview]
Message-ID: <CAHC9VhS_XPnBLsU3b=3Wws1HmCO7sNrrGfqyvxi=SyNhVUFhjg@mail.gmail.com> (raw)
In-Reply-To: <cd40e2a5-6862-09a1-94c8-f7347dfd20bd@mnet-online.de>
On Tue, May 30, 2017 at 2:17 PM, Klaus Lichtenwalder
<klic@mnet-online.de> wrote:
>>>> your rules to put all the ones with '-F auid>=400' below a single
>>>> line rule
>>>> like this:
>>>> -a never,exit -F auid<400
>>>>
>>>> and remove the '-F auid>=400' from all of the rules below it.
>>>>
>>> ...
>>>
>>> I did this, and verified it, but there was absolutely no difference
>>> to unsorted rules having -S all also specified
>>>
>>> Still cpu %system up to 50% and run time of jobs 100% longer.
>>> This was on a vm with 72 cpus
>>>
>
> Just to give this story some kind of closure: we got a test kernel from
> $SUPPORT fixing a specifig bugzilla (which seems to be private) and %cpu
> system is in normal (low) ranges again.
>
> So thanks for your advices, they are still heeded!
For the record the core issue was fixed in f56298835036 ("audit:
acquire creds selectively to reduce atomic op overhead").
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2017-05-30 19:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 18:52 BIG performance hit with auditd on large systems (>64 CPUs) Klaus Lichtenwalder
2017-05-19 20:56 ` Paul Moore
2017-05-19 21:41 ` Stephen Buchanan
2017-05-20 7:18 ` Klaus Lichtenwalder
2017-05-23 9:05 ` Klaus Lichtenwalder
2017-05-23 12:51 ` Steve Grubb
2017-05-23 14:45 ` Klaus Lichtenwalder
2017-05-30 18:17 ` Klaus Lichtenwalder
2017-05-30 19:49 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhS_XPnBLsU3b=3Wws1HmCO7sNrrGfqyvxi=SyNhVUFhjg@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=klic@mnet-online.de \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.