BIG performance hit with auditd on large systems (>64 CPUs)

Paul Moore paul at paul-moore.com
Tue May 30 19:49:13 UTC 2017


On Tue, May 30, 2017 at 2:17 PM, Klaus Lichtenwalder
<klic at mnet-online.de> wrote:
>>>> your rules to put all the ones with '-F auid>=400' below a single
>>>> line rule
>>>> like this:
>>>> -a never,exit -F auid<400
>>>>
>>>> and remove the '-F auid>=400' from all of the rules below it.
>>>>
>>> ...
>>>
>>> I did this, and verified it, but there was absolutely no difference
>>> to unsorted rules having -S all also specified
>>>
>>> Still cpu %system up to 50% and run time of jobs 100% longer.
>>> This was on a vm with 72 cpus
>>>
>
> Just to give this story some kind of closure: we got a test kernel from
> $SUPPORT fixing a specific bugzilla (which seems to be private) and %cpu
> system is in normal (low) ranges again.
>
> So thanks for your advice, it is still heeded!

For the record the core issue was fixed in f56298835036 ("audit:
acquire creds selectively to reduce atomic op overhead").

-- 
paul moore
www.paul-moore.com



