Bug #2791
closedOOM errors on low end devices
Description
As per a recent discussion on the mailing list, suricata-update takes up too much memory to run and causes OOM errors on low end devices like RPi.
Updated by Shivani Bhardwaj about 5 years ago
- Status changed from New to Assigned
Updated by Victor Julien about 5 years ago
Perhaps there are multiple issues. The 'test' step where Suricata itself validates the new rules spins up a new Suricata next to a running one. This will lead to duplicate mem use for Suricata itself. This would not be suricata-update's fault of course.
Updated by Jason Ish about 5 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 1.0.4
Marking closed for now. I think we've addressed all the low hanging fruit items we can without a redesign of the internals. Feedback from the user shows he is able to update the rules, without these changes, but has to use the --no-test parameter.
https://github.com/OISF/suricata-update/commit/5cea9cf4f29fca00ede5c0882f2f9356415f3aba
Updated by Konstantin Klinger about 5 years ago
I think not only the rule testing is the problem here. Our suricata-update instance that runs on a seperate rulehost-server with 2GB RAM gets killed while running suricata-update, because lack of available memory.
This happens during the following line:
7/3/2019 -- 10:01:35 - <Info> -- Backing up current rules.
I think the diff function between the current rule file and the new one consumes to much memory and leads to the killing of the process.
Updated by Victor Julien about 5 years ago
One of the things that can make a difference is making sure that you use python3 instead of python2.