Bug #2791
closedOOM errors on low end devices
Description
As per a recent discussion on the mailing list, suricata-update takes up too much memory to run and causes OOM errors on low end devices like RPi.
SB Updated by Shivani Bhardwaj about 7 years ago
- Status changed from New to Assigned
VJ Updated by Victor Julien about 7 years ago
Perhaps there are multiple issues. The 'test' step where Suricata itself validates the new rules spins up a new Suricata next to a running one. This will lead to duplicate mem use for Suricata itself. This would not be suricata-update's fault of course.
JI Updated by Jason Ish about 7 years ago
- Status changed from Assigned to Closed
- Target version changed from TBD to 1.0.4
Marking closed for now. I think we've addressed all the low hanging fruit items we can without a redesign of the internals. Feedback from the user shows he is able to update the rules, without these changes, but has to use the --no-test parameter.
https://github.com/OISF/suricata-update/commit/5cea9cf4f29fca00ede5c0882f2f9356415f3aba
KK Updated by Konstantin Klinger about 7 years ago
I think not only the rule testing is the problem here. Our suricata-update instance that runs on a seperate rulehost-server with 2GB RAM gets killed while running suricata-update, because lack of available memory.
This happens during the following line:
7/3/2019 -- 10:01:35 - <Info> -- Backing up current rules.
I think the diff function between the current rule file and the new one consumes to much memory and leads to the killing of the process.
VJ Updated by Victor Julien about 7 years ago
One of the things that can make a difference is making sure that you use python3 instead of python2.