Feature #3003


filestore uses rename syscall instead of sendfile, which doesn't allow files to be sent across file systems

Added by Cooper Nelson over 4 years ago. Updated over 1 year ago.


I would very much like to use tmpfs for the spool dir for the suricata filestore feature to minimize disk I/O and associated thrashing.

However, since Suricata uses the 'rename' syscall, it doesn't allow the tmp files to be moved across filesystems. So this doesn't work.

If this is changed to use the 'sendfile' syscall it should work.

Actions #1

Updated by Andreas Herz over 4 years ago

  • Tracker changed from Bug to Feature
  • Assignee set to Community Ticket
  • Target version set to TBD
Actions #2

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee changed from Community Ticket to Jason Ish
  • Target version changed from TBD to 70

Jason can you check if this makes sense to do?

Actions #3

Updated by Victor Julien over 3 years ago

  • Target version changed from 70 to 7.0.0-beta1

Would be good to perf test to see if it has negative effects.

Actions #4

Updated by Jason Ish about 2 years ago

This will never be as efficient as rename as it's essentially a copy, just done within the context of the kernel, rather than multiple read and write system calls from a userland application.

I'm also not sure if logging to a ramdisk and using sendfile makes sense.

In the current model we write chunks of data as we receive them, meaning any calls to write() should be short, and the final rename is practically instant. Of course this has the limitation that the tmp dir and the final directory are on the same file system. The Suricata administrator has to go out of their way to make this the case though.

With the tmp directory and final directories on different file systems, we still write out the files in smaller chunks, but the final rename, instead of using rename, would use sendfile. While more efficient than the cp command, all bytes still need to be read and written before this system call will return, which for log files could be quite noticeable. And effectively we've written the whole file twice.

But I do think it would be nice for this to work, and not fail, if the 2 directories are on different file systems. Using rename if possible, using sendfile if not, and perhaps falling back to a traditional copy otherwise.
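The fallback order described above, as an added example that is not Suricata's code: rename(2) first, an in-kernel sendfile(2) copy when rename fails with EXDEV, and a plain read()/write() copy for whatever sendfile() does not handle. The copy goes to a temporary `.part` name beside the destination and is renamed into place, so a consumer watching the final directory never picks up a half-written file; the function names and the `.part` suffix are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/sendfile.h>   /* in-kernel copy; Linux only */
#endif
/* Illustrative helper (not Suricata's): read()/write() copy from the current offsets. */
static int copy_rw(int in_fd, int out_fd)
{
    char buf[65536];
    ssize_t n, w;
    while ((n = read(in_fd, buf, sizeof buf)) > 0)
        for (char *p = buf; n > 0; p += w, n -= w)
            if ((w = write(out_fd, p, (size_t)n)) < 0) return -1;
    return n == 0 ? 0 : -1;
}
/* Copy src to dst: sendfile(2) where available, read/write for the remainder (or all of it). */
int copy_file(const char *src, const char *dst)
{
    struct stat st;
    int rc = -1, in_fd = open(src, O_RDONLY);
    if (in_fd < 0) return -1;
    int out_fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out_fd >= 0 && fstat(in_fd, &st) == 0) {
        off_t off = 0;
#ifdef __linux__
        while (off < st.st_size && sendfile(out_fd, in_fd, &off, (size_t)(st.st_size - off)) > 0) {}
#endif
        /* sendfile() with an explicit offset leaves in_fd's own position untouched. */
        if (off >= st.st_size) rc = 0;
        else if (lseek(in_fd, off, SEEK_SET) == off) rc = copy_rw(in_fd, out_fd);
    }
    close(in_fd);
    if (out_fd >= 0 && close(out_fd) != 0) rc = -1;
    return rc;
}
/* Move src to dst: rename(2) on one file system; on EXDEV copy to a temporary
 * name beside dst and rename that, so readers of dst never see a partial file. */
int move_file(const char *src, const char *dst)
{
    char tmp[4096];
    if (rename(src, dst) == 0) return 0;
    if (errno != EXDEV || snprintf(tmp, sizeof tmp, "%s.part", dst) >= (int)sizeof tmp) return -1;
    if (copy_file(src, tmp) != 0 || rename(tmp, dst) != 0) { unlink(tmp); return -1; }
    return unlink(src);
}
```

Both functions return 0 on success and -1 on failure with errno set by the failing call, which is what a filestore writer would log.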

Actions #5

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
