filestore uses rename syscall instead of sendfile, which doesn't allow files to be sent across file systems
I would very much like to use tmpfs for the spool dir for the suricata filestore feature to minimize disk I/O and associated thrashing.
However, since suricata uses the 'rename' syscall it doesn't allow the tmp files to be moved across filesystems. So this doesn't work.
If this is changed to use the 'sendfile' syscall it should work.
Updated by Jason Ish about 2 years ago
This will never be as efficient as rename as it's essentially a copy, just done within the context of the kernel, rather than multiple read and write system calls from a userland application.
I'm also not sure if logging to a ramdisk and using sendfile makes sense.
In the current model we write chunks of data as we receive them, meaning any calls to write() should be short, and the final rename is practically instant. Of course this has the limitation that the tmp dir and the final directory are on the same file system. The Suricata administrator has to go out of their way to make this the case though.
With the tmp directory and final directories on different file systems, we still write out the files in smaller chunks, but the final rename, instead of using rename, would use sendfile. While more efficient than the cp command, all bytes still need to be read and written before this system call will return, which for log files could be quite noticeable. And effectively we've written the whole file twice.
But I do think it would be nice to work, and not fail if the 2 directories are on different file systems. Using rename if possible, using sendfile if not, and perhaps falling back to a traditional copy otherwise.
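The rename-first, sendfile-second, plain-copy-last strategy described in the comment above, as an added example written for this page; it is not Suricata's code and does not reflect how the filestore is actually implemented. It assumes Linux for sendfile(2) (the read/write loop takes over on other platforms or if the kernel rejects a regular-file destination), and because no second mount can be assumed in a test environment the copy path is exercised directly rather than via a real EXDEV. File names and the payload are constructed. The one hardening detail worth noting is that the fallback copies into a temporary name beside the destination and only then renames it into place, so a consumer watching the final directory never picks up a half-written file, and the source is unlinked only after the copy has been fsync'd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/sendfile.h>
#endif

/* Copy all of src into a newly created dst. On Linux the bytes go through
 * sendfile(2) with no userland buffer; if the kernel refuses (EINVAL/ENOSYS) or on
 * other platforms, a read/write loop continues from the current offsets.
 * Returns 0 on success, -1 with errno set. */
int copy_contents(const char *src, const char *dst)
{
    int rc = 0;
    char buf[64 * 1024];
    ssize_t n;
    struct stat st;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    if (fstat(in, &st) < 0) { close(in); return -1; }
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, st.st_mode & 0777);
    if (out < 0) { close(in); return -1; }
#ifdef __linux__
    off_t left = st.st_size;
    while (left > 0) {
        n = sendfile(out, in, NULL, (size_t)left);
        if (n > 0) { left -= n; continue; }
        if (n < 0 && errno != EINVAL && errno != ENOSYS) { rc = -1; goto done; }
        break;                 /* EINVAL/ENOSYS: use the loop; 0: file shrank */
    }
#endif
    while ((n = read(in, buf, sizeof buf)) > 0) {   /* portable fallback */
        char *p = buf;
        while (n > 0) {
            ssize_t w = write(out, p, (size_t)n);
            if (w < 0) { if (errno == EINTR) continue; rc = -1; goto done; }
            p += w; n -= w;
        }
    }
    if (n < 0 || fsync(out) < 0) rc = -1;   /* durable before the caller drops src */
done:
    close(in);
    if (close(out) < 0) rc = -1;
    return rc;
}

/* Move src to dst: rename(2) when both sit on one file system (atomic, nothing
 * copied); on EXDEV copy to a temporary name beside dst, rename that into place so
 * readers never see a half-written final file, then unlink src.
 * Returns 0 if rename sufficed, 1 if the copy fallback ran, -1 on error. */
int move_file(const char *src, const char *dst)
{
    if (rename(src, dst) == 0) return 0;
    if (errno != EXDEV) return -1;          /* anything but cross-device: report it */
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.part", dst) >= (int)sizeof tmp) return -1;
    if (copy_contents(src, tmp) < 0 || rename(tmp, dst) < 0) {
        int saved = errno;
        unlink(tmp);                        /* never leave a partial file behind */
        errno = saved;
        return -1;
    }
    return unlink(src) == 0 ? 1 : -1;
}

/* True if the file at path holds exactly these bytes (len must be <= 256). */
int file_equals(const char *path, const char *want, size_t len)
{
    char got[256];
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(got, 1, sizeof got, f);
    fclose(f);
    return n == len && memcmp(got, want, len) == 0;
}

/* Self-check on constructed data: rename within one directory, then the copy
 * fallback called directly (no second mount is guaranteed). Returns 0 when all
 * checks pass, otherwise the number of failed checks. */
int run_demo(void)
{
    static const char payload[] = "constructed sample: GET /index.html HTTP/1.1\r\n";
    const size_t len = sizeof payload - 1;
    char dir[] = "/tmp/filestore-demo-XXXXXX", src[256], dst[256], cp[256];
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(src, sizeof src, "%s/flow.tmp", dir);
    snprintf(dst, sizeof dst, "%s/flow.final", dir);
    snprintf(cp, sizeof cp, "%s/flow.copy", dir);
    FILE *f = fopen(src, "wb");
    if (!f || fwrite(payload, 1, len, f) != len || fclose(f) != 0) return 2;
    int bad = 0;
    bad += move_file(src, dst) != 0;             /* same fs: plain rename */
    bad += access(src, F_OK) == 0;               /* source must be gone */
    bad += !file_equals(dst, payload, len);
    bad += copy_contents(dst, cp) != 0;          /* sendfile / read-write path */
    bad += !file_equals(cp, payload, len);
    bad += copy_contents(dst, cp) == 0;          /* O_EXCL refuses to clobber */
    unlink(cp); unlink(dst); rmdir(dir);
    return bad;
}
```

To see the fallback path end to end, point `src` at a file on tmpfs (for example under /dev/shm) and `dst` at a directory on disk: rename(2) fails with EXDEV, `move_file` returns 1, and the bytes arrive via `copy_contents`. A real implementation would also want to carry over ownership and timestamps if the downstream tooling relies on them.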