Project

General

Profile

Actions

Optimization #3449

open

output calls fflush very often

Added by Victor Julien almost 5 years ago. Updated about 1 year ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Actions #1

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Jeff Lucovsky
Actions #2

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from In Progress to In Review
Actions #3

Updated by Philippe Antoine over 1 year ago

  • Target version set to 8.0.0-beta1
Actions #4

Updated by Jeff Lucovsky about 1 year ago

Rather than aim for reducing fflush calls, we will:
- Eliminate the flush following writes and instead mark the stdio elements as "unbuffered" using the configuration setting from the next item.
- Add a configuration parameter that specifies whether the output is to be "buffered". Currently, Suricata treats all output as unbuffered since every write of log/alert data is followed by a flush call. The configuration value will specify the amount of buffering. The current (default) value is 0 (no buffering); values must be a multiple of the file system block size (usually 4k) with an upper limit determined by the system's stdio implementation, e.g., setvbuf.
- Add a configurable "flush" packet mechanism that will periodically cause output streams to be flushed. When there is buffering, this will mitigate the amount of unbuffered log/alert data. The configuration setting is expressed in seconds specifying the amount of data in "time" that can be buffered and potentially lost if Suricata were to terminate unexpectedly. A value of 0 means do not periodically flush data; any other value (up to a TBD maximum value) specifies how often to flush the output streams.

We hope that this will eliminate a buffer copy present in the existing flows -- Suricata > stdio buffer -> kernel buffer - and replace it with Suricata -> NO stdio buffering -> kernel buffers.

- Related to output stream buffering, we will add a filetype with a name TBD that will act as an application level /dev/null -- all data written to the output is immediately accepted, but never persisted.

Actions #5

Updated by Jason Ish about 1 year ago

At any point here it would make more sense to just the write system call and bypass libc buffering altogether?

Actions #6

Updated by Victor Julien about 1 year ago

I think the current buffered with default libc defined bufsize + fflush should probably remain the default until we've established that unbuffered performs the same or better.

I think fwrite on an unbuffered FILE is probably the same as a write?

Actions

Also available in: Atom PDF