Ring buffer size as module parameter #1671
Conversation
CMakeLists.txt
Outdated
| @@ -92,6 +92,7 @@ if(NOT WIN32) | |||
| if(NOT DEFINED PROBE_NAME) | |||
| set(PROBE_NAME "sysdig-probe") | |||
| endif() | |||
| string(REPLACE "-" "_" PROBE_NAME ${PROBE_NAME}) | |||
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
userspace/libscap/scap.c
Outdated
| @@ -323,7 +323,16 @@ scap_t* scap_open_live_int(char *error, int32_t *rc, | |||
| // | |||
| // Allocate the device descriptors. | |||
| // | |||
| len = RING_BUF_SIZE * 2; | |||
|
|
|||
| FILE * fp = fopen("/sys/module/" PROBE_NAME "/parameters/ring_buf_size", "r"); | |||
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
userspace/libscap/scap.c
Outdated
|
|
||
| FILE * fp = fopen("/sys/module/" PROBE_NAME "/parameters/ring_buf_size", "r"); | ||
| if (fp == NULL){ | ||
| snprintf(error, SCAP_LASTERR_SIZE, "Could not read module parameter ring_bug_size at '/sys/module/" PROBE_NAME "/parameters/ring_buf_size'"); |
There was a problem hiding this comment.
Would it be worth adding a fallback to the current default value? (In case libscap doesn't match the kernel module value)
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
nvanheuverzwijn
force-pushed
the
ring-buffer-parameter
branch
2 times, most recently
from
62cf5a4
to
43905bd
Compare
|
Thanks for opening @nvanheuverzwijn - This is very needed for Falco! I'm taking a look. |
|
@fntlnz If that helps, we run with these patches in our production kubernetes cluster without problems so far! |
|
Any updates on this? |
|
+1 @nvanheuverzwijn do you run this with Falco o sysdig secure? |
|
@jannis-a we're running this with a patched Falco 0.24.0 version |
|
@fntlnz Hi, is this going to be merged anytime soon ? |
…/module/. Linux kernel replaces dash (`-`) by underscore (`_`) when installing a module with a dash in it's name. sysdig-CLA-1.0-signed-off-by: Nicolas Vanheuverzwijn <[email protected]>
sysdig-CLA-1.0-signed-off-by: Nicolas Vanheuverzwijn <[email protected]>
instead of "Ring buffer size too small (4096 bytes, must be at least 4096 bytes", message is now "Ring buffer size too small (4096 bytes, must be at least 8192 bytes)" sysdig-CLA-1.0-signed-off-by: Nicolas Vanheuverzwijn <[email protected]>
sysdig-CLA-1.0-signed-off-by: Nicolas Vanheuverzwijn <[email protected]>
…umers parameter sysdig-CLA-1.0-signed-off-by: Nicolas Vanheuverzwijn <[email protected]>
fntlnz
force-pushed
the
ring-buffer-parameter
branch
from
537e0cb
to
73569dd
Compare
|
@nvanheuverzwijn I'm reviewing and I rebased the branch with the current dev. |
There was a problem hiding this comment.
Hi !
If I understand correctly, what you want to do here is to have a sysfs structure to place a configurable ring_buf_size and adjust the ring buffer based on your needs.
To justify this change my question is: Do you have any benchmarks to share with us on how did you tune the number?
Second, updating the value of ring_buf_size at runtime leads to a page fault. Logs are following
| @@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc, | |||
| static uint32_t get_max_consumers() | |||
| { | |||
| uint32_t max; | |||
| FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r"); | |||
| FILE *pfile = fopen("/sys/module/" SYSFS_NAME "/parameters/max_consumers", "r"); | |||
There was a problem hiding this comment.
a reminder for ourselves: if this gets merged the libscap patch that Falco uses needs to be slimmed down https://github.com/falcosecurity/falco/blob/master/cmake/modules/sysdig-repo/patch/libscap.patch#L19
|
Here are the logs for the page fault. click for logsHonestly, we have two options. Do this read only and only allow to modify the value via module insertion like it's done for The second option is a bit harder because it requires the module to have a way to tell the consumers to remap the memory in userspace after resizing the buffer. This could also have security implications that are not coming in mind right now. |
There was a problem hiding this comment.
I've concerns about letting users change the ring buffer size at runtime.
What are the use cases to change the ring buffer size during run time?
I see more cons than benefits because doing it has a lot of implications and opens the path to a lot of unknowns that should be handled (and are not, at the moment).
My vote goes to make it configurable at insertion time, just like max_consumers.
| @@ -114,7 +114,7 @@ scap_t* scap_open_udig_int(char *error, int32_t *rc, | |||
| static uint32_t get_max_consumers() | |||
| { | |||
| uint32_t max; | |||
| FILE *pfile = fopen("/sys/module/" PROBE_DEVICE_NAME "_probe/parameters/max_consumers", "r"); | |||
| FILE *pfile = fopen("/sys/module/" SYSFS_NAME "/parameters/max_consumers", "r"); | |||
There was a problem hiding this comment.
a reminder for ourselves: if this gets merged the libscap patch that Falco uses needs to be slimmed down https://github.com/falcosecurity/falco/blob/master/cmake/modules/sysdig-repo/patch/libscap.patch#L19
|
I agree with @leodido - this is the option we want: |
This PR makes the ring_buf_size variable as a module parameter, configurable via
/sys/module/MODULE_NAME/parameters/ring_buf_size.This should help users to prevent syscall drop error message by making the ring_buf_size bigger.
Related issues
falcosecurity/falco#813