[Security Solution] OOMs during prebuilt rules package installation #187969

Closed
3 tasks done
Tracked by #174168
xcrzx opened this issue Jul 10, 2024 · 7 comments
Assignees: xcrzx
Labels: 8.16 candidate; Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules); Team:Detection Rule Management (Security Detection Rule Management Team); Team:Detections and Resp (Security Detection Response Team); Team:Fleet (Team label for Observability Data Collection Fleet team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.); v8.16.0

Comments

xcrzx (Contributor) commented Jul 10, 2024

Epic: #174168

Summary

We've seen a number of incidents with OOMs when installing the security_detection_engine Fleet package that contains a significant number of prebuilt rules (> 5000 in Serverless or > 15000 locally).

We need to find and mitigate all memory bottlenecks during package installation to unblock the release of the prebuilt rule customization epic.

Known memory issues (three linked sub-issues, all marked done; their titles and numbers were not captured on this page)

  1. Sub-issue assigned to xcrzx; labels: 8.16 candidate, Feature:Prebuilt Detection Rules, Team: SecuritySolution, Team:Detection Rule Management, Team:Detections and Resp, Team:Fleet, technical debt
  2. Sub-issue assigned to xcrzx; labels: 8.16 candidate, Feature:Prebuilt Detection Rules, Team: SecuritySolution, Team:Detection Rule Management, Team:Detections and Resp, Team:Fleet, technical debt
  3. Sub-issue assigned to xcrzx; labels: 8.16 candidate, Feature:Prebuilt Detection Rules, Team: SecuritySolution, Team:Detection Rule Management, Team:Detections and Resp, Team:Fleet
@xcrzx xcrzx added Team:Fleet Team label for Observability Data Collection Fleet team Team:Detections and Resp Security Detection Response Team Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules 8.16 candidate labels Jul 10, 2024
@xcrzx xcrzx self-assigned this Jul 10, 2024
elasticmachine (Contributor) commented:

Pinging @elastic/fleet (Team:Fleet)

elasticmachine (Contributor) commented:

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine (Contributor) commented:

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@xcrzx xcrzx added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Jul 10, 2024
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

kpollich (Member) commented:

@xcrzx - I wonder if we could introduce another option aside from force (which causes Fleet to uninstall all previous assets before installing new ones) that would allow Fleet to skip the initial deletion of old assets and just run the bulk import operation as an optimization here.

xcrzx (Contributor, Author) commented Jul 25, 2024

> @xcrzx - I wonder if we could introduce another option aside from force (which causes Fleet to uninstall all previous assets before installing new ones) that would allow Fleet to skip the initial deletion of old assets and just run the bulk import operation as an optimization here.

Yes, incremental installation might help for our use case. I'm not sure how SO import handles conflicts when writing new assets, but if we can instruct it to ignore existing saved objects or filter them before passing them to the import function, that should work.
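
The exchange above (kpollich's proposed non-force install option and xcrzx's reply about filtering already-installed saved objects before import) is illustrated below with an added example. It is not Kibana or Fleet code: the `RuleAsset` shape, the `installed` map of id to version, the `importBatch` callback standing in for the saved-object bulk import, and the `syntheticPackage` generator are all assumptions made for the illustration. It contrasts force mode (delete everything, then import everything) with an incremental mode that skips assets already present at the same or newer version, and it streams the package through fixed-size batches so that the number of assets held in memory at once is bounded by the batch size rather than by the package size (the > 5000 / > 15000 rule counts mentioned in the issue).

```typescript
// Added illustration, not Kibana or Fleet code. All shapes below are assumed.

interface RuleAsset {
  id: string;      // saved-object id; here the prebuilt rule's rule_id
  version: number; // prebuilt rule version
  body: string;    // serialised rule content (only carried along here)
}

interface InstallSummary {
  deleted: number;      // assets removed up front (force mode only)
  skipped: number;      // assets already installed at >= version (incremental mode)
  imported: number;     // assets handed to the import step
  batches: number;      // number of import calls made
  peakInFlight: number; // most assets held for a single import call
}

type InstallMode = 'force' | 'incremental';

// Constructed sample package: yields one asset at a time so the caller never
// holds the whole package in memory. Ids are "rule-<n>".
function* syntheticPackage(count: number, version: number): Generator<RuleAsset> {
  for (let i = 0; i < count; i++) {
    const ruleId = `rule-${i}`;
    yield { id: ruleId, version, body: JSON.stringify({ rule_id: ruleId, version, name: `Rule ${i}` }) };
  }
}

// Streams `incoming` into fixed-size batches. `installed` (id -> version) is
// updated in place as batches are imported; in force mode it is cleared first,
// mirroring the "uninstall everything, then import" behaviour.
function installPackage(
  incoming: Iterable<RuleAsset>,
  installed: Map<string, number>,
  mode: InstallMode,
  batchSize: number,
  importBatch: (batch: RuleAsset[]) => void, // stand-in for the bulk import call
): InstallSummary {
  if (!Number.isInteger(batchSize) || batchSize <= 0) {
    throw new RangeError('batchSize must be a positive integer');
  }
  const summary: InstallSummary = { deleted: 0, skipped: 0, imported: 0, batches: 0, peakInFlight: 0 };

  if (mode === 'force') {
    summary.deleted = installed.size;
    installed.clear();
  }

  let batch: RuleAsset[] = [];
  const flush = (): void => {
    if (batch.length === 0) return;
    importBatch(batch);
    summary.batches++;
    summary.imported += batch.length;
    summary.peakInFlight = Math.max(summary.peakInFlight, batch.length);
    for (const a of batch) installed.set(a.id, a.version);
    batch = []; // drop the reference so the imported batch can be collected
  };

  for (const asset of incoming) {
    if (mode === 'incremental') {
      const have = installed.get(asset.id);
      if (have !== undefined && have >= asset.version) {
        summary.skipped++; // already present at this or a newer version
        continue;
      }
    }
    batch.push(asset);
    if (batch.length === batchSize) flush();
  }
  flush(); // final partial batch
  return summary;
}

// Scenario: 20 of 50 rules are already installed at the same version.
function demoIncremental(): InstallSummary {
  const installed = new Map<string, number>();
  for (const a of syntheticPackage(20, 1)) installed.set(a.id, a.version);
  return installPackage(syntheticPackage(50, 1), installed, 'incremental', 8, () => {});
}

function demoForce(): InstallSummary {
  const installed = new Map<string, number>();
  for (const a of syntheticPackage(20, 1)) installed.set(a.id, a.version);
  return installPackage(syntheticPackage(50, 1), installed, 'force', 8, () => {});
}

console.log('incremental:', demoIncremental());
console.log('force:      ', demoForce());
```

In the incremental run the 20 pre-existing rules are skipped and 30 are imported in four batches; the force run deletes 20 and imports all 50 in seven batches. In both cases `peakInFlight` stays at the batch size (8), which is the property that matters for the OOMs: memory per import call no longer grows with the package. A version bump is not treated as a duplicate, so an upgraded rule still gets imported.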

banderror (Contributor) commented:

@xcrzx I think we can consider this done at this point. The issue with OOMs has been mitigated, and follow-up improvements will be done as part of #192350 and #187645.
