Hi,

I'm seeing a lot of polling of the firewall configuration from fwknopd, which 
is leading to high system loads and a lot of CPU time consumed by the firewalld 
process.  Here's an extract from 'top':

top - 15:43:30 up 110 days,  2:45,  3 users,  load average: 0.42, 0.31, 0.18
Tasks: 216 total,   4 running, 211 sleeping,   0 stopped,   1 zombie
%Cpu0  : 22.2 us,  4.3 sy,  0.0 ni, 73.5 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
%Cpu1  : 10.0 us,  1.0 sy,  0.0 ni, 89.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  5945696 total,   655640 free,  2367592 used,  2922464 buff/cache
KiB Swap:  1048572 total,   575228 free,   473344 used.  2793068 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
29756 root      20   0  175200  22168   5816 S  23.9  0.4   0:00.72 firewall-cmd
22900 root      20   0  362560  29332   5816 R   8.3  0.5  13699:23 firewalld
 2228 gdm       20   0  763624  34964   2448 S   1.3  0.6 889:23.65 gsd-color
 7169 root      20   0  162012   2340   1592 S   1.0  0.0   9:29.47 top
  753 dbus      20   0   69832   2868   1356 S   0.3  0.0 717:41.42 dbus-daemon

I have run strace against the fwknop process and can see the polling every 2 
seconds or so, and I have also found that if I update my config to include 
'RULES_CHECK_THRESHOLD 200;' then the polling is significantly more bearable.  
Is there an issue with the polling interval here, or should I disable the rules 
check entirely as only fwknop is modifying iptables?

Spot the difference since 15:41 when the threshold was commented out of my 
config and fwknopd restarted:

14:40:02        CPU     %user     %nice   %system   %iowait    %steal     %idle
14:50:01        all      4.37      0.00      2.02      0.00      0.00     93.61
15:00:01        all      3.94      0.00      2.06      0.00      0.00     93.99
15:10:01        all      4.64      0.00      2.08      0.01      0.00     93.27
15:20:01        all      4.09      0.00      1.97      0.00      0.00     93.94
15:30:02        all      4.05      0.00      1.89      0.00      0.00     94.06
15:40:01        all      5.71      0.00      2.29      0.02      0.00     91.97
15:50:02        all     16.00      0.00      3.44      0.01      0.00     80.56
16:00:01        all     17.70      0.00      3.47      0.01      0.00     78.83

System is CentOS 7.6.1810, kernel 3.10.0-862.14.4.el7.x86_64, fwknop version 
2.6.7 from the EPEL repository.

Thanks,

Paul.
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss