I've also seen this issue on CentOS, and I consider it inherent in firewalld. Even running firewall-cmd manually often takes a very long time to complete. One option would be to recompile and use the iptables backend, as it's much less resource intensive.
--Jonathan

On Mon, Mar 18, 2019, 11:15 AM Paul Murphy <p...@ousekjarr.org> wrote:
> Hi,
>
> I’m seeing a lot of polling of the firewall configuration from fwknopd, which is leading to high system loads and a lot of CPU time consumed by the firewalld process. Here’s an extract from ‘top’:
>
>     top - 15:43:30 up 110 days, 2:45, 3 users, load average: 0.42, 0.31, 0.18
>     Tasks: 216 total, 4 running, 211 sleeping, 0 stopped, 1 zombie
>     %Cpu0 : 22.2 us, 4.3 sy, 0.0 ni, 73.5 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
>     %Cpu1 : 10.0 us, 1.0 sy, 0.0 ni, 89.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
>     KiB Mem : 5945696 total, 655640 free, 2367592 used, 2922464 buff/cache
>     KiB Swap: 1048572 total, 575228 free, 473344 used. 2793068 avail Mem
>
>       PID USER PR NI   VIRT   RES  SHR S %CPU %MEM     TIME+ COMMAND
>     29756 root 20  0 175200 22168 5816 S 23.9  0.4   0:00.72 firewall-cmd
>     22900 root 20  0 362560 29332 5816 R  8.3  0.5  13699:23 firewalld
>      2228 gdm  20  0 763624 34964 2448 S  1.3  0.6 889:23.65 gsd-color
>      7169 root 20  0 162012  2340 1592 S  1.0  0.0   9:29.47 top
>       753 dbus 20  0  69832  2868 1356 S  0.3  0.0 717:41.42 dbus-daemon
>
> I have run strace against the fwknop process and can see the polling every 2 seconds or so, and I have also found that if I update my config to include ‘RULES_CHECK_THRESHOLD 200;’ then the polling is significantly more bearable. Is there an issue with the polling interval here, or should I disable the rules check entirely as only fwknop is modifying iptables?
>
> Spot the difference since 15:41 when the threshold was commented out of my config and fwknopd restarted:
>
>     14:40:02  CPU  %user  %nice  %system  %iowait  %steal  %idle
>     14:50:01  all   4.37   0.00     2.02     0.00    0.00  93.61
>     15:00:01  all   3.94   0.00     2.06     0.00    0.00  93.99
>     15:10:01  all   4.64   0.00     2.08     0.01    0.00  93.27
>     15:20:01  all   4.09   0.00     1.97     0.00    0.00  93.94
>     15:30:02  all   4.05   0.00     1.89     0.00    0.00  94.06
>     15:40:01  all   5.71   0.00     2.29     0.02    0.00  91.97
>     15:50:02  all  16.00   0.00     3.44     0.01    0.00  80.56
>     16:00:01  all  17.70   0.00     3.47     0.01    0.00  78.83
>
> System is CentOS 7.6.1810, kernel 3.10.0-862.14.4.el7.x86_64, fwknop version 2.6.7 from the EPEL repository.
>
> Thanks,
>
> Paul.
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
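The load jump Paul spotted by eye in his sar extract is the kind of thing a monitoring check can flag automatically. The script below is an added example for this thread, not code from the fwknop project or from either poster: it parses `sar -u` style output (the embedded sample is the extract quoted above) and reports intervals whose user+system share exceeds an assumed threshold of twice the median of the first five samples.

```python
"""Detect a sustained CPU load jump in `sar -u` output.

Added example for this thread, not fwknop or firewalld code. The embedded
sample is the sar extract quoted above; the five-sample baseline window and
the 2x factor are assumptions chosen for illustration.
"""
from statistics import median

# Constructed from the sar extract quoted in the thread above.
SAR_OUTPUT = """\
14:40:02 CPU %user %nice %system %iowait %steal %idle
14:50:01 all 4.37 0.00 2.02 0.00 0.00 93.61
15:00:01 all 3.94 0.00 2.06 0.00 0.00 93.99
15:10:01 all 4.64 0.00 2.08 0.01 0.00 93.27
15:20:01 all 4.09 0.00 1.97 0.00 0.00 93.94
15:30:02 all 4.05 0.00 1.89 0.00 0.00 94.06
15:40:01 all 5.71 0.00 2.29 0.02 0.00 91.97
15:50:02 all 16.00 0.00 3.44 0.01 0.00 80.56
16:00:01 all 17.70 0.00 3.47 0.01 0.00 78.83
"""


def parse_sar_cpu(text):
    """Return a list of (timestamp, %user, %system) for the 'all' CPU rows.

    The header row is used to locate the %user and %system columns, so the
    parser copes with sar builds that insert extra fields such as %gnice.
    """
    rows = []
    user_idx = sys_idx = None
    for line in text.splitlines():
        fields = line.split()
        if "%user" in fields and "%system" in fields:
            user_idx = fields.index("%user")
            sys_idx = fields.index("%system")
            continue
        # Skip anything before the header and rows too short to carry the columns.
        if user_idx is None or len(fields) <= max(user_idx, sys_idx):
            continue
        # Skip per-CPU rows and the trailing "Average:" summary row.
        if fields[1] != "all" or fields[0] == "Average:":
            continue
        try:
            rows.append((fields[0], float(fields[user_idx]), float(fields[sys_idx])))
        except ValueError:
            continue  # non-numeric fields in an unexpected row
    return rows


def find_load_jumps(rows, baseline_samples=5, factor=2.0):
    """Return timestamps whose busy share (%user + %system) is more than
    `factor` times the median busy share of the first `baseline_samples` rows.

    The median, rather than the mean, keeps a single noisy interval inside the
    baseline window from masking a genuine jump.
    """
    if len(rows) <= baseline_samples:
        return []
    busy = [u + s for _, u, s in rows]
    threshold = factor * median(busy[:baseline_samples])
    return [rows[i][0] for i in range(baseline_samples, len(rows)) if busy[i] > threshold]


if __name__ == "__main__":
    samples = parse_sar_cpu(SAR_OUTPUT)
    for ts in find_load_jumps(samples):
        print(f"{ts}: CPU busy share well above the earlier baseline")
```

On the quoted data the two intervals after fwknopd was restarted without the threshold (15:50:02 and 16:00:01) are the ones reported; the 15:40:01 sample, which already shows the beginning of the rise, stays under the 2x line. Feeding the script `sar -u -f /var/log/sa/saNN` output from a host running fwknopd against firewalld gives a quick way to confirm whether a RULES_CHECK_THRESHOLD change had the intended effect.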