List: fwknop-discuss
Subject: Re: [Fwknop-discuss] High CPU utilisation in firewalld/firewall-cmd
From: Jonathan Bennett <jbscience87 () gmail ! com>
Date: 2019-03-18 16:18:14
Message-ID: CAB-pspdJ9-WgZk81Y95cmrUNSpCgp9RGjfdusG8xOoDoGABmaA () mail ! gmail ! com
I've also seen this issue on CentOS, and I consider it inherent in
firewalld. Even running firewall-cmd manually often takes a very long time
to complete. One option would be to recompile and use the iptables backend,
as it's much less resource intensive.
--Jonathan
On Mon, Mar 18, 2019, 11:15 AM Paul Murphy <pjm@ousekjarr.org> wrote:
> Hi,
>
> I'm seeing a lot of polling of the firewall configuration from fwknopd,
> which is leading to high system loads and a lot of CPU time consumed by the
> firewalld process. Here's an extract from 'top':
>
>     top - 15:43:30 up 110 days,  2:45,  3 users,  load average: 0.42, 0.31, 0.18
>     Tasks: 216 total,   4 running, 211 sleeping,   0 stopped,   1 zombie
>     %Cpu0  : 22.2 us,  4.3 sy,  0.0 ni, 73.5 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
>     %Cpu1  : 10.0 us,  1.0 sy,  0.0 ni, 89.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
>     KiB Mem :  5945696 total,   655640 free,  2367592 used,  2922464 buff/cache
>     KiB Swap:  1048572 total,   575228 free,   473344 used.  2793068 avail Mem
>
>       PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
>     29756 root      20   0  175200  22168   5816 S  23.9  0.4   0:00.72 firewall-cmd
>     22900 root      20   0  362560  29332   5816 R   8.3  0.5  13699:23 firewalld
>      2228 gdm       20   0  763624  34964   2448 S   1.3  0.6 889:23.65 gsd-color
>      7169 root      20   0  162012   2340   1592 S   1.0  0.0   9:29.47 top
>       753 dbus      20   0   69832   2868   1356 S   0.3  0.0 717:41.42 dbus-daemon
>
> I have run strace against the fwknop process and can see the polling every
> 2 seconds or so, and I have also found that if I update my config to
> include 'RULES_CHECK_THRESHOLD 200;' then the polling is significantly more
> bearable. Is there an issue with the polling interval here, or should I
> disable the rules check entirely as only fwknop is modifying iptables?
>
> Spot the difference since 15:41 when the threshold was commented out of my
> config and fwknopd restarted:
>
>     14:40:02     CPU     %user     %nice   %system   %iowait    %steal     %idle
>     14:50:01     all      4.37      0.00      2.02      0.00      0.00     93.61
>     15:00:01     all      3.94      0.00      2.06      0.00      0.00     93.99
>     15:10:01     all      4.64      0.00      2.08      0.01      0.00     93.27
>     15:20:01     all      4.09      0.00      1.97      0.00      0.00     93.94
>     15:30:02     all      4.05      0.00      1.89      0.00      0.00     94.06
>     15:40:01     all      5.71      0.00      2.29      0.02      0.00     91.97
>     15:50:02     all     16.00      0.00      3.44      0.01      0.00     80.56
>     16:00:01     all     17.70      0.00      3.47      0.01      0.00     78.83
>
> System is CentOS 7.6.1810, kernel 3.10.0-862.14.4.el7.x86_64, fwknop
> version 2.6.7 from the EPEL repository.
>
> Thanks,
>
> Paul.
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
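The polling behaviour Paul describes, as an added example that is not part of the thread or of the fwknop project: a Python script that pulls the timestamp of every firewall-cmd execve out of `strace -f -tt -e trace=execve` output, measures the interval between rule checks, and converts between that interval and a RULES_CHECK_THRESHOLD value. The conversion rests on my reading of fwknopd's main loop (one pass per PCAP_LOOP_SLEEP, default 100000 microseconds, with the rules check run every RULES_CHECK_THRESHOLD passes, default 20, which is where the roughly 2 s period comes from); that reading, the default values, and the strace excerpt are assumptions constructed for the example, not facts taken from the thread.

```python
"""Relate fwknopd's firewall polling rate to RULES_CHECK_THRESHOLD.

Added example for this thread; it is not code from the fwknop project.
Assumptions (my reading of fwknopd's main loop, not confirmed by the thread):
  * fwknopd sleeps PCAP_LOOP_SLEEP microseconds (default 100000) per pass of
    its capture loop and runs the rules check every RULES_CHECK_THRESHOLD
    passes (default 20), so the check period is threshold * sleep = 2 s;
  * with the firewalld backend that check is an execve of firewall-cmd,
    which is what shows up as the 2 s polling in strace.
"""
import math
import re
from datetime import datetime, timedelta
from statistics import mean

DEFAULT_LOOP_SLEEP_US = 100_000  # assumed PCAP_LOOP_SLEEP default
DEFAULT_THRESHOLD = 20           # assumed RULES_CHECK_THRESHOLD default

# One `strace -f -tt -e trace=execve` line: optional "[pid N]" prefix,
# wall-clock timestamp, then execve("<path>", ...).
EXECVE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(\d{2}:\d{2}:\d{2}\.\d+)\s+execve\("([^"]+)"'
)

# Constructed excerpt in the shape of strace output (the poster did not
# include his capture); the /bin/sh line is noise to show the filtering.
STRACE_SAMPLE = """\
[pid 30102] 15:41:10.104211 execve("/usr/bin/firewall-cmd", ["firewall-cmd", "--direct", "--passthrough", "ipv4", "-L", "FWKNOP_INPUT", "-n"], 0x7ffd0c2e8a10 /* 12 vars */) = 0
[pid 30118] 15:41:12.121940 execve("/usr/bin/firewall-cmd", ["firewall-cmd", "--direct", "--passthrough", "ipv4", "-L", "FWKNOP_INPUT", "-n"], 0x7ffd0c2e8a10 /* 12 vars */) = 0
[pid 30131] 15:41:13.500004 execve("/bin/sh", ["sh", "-c", "logger fwknopd-noise"], 0x7ffd0c2e8a10 /* 12 vars */) = 0
[pid 30140] 15:41:14.139002 execve("/usr/bin/firewall-cmd", ["firewall-cmd", "--direct", "--passthrough", "ipv4", "-L", "FWKNOP_INPUT", "-n"], 0x7ffd0c2e8a10 /* 12 vars */) = 0
[pid 30155] 15:41:16.155870 execve("/usr/bin/firewall-cmd", ["firewall-cmd", "--direct", "--passthrough", "ipv4", "-L", "FWKNOP_INPUT", "-n"], 0x7ffd0c2e8a10 /* 12 vars */) = 0
[pid 30171] 15:41:18.172301 execve("/usr/bin/firewall-cmd", ["firewall-cmd", "--direct", "--passthrough", "ipv4", "-L", "FWKNOP_INPUT", "-n"], 0x7ffd0c2e8a10 /* 12 vars */) = 0
"""


def parse_exec_times(strace_text, exe_basename="firewall-cmd"):
    """Return the wall-clock time of every execve of `exe_basename`."""
    times = []
    for line in strace_text.splitlines():
        m = EXECVE_RE.match(line)
        if not m:
            continue
        ts, path = m.groups()
        if path.rsplit("/", 1)[-1] != exe_basename:
            continue  # some other child process, not the rules check
        times.append(datetime.strptime(ts, "%H:%M:%S.%f"))
    return times


def poll_intervals(times):
    """Seconds between consecutive execs; a negative gap means the capture
    crossed midnight (strace -tt prints time of day only), so add a day."""
    out = []
    for a, b in zip(times, times[1:]):
        delta = b - a
        if delta < timedelta(0):
            delta += timedelta(days=1)
        out.append(delta.total_seconds())
    return out


def expected_interval(threshold, loop_sleep_us=DEFAULT_LOOP_SLEEP_US):
    """Check period in seconds implied by RULES_CHECK_THRESHOLD.
    A threshold of 0 disables the check entirely, returned as None."""
    if threshold <= 0:
        return None
    return threshold * loop_sleep_us / 1_000_000


def threshold_for_interval(seconds, loop_sleep_us=DEFAULT_LOOP_SLEEP_US):
    """Smallest threshold that polls no more often than once per `seconds`."""
    return max(1, math.ceil(seconds * 1_000_000 / loop_sleep_us))


def infer_threshold(strace_text, loop_sleep_us=DEFAULT_LOOP_SLEEP_US):
    """Estimate the RULES_CHECK_THRESHOLD in effect from a capture."""
    ivals = poll_intervals(parse_exec_times(strace_text))
    if not ivals:
        return None
    return round(mean(ivals) * 1_000_000 / loop_sleep_us)


if __name__ == "__main__":
    ivals = poll_intervals(parse_exec_times(STRACE_SAMPLE))
    print(f"{len(ivals)} intervals, mean {mean(ivals):.3f} s "
          f"-> threshold in effect ~{infer_threshold(STRACE_SAMPLE)}")
    for t in (DEFAULT_THRESHOLD, 200):
        print(f"RULES_CHECK_THRESHOLD {t}; -> one check every "
              f"{expected_interval(t)} s")
    print("for one check per 20 s use threshold",
          threshold_for_interval(20.0))
```

To use it on a real host, capture with `strace -f -tt -e trace=execve -p "$(pidof fwknopd)" 2> fwknopd.trace` and pass the file contents to `infer_threshold()`; a result near 20 alongside a 2 s interval is the assumed default, and `threshold_for_interval(20.0)` gives the 200 that Paul found bearable. A threshold of 0 turns the check off, and as I understand it that check is what lets fwknopd notice when its chains have been removed from under it by another process, so raising the threshold is the more conservative change than disabling it.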