linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

fapolicyd consumes 100% CPU when application keeps accessing a large number of files. #233

Closed csyfek closed 1 year ago

csyfek commented 1 year ago

Hello,

Consider this situation:

## Terminal 1

```
# yum install fapolicyd
# systemctl restart fapolicyd
```

## Terminal 2

```
# find /usr -type f -exec cat {} > /dev/null \; &
# find /usr -type f -exec cat {} > /dev/null \; &
# find /usr -type f -exec cat {} > /dev/null \; &
```

## Terminal 3

```
# top
```

It seems that even if we use the trust list, it does not help.

Any thoughts? Thanks.

Best regards, SHiNE

stevegrubb commented 1 year ago

Doing something like this does not cause problems on my system. You have to do a little tuning for the workload you expect. The object cache in this case is likely evicting lots of results. When you end fapolicyd, it will output a report that you can use for tuning.

stevegrubb commented 1 year ago

To further evaluate the issue, I'd need to see the output from the performance metrics. When the program gets into this state, use Ctrl-C if it's in the foreground or send it a SIGUSR1 if it's a daemon. It should output a report to /var/run/fapolicyd.state for SIGUSR1 or /var/log/fapolicyd-access.log for shutdown. From this report, I'd like to see the Object related metrics and the internal queue metrics. We don't need anything else.

stevegrubb commented 1 year ago

Closing this issue - being resolved privately. In case anyone is curious, the object cache size needs adjusting as mentioned in the performance section of README.md.
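The report triage described in the comments above, as an added example that is not part of the original thread or the project's own tooling: it filters a state report down to the Object and queue metrics and derives the object-cache miss rate. The field labels are assumed to follow the sample report in the project's README, and the report text below is constructed.

```shell
#!/bin/sh
# Added example: extract the Object cache and queue metrics from a fapolicyd
# state report. Field labels are an assumption based on the README's sample.

# Constructed sample report (not output from the reporter's system).
sample_report() {
cat <<'EOF'
q_size: 640
Inter-thread max queue depth 640
Allowed accesses: 70397
Subject cache size: 1549
Subject hits: 70032
Object cache size: 8191
Object slots in use: 8191 (100%)
Object hits: 20000
Object misses: 60000
Object evictions: 51809 (64%)
EOF
}

# Keep only the lines requested in the thread: Object* and queue metrics.
wanted_metrics() {
    grep -E '^(Object |q_size|Inter-thread max queue depth)'
}

# Print the object-cache miss percentage (integer), or "n/a" with no lookups.
object_miss_pct() {
    awk -F': *' '
        /^Object hits/   { hits = $2 + 0 }
        /^Object misses/ { miss = $2 + 0 }
        END {
            total = hits + miss
            if (total == 0) { print "n/a"; exit }
            printf "%d\n", (miss * 100) / total
        }'
}

# Report whether the recorded max queue depth reached q_size.
queue_saturated() {
    awk '
        /^q_size:/                      { q = $2 + 0 }
        /^Inter-thread max queue depth/ { d = $NF + 0 }
        END { if (q > 0 && d >= q) print "yes"; else print "no" }'
}

# On a live system (assumption: root shell, daemon running):
#   kill -USR1 "$(pidof fapolicyd)" && wanted_metrics < /var/run/fapolicyd.state
```

A high miss percentage together with a fully used object cache is the pattern that points at the object cache size setting covered in the performance section of README.md.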