falco icon indicating copy to clipboard operation
falco copied to clipboard

Published 20 hours ago verified publisher icon falcosecurity

new: configure syscall buffer dimension from Falco

Open Andreagit97 opened this issue 2 years ago • 3 comments

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

What this PR does / why we need it:

As discussed in various places (https://github.com/falcosecurity/falco/pull/2164#issuecomment-1220479171, https://github.com/falcosecurity/falco/pull/2164#issuecomment-1220792012, https://github.com/falcosecurity/falco/issues/2208) this PR adds the possibility to change the syscall buffer dimension through the Falco configuration file.

The approach used is the one described here https://github.com/falcosecurity/falco/issues/2208#issuecomment-1248354349. Users will have an array of indexes that map to precise buffer dimensions in bytes. You can find more information in the falco.yaml file, but just for simplicity I report them here:

# --- [Description]
#
# This is an index that controls the dimension of the syscall buffers.
# The syscall buffer is the shared space between Falco and its drivers where all the syscall events
# are stored.
# Falco uses a syscall buffer for every online CPU, and all these buffers share the same dimension.
# So this parameter allows you to control the size of all the buffers!
#
# --- [Usage]
#
# You can choose between different indexes: from `1` to `10` (`0` is reserved for future uses).
# Every index corresponds to a dimension in bytes:
#
# [(*), 1 MB, 2 MB, 4 MB, 8 MB, 16 MB, 32 MB, 64 MB, 128 MB, 256 MB, 512 MB]
#   ^    ^     ^     ^     ^     ^      ^      ^       ^       ^       ^
#   |    |     |     |     |     |      |      |       |       |       |
#   0    1     2     3     4     5      6      7       8       9       10
#
# As you can see the `0` index is reserved, while the index `1` corresponds to
# `1 MB` and so on.
#
# These dimensions in bytes derive from the fact that the buffer size must be:
# (1) a power of 2.
# (2) a multiple of your system_page_dimension.
# (3) greater than `2 * (system_page_dimension)`.
#
# According to these constraints is possible that sometimes you cannot use all the indexes, let's consider an
# example to better understand it:
# If you have a `page_size` of 1 MB the first available buffer size is 4 MB because 2 MB is exactly
# `2 * (system_page_size)` -> `2 * 1 MB`, but this is not enough we need more than `2 * (system_page_size)`!
# So from this example is clear that if you have a page size of 1 MB the first index that you can use is `3`.
#
# Please note: this is a very extreme case just to let you understand the mechanism, usually the page size is something
# like 4 KB so you have no problem at all and you can use all the indexes (from `1` to `10`).
#
# To check your system page size use the Falco `--page-size` command line option. The output on a system with a page
# size of 4096 Bytes (4 KB) should be the following:
#
# "Your system page size is: 4096 bytes."
#
# --- [Suggestions]
#
# Before the introduction of this param the buffer size was fixed to 8 MB (so index `4`, as you can see
# in the default value below).
# You can increase the buffer size when you face syscall drops. A size of 16 MB (so index `5`) can reduce
# syscall drops in production-heavy systems without noticeable impact. Very large buffers however could
# slow down the entire machine.
# On the other side you can try to reduce the buffer size to speed up the system, but this could
# increase the number of syscall drops!
# As a final remark consider that the buffer size is mapped twice in the process' virtual memory so a buffer of 8 MB
# will result in a 16 MB area in the process virtual memory.
# Please pay attention when you use this parameter and change it only if the default size doesn't fit your use case.

syscall_buf_size_preset: 4

I added also a new command line option --page-size to let the user easily obtain the page size of their system

If you have any suggestions I'm all ears :)

Which issue(s) this PR fixes:

Fixes #2208

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new: configure syscall buffer dimension from Falco

Andreagit97 avatar Sep 20 '22 12:09 Andreagit97

@incertum @leogr @FedeDP @jasondellaluce

Andreagit97 avatar Sep 20 '22 12:09 Andreagit97

LGTM label has been added.

Git tree hash: 5c95ce7172deeca86625ee937bbb3f6d92d7354a

poiana avatar Sep 20 '22 15:09 poiana

Rebased on actual master just to have this fix https://github.com/falcosecurity/falco/pull/2215 I've also fixed the case in which we are not able to get the page system size in the last commit (fix(syscall_buffer): set dimension if page size not available)

Andreagit97 avatar Sep 24 '22 17:09 Andreagit97

/milestone 0.33.0

jasondellaluce avatar Sep 27 '22 08:09 jasondellaluce

LGTM label has been added.

Git tree hash: 450a6f8a38ed518bcd8fc9921aa2ee755470b0e0

poiana avatar Sep 27 '22 08:09 poiana

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [Andreagit97,FedeDP,leogr]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

poiana avatar Sep 27 '22 08:09 poiana