Suricata set-cpu-affinity?

KAMALKUMARM · February 11, 2025, 6:44pm

Please include the following information with your help request:

Suricata version : 7.0.X

Operating system and/or Linux distribution : Linux 6.6.52-yocto-standard+

How you installed Suricata (from source, packages, something else) : source

My current threading config is DISABLED.
threading:
set-cpu-affinity: no

cpu-affinity:*
- management-cpu-set:*

   cpu: [ 0 ]  # include only these CPUs in affinity settings*

- receive-cpu-set:*

   cpu: [ 0 ]  # include only these CPUs in affinity settings*

- worker-cpu-set:*
```
   cpu: [ "all" ]*
```
```
   mode: "exclusive"*
```

   # Use explicitly 3 threads and don't compute number by using*

```
   # detect-thread-ratio variable:*
```
```
   # threads: 3*
```
```
   prio:*
```
```
     low: [ 0 ]*
```
```
     medium: [ "1-2" ]*
```
```
     high: [ 3 ]*
```
```
     default: "medium"*
```

And the suricata thread behavior is as below:
/home/admin# ps -T -p 45320

PID SPID TTY TIME CMD*
45320 45320 ? 00:00:02 Suricata-Main*
45320 45383 ? 00:00:00 W#01-ids*
45320 45384 ? 00:00:00 W#02-ids*
45320 45385 ? 00:00:00 W#03-ids*
45320 45386 ? 00:00:00 W#04-ids*
45320 45387 ? 00:00:00 FM#01*
45320 45388 ? 00:00:00 FR#01*

My requirement is to run suricata with 2 worker threads and rest of the things should match with above output (ps -T -p 45320), what changes shall I do as part of threading other than set-cpu-set to yes and thread to 2.
And my query is when set-cpu-affinity was disabled (set-cpu-affinity: no), suricata had 4 worker threads running on 4 different CPU Cores, whether these cores were exclusive for suricata ?

Kindly answer the queries.

Thanks,
Kamal

Andreas_Herz · February 12, 2025, 9:51pm

If you want 2 workers in that case set it in worker-cpu-set to specific CPU cores and make sure affinity is enabled. Also set the threads value to 2 in your af-packet section for that interface.

KAMALKUMARM · February 13, 2025, 4:31am

@Andreas_Herz , Thank you.
when config was disabled(set-cpu-affinity: no), I can see 4 worker threads and they were not exclusive to any cores. The taskset on SPID of thread(s) shows 0-3, which means they are NOT exclusively bonded to any cores and can run on any core from 0-3.
Correct me if I am wrong.

Now I got a requirement to restrict worker threads to 2, as part if it I enabled set-cpu-affinity, thread count to 2 but mode was exclusive, after these changes I can see 2 worker threads running but they were exclusive to 0 and 1 cores. Which I don’t want.
I want 2 worker threads but they should not be exclusive to any cores.
How can I achieve this ?

Andreas_Herz · February 13, 2025, 8:35am

Set threads to 2 in the af-packet section for the interface.

Topic		Replies	Views
How to enable more capture threads in autofp mode? Help suricata	2	431	May 19, 2023
Control of threads for pcap-file ingestion with unix socket Help	3	24	February 12, 2025
Suricata 6.0.4 behavior on threads CPU affnity wrong on some hardware Help	5	712	August 9, 2023
How to resolve one CPU usage 100% when running suricata Help	17	2784	October 2, 2021
Cpu affinity and 1 receive/management core 100% Help suricata	10	697	August 15, 2023

Suricata set-cpu-affinity?

Related topics