diff --git a/CHANGES b/CHANGES index 10d00d919f..e6692ef2f5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-663 | 2018-06-14 12:51:28 -0500 + + * Add Broker::max_threads and Broker::max_sleep tuning options, + remove Broker::max_live_threads and Broker::max_pcap threads (Corelight) + + * Minor optimization to bro_broker::Manager::FlushPendingQueries (Corelight) + 2.5-660 | 2018-06-12 13:49:39 -0500 * Add Broker::max_live_threads and Broker::max_pcap_threads tunables diff --git a/VERSION b/VERSION index 946f73bee2..a38fa6e474 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-660 +2.5-663 diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index cfd4f06280..23a701c3ef 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -51,21 +51,15 @@ export { ## all peers. const ssl_keyfile = "" &redef; - ## Max number of threads to use for Broker/CAF functionality when - ## operating on a live interface. Using zero will cause this to - ## be automatically determined based on number of available CPUs. - const max_live_threads = 0 &redef; + ## Max number of threads to use for Broker/CAF functionality. + ## Using zero will cause this to be automatically determined + ## based on number of available CPUs. + const max_threads = 0 &redef; - ## Max number of threads to use for Broker/CAF functionality when - ## operating on a pcap file. Using zero will cause this to be - ## automaticallu determined based on number of available CPUs. - # TODO: on systems where number of CPUs starts exceeding ~10, - # simply creating a caf::actor_system and not using it incurs - # significant performance overhead. Can CAF be updated to - # be more efficient in the case where the application isn't - # actually making much use of most of those threads instead - # of hardcoding this to the minimal 4 threads? - const max_pcap_threads = 4 &redef; + ## Max number of microseconds for under-utilized Broker/CAF + ## threads to sleep. Using zero will cause this to be automatically + ## determined or just use CAF's default setting. + const max_sleep = 0 &redef; ## Forward all received messages to subscribing peers. const forward_messages = F &redef; diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 3a980d22c2..e78db804a8 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -171,20 +171,41 @@ void Manager::InitPostScript() options.use_real_time = ! reading_pcaps; BrokerConfig config{std::move(options)}; - auto max_live_threads = get_option("Broker::max_live_threads")->AsCount(); - auto max_pcap_threads = get_option("Broker::max_pcap_threads")->AsCount(); + auto max_threads = get_option("Broker::max_threads")->AsCount(); + auto max_sleep = get_option("Broker::max_sleep")->AsCount(); - if ( reading_pcaps ) - { - if ( max_pcap_threads ) - config.scheduler_max_threads = max_pcap_threads; - } + if ( max_threads ) + config.scheduler_max_threads = max_threads; else { - if ( max_live_threads ) - config.scheduler_max_threads = max_live_threads; + // On high-core-count systems, spawning one thread per core + // can lead to significant performance problems even if most + // threads are under-utilized. Related: + // https://github.com/actor-framework/actor-framework/issues/699 + if ( reading_pcaps ) + config.scheduler_max_threads = 2u; + else + { + auto hc = std::thread::hardware_concurrency(); + + if ( hc > 8u ) + hc = 8u; + else if ( hc < 4u) + hc = 4u; + + config.scheduler_max_threads = hc; + } } + if ( max_sleep ) + config.work_stealing_relaxed_sleep_duration_us = max_sleep; + else + // 64ms is just an arbitrary amount derived from testing + // the overhead of a unused CAF actor system on a 32-core system. + // Performance was within 2% of baseline timings (w/o CAF) + // when using this sleep duration. + config.work_stealing_relaxed_sleep_duration_us = 64000; + bstate = std::make_shared(std::move(config)); }