diff --git a/falco.yaml b/falco.yaml
index 4f79be4e2b6..451e71d03d3 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -65,6 +65,8 @@
 # metrics
 # Falco performance tuning (advanced)
 # base_syscalls
+# Falco libs
+# falco_libs
 ################################
 # Falco command-line arguments #
@@ -1100,6 +1102,29 @@ base_syscalls:
 custom_set: []
 repair: false
+##############
+# Falco libs #
+##############
+
+# [Experimental] `falco_libs` - Potentially subject to more frequent changes
+#
+# `thread_table_size`
+#
+# Set the maximum number of entries (the absolute maximum value can only be MAX UINT32)
+# for Falco's internal threadtable (process cache). Please note that Falco operates at a
+# granular level, focusing on individual threads. Falco rules reference the thread leader
+# as the process. The size of the threadtable should typically be much higher than the
+# number of currently alive processes. The default value should work well on modern
+# infrastructures and be sufficient to absorb bursts.
+#
+# Reducing its size can help in better memory management, but as a consequence, your
+# process tree may be more frequently disrupted due to missing threads. You can explore
+# `metrics.state_counters_enabled` to measure how the internal state handling is performing,
+# and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
+# if you should increase this value for optimal performance.
+falco_libs:
+ thread_table_size: 262144
+
 # [Stable] Guidance for Kubernetes container engine command-line args settings
 #
 # Modern cloud environments, particularly Kubernetes, heavily rely on
diff --git a/userspace/engine/falco_common.h b/userspace/engine/falco_common.h
index b33695d7d26..704ea044a29 100644
--- a/userspace/engine/falco_common.h
+++ b/userspace/engine/falco_common.h
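Review bot: The `thread_table_size` comment does not say what a value of `0` does; the consumer added in helpers_inspector.cpp in this same commit only applies the setting when it is `> 0`, so `0` silently leaves the libs' built-in default in place rather than being rejected or disabling the cache. Suggested line at the end of the comment block: `# A value of 0 leaves the default chosen by the underlying libs unchanged.` It would also help operators to make the detection consequence explicit: the text already says the process tree may be disrupted by missing threads, and presumably rules that depend on parent or ancestor process fields are the ones that lose fidelity, so `n_drops_full_threadtable` should be watched before trusting such rules after tuning this value down.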
@@ -28,6 +28,8 @@ limitations under the License.
 //
 #define DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE std::ptrdiff_t(~size_t(0) / 2)
+#define DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE 262144
+
 //
 // Most falco_* classes can throw exceptions. Unless directly related
 // to low-level failures like inability to open file, etc, they will
diff --git a/userspace/falco/app/actions/helpers_inspector.cpp b/userspace/falco/app/actions/helpers_inspector.cpp
index 5e34786f6c8..a170c2aaac4 100644
--- a/userspace/falco/app/actions/helpers_inspector.cpp
+++ b/userspace/falco/app/actions/helpers_inspector.cpp
@@ -53,6 +53,12 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 inspector->set_sinsp_stats_v2_enabled();
 }
+ if(s.config->m_falco_libs_thread_table_size > 0)
+ {
+ // Default value is set in libs as part of the sinsp_thread_manager setup
+ inspector->m_thread_manager->set_max_thread_table_size(s.config->m_falco_libs_thread_table_size);
+ }
+
 if (source != falco_common::syscall_source) /* Plugin engine */
 {
 for (const auto& p: inspector->get_plugin_manager()->plugins())
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 35bcc6cf093..fde926a88d6 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -70,6 +70,7 @@ falco_configuration::falco_configuration():
 m_syscall_evt_drop_max_burst(1),
 m_syscall_evt_simulate_drops(false),
 m_syscall_evt_timeout_max_consecutives(1000),
+ m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
 m_base_syscalls_repair(false),
 m_metrics_enabled(false),
 m_metrics_interval_str("5000"),
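Review bot: In the helpers_inspector.cpp hunk the new guard is written `if(` while the neighbouring `if (source != falco_common::syscall_source)` a few lines below uses `if (`, so the added block should follow the file's spacing: `if (s.config->m_falco_libs_thread_table_size > 0)`. Beyond style, a configured size that is applied, or skipped because it is `0`, leaves no trace in the log; a debug-level log line stating the value handed to `set_max_thread_table_size` would let an operator confirm the effective cache size when later investigating `n_drops_full_threadtable`. The comment would also explain the guard better as `// 0 keeps the libs' own default (set during sinsp_thread_manager setup)`. open_live_inspector starts before and continues after this hunk.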
@@ -443,6 +444,8 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 throw std::logic_error("Error reading config file(" + config_name + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
 }
+ m_falco_libs_thread_table_size = config.get_scalar("falco_libs.thread_table_size", DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE);
+
 m_base_syscalls_custom_set.clear();
 config.get_sequence>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set"));
 m_base_syscalls_repair = config.get_scalar("base_syscalls.repair", false);
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index d8603731bda..95cae62659b 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -136,6 +136,8 @@ class falco_configuration
 uint32_t m_syscall_evt_timeout_max_consecutives;
+ uint32_t m_falco_libs_thread_table_size;
+
 // User supplied base_syscalls, overrides any Falco state engine enforcement.
 std::unordered_set m_base_syscalls_custom_set;
 bool m_base_syscalls_repair;
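Review bot: The new `falco_libs.thread_table_size` read in load_yaml has no range validation, unlike the sibling setting just above it, which throws `std::logic_error` when the value is not an unsigned integer > 0. As rendered here the call also shows no explicit template argument (the neighbouring `get_sequence>(` suggests angle brackets were stripped in rendering); if the real line indeed lacks `<uint32_t>`, the deduced type comes from the `262144` int literal behind DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE and a negative YAML value would wrap silently into a very large unsigned count on assignment. Suggest reading it explicitly as `config.get_scalar<uint32_t>("falco_libs.thread_table_size", DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE)`; the `> 0` guard in helpers_inspector.cpp treats `0` as "keep the libs default", so either that meaning is documented in falco.yaml or `0` is rejected here with the same error wording the sibling uses. load_yaml starts before and continues after this hunk.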
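Review bot: In the configuration.h hunk `m_falco_libs_thread_table_size` is added without a comment, whereas the neighbouring `m_base_syscalls_custom_set` carries one explaining its meaning and override semantics. Suggested comment above the member: `// Maximum number of entries in the libs thread table (process cache); 0 leaves the libs default in place.` The `0` behaviour follows from the `> 0` guard added in helpers_inspector.cpp in this same commit. The class body continues outside the hunk.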