Many dropped system calls events due to page faults

[Amojow]

What happened:
I have a huge amount of dropped syscall events due to page faults (n_drops_pf).

{"output":"Falco internal: syscall event drop. 922 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"922","n_drops_buffer":"0","n_drops_bug":"0","n_drops_pf":"922","n_evts":"6318"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-11-05T16:23:05.614728412Z"}
{"output":"Falco internal: syscall event drop. 2088 system calls dropped in last second.","output_fields":{"ebpf_enabled":"0","n_drops":"2088","n_drops_buffer":"4","n_drops_bug":"0","n_drops_pf":"2084","n_evts":"13384"},"priority":"Critical","rule":"Falco internal: syscall event drop","time":"2019-11-05T16:23:34.840496811Z"}

What you expected to happen:
I expect to have only the dropped syscall events due to the full buffer (n_drops_buffer), or at least reduce the number of dropped syscall events due to page faults "n_drops_pf".

How to reproduce it (as minimally and precisely as possible):

• Deploy the helm chart falco with k8s events enabled
• Enable json output to see the kinds of dropped syscalls events

Anything else we need to know?:

Environment:
My cluster is composed by 1 master and 3 nodes.
I have 4 VM :

• OS : Centos 7
• Kernel : 5.3.8-1.el7.elrepo.x86_64

Falco is deployed with the helm chart "falco-1.0.9" :
Versions :

• Falco 0.17.1
• Docker 19.03.4
• Kubernetes 1.14

[fntlnz]

HI @Amojow thanks for taking the time to open this!

0.18.0 was a big release, can you test this out with 0.18.0 and report back first?

[fntlnz]

/triage needs-information

[Amojow]

Oh yes with the new version i don't have dropped syscall events anymore.
Thank you for your fast answer.

[fntlnz]

Thanks for confirming @Amojow !