New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[QA] Modulesd is using too much memory on dev branch 4.1.0 #6997
Comments
We've detected that these "leak" logs are recurrent and seems to be in a loop. In this release the changes to SCA module are minimal. The problem may be that we've changed the way threads and processes are executed and we're executing a problematic code on a loop. We're investigating this. Also, we've detected anotherb bigger leak with Valgrind:
That could explain the final memory increasing. |
Hello team, Chema has created a new branch to solve this or: Packages: https://ci.wazuh.info/view/Packages/job/Packages_builder_tier/1012/parameters/
Results:40 min |
Hi team, After deeper investigation, it seems the test is reporting the memory leak produced by the child process when a command fails due to the use of Running SCA on 4.1.0 (agent) with a policy where some commands fail
Running SCA on 4.0.3 with a policy where some commands fail
Running SCA on 4.1.0 with a policy from 4.0.3 (with no commands failling)
Running the wodle command with SCA disabled
<wodle name="command">
<disabled>no</disabled>
<tag>test-memleak</tag>
<command>fake-command</command>
<interval>2s</interval>
<ignore_output>no</ignore_output>
<run_on_start>yes</run_on_start>
<timeout>30</timeout>
<skip_verification>yes</skip_verification>
</wodle> The results are:
Final conclusionsThe addition of new SCA policies includes the following commands in different checks for the Linux policies:
However, the
This can make the tests report a memory leak since the RSS memory seems to be including the memory for the child process which is running the command. In that case, the memory leak doesn't exist since the memory is reclaimed by the OS once the child process dies. The solution for this could be to find a workaround for the In addition, #7028 makes the report to be attenuated when SCA is evaluated since the dynamic buffer of 64KB was interpreted as a memory leak as well. |
Hi team, After an exhaustive analysisd of the memory usage by Modulesd, we concluded that it is produced by a memory fragmentation issue in the SCA scan, when running the CIS check "Ensure XD/NX support is enabled". Affected installation types:
Affected platforms:
RationaleThat check runs We observed this behavior is prone to occur when multiple modules are running, like SCA and Syscollector. Therefore, though the memory usage is much higher in manager than in agent, there is no guarantee that it cannot happen in the agent. Action items
- 'c:sh -c "journalctl | grep protection" -> r:^kernel:\s+NX \(Execute Disable\) protection: active'
|
Finally, |
Hello team,
Do you want to request a feature or report a bug?
What is the current behavior?
We've detected a memory leak on modulesd while testing the development tag
v4.1.0-alpha1
using a stress test.Results of the tests
We've also run these tests with Valgrind and got the confirmation of a memory leak, apparently related with SCA.
The text was updated successfully, but these errors were encountered: