https://github.com/osquery/osquery logo
Join Slack
Powered by
:wave: hey friends if `--disable_events=false` and...
# ebpf
z
👋 hey friends if 
--disable_events=false
and 
--enable_bpf_events=true
are set, will this cause osquery to use significantly more memory? currently I'm testing the 5.0.0 pre-release and am seeing osquery keeps restarting because it exceeds it's memory limit, I've upped the limit to 1G with 
--watchdog_memory_limit=1000
but I am still seeing memory limits exceeded on some hosts
m
Is that memory consumption a new issue? Were you using this configuration successfully with an older osquery?
If the issue manifests on some hosts but not others, there might be a difference in the level of activity on those hosts that is affecting this
z
it became an issue after upgrading to osquery 5.0.0 and enabling bpf events, before this we were operating at the default limit of 200mb and rarely saw it get stopped from hitting the memory limit
s
That sounds strange, bpf shouldn’t cause that amount of allocations, even under high stress; CPU should be the first cause of kill. What distribution and kernel version? How many cores those machines have? What is the configuration passed (.conf and flags)?
Also, does that happen almost as soon as osquery runs, or it takes a while to get to that status?
The output of 
top -n 1 -b -p $(pgrep -d',' -f osqueryd)
would be useful too, when reproducing that issue.
m
👋 I’m working with Zac on this. these are fairly large and busy k8s nodes if that helps RE: increased memory allocation Distro/kernel is 
Debian 4.19.194-3~deb9u1
and for the nodes it’s happening on, it is shortly after osquery starts up
7 Views
Open in Slack
PreviousNext
Powered by