#general

Prateek Kumar Nischal

10/06/2020, 5:45 PM
one quick clarification,
// % of (User + System + Idle) CPU time worker can utilize
// for LATENCY_LIMIT seconds.
{WatchdogLimitType::UTILIZATION_LIMIT, {10, 5, 100}},

// Seconds of tolerable UTILIZATION_LIMIT sustained latency.
{WatchdogLimitType::LATENCY_LIMIT, {12, 6, 1000}},
This utilization limit is CPU time considering a single core, right? And a utilization limit of 100 means osquery is free to fully utilize a single core for itself.

Zach Zeid

10/06/2020, 6:12 PM
But this is only if watchdog is enabled?

Prateek Kumar Nischal

10/06/2020, 6:19 PM
Yes, this is what the watchdog guarantees.
--watchdog_level VALUE                           Performance limit level (0=normal, 1=restrictive, -1=off)
3 levels, 3 options
theopolis

10/06/2020, 6:22 PM
Yes, 100% == 1 core

Zach Zeid

10/06/2020, 6:26 PM
so this means that in normal, it can take 100% of a single core?

Prateek Kumar Nischal

10/06/2020, 6:38 PM
yup.. It can cross 100% utilization, which is kind of ok as CPUs are just fine in handling spikes with their boost clocks.. The problem is with watchdog killing it 😄 on restrictive and normal settings

Zach Zeid

10/06/2020, 6:44 PM
so if I'm reading this correctly (https://github.com/osquery/osquery/blob/6d57dc8066031b3859a8e1da0627740150d5a24d/osquery/core/watcher.cpp#L84) does that mean that normal is 200, restrictive is 100 and off is 10000?

Prateek Kumar Nischal

10/06/2020, 7:10 PM
I guess so, 200M is the regular memory limit.. 100M is restrictive and 10000 is off

Zach Zeid

10/06/2020, 8:07 PM
Is there a way to trigger watchdog for testing purposes?
theopolis

10/06/2020, 8:38 PM
No, there isn't, unfortunately. I am doing profiling for events and working on a new "how to tune osquery for eventing on high load machines" article and I wanted that feature as well.
8:39 PM
I essentially added a similar feature to a local testing branch 😛

Zach Zeid

10/06/2020, 8:39 PM
I'm really concerned that watchdog isn't triggering like it should be on some machines that I have watchdog enabled on and set to 1
theopolis

10/06/2020, 8:41 PM
If you put together some data on why you are concerned we can triage in a GitHub issue.