High CPU usage from processes with file operations on a large number of files or directories in the /tmp (tmpfs) file system
|Article:TECH192788|||||Created: 2012-07-11|||||Updated: 2012-07-16|||||Article URL http://www.symantec.com/docs/TECH192788|
|NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.|
High CPU utilization can result from IPS monitoring tmpfs file systems (usually /tmp) when there are >10K files and directories present on the tmpfs file system. With very large numbers of files and directories, performance degradation should be expected in the /tmp file system.
- Solaris 9: Release 5.2.8 MP3 or earlier.
- Solaris 10: Release 5.2.8 MP4 or earlier.
The Symantec Critical System Protection IPS driver requires the real or absolute path of the files and directories that are being checked against an IPS policy for access. The IPS driver makes a call to the Solaris readdir() function to get the real path at each level of the directory structure, where readdir() unexpectedly returns all of the entries under the entire tmpfs filesystem being traversed. Large numbers of files or directories worsen the performance impact of these calls and they can, in extreme conditions, consume most or all of the available CPU.
Commands that call chdir(), like find, rm, etc. on files under the /tmp filesystem will also trigger the issue.
Optimize the IPS driver code to get rid of the readdir() calls which were causing the large performance impact.
Solaris 9: Resolved in 5.2.8 MP4
Article URL http://www.symantec.com/docs/TECH192788