High CPU usage from processes with file operations on a large number of files or directories in the /tmp (tmpfs) file system

Article:TECH192788  |  Created: 2012-07-11  |  Updated: 2012-07-16  |  Article URL http://www.symantec.com/docs/TECH192788
NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.
Article Type
Technical Solution

Product(s)

Issue



High CPU utilization can result from IPS monitoring tmpfs file systems (usually /tmp) when there are >10K files and directories present on the tmpfs file system.  With very large numbers of files and directories, performance degradation should be expected in the /tmp file system.


Environment



Affected operating systems: Solaris 9 and  Solaris 10
Affected Symantec Critical System Protection versions:
  • Solaris 9: Release 5.2.8 MP3 or earlier.
  • Solaris 10: Release 5.2.8 MP4 or earlier. 
Affected Symantec Critical System Protection policy: UNIX Prevention Policies

Cause



The Symantec Critical System Protection IPS driver requires the real or absolute path of the files and directories that are being checked against an IPS policy for access.  The IPS driver makes a call to the Solaris readdir() function to get the real path at each level of the directory structure, where readdir() unexpectedly returns all of the entries under the entire tmpfs filesystem being traversed.  Large numbers of files or directories worsen the performance impact of these calls and they can, in extreme conditions, consume most or all of the available CPU. 

Commands that call chdir(), like find, rm, etc. on files under the /tmp filesystem will also trigger the issue.


Solution



Optimize the IPS driver code to get rid of the readdir() calls which were causing the large performance impact. 

Solaris 9: Resolved in 5.2.8 MP4

Solaris 10: Will be addressed in the SCSP 5.2.9 release.
 



Article URL http://www.symantec.com/docs/TECH192788


Terms of use for this information are found in Legal Notices