In NS7b2 I still have the problem that there is a steady increase of memory consumption.
NS7 is running in a VM with 1.5 GB RAM and 600 MB Swap space. After starting the NS VM about 4 % of Swap space is used. After 24 hours it’s 14 %, after two days around 26 %, after three days more than 50 % and so on.
NS works as it is, without additional services over the time. So, the memory consumption should stabilize after a while, unless there is a memory leak somewhere.
Does anybody else observe this behavior?
Memory management in Linux is complex, there where jokes that only Linus Torvalds knows what the kswap service does.
The amount of usage of swap does not indicate the memory usage of your system. In the swap are the memory pages which are not currently used and they stay there as long there is space. Even if you got plenty of ram, over time, your swap fills up. I’m cutting corners here, as said only Linus knows how it really works.
What we really need is a memory plugin for collected; now i’m teasing @giacomo see
Are you a little bit familiar with the command prompt and can you ssh in your server?
Yes, sure. Why?
What happens when the swap space is filled? I had to kill the NS VM once because there were only 25MB swap space left and the system was near to halt. Game over.
By the way, it seems to me that NS7 has quite some bloatware on board compared to NS6. For example there are sssd and winbind services running and I don’t know what for. Those who do not intend to connect their NS gateway with the internal lan do not use this. But both packages are a dependancy for squid. That looks very strange to me.
NethServer is empty when you install it, so software installed is there because it’s a dependency or in the same yum group.
Can you show us your software installed output?
CentOS 7 has higher requirements compared to 6. Minimum disk space increased from 1 to 10 GB.
sssd handles user authentication (I’m simplifying).
squid can be configured to authenticate users.
That’s why. There is no purpose in authenticating to a pure firewall gateway.
http://docs.nethserver.org/en/latest/web_proxy.html
Authenticated users must enter a user name and password in order to navigate
Just if you are interested:
There is a systemvalue called swappiness. The lower the value, the lower the utilization of swap.
If set to 0, swap is disabled, but is not recomended. Default value is 60.
@mark_nl there is a memory plugin for cgp:
It is not enbaled by default.
Thanks, I’ll give it a try.
Where do I find the values for swappiness? Never heard about that.
I stumbled over it randomly.
I just used goolge.
@mark_nl Plugin works also on NS7:
@flatspin Yes and soon by default:
It’s in the testing repository; they are fast!
Sorry for hijacking your post, I wanted to suggest to install collectd (Statistics) and manually add the memory plugin. I’ll guess its not something you like seen your concerns regarding memory usage.
A KISS way to inspect system’s RAM usage is to look at /proc/meminfo (cat /proc/meminfo
). Don’t be deceived by “MemFree” this says nothing about available memory.
Further reading:
a simple ps -aux
helps hunt down recourse hogs.
Okay, collectd shows me how much memory is used. But even more interesting would be which service consumes how much memory or the most. Which service produces the continuous increase? Can anybody tell how I can see that?
My personal approach to get insight in resource usage is installing (in the shell) htop.
If I suspect a application of leaking i’ll run a little script once a day (cronjob)
something like this:
ps -aux | grep "sssd" >> /root/sssd.log
amusing i suspect sssd, (and don’t forget to remove the cornjob or sssd.log will flud your HD)
There are more sophisticates ways, I like to keep it simple en stupid.
BTW: I don’t see the filling up off the swap on non of my test setups, including experiential arm (RPI)
I strongly suggest atop
According to atop/htop it’s icap - clamd. It uses more than 30% of the total memory.
Does it make sense to have clamd running side by side with suricata?
it depends… I mean that if you need mail AV scanning and web traffic scanning… yes, you need it
Mail AV scanning is done by the internal mail server.
Web traffic scanning is the NS job.
I have amavisd (for mails), c-icap, clamd and suricata running. Isn’t that a bit much?