why is eastpect locked to a single core

[johndchch]

whilst troubleshooting very uneven core loading I noticed that each eastpect instance seems to be locked to a single core

e.g.

cpuset -g -p <pid of eastpect instancle 0>
pid 17862 mask: 1
pid 17862 domain policy: first-touch mask: 0

I presume this is done to either aid latency or to allow for a multiple interfaces ( and hence multiple eastpect instances )

question is - for a single LAN interface config ( so single eastpect instance ) would setting the mask to all available cores make more sense?

A few quick experiments changing the mask to all cores seems to improve the single core overloads I was seeing, and doesn't seem to affect performance in any negative manner

[sy]

Hi,

Yes, Zenarmor performance will be better for high traffics with multicore support. It is on our roadmap and will be added next year.

[mb]

Hi @johndchch,

We intentionally pin zenarmor to a dedicated core in order to prevent CPU context-switching overhead. Because if the process is wandering around CPU cores, we start to see CPU cache misses, which will in turn negatively impact performance.

Having said that, it's very interesting that you're seeing the opposite. Can you provide a bit more information? What is the CPU model? Is there a specific server hardware you're using?

[johndchch]

it's running on a i7-6700 ( with a 1gbps internet connection ) - and yes, I expect pinning WOULD help on smaller/slower cpus ( especially ones with small L2/L3 ), guess it's one of those things where you had to make a call and obviously need to err on the side of acceptable performance on low powered systems

any chance you could expose the pin option in the UI or too esoteric to explain and too low a priority? right now I just have a cron job to check/reset the process

[mb]

Hi @johndchch,

Makes sense, thanks.

Sure thing, I think we can introduce an option to the Interface Configuration Screen.
It's a bit late for 1.12, however let's see if we can ship with 1.13.

[athurdent]

Hi @mb,
so, multi core support with RSS is off the table, or is it still being worked on?

@johndchch, would it be possible to share your configuration? I'd really like to give it a spin on my VM running on a multi core EPYC system when I find the time.

Thanks both of you!

[36thchamber]

Pinning could be specified somewhere. In the era of P+E cores, it's necessary to prioritize the cores accordingly.

[almodovaris]

RSS is allowed. It is still experimental, but it is allowed.

Multi-core easpect has been scheduled for November.

[Raptcha]

Hey @almodovaris,

Is the multi-core support still scheduled for November?

[sy]

Hi @Raptcha,

We have made some adjustments to the priority of several exciting features, including Full TLS Inspection, TLS Decryption Mirroring for External Tools (e.g., Suricata, Snort, Bro, etc.), Zero Trust Network Access (ZTNA), and Arm64 CPU support. Our plan is to continue improving these features in the mid-term period, aiming for completion around the late third quarter of 2024.

[Cljackhammer]

So, now multi-score support has been delayed for a year?

[athurdent]

So, now multi-score support has been delayed for a year?

Another year, not the first time this happened.

[Raptcha]

So, I'm currently using Zimaboard 432 with Intel Celeron N3450 Quad Core (1.1 GHz Base and 2.2 GHz Boost). I'm only getting half internet speed because of this single core usage issue. Is there no way currently to fix this on my device? If not, could someone recommend a different hardware that won't have this issue till Sunny Valley decides to make this a priority?

[athurdent]

So, I'm currently using Zimaboard 432 with Intel Celeron N3450 Quad Core (1.1 GHz Base and 2.2 GHz Boost). I'm only getting half internet speed because of this single core usage issue. Is there no way currently to fix this on my device? If not, could someone recommend a different hardware that won't have this issue till Sunny Valley decides to make this a priority?

https://forum.opnsense.org/index.php?topic=35023.msg170055#msg170055

[almodovaris]

He does not have a N100, I do.