Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mdfind: Reduce table overhead and support quick interruption #7738

Merged
merged 1 commit into from
Aug 18, 2022
Merged

mdfind: Reduce table overhead and support quick interruption #7738

merged 1 commit into from
Aug 18, 2022

Conversation

Smjert
Copy link
Member

@Smjert Smjert commented Aug 17, 2022

  • Run the RunLoop for 1 second each time instead of a single pass
    to then check the spotlight queries status,
    since this means that we are checking the queries status and re-running
    the loop thousands of times per second.
    This causes the osquery worker to use a full core for the duration of
    the query and the watchdog to kill it.

  • Support quick interruption of a mdfind query if a shutdown is requested

@Smjert Smjert requested review from a team as code owners August 17, 2022 15:25
@Smjert Smjert force-pushed the stefano/improvement/mdfind-overhead-and-interruption branch from 5ffc5ed to 0954726 Compare August 17, 2022 15:26
@Smjert Smjert changed the title mdfind: Reduce mdfind table overhead and support quick interruption mdfind: Reduce table overhead and support quick interruption Aug 17, 2022
@Smjert
mdfind: Reduce table overhead and support quick interruption
ed9150e 
- Run the RunLoop for 1 second each time instead of a single pass
  to then check the spotlight queries status,
  since this means that we are checking the queries status and re-running
  the loop thousands of times per second.
  This causes the osquery worker to use a full core for the duration of
  the query and the watchdog to kill it.

- Support quick interruption of a mdfind query if a shutdown is requested
@Smjert Smjert force-pushed the stefano/improvement/mdfind-overhead-and-interruption branch from 0954726 to ed9150e Compare August 17, 2022 15:28
directionless
directionless approved these changes Aug 17, 2022
View reviewed changes
Copy link
Member

@directionless directionless left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably fine? I assume you tested this

@Smjert
Copy link
Member Author

Smjert commented Aug 17, 2022
edited

Probably fine? I assume you tested this

I did; on the performance side the CPU usage over one core went down from 100% to 1%.
The interruption works too.

For both I've tested with a scheduled query:

{
  "schedule": {
    "mdfind": {
      "query": "SELECT * FROM mdfind WHERE query = 'kMDItemFSName = \"*.*\"'",
      "interval": 10
    }
  }
}

@mike-myers-tob mike-myers-tob merged commit 645a178 into osquery:master Aug 18, 2022
@mike-myers-tob mike-myers-tob deleted the stefano/improvement/mdfind-overhead-and-interruption branch August 18, 2022 16:57
@mike-myers-tob mike-myers-tob added this to the 5.6.0 milestone Aug 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@directionless directionless directionless approved these changes

Assignees
No one assigned
Labels
macOS performance virtual tables
Projects
None yet
Milestone
5.6.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Smjert @directionless @mike-myers-tob