Linux Agent 8.8.x Performance Considerations
search cancel

Linux Agent 8.8.x Performance Considerations

book

Article ID: 413297

calendar_today

Updated On:

Products

Carbon Black App Control

Issue/Introduction

System resource utilization changes in the 8.8.x Agent

 

Environment

  • App Control Linux Agent: 8.8.0 and Higher

Cause

  • Previously (8.7.x and lower) the Agent operated in both kernel and user space, which resulted in the portion in a portion of the Agent being "hidden" from usage.
  • With the release of 8.8.0 this has changed and the Agent's architecture was redesigned to use an open-source kernel module that enables faster certification of minor or major OS updates.

Resolution

CPU

  • Previously, in the 8.7.x Agent, a closed-source kernel module was used for rules engine processing.
    • Due to this, the kernel module CPU utilization was hidden to tools such as "top" and did not show as part of the b9daemon.
  • In 8.8.x, all kernel processing has been moved to user mode and is done by the b9daemon resulting the higher CPU.
    • The "hidden" CPU utilization by the 8.7.x kernel module is now visible to tools like "top" as part of the b9daemon.
  • Because the workload has shifted from the kernel to user space, internal testing shows overall system-wide CPU utilization is equal to (or better) than with 8.7.x.
    • We encourage evaluating overall system throughput and application latency rather than the isolated b9daemon process.

Memory

  • The Linux 8.8.4 memory utilization under heavy load could climb to a maximum of about 2GB, where it levels off and doesn't increase anymore.
  • In contrast, the 8.7.x agent's memory could grow unlimited until it causes system instability.

Kernel Exclusions

  • Kernel Exclusions created in 8.7.x initially were not honored in early builds of 8.8.x.
  • As of Linux Agent 8.8.6 this functionality has been restored.

Evaluating Performance With 8.8.6+

Because the 8.8.x architecture makes previously "hidden" resource usage visible, direct comparisons of raw b9daemon metrics (like CPU % or Memory) against 8.7.x will naturally look higher. This is an expected shift in reporting, not necessarily a drop in performance. When evaluating your system's health and operations we recommend focusing on tangible workflow impacts, rather than isolated Agent metrics. Examples include:

  • Less Helpful: The b9daemon is using 15% more CPU than before the upgrade.
  • More Helpful: Our automated reports are now taking 7 minutes to generate with 8.8.6, whereas they historically took 2 minutes with 8.7.26.

Additional Information

Powered by Wolken Software