Centos – High CPU usage with systemd-journal 219 on CentOS

centosjournaldsystemd

systemd-journal seems to have hig CPU usage, compare to HAProxy that is the actual service on the node:

385   root      20   0   69948  26152  25776 S   3.0  0.2   0:04.05 systemd-journal
22509 haproxy   20   0   58264   7256   1812 S   1.3  0.0   0:00.45 haproxy

CPU:

vendor_id       : GenuineIntel
cpu family      : 6
model           : 63
model name      : Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz
stepping        : 2
microcode       : 0x25
cpu MHz         : 2400.139
cache size      : 30720 KB

OS:

Linux ip-172-33-30-32.eu-central-1.compute.internal 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Systemd:

systemd-219-30.el7_3.7.x86_64
systemd-libs-219-30.el7_3.7.x86_64
systemd-sysv-219-30.el7_3.7.x86_64

Is there a way to optimize systemd-journal to have lower CPU usage? Is this supposed to be normal for logging to use this much CPU?

Best Answer

Firstly, it doesn't seems much of high cpu-usage.

journald, has a more complex workflow than rsyslogd, since it process and keep the data in a more structured form. If you have very high log output to the journaldby your services, it is normal that journaldis overloaded.

In order to optimize journald; Journald has following settings as defaults within following file:

/etc/sysconfig/journald.conf

   #RateLimitInterval=30s
   #RateLimitBurst=1000

If your service logs are non-critical, you can lower the rate limits to suspend the logs of the service which overloads the journald. It also comes with disadvantage that you may lose your logs. Which you will be notifed by journaldstating the suspended log counts within RateLimitInterval, as an enrty instead of logs which are suspended.

Setting does to "0" will disable suspending, and you will have much higher cpu-usage.

If logs are important for you seperate service logs from journald and use rsyslogd. But again this is not high cpu-usage.

Upload server configuration

This one is actually simple, online example are correct and only need to touch one configuration file.

Use following command to install systemd-journal-remote

sudo apt-get install systemd-journal-remote

Edit /etc/systemd/journal-upload.conf.

/etc/systemd/journal-upload.conf

[Upload]
URL=http://10.0.0.1:19532
# ServerKeyFile=/etc/ssl/private/journal-upload.pem
# ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
# TrustedCertificateFile=/etc/ssl/ca/trusted.pem

To make sure journal-upload auto start on boot

sudo systemctl enable systemd-journal-upload.service

Restart journal-upload after configuration.

sudo systemctl restart systemd-journal-upload.service

If you are using http, you can do as above and leave the bottom 3 lines commented. For active mode https, uncomment them and create those cert files.

The URL actually dictate the transfer protocol(http/https) and the destination port to use.

Additionally if you want to prevent accidental overwrite by future package update, you can create a /etc/systemd/journal-upload.conf.d directory and put your config file inside, as long as the file end with a .conf extension.

As a side notes, I am doing this within a LXC container and seems the service will not use /etc/hosts for dns resolution, I end up using IP address here. So if you use hostname and see error message that journal-upload cannot reach the target, try with IP address.

Receiving server configuration

The receiving server give me most of the trouble when looking for configuration information. And unlike the uploading server, configuration is scattered on this side.

Use following command to install systemd-journal-remote and enable the listening port

sudo apt-get install systemd-journal-remote
sudo systemctl enable systemd-journal-remote.socket

There are two ways, active and passive, to configure journal-remote. I am using passive mode here.

Port number

The configuration file for journal listening port is /etc/systemd/system/sockets.target.wants/systemd-journal-remote.socket as follow. ListenStream is the port number.

Unlike the uploading side, this setting has nothing to do with which protocol(http/https) to use. It only specify the listening port number.

[Unit]
Description=Journal Remote Sink Socket

[Socket]
ListenStream=19532

[Install]
WantedBy=sockets.target

Protocol(http/https) and journal/log location

To change the protocol of the journal transfer and the save location, copy /lib/systemd/system/systemd-journal-remote.service into /etc/systemd/system/, then edit /etc/systemd/system/systemd-journal-remote.service.

[Unit]
Description=Journal Remote Sink Service
Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
Requires=systemd-journal-remote.socket

[Service]
ExecStart=/etc/systemd/systemd-journal-remote \
          --listen-http=-3 \
          --output=/var/log/journal/remote/
User=systemd-journal-remote
Group=systemd-journal-remote
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
WatchdogSec=3min

[Install]
Also=systemd-journal-remote.socket

The --listen-http=-3 specify the incoming journal is using http. If you want to use https, change it to --listen-https=-3.

--output=/var/log/journal/remote/ specify the sink (saving directory) of incoming journal. If it does not exist, create it and change its owner to systemd-journal-remote.

sudo mkdir /var/log/journal/remote
sudo chown systemd-journal-remote /var/log/journal/remote

Restart journal-remote.socket after configuration.

sudo systemctl daemon-reload

What about the most obvious /etc/systemd/journal-remote.conf?

[Remote]
# Seal=false
# SplitMode=host
# ServerKeyFile=/etc/ssl/private/journal-remote.pem
# ServerCertificateFile=/etc/ssl/certs/journal-remote.pem
# TrustedCertificateFile=/etc/ssl/ca/trusted.pem

Since I am not using https, don't need to change anything.

Best Answer

Related Solutions

Linux – Forward systemd journal messages/Collect systemd journal messages

Systemd Journal-Remote – How to Configure Systemd Journal-Remote

Upload server configuration

Receiving server configuration

Related Topic