Seccomp default policy is missing clock_nanosleep

Elastic Stack Beats
,
1

On some ubuntu hosts I'm facing high CPU consumption by auditbeat(7.16.3&8.5.1) and journalbeat(7.15.2) with default config.

During investigation with strace found out:

clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)

Fixed by adding to beat config:

seccomp:
  syscalls:
  - action: allow
    names:
    - clock_nanosleep
2

Thanks for the report. Can you open an an issue on github for this.

Can you include the OS version and glibc deb pkg version there too.

3
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.