Seccomp default policy is missing clock_nanosleep

On some Ubuntu hosts I'm facing high CPU consumption by auditbeat (7.16.3 & 8.5.1) and journalbeat (7.15.2) with the default config.

During investigation with strace I found:

clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)

Fixed by adding to beat config:

seccomp:
  syscalls:
  - action: allow
    names:
    - clock_nanosleep
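
An added example, not part of the original post or of Beats itself: a Python script that scans strace output for syscalls failing with EPERM and prints an allow fragment in the shape shown above. The sample trace and the function names are constructed for illustration; EPERM can also come from ordinary permission checks, so each name should be reviewed before it is allowed.

```python
import re
from collections import Counter

# Constructed sample, in the format of the strace output quoted in the post.
SAMPLE = """\
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=100000000}, NULL) = -1 EPERM (Operation not permitted)
[pid  4242] futex(0xc000080148, FUTEX_WAKE_PRIVATE, 1) = 1
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
epoll_pwait(4, [], 128, 0, NULL, 0) = 0
"""

# One completed syscall line: optional "[pid N]" prefix (strace -f),
# syscall name, arguments, then "= -1 ERRNO" for a failed call.
LINE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?"
    r"(?P<name>[a-z_][a-z0-9_]*)\("
    r".*\)\s+=\s+-1\s+(?P<errno>E[A-Z0-9]+)\b"
)


def denied_syscalls(text, errno="EPERM"):
    """Count syscalls that failed with the given errno.

    A seccomp filter whose default action is errno typically surfaces as
    EPERM, but so do normal kernel permission checks, so the result is a
    list of candidates rather than proof of a policy gap.
    """
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group("errno") == errno:
            counts[m.group("name")] += 1
    return counts


def seccomp_fragment(names):
    """Render an allow rule in the same YAML shape as the fix in the post."""
    lines = ["seccomp:", "  syscalls:", "  - action: allow", "    names:"]
    lines += [f"    - {name}" for name in sorted(names)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = denied_syscalls(SAMPLE)
    for name, count in hits.most_common():
        print(f"# {name}: {count} EPERM result(s)")
    print(seccomp_fragment(hits), end="")
```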

Thanks for the report. Can you open an issue on GitHub for this?

Can you include the OS version and glibc deb pkg version there too?
