Skip to content

HS: Prune stale cache files from disk v3 #14270

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

HS: Prune stale cache files from disk v3 #14270

wants to merge 10 commits into from
+489 −37

Conversation

@lukashino
Copy link
Contributor

@lukashino lukashino commented Nov 4, 2025

Follow-up of #14212

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7830

Describe changes:
v3:

  • cache stats added as an independent component for MPM cache stats
  • sensor name removed from the cache file name
  • humantime Rust crate
  • warning added about one cache folder for simultaneously running multiple instances

v2:

  • Hyperscan cache files are now hashed using SHA256 and stored in the hex of a full length (256 bits -> 64 characters)
  • Sensor name is now part of the cache file names, individual instances can now be distinguished with the sensor name
  • The time parsing C function was replaced with a Rust crate
  • In HS: Prune stale cache files from disk v1.1 #13850, Jason asked about the immediate pruning - that is possible, just set the max age to (e.g. 2) seconds.
  • In HS: Prune stale cache files from disk v1.1 #13850, Jason pointed out a synchronization problem of multiple instances sharing one cache folder, e.g., over NFS. This is not addressed here and is currently easily solved by, e.g., sensor name or per-instance folder.

v1:

  • time parsing function from config,
  • "touch" files to signal actively used files,
  • pruning function to remove the HS MPM cache files older than the age specified in the config.

The logic to determine a stale file is currently based on the modification timestamp in the file systems. The accessed time stamp was not used as it may be switched off. Alternatively, we could use a local DB/notekeeping file of the last used files/caches but this approach seemed simpler.

I can also add GitHub CI tests, I thought of some scenarios.

Lukas Sismis added 10 commits November 4, 2025 12:50
@lukashino
hs: remove extra space
640f860
@lukashino
hs: update the file description
4fea628
@lukashino
hs: reduce cache filename size to max file limit
33e628a
@lukashino
hs: change hash in the cache name to SHA256
95ea39d
@lukashino
misc: time unit parsing function
02158bf
@lukashino
conf: add time parsing conf function
461d7e0
@lukashino
path: signal last use of the file (touch)
7713f6d 
To have a system-level overview of when was the last time the file was
used, update the file modification timestamp to to the current time.

This is needed to remove stale cache files of the system.

Access time is not used as it may be, on the system level, disabled.

Ticket: 7830
@lukashino
hs: touch cache files on use to signal activity
dbf95c2 
Ticket: 7830
@lukashino
hs: prune stale MPM cache files
9c4ed5f 
Hyperscan MPM can cache the compiled contexts to files.
This however grows as rulesets change and leads to bloating
the system. This addition prunes the stale cache files based
on their modified file timestamp.

Part of this work incorporates new model for MPM cache stats
to split it out from the cache save function and aggregate
cache-related stats in one place (newly added pruning).

Ticket: 7830
@lukashino
hs: warn about the same cache directory
076b491 
This is especially relevant for multi-instance simultaneous setups
as we might risk read/write races.
@lukashino lukashino mentioned this pull request Nov 4, 2025
Closed
@codecov
Copy link

codecov bot commented Nov 4, 2025

Codecov Report

❌ Patch coverage is 62.75304% with 92 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.14%. Comparing base (bb1ed16) to head (076b491).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #14270      +/-   ##
==========================================
- Coverage   84.14%   84.14%   -0.01%     
==========================================
  Files        1013     1013              
  Lines      262354   262574     +220     
==========================================
+ Hits       220764   220930     +166     
- Misses      41590    41644      +54
Flag Coverage Δ
fuzzcorpus 63.29% <5.00%> (-0.03%) ⬇️
livemode 18.71% <5.00%> (-0.01%) ⬇️
pcap 44.59% <5.00%> (-0.04%) ⬇️
suricata-verify 64.85% <5.00%> (-0.05%) ⬇️
unittests 59.20% <62.75%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@suricata-qa
Copy link

suricata-qa commented Nov 5, 2025

Information: QA ran without warnings.

Pipeline = 28312

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukashino @suricata-qa