new(config): add falco_libs.thread_table_size

Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>

falco.yaml

@@ -65,6 +65,8 @@
 #     metrics
 # Falco performance tuning (advanced)
 #     base_syscalls
+# Falco libs
+#     falco_libs
 
 ################################
 # Falco command-line arguments #
@@ -1100,6 +1102,29 @@ base_syscalls:
   custom_set: []
   repair: false
 
+##############
+# Falco libs #
+##############
+
+# [Experimental] `falco_libs` - Potentially subject to more frequent changes
+#
+# `thread_table_size`
+#
+# Set the maximum number of entries (the absolute maximum value can only be MAX UINT32) 
+# for Falco's internal threadtable (process cache). Please note that Falco operates at a 
+# granular level, focusing on individual threads. Falco rules reference the thread leader 
+# as the process. The size of the threadtable should typically be much higher than the 
+# number of currently alive processes. The default value should work well on modern 
+# infrastructures and be sufficient to absorb bursts.
+#
+# Reducing its size can help in better memory management, but as a consequence, your 
+# process tree may be more frequently disrupted due to missing threads. You can explore 
+# `metrics.state_counters_enabled` to measure how the internal state handling is performing, 
+# and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
+# if you should increase this value for optimal performance.
+falco_libs:
+  thread_table_size: 262144
+
 # [Stable] Guidance for Kubernetes container engine command-line args settings
 #
 # Modern cloud environments, particularly Kubernetes, heavily rely on

userspace/engine/falco_common.h

@@ -28,6 +28,8 @@ limitations under the License.
 //
 #define DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE std::ptrdiff_t(~size_t(0) / 2)
 
+#define DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE 262144
+
 //
 // Most falco_* classes can throw exceptions. Unless directly related
 // to low-level failures like inability to open file, etc, they will

userspace/falco/app/actions/helpers_inspector.cpp

@@ -53,6 +53,12 @@ falco::app::run_result falco::app::actions::open_live_inspector(
 			inspector->set_sinsp_stats_v2_enabled();
 		}
 
+		if(s.config->m_falco_libs_thread_table_size > 0)
+		{
+			// Default value is set in libs as part of the sinsp_thread_manager setup
+			inspector->m_thread_manager->set_max_thread_table_size(s.config->m_falco_libs_thread_table_size);
+		}
+
 		if (source != falco_common::syscall_source) /* Plugin engine */
 		{
 			for (const auto& p: inspector->get_plugin_manager()->plugins())

userspace/falco/configuration.cpp

@@ -70,6 +70,7 @@ falco_configuration::falco_configuration():
 	m_syscall_evt_drop_max_burst(1),
 	m_syscall_evt_simulate_drops(false),
 	m_syscall_evt_timeout_max_consecutives(1000),
+	m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE),
 	m_base_syscalls_repair(false),
 	m_metrics_enabled(false),
 	m_metrics_interval_str("5000"),
@@ -443,6 +444,8 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 		throw std::logic_error("Error reading config file(" + config_name + "): the maximum consecutive timeouts without an event must be an unsigned integer > 0");
 	}
 
+	m_falco_libs_thread_table_size = config.get_scalar<std::uint32_t>("falco_libs.thread_table_size", DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE);
+
 	m_base_syscalls_custom_set.clear();
 	config.get_sequence<std::unordered_set<std::string>>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set"));
 	m_base_syscalls_repair = config.get_scalar<bool>("base_syscalls.repair", false);

userspace/falco/configuration.h

@@ -136,6 +136,8 @@ public:
 
 	uint32_t m_syscall_evt_timeout_max_consecutives;
 
+	uint32_t m_falco_libs_thread_table_size;
+
 	// User supplied base_syscalls, overrides any Falco state engine enforcement.
 	std::unordered_set<std::string> m_base_syscalls_custom_set;
 	bool m_base_syscalls_repair;