Skip to content

[CWS] Add configurable RT scheduling for ring buffer reader thread#48854

Draft
YoannGh wants to merge 5 commits intomainfrom
yoanngh/eventstream-rt-scheduling
Draft

[CWS] Add configurable RT scheduling for ring buffer reader thread#48854
YoannGh wants to merge 5 commits intomainfrom
yoanngh/eventstream-rt-scheduling

Conversation

@YoannGh
Copy link
Copy Markdown
Contributor

@YoannGh YoannGh commented Apr 3, 2026
edited
Loading

What does this PR do?

Adds a configurable realtime scheduling policy (SCHED_FIFO or SCHED_RR) for the OS thread running the eBPF ring buffer reader goroutine in the eventmonitor module.

Motivation

Under heavy syscall load, the ring buffer reader goroutine can be starved by the kernel's default CFS scheduler, causing the ring buffer to fill and security events to be dropped. By applying a realtime scheduling policy to the reader thread, it gets priority over normal workloads, reducing event loss and improving runtime security coverage.

Describe how you validated your changes

  • Unit tests for config validation (TestSanitizeSchedulingConfig, 9 cases covering valid/invalid policy and priority combinations)
  • Integration build with local ebpf-manager checkout containing the RT scheduling changes
  • Verified graceful degradation: when CAP_SYS_NICE is missing, sched_setattr fails and the reader continues with default scheduling, logging a warning via ErrChan

Additional Notes

  • Depends on DataDog/ebpf-manager#271 (RT scheduling support in RingBufferOptions)
  • New config keys: event_monitoring_config.event_stream.scheduling_policy (string, default "") and event_monitoring_config.event_stream.scheduling_priority (int, default 0)
  • Requires CAP_SYS_NICE in containerized environments when enabled
  • Feature is disabled by default (no scheduling policy change)

@github-actions github-actions Bot added the medium review PR review might take time label Apr 3, 2026
@YoannGh YoannGh added qa/rc-required Only for a PR that requires validation on the Release Candidate changelog/no-changelog No changelog entry needed labels Apr 3, 2026
@YoannGh YoannGh changed the title CWS: Add configurable RT scheduling for ring buffer reader thread [CWS] Add configurable RT scheduling for ring buffer reader thread Apr 3, 2026
@agent-platform-auto-pr
Copy link
Copy Markdown
Contributor

agent-platform-auto-pr Bot commented Apr 3, 2026
edited
Loading

Files inventory check summary

File checks results against ancestor 00ba5786:

Results for datadog-agent_7.79.0~devel.git.473.2fdead3.pipeline.106413747-1_amd64.deb:

No change detected

@agent-platform-auto-pr
Copy link
Copy Markdown
Contributor

agent-platform-auto-pr Bot commented Apr 3, 2026
edited
Loading

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 00ba578
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +3.69 KiB (0.00% increase) 753.303 → 753.307 → 753.380
agent_deb_amd64_fips +7.69 KiB (0.00% increase) 710.215 → 710.223 → 713.900
agent_heroku_amd64 +4.0 KiB (0.00% increase) 313.459 → 313.462 → 320.580
agent_msi +3.0 KiB (0.00% increase) 605.191 → 605.193 → 651.440
agent_rpm_amd64 +3.69 KiB (0.00% increase) 753.287 → 753.291 → 753.350
agent_rpm_amd64_fips +7.69 KiB (0.00% increase) 710.199 → 710.206 → 713.880
agent_rpm_arm64 +3.09 KiB (0.00% increase) 731.663 → 731.666 → 735.290
agent_rpm_arm64_fips +7.09 KiB (0.00% increase) 691.627 → 691.634 → 696.840
agent_suse_amd64 +3.69 KiB (0.00% increase) 753.287 → 753.291 → 753.350
agent_suse_amd64_fips +7.69 KiB (0.00% increase) 710.199 → 710.206 → 713.880
agent_suse_arm64 +3.09 KiB (0.00% increase) 731.663 → 731.666 → 735.290
agent_suse_arm64_fips +7.09 KiB (0.00% increase) 691.627 → 691.634 → 696.840
docker_agent_amd64 +3.69 KiB (0.00% increase) 813.575 → 813.579 → 815.700
docker_agent_arm64 +3.09 KiB (0.00% increase) 816.753 → 816.756 → 821.970
docker_agent_jmx_amd64 +3.69 KiB (0.00% increase) 1004.491 → 1004.494 → 1006.580
docker_agent_jmx_arm64 +3.1 KiB (0.00% increase) 996.447 → 996.450 → 1001.570
15 successful checks with minimal change (< 2 KiB)
Quality gate Current Size
docker_cluster_agent_amd64 204.103 MiB
docker_cluster_agent_arm64 218.547 MiB
docker_cws_instrumentation_amd64 7.142 MiB
docker_cws_instrumentation_arm64 6.689 MiB
docker_dogstatsd_amd64 39.262 MiB
docker_dogstatsd_arm64 37.507 MiB
dogstatsd_deb_amd64 29.913 MiB
dogstatsd_deb_arm64 28.062 MiB
dogstatsd_rpm_amd64 29.913 MiB
dogstatsd_suse_amd64 29.913 MiB
iot_agent_deb_amd64 43.297 MiB
iot_agent_deb_arm64 40.344 MiB
iot_agent_deb_armhf 41.092 MiB
iot_agent_rpm_amd64 43.298 MiB
iot_agent_suse_amd64 43.298 MiB
On-wire sizes (compressed)
Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +66.95 KiB (0.04% increase) 174.781 → 174.846 → 178.360
agent_deb_amd64_fips -34.52 KiB (0.02% reduction) 165.449 → 165.415 → 172.790
agent_heroku_amd64 -5.68 KiB (0.01% reduction) 75.044 → 75.038 → 79.970
agent_msi +4.0 KiB (0.00% increase) 138.469 → 138.473 → 146.220
agent_rpm_amd64 +4.2 KiB (0.00% increase) 177.607 → 177.611 → 181.830
agent_rpm_amd64_fips -5.38 KiB (0.00% reduction) 167.736 → 167.731 → 173.370
agent_rpm_arm64 -40.75 KiB (0.02% reduction) 159.633 → 159.593 → 163.060
agent_rpm_arm64_fips -8.18 KiB (0.01% reduction) 151.509 → 151.501 → 156.170
agent_suse_amd64 +4.2 KiB (0.00% increase) 177.607 → 177.611 → 181.830
agent_suse_amd64_fips -5.38 KiB (0.00% reduction) 167.736 → 167.731 → 173.370
agent_suse_arm64 -40.75 KiB (0.02% reduction) 159.633 → 159.593 → 163.060
agent_suse_arm64_fips -8.18 KiB (0.01% reduction) 151.509 → 151.501 → 156.170
docker_agent_amd64 -4.31 KiB (0.00% reduction) 268.257 → 268.252 → 272.480
docker_agent_arm64 +3.39 KiB (0.00% increase) 255.447 → 255.450 → 261.060
docker_agent_jmx_amd64 -4.6 KiB (0.00% reduction) 336.907 → 336.903 → 341.100
docker_agent_jmx_arm64 -6.26 KiB (0.00% reduction) 320.084 → 320.078 → 325.620
docker_cluster_agent_amd64 neutral 71.418 MiB → 72.920
docker_cluster_agent_arm64 neutral 67.039 MiB → 68.220
docker_cws_instrumentation_amd64 neutral 2.999 MiB → 3.330
docker_cws_instrumentation_arm64 neutral 2.729 MiB → 3.090
docker_dogstatsd_amd64 neutral 15.175 MiB → 15.820
docker_dogstatsd_arm64 +2.03 KiB (0.01% increase) 14.495 → 14.497 → 14.830
dogstatsd_deb_amd64 neutral 7.897 MiB → 8.790
dogstatsd_deb_arm64 neutral 6.782 MiB → 7.710
dogstatsd_rpm_amd64 neutral 7.908 MiB → 8.800
dogstatsd_suse_amd64 neutral 7.908 MiB → 8.800
iot_agent_deb_amd64 neutral 11.407 MiB → 13.040
iot_agent_deb_arm64 +2.68 KiB (0.03% increase) 9.721 → 9.724 → 11.450
iot_agent_deb_armhf neutral 9.944 MiB → 11.620
iot_agent_rpm_amd64 neutral 11.423 MiB → 13.060
iot_agent_suse_amd64 neutral 11.423 MiB → 13.060

@cit-pr-commenter-54b7da
Copy link
Copy Markdown

cit-pr-commenter-54b7da Bot commented Apr 3, 2026
edited
Loading

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 34f83c96-77ae-4543-810e-2b409e048871

Baseline: 118f309
Comparison: 2fdead3
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI trials links
docker_containers_cpu % cpu utilization +1.53 [-1.61, +4.67] 1 Logs

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
docker_containers_cpu % cpu utilization +1.53 [-1.61, +4.67] 1 Logs
tcp_syslog_to_blackhole ingress throughput +0.71 [+0.55, +0.86] 1 Logs
quality_gate_metrics_logs memory utilization +0.68 [+0.44, +0.91] 1 Logs bounds checks dashboard
otlp_ingest_logs memory utilization +0.41 [+0.31, +0.52] 1 Logs
ddot_logs memory utilization +0.36 [+0.29, +0.43] 1 Logs
ddot_metrics_sum_delta memory utilization +0.28 [+0.10, +0.46] 1 Logs
quality_gate_idle memory utilization +0.18 [+0.13, +0.23] 1 Logs bounds checks dashboard
file_to_blackhole_500ms_latency egress throughput +0.13 [-0.26, +0.52] 1 Logs
ddot_metrics memory utilization +0.04 [-0.15, +0.23] 1 Logs
file_to_blackhole_0ms_latency egress throughput +0.03 [-0.47, +0.52] 1 Logs
file_to_blackhole_1000ms_latency egress throughput +0.02 [-0.42, +0.46] 1 Logs
uds_dogstatsd_to_api_v3 ingress throughput +0.01 [-0.19, +0.22] 1 Logs
tcp_dd_logs_filter_exclude ingress throughput +0.01 [-0.10, +0.12] 1 Logs
uds_dogstatsd_to_api ingress throughput -0.00 [-0.21, +0.20] 1 Logs
file_to_blackhole_100ms_latency egress throughput -0.01 [-0.14, +0.11] 1 Logs
ddot_metrics_sum_cumulativetodelta_exporter memory utilization -0.04 [-0.26, +0.19] 1 Logs
file_tree memory utilization -0.10 [-0.16, -0.05] 1 Logs
docker_containers_memory memory utilization -0.16 [-0.25, -0.08] 1 Logs
ddot_metrics_sum_cumulative memory utilization -0.30 [-0.44, -0.16] 1 Logs
uds_dogstatsd_20mb_12k_contexts_20_senders memory utilization -0.46 [-0.51, -0.40] 1 Logs
quality_gate_idle_all_features memory utilization -0.57 [-0.61, -0.54] 1 Logs bounds checks dashboard
otlp_ingest_metrics memory utilization -0.79 [-0.94, -0.63] 1 Logs
quality_gate_logs % cpu utilization -2.76 [-4.41, -1.12] 1 Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed observed_value links
docker_containers_cpu simple_check_run 10/10 715 ≥ 26
docker_containers_memory memory_usage 10/10 273.81MiB ≤ 370MiB
docker_containers_memory simple_check_run 10/10 680 ≥ 26
file_to_blackhole_0ms_latency memory_usage 10/10 0.19GiB ≤ 1.20GiB
file_to_blackhole_0ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_1000ms_latency memory_usage 10/10 0.23GiB ≤ 1.20GiB
file_to_blackhole_1000ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_100ms_latency memory_usage 10/10 0.19GiB ≤ 1.20GiB
file_to_blackhole_100ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_500ms_latency memory_usage 10/10 0.21GiB ≤ 1.20GiB
file_to_blackhole_500ms_latency missed_bytes 10/10 0B = 0B
quality_gate_idle intake_connections 10/10 3 = 3 bounds checks dashboard
quality_gate_idle memory_usage 10/10 173.35MiB ≤ 181MiB bounds checks dashboard
quality_gate_idle_all_features intake_connections 10/10 3 = 3 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 489.49MiB ≤ 550MiB bounds checks dashboard
quality_gate_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_logs memory_usage 10/10 202.95MiB ≤ 220MiB bounds checks dashboard
quality_gate_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_metrics_logs cpu_usage 10/10 340.90 ≤ 2000 bounds checks dashboard
quality_gate_metrics_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_metrics_logs memory_usage 10/10 410.04MiB ≤ 475MiB bounds checks dashboard
quality_gate_metrics_logs missed_bytes 10/10 0B = 0B bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.

YoannGh added 5 commits April 7, 2026 16:54
@YoannGh
Update ebpf-manager to v0.7.17-0.20260402145614-14db7084c2aa
7627d19 
Picks up RT scheduling support for the ring buffer reader goroutine
(SchedPolicy/SchedPriority fields in RingBufferOptions).
@YoannGh
Register event_stream scheduling_policy and scheduling_priority confi…
b047344 
…g keys

These new keys under event_monitoring_config.event_stream allow
configuring a realtime scheduling policy for the ring buffer reader
thread. Disabled by default (empty policy, priority 0).
@YoannGh
Add event stream RT scheduling config fields and validation
29c2b19 
Add EventStreamSchedulingPolicy and EventStreamSchedulingPriority to
the security probe config. Validation rejects invalid policy strings,
priorities outside 1-99, and mismatched policy/priority settings.
@YoannGh
Plumb RT scheduling config to ebpf-manager ring buffer options
d88c96a 
When event_stream.scheduling_policy is configured, convert the policy
string to the unix constant, set up an ErrChan with a drain goroutine
for warning on sched_setscheduler failures, and pass both policy and
priority to ebpf-manager's RingBufferOptions.
@YoannGh
Prefix config parameter names with event_monitoring_config in error m…
2fdead3 
…essages

Align error messages in sanitize() with the full config key path so
users can find the exact parameter to fix.
@YoannGh YoannGh force-pushed the yoanngh/eventstream-rt-scheduling branch from 648e7c8 to 2fdead3 Compare April 7, 2026 14:55
@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented Apr 23, 2026

This pull request has been automatically marked as stale because it has not had activity in the past 15 days.

It will be closed in 30 days if no further activity occurs. If this pull request is still relevant, adding a comment or pushing new commits will keep it open. Also, you can always reopen the pull request if you missed the window.

Thank you for your contributions!

@dd-octo-sts dd-octo-sts Bot added the stale label Apr 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

changelog/no-changelog No changelog entry needed component/system-probe internal Identify a non-fork PR medium review PR review might take time qa/rc-required Only for a PR that requires validation on the Release Candidate stale team/agent-configuration team/agent-security team/ebpf-platform

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@YoannGh