Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring CPU Affinity for a cSRX Container Firewall Container

A cSRX Container Firewall instance requires two CPU cores in the Linux server. To help schedule the Linux server tasks and adjust performance of the cSRX Container Firewall container running on a Linux host, you can launch the cSRX Container Firewall container and assign its control and data processes (or daemons) to a specific CPU. In a cSRX Container Firewall container, srxpfe is the data plane daemon and all other daemons (such as nsd, mgd, nstraced, utmd, and so on) are control plane daemons.

CPU affinity ensures that the cSRX Container Firewall control and data plane daemons are pinned to a specific physical CPU, which can improve the cSRX Container Firewall container performance by using the CPU cache efficiently. By default, there is not a defined CPU affinity for the cSRX Container Firewall control and data plane daemons; the CPU on which the control and data plane daemons run depends on Linux kernel scheduling.

To assign cSRX Container Firewall container control and data daemons to a specific CPU, include the environment variables CSRX_CTRL_CPU and CSRX_DATA_CPU in the docker run command.

For example, to configure the cSRX Container Firewall container to launch the control plane daemons on CPU 1 and the data plane daemon on CPU 2:

root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_CTRL_CPU="0x1" -e CSRX_DATA_CPU="0x2" --name=<csrx-container-name> <csrx-image-name>