disable THP by default in system-probe and the security-agent

[paulcacheux]

What does this PR do?

This PR disables THP usage in the system-probe and the security-agent by default. After running a lot of benchmarks and internal deployments, we showed that the impact of disabling THPs was neutral or positive, especially in the SMP environment.

Internally we deploy the agent on nodes configured with transparent huge pages configed in madvise mode. This means that only pages that have an additional madvise call on them with MADV_HUGEPAGE will make use of huge pages. The go runtime does not make this call in the general case, meaning that we have deployed the agent internally with THP disabled since basically forever.

In SMP benchmarks, the impact of disabling THP allows the system-probe and the security agent to not exhibit extra memory usage at the end of the 10 min run:
baseline:

comparison:

in this particular benchmark the maximum PSS for the total container going from 545MiB to 517MiB with THPs disabled.

Re-enabling THP usage is still possible using the system_probe_config.disable_thp or security_agent.disable_thp configuration options.

Motivation

Describe how you validated your changes

Possible Drawbacks / Trade-offs

Additional Notes

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 3683b7ab-90e0-449b-ac3d-1127cc5f6428

Baseline: 664666f
Comparison: 3dd5b5a
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+0.56	[-2.19, +3.31]	1	Logs bounds checks dashboard
➖	ddot_metrics	memory utilization	+0.29	[+0.17, +0.40]	1	Logs
➖	quality_gate_idle	memory utilization	+0.26	[+0.19, +0.34]	1	Logs bounds checks dashboard
➖	docker_containers_cpu	% cpu utilization	+0.19	[-2.86, +3.24]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	+0.18	[+0.12, +0.23]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.13	[+0.09, +0.18]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.10	[-0.57, +0.77]	1	Logs
➖	otlp_ingest_logs	memory utilization	+0.09	[-0.03, +0.21]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	+0.09	[-0.14, +0.31]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	+0.08	[-0.51, +0.66]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.01	[-0.60, +0.62]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.29, +0.31]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.02, +0.03]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	-0.04	[-0.65, +0.58]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.05	[-0.60, +0.50]	1	Logs
➖	docker_containers_memory	memory utilization	-0.07	[-0.16, +0.02]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.08	[-0.69, +0.54]	1	Logs
➖	file_to_blackhole_0ms_latency_http1	egress throughput	-0.14	[-0.69, +0.41]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.15	[-0.29, -0.01]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.30	[-1.13, +0.53]	1	Logs
➖	ddot_logs	memory utilization	-0.48	[-0.57, -0.38]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-1.32	[-1.37, -1.26]	1	Logs bounds checks dashboard
➖	file_tree	memory utilization	-2.66	[-2.75, -2.57]	1	Logs

Bounds Checks: ❌ Failed

perf	experiment	bounds_check_name	replicates_passed	links
❌	file_to_blackhole_0ms_latency_http2	lost_bytes	9/10
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 664666f

Successful checks

Info

	Quality gate	Delta	On disk size (MiB)	Delta	On wire size (MiB)
✅	agent_deb_amd64	$${0}$$	$${696.11}$$ < $${700.55}$$	$${+0.01}$$	$${175.87}$$ < $${177.62}$$
✅	agent_deb_amd64_fips	$${0}$$	$${694.37}$$ < $${699.75}$$	$${-0.05}$$	$${175.33}$$ < $${177.04}$$
✅	agent_heroku_amd64	$${0}$$	$${349.11}$$ < $${362.84}$$	$${-0.01}$$	$${93.55}$$ < $${98.91}$$
✅	agent_msi	$${0}$$	$${971.14}$$ < $${974.5}$$	$${-0.02}$$	$${147.25}$$ < $${148.11}$$
✅	agent_rpm_amd64	$${0}$$	$${696.1}$$ < $${700.53}$$	$${+0.01}$$	$${177.53}$$ < $${179.2}$$
✅	agent_rpm_amd64_fips	$${0}$$	$${694.35}$$ < $${699.74}$$	$${-0.01}$$	$${177.28}$$ < $${178.75}$$
✅	agent_rpm_arm64	$${0}$$	$${686.32}$$ < $${690.5}$$	$${+0.03}$$	$${161.14}$$ < $${162.56}$$
✅	agent_rpm_arm64_fips	$${0}$$	$${684.63}$$ < $${689.8}$$	$${-0}$$	$${160.13}$$ < $${161.61}$$
✅	agent_suse_amd64	$${0}$$	$${696.1}$$ < $${700.54}$$	$${+0.01}$$	$${177.53}$$ < $${179.2}$$
✅	agent_suse_amd64_fips	$${0}$$	$${694.35}$$ < $${699.74}$$	$${-0.01}$$	$${177.28}$$ < $${178.93}$$
✅	agent_suse_arm64	$${0}$$	$${686.32}$$ < $${690.43}$$	$${+0.03}$$	$${161.14}$$ < $${162.57}$$
✅	agent_suse_arm64_fips	$${0}$$	$${684.63}$$ < $${689.78}$$	$${-0}$$	$${160.13}$$ < $${161.61}$$
✅	docker_agent_amd64	$${+0}$$	$${779.9}$$ < $${784.33}$$	$${-0}$$	$${268.63}$$ < $${270.56}$$
✅	docker_agent_arm64	$${0}$$	$${793.57}$$ < $${797.68}$$	$${+0}$$	$${256.02}$$ < $${257.84}$$
✅	docker_agent_jmx_amd64	$${-0}$$	$${971.09}$$ < $${975.52}$$	$${-0}$$	$${337.59}$$ < $${339.53}$$
✅	docker_agent_jmx_arm64	$${-0}$$	$${973.36}$$ < $${977.47}$$	$${-0}$$	$${320.96}$$ < $${322.81}$$
✅	docker_agent_windows1809	$${-0}$$	$${1184.0}$$ < $${1190.0}$$	$${+0}$$	$${417.5}$$ < $${422.66}$$
✅	docker_agent_windows1809_core	$${+0}$$	$${5913.96}$$ < $${5919.41}$$	$${0}$$	$${2048.0}$$ < $${2049.0}$$
✅	docker_agent_windows1809_core_jmx	$${+0.23}$$	$${6035.76}$$ < $${6063.56}$$	$${0}$$	$${2048.0}$$ < $${2049.0}$$
✅	docker_agent_windows1809_jmx	$${-0}$$	$${1305.63}$$ < $${1311.1}$$	$${+0.01}$$	$${459.81}$$ < $${464.35}$$
✅	docker_agent_windows2022	$${+0.26}$$	$${1203.36}$$ < $${1208.75}$$	$${+0.01}$$	$${430.28}$$ < $${434.91}$$
✅	docker_agent_windows2022_core	$${-0.12}$$	$${5887.02}$$ < $${5892.66}$$	$${0}$$	$${2048.0}$$ < $${2049.0}$$
✅	docker_agent_windows2022_core_jmx	$${+0}$$	$${6008.66}$$ < $${6014.08}$$	$${0}$$	$${2048.0}$$ < $${2049.0}$$
✅	docker_agent_windows2022_jmx	$${-0.22}$$	$${1324.8}$$ < $${1330.39}$$	$${+0}$$	$${472.56}$$ < $${477.17}$$
✅	docker_cluster_agent_amd64	$${-0}$$	$${213.63}$$ < $${214.5}$$	$${-0}$$	$${72.63}$$ < $${73.51}$$
✅	docker_cluster_agent_arm64	$${-0}$$	$${229.42}$$ < $${230.33}$$	$${-0}$$	$${68.88}$$ < $${69.77}$$
✅	docker_cws_instrumentation_amd64	$${+0}$$	$${7.07}$$ < $${7.12}$$	$${+0}$$	$${2.95}$$ < $${3.29}$$
✅	docker_cws_instrumentation_arm64	$${0}$$	$${6.69}$$ < $${6.92}$$	$${+0}$$	$${2.7}$$ < $${3.07}$$
✅	docker_dogstatsd_amd64	$${-0}$$	$${39.21}$$ < $${39.57}$$	$${+0}$$	$${15.12}$$ < $${15.76}$$
✅	docker_dogstatsd_arm64	$${0}$$	$${37.88}$$ < $${38.2}$$	$${-0}$$	$${14.54}$$ < $${14.83}$$
✅	dogstatsd_deb_amd64	$${0}$$	$${30.42}$$ < $${31.4}$$	$${+0}$$	$${8.0}$$ < $${8.95}$$
✅	dogstatsd_deb_arm64	$${0}$$	$${28.99}$$ < $${29.97}$$	$${-0}$$	$${6.94}$$ < $${7.89}$$
✅	dogstatsd_rpm_amd64	$${0}$$	$${30.42}$$ < $${31.4}$$	$${-0}$$	$${8.01}$$ < $${8.96}$$
✅	dogstatsd_suse_amd64	$${0}$$	$${30.42}$$ < $${31.4}$$	$${-0}$$	$${8.01}$$ < $${8.96}$$
✅	iot_agent_deb_amd64	$${0}$$	$${53.77}$$ < $${54.55}$$	$${+0}$$	$${13.55}$$ < $${14.45}$$
✅	iot_agent_deb_arm64	$${0}$$	$${51.11}$$ < $${51.9}$$	$${+0}$$	$${11.73}$$ < $${12.63}$$
✅	iot_agent_deb_armhf	$${0}$$	$${50.62}$$ < $${51.42}$$	$${-0}$$	$${11.83}$$ < $${12.74}$$
✅	iot_agent_rpm_amd64	$${0}$$	$${53.77}$$ < $${54.55}$$	$${-0}$$	$${13.57}$$ < $${14.47}$$
✅	iot_agent_rpm_arm64	$${0}$$	$${51.11}$$ < $${51.91}$$	$${+0}$$	$${11.75}$$ < $${12.65}$$
✅	iot_agent_suse_amd64	$${0}$$	$${53.77}$$ < $${54.55}$$	$${-0}$$	$${13.57}$$ < $${14.47}$$

[dustmop]

Approved for agent-configuration owned files

[usamasaqib]

Can you share details of the benchmarks and results from deployments?

[aliciascott]

good for docs

[usamasaqib]

Given that this is an SMP environment variability issue, I am not sure if this is the best place to solve this.
cc: @scottopell

[paulcacheux]

/merge

[dd-devflow-routing-codex]

View all feedbacks in Devflow UI.

2025-07-09 13:44:07 UTC ℹ️ Start processing command /merge

---

2025-07-09 13:44:22 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 49m (p90).

---

2025-07-09 14:46:59 UTC ℹ️ MergeQueue: This merge request was merged