NewRelic Infra Agent is launching semodule -l over and over again killing the box

Hey Mario,

The default value for selinux_interval_sec is 30, which is also the floor of our SELinux sampling period.

We are too facing this issue while using newrelic-infra-1.0.859-1.x86_64

We’ve just released a new version of the Infra agent which has some fixes in this area. More information here:

https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes/new-relic-infrastructure-agent-10872

Allow disabling inventory of SELinux modules in hosts where the associated command consumes too much CPU. Set selinux_enable_semodule configuration option to false to disable it while keeping the rest of SELinux plugin features.

Paul

1 Like

Awesome news @peraut! @vikas027 - please let us know if this addresses your issue.

Hey @peraut,

I have deployed a new version and confirm setting selinux_enable_semodule worked fine.

Thanks,
Vikas

1 Like

Hi Vikas!

Thank you for confirming that! I do appreciate the feedback on it.

Regards,

Paul

3 Likes

Hi Paul,

Can you confirm whether this setting would have any effect on hosts that don’t have SELinux? Presumably there is nothing to check and no impact.

Hi!

This setting should have no effect on hosts that don’t have SELinux aside from an error message in the log file.

1 Like

I have this issue on only one of my 16 hosts running newrelic, most of which have selinux enabled. Setting selinux_enable_semodule to false fixed it, but it is odd its only one server. It isn’t an oddball server either, its a mysql slave server. I have several others.

Hi, I’m having the same issue, but neither of the above worked for me, I’ve added selinux_enable_semodule: false into the in newrelic-infra.yml and restarted the agent again and again, the CPU only drop for a few seconds and back to 100%, and the semodule -l is still running…

Tried updated the agent to the newest as well, still not working :disappointed_relieved:

Is there anything else I can try? Thank you!

Update: I’ve figured it out later, the selinux_enable_semodule: false was misplaced under other config hierarchy. Once moved it up it worked but the CPU issue was actually caused by something else.

For me it works selinux_enable_semodule: false in /etc/newrelic-infra.yml. But this solution it this definitive ?

The patch doesnt work for a instance in my environment, can someone advice for further actions on a resolution please.