Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
On Fri, Jul 26, 2013 at 1:01 PM, Jay Pipes jaypi...@gmail.com wrote:

> On 07/25/2013 08:24 PM, Joshua Harlow wrote:
>
>> You mean process/forking API right? Honestly I'd sort of think the whole limits.py that is this rate-limiting could also be turned off by default (or a log warn message occurs) when multi-process nova-api is used since the control for that paste module actually returns the currently enforced limits (and how much remaining) and on repeated calls to different processes those values will actually be different. This adds to the confusion that this rate-limiting in-memory/process solution creates which does also seem bad.
>>
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/limits.py
>>
>> Maybe we should not have that code in nova in the future, idk
>
> Agreed +10. Like using SSL in the Python daemons, it doesn't belong in a production Nova deployment. This kind of thing is more appropriate to handle in some external terminator, IMO

Strongly disagree about SSL. Anything that talks on the network should be able to do so securely. It is valid to want to abstract that away for someone else to deal with but if that is the case it should be done explicitly, like writing WSGI apps and requiring a server to do network communications.

-Jon

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
On 07/26/2013 01:59 PM, Jonathan Proulx wrote:

> On Fri, Jul 26, 2013 at 1:01 PM, Jay Pipes jaypi...@gmail.com wrote:
>
>> On 07/25/2013 08:24 PM, Joshua Harlow wrote:
>>
>>> You mean process/forking API right? Honestly I'd sort of think the whole limits.py that is this rate-limiting could also be turned off by default (or a log warn message occurs) when multi-process nova-api is used since the control for that paste module actually returns the currently enforced limits (and how much remaining) and on repeated calls to different processes those values will actually be different. This adds to the confusion that this rate-limiting in-memory/process solution creates which does also seem bad.
>>>
>>> https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/limits.py
>>>
>>> Maybe we should not have that code in nova in the future, idk
>>
>> Agreed +10. Like using SSL in the Python daemons, it doesn't belong in a production Nova deployment. This kind of thing is more appropriate to handle in some external terminator, IMO
>
> Strongly disagree about SSL. Anything that talks on the network should be able to do so securely. It is valid to want to abstract that away for someone else to deal with but if that is the case it should be done explicitly, like writing WSGI apps and requiring a server to do network communications.

?

I think you're missing my point... I was saying that having the Python daemons themselves terminate the SSL is a bad idea for scaling and performance reasons, not that using SSL is a bad practice. :)

The SSL configuration options for Nova/Glance/Cinder/Neutron should only be used in development/testing.

-jay
Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
I'd like to turn it off by default, as already pointed in [1] I think the rate limiting should be managed by something else (for example load balancers) in front of the API.

Regards
--
Andrea Rosa

[1] http://www.gossamer-threads.com/lists/openstack/operators/28599

From: Joe Gordon [mailto:joe.gord...@gmail.com]
Sent: 24 July 2013 23:39
To: OpenStack Development Mailing List
Subject: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default

Hi all

I have proposed a patch to disable per-user rate limiting by default: https://review.openstack.org/#/c/34821/. And on Russell's request does anyone care or prefer this to be enabled by default?

Here is some more context:

Earlier rate limiting discussion: http://www.gossamer-threads.com/lists/openstack/operators/28599
Related bug: https://bugs.launchpad.net/tripleo/+bug/1178529
rate limiting is per process, and doesn't act as expected in a multi-process environment: https://review.openstack.org/#/c/36516/

best,
Joe Gordon
Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
+1 to turning it off. Having something that doesn't really work on by default now we have a threaded API is just wrong

From: Rosa, Andrea (HP Cloud Services)
Sent: 25 July 2013 09:35
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default

I'd like to turn it off by default, as already pointed in [1] I think the rate limiting should be managed by something else (for example load balancers) in front of the API.

Regards
--
Andrea Rosa

[1] http://www.gossamer-threads.com/lists/openstack/operators/28599

From: Joe Gordon [mailto:joe.gord...@gmail.com]
Sent: 24 July 2013 23:39
To: OpenStack Development Mailing List
Subject: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default

Hi all

I have proposed a patch to disable per-user rate limiting by default: https://review.openstack.org/#/c/34821/. And on Russell's request does anyone care or prefer this to be enabled by default?

Here is some more context:

Earlier rate limiting discussion: http://www.gossamer-threads.com/lists/openstack/operators/28599
Related bug: https://bugs.launchpad.net/tripleo/+bug/1178529
rate limiting is per process, and doesn't act as expected in a multi-process environment: https://review.openstack.org/#/c/36516/

best,
Joe Gordon
Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
+1 to turn it off

-- dims

On Thu, Jul 25, 2013 at 12:07 PM, Day, Phil philip@hp.com wrote:

> +1 to turning it off. Having something that doesn’t really work on by default now we have a threaded API is just wrong
>
> From: Rosa, Andrea (HP Cloud Services)
> Sent: 25 July 2013 09:35
> To: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
>
> I’d like to turn it off by default, as already pointed in [1] I think the rate limiting should be managed by something else (for example load balancers) in front of the API.
>
> Regards
> --
> Andrea Rosa
>
> [1] http://www.gossamer-threads.com/lists/openstack/operators/28599
>
> From: Joe Gordon [mailto:joe.gord...@gmail.com]
> Sent: 24 July 2013 23:39
> To: OpenStack Development Mailing List
> Subject: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
>
> Hi all
>
> I have proposed a patch to disable per-user rate limiting by default: https://review.openstack.org/#/c/34821/. And on Russell's request does anyone care or prefer this to be enabled by default?
>
> Here is some more context:
>
> Earlier rate limiting discussion: http://www.gossamer-threads.com/lists/openstack/operators/28599
> Related bug: https://bugs.launchpad.net/tripleo/+bug/1178529
> rate limiting is per process, and doesn't act as expected in a multi-process environment: https://review.openstack.org/#/c/36516/
>
> best,
> Joe Gordon

--
Davanum Srinivas :: http://davanum.wordpress.com
Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
You mean process/forking API right? Honestly I'd sort of think the whole limits.py that is this rate-limiting could also be turned off by default (or a log warn message occurs) when multi-process nova-api is used since the control for that paste module actually returns the currently enforced limits (and how much remaining) and on repeated calls to different processes those values will actually be different. This adds to the confusion that this rate-limiting in-memory/process solution creates which does also seem bad.

https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/limits.py

Maybe we should not have that code in nova in the future, idk.

-Josh

From: Day, Phil philip@hp.com
Reply-To: OpenStack Development Mailing List openstack-dev@lists.openstack.org
Date: Thursday, July 25, 2013 9:07 AM
To: OpenStack Development Mailing List openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default

+1 to turning it off. Having something that doesn’t really work on by default now we have a threaded API is just wrong

From: Rosa, Andrea (HP Cloud Services)
Sent: 25 July 2013 09:35
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default

I’d like to turn it off by default, as already pointed in [1] I think the rate limiting should be managed by something else (for example load balancers) in front of the API.

Regards
--
Andrea Rosa

[1] http://www.gossamer-threads.com/lists/openstack/operators/28599

From: Joe Gordon [mailto:joe.gord...@gmail.com]
Sent: 24 July 2013 23:39
To: OpenStack Development Mailing List
Subject: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default

Hi all

I have proposed a patch to disable per-user rate limiting by default: https://review.openstack.org/#/c/34821/. And on Russell's request does anyone care or prefer this to be enabled by default?

Here is some more context:

Earlier rate limiting discussion: http://www.gossamer-threads.com/lists/openstack/operators/28599
Related bug: https://bugs.launchpad.net/tripleo/+bug/1178529
rate limiting is per process, and doesn't act as expected in a multi-process environment: https://review.openstack.org/#/c/36516/

best,
Joe Gordon
Re: [openstack-dev] [Openstack-dev][nova] Disable per-user rate limiting by default
I would personally like it off, since it appears to me to offer a false sense of security for the reasons mentioned in that review (doesn't stop DOS, doesn't work across processes/API nodes).

Even though, I would recommend/think before it's turned off that there should be a detailed document on what to replace it with since even though it does provide a minimal rate limiting capabilities, it does provide more than zero. So there should be some docs or thought put into a replacement and explanation on how to use said replacement/s.

-josh

Sent from my really tiny device...

On Jul 24, 2013, at 3:42 PM, Joe Gordon joe.gord...@gmail.com wrote:

> Hi all
>
> I have proposed a patch to disable per-user rate limiting by default: https://review.openstack.org/#/c/34821/. And on Russell's request does anyone care or prefer this to be enabled by default?
>
> Here is some more context:
>
> Earlier rate limiting discussion: http://www.gossamer-threads.com/lists/openstack/operators/28599
> Related bug: https://bugs.launchpad.net/tripleo/+bug/1178529
> rate limiting is per process, and doesn't act as expected in a multi-process environment: https://review.openstack.org/#/c/36516/
>
> best,
> Joe Gordon
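
The per-process behaviour raised in this thread (each API worker keeping its own in-memory counters, so the effective limit multiplies and the reported "remaining" value depends on which process answers), shown as an added example that is not part of any message above and is not nova's limits.py. It is a simplified fixed-window model; the limit values, the four workers and the round-robin dispatch are assumptions made for the illustration.

```python
import itertools

class WindowLimiter:
    """Fixed-window counter held in one process's memory (simplified model)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.state = {}  # user -> (window_start, requests_counted)

    def check(self, user, now):
        """Return (allowed, remaining) as seen by this limiter instance only."""
        start, count = self.state.get(user, (now, 0))
        if now - start >= self.window:  # window expired: start a new one
            start, count = now, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self.state[user] = (start, count)
        return allowed, self.limit - count

def simulate(limiters, requests, user="alice", step=0.1):
    """Send requests round-robin (assumed dispatch) to the worker limiters."""
    accepted, remaining_seen = 0, []
    workers = itertools.cycle(limiters)
    for i in range(requests):
        allowed, remaining = next(workers).check(user, now=i * step)
        accepted += int(allowed)
        remaining_seen.append(remaining)
    return accepted, remaining_seen

# Constructed values: 10 requests per 60 s per user, 4 API worker processes.
LIMIT, WINDOW, WORKERS, REQUESTS = 10, 60.0, 4, 100

def per_process():
    """Each worker has private state, as with an in-memory limiter after fork."""
    return simulate([WindowLimiter(LIMIT, WINDOW) for _ in range(WORKERS)], REQUESTS)

def single_enforcement_point():
    """One counter in front of all workers (e.g. a proxy or shared store)."""
    one = WindowLimiter(LIMIT, WINDOW)
    return simulate([one] * WORKERS, REQUESTS)

if __name__ == "__main__":
    for name, run in (("per-process", per_process),
                      ("single point", single_enforcement_point)):
        accepted, remaining = run()
        print(f"{name}: accepted {accepted}/{REQUESTS}, remaining seen {remaining[:6]}")
```

With private per-worker state the client gets WORKERS times the configured limit and sees the same "remaining" value repeated across consecutive calls; with a single counter the configured limit holds and the value decreases on every call.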