DC/OS: DCOS_OSS-4654

Limit number of time-series stored in Nginx VTS module shared memory

    Details

    • Sprint:
      Security Sprint 37, Security Sprint 38
    • Story Points:
      1

      Description

      Currently, repeated HTTP requests to an unbounded number of distinct URIs on Admin Router lead to the creation and permanent storage of an unbounded number of time-series. With the filter_by_set_key functionality of the VTS module, by default one "node" is stored (referred to by the set key) for each distinct value in the set. For us this means that, for a set with a key such as

      ,upstream=Bouncer,backend="127.0.0.1:8101,client
      

      On each occurrence of a request from a distinct $http_user_agent (client), a counter (stored in a node in shared memory) is incremented and never deleted.

      Shared memory is limited by the directive:

      vhost_traffic_status_zone shared:vhost_traffic_status:16m
      

      This means the VTS module could potentially run out of memory and Admin Router would crash. It would most likely restart with a wiped VTS module shared-memory state, but we don't want this to happen.

      Limiting the total number of "nodes" can be done with the directive:

      vhost_traffic_status_filter_max_node 2700
      

      This directive employs an LRU mechanism that deletes the nodes whose counters have not been updated for the longest time. This way we achieve a bounded footprint for the VTS module shared memory.
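      As an added illustration (not taken from this ticket or from the Admin Router configuration), the following nginx fragment places the unbounded variant next to the bounded one. The zone size and the max-node value are the ones quoted above; the server_name, the filter group name "client" and the /status location are assumptions made for the example.

```nginx
# Added example: minimal http{} fragment contrasting the unbounded and the
# bounded VTS filter configuration. Only the 16m zone and the 2700 node cap
# come from the ticket; server_name, the "client" group and /status are
# assumed for illustration and are not Admin Router's real config.
http {
    # Shared memory holding every VTS counter (as in the ticket: 16m).
    vhost_traffic_status_zone shared:vhost_traffic_status:16m;

    # Weak: no cap on filter nodes. Each distinct value of the set key
    # (here: each distinct User-Agent string) allocates a node that is
    # never freed, so a client that keeps varying its User-Agent can
    # eventually fill the 16m zone.
    #
    #   vhost_traffic_status_filter_by_set_key $http_user_agent client::*;
    #   (and no vhost_traffic_status_filter_max_node directive)

    # Hardened: bound the total number of filter nodes. Once the cap is
    # reached the module evicts the node whose counters were updated least
    # recently (LRU), so shared-memory usage stays bounded.
    vhost_traffic_status_filter_max_node 2700;

    server {
        listen 80;
        server_name adminrouter.example;   # assumed name

        # One node per distinct User-Agent under the "client" filter group.
        vhost_traffic_status_filter_by_set_key $http_user_agent client::*;

        location /status {
            # Expose the counters, but only to the local host (assumed
            # policy), so the metrics endpoint itself is not public.
            allow 127.0.0.1;
            deny all;
            vhost_traffic_status_display;
            vhost_traffic_status_display_format json;
        }
    }
}
```

      The cap is global to all filter groups when given without further arguments; the directive also accepts group names after the number if only specific groups should be bounded. After applying it, the node count visible under the filter section of the /status JSON output should plateau at the configured value under sustained traffic with varying key values, which is the check to run when verifying the fix.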


              People

              • Assignee:
                timweidner Tim Weidner
              • Reporter:
                timweidner Tim Weidner
              • Team:
                Security Team
              • Watchers:
                Adam Dangoor, Mergebot, Tim Weidner
