Meeting 2021 04 22
Rate limiting in nginx
Someone killed wiki.al.org by GETting / on repeat from a Scaleway server. We should add reasonable rate limits.
!359 (closed) TLDR (wiki, aurweb, bbs, bugs and al.org):
- 5r/s for dynamic content (PHP/Python)
- 50r/s for static content (cached dynamic content, css, js etc.)
- I think we can lower it even more, but require some research
Actionables
- Create issue for caching (done: #315 (closed))
- Caching first, then rate-limiting
Who
- wCPO (issue for caching)
- aurweb implemented a custom solution rate limitting solution, as legimate AUR helpers where doing multiple requests per
DNS
https://rspamd.com/doc/faq.html#resolver-setup
DNS resolving is a very important part of the spam filtering since a lot of information is obtained from DNS lists, e.g. IP and URL blacklists, whitelists, reputation data and so on and so forth. Hence, Rspamd will be totally broken in case: it might even refuse to start. Furthermore, if you are using your provider’s resolver or some public resolver you might be affected by blocking from the vast majority of DNS lists providers or even corrupted results.
Solutions:
-
systemd-resolvedon all hosts expect mail hosts where we useunbound(the current solution) -
systemd-resolvedeverywhere andrspamdusesunbounddirectly -
unboundeverywhere
Actionables
Who
- wCPO and jelle
The killing of git.archlinux.org (PG-13)
We need a plan!
Active projects:
- pacman
- pacman-contrib
- netctl
- mkinitcpio
- ??
Hidden projects:
- archvote (already migrated #312 (closed))
- ??
Archiving:
Nginx redirect (we can take a look at the logs):
- With and without
?h=<tag>,?id=<commit>or?id2=<something>- https://git.archlinux.org/mkinitcpio.git/
- https://git.archlinux.org/mkinitcpio.git/refs/
- https://git.archlinux.org/mkinitcpio.git/log/
- https://git.archlinux.org/mkinitcpio.git/tree/
- https://git.archlinux.org/mkinitcpio.git/commit/
- https://git.archlinux.org/mkinitcpio.git/patch/
- https://git.archlinux.org/mkinitcpio.git/diff/
Actionables
-
We already submitted some projects to the software heritage and could https://archive.softwareheritage.org/browse/origin/directory/?origin_url=git://git.archlinux.org/aif.git
-
Archive some projects which we think we should archive on Gitlab
- aif
- abs
- kde-build
- srcpac
- wpa_actiond
- server-misc
- pacbuild
- netcfg
- linux-2.6-ARCH
- klibc-extras
- installer
- initscripts
-
Migrate projects
- kde-build
- archboot
- linux
- namcap
- pacman
- pacman-contrib
- cgit
- netctl > Is still actively maintained [name=Giancarlo Razzolini]
- mkinitcpio-nfs-utils >This still is needed, we need to migrate. I plan to migrate it on the mkinitcpio group I've created on gitlab. [name=Giancarlo Razzolini]
- archboot > Is still actively maintained no? [name=Giancarlo Razzolini]
-
make tu-bylaws a proper gitlab page (create issue for this (jelle)) (done: tu-bylaws#2)
Who
- wCPO (update issue) #6 (closed)
Loki
https://grafana.com/docs/loki/latest/overview/comparisons/
Data in Elasticsearch is stored on-disk as unstructured JSON objects. Both the keys for each object and the contents of each key are indexed. Data can then be queried using a JSON object to define a query (called the Query DSL) or through the Lucene query language.
In comparison, Loki in single-binary mode can store data on-disk, but in horizontally-scalable mode data is stored in a cloud storage system such as S3, GCS, or Cassandra. Logs are stored in plaintext form tagged with a set of label names and values, where only the label pairs are indexed. This tradeoff makes it cheaper to operate than a full index and allows developers to aggressively log from their applications. Logs in Loki are queried using LogQL. However, because of this design tradeoff, LogQL queries that filter based on content (i.e., text within the log lines) require loading all chunks within the search window that match the labels defined in the query.
Actionables
None
SSO Security Tracker
There is work in progress pull request to add SSO support.