| danfai_ | Hi, are there plans to support tarpit or silent-drop for l7policy? For some LB owner this can be helpful to configure rules to prevent certain DoS scenarios, where the LB owner has identified patterns already. | 08:28 |
|---|---|---|
| danfai_ | related docs: https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#4.4-tarpit https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#4-silent-drop | 08:29 |
| tweining | hi danfai_ , you seem to be talking about rate limiting features. We merged a spec for this new feature in this cycle. https://review.opendev.org/c/openstack/octavia/+/923318 | 11:12 |
| tweining | I will be working during the E on this feature, and note that queue/tarpit and silent drop are part of the spec already. That is no guarantee that the first implementation in the amphora driver will support that already, however. | 11:16 |
| tweining | *E cycle | 11:16 |
| tweining | also, note that it will be a new API, independent of L7policy | 11:17 |
| danfai_ | tweining: ah, ok. Thanks, I'll have a look at the spec and see if the use-case we have is matched then. | 11:35 |
| danfai_ | From what I see this will allow rate limiting regardless of the source. Is it possible to enable the rate limiting only for a number of users. e.g. have a whitelist that bypasses the rate limiting or have a different rate limiter applied for certain users? | 11:41 |
| tweining | with users you mean clients? | 11:42 |
| danfai_ | yes, either by source IP and/or by user agent | 11:43 |
| tweining | you can have different limits for different URL paths, but not for different clients | 11:43 |
| danfai_ | from what I wonder, maybe it would make sense to have a l7policy target which is a rate limiter. but haven't checked in detail how feasible this would even be. Probably also too complex | 11:44 |
| danfai_ | ok, thanks for clarifying | 11:44 |
| danfai_ | nevermind, just saw this was mentioned in the alternatives | 11:44 |
| tweining | if you have different URL parameters for different clients it might be doable though https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting#rate-limit-by-url-parameter | 11:45 |
| danfai_ | might be possible by using l7policy to put redirects for certain clients that then trigger the different URL, seems a bit hacky for me though | 11:46 |
| tweining | also, that per-url-parameter feature was not part of the spec yet, and I will not implement it in the first version of rate limiting. It would be an interesting addition, however. as usual, patches are welcome. :) | 11:53 |
| opendevreview | Gregory Thiemonge proposed openstack/octavia master: DNM/WIP Testing c9s image build https://review.opendev.org/c/openstack/octavia/+/929797 | 14:33 |
| gthiemonge | #startmeeting Octavia | 16:00 |
| opendevmeet | Meeting started Wed Sep 18 16:00:22 2024 UTC and is due to finish in 60 minutes. The chair is gthiemonge. Information about MeetBot at http://wiki.debian.org/MeetBot. | 16:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 16:00 |
| opendevmeet | The meeting name has been set to 'octavia' | 16:00 |
| gthiemonge | o/ | 16:00 |
| tweining | o/ | 16:00 |
| johnsom | o/ | 16:00 |
| gthiemonge | #topic Announcements | 16:01 |
| gthiemonge | * 2024.2 Dalmatian Release Schedule: R-2 | 16:01 |
| gthiemonge | 2 weeks before Dalmatian Release! | 16:02 |
| gthiemonge | we delivered RC1 for the Octavia projects | 16:02 |
| gthiemonge | next week is the Final RCs and intermediary releases | 16:02 |
| gthiemonge | but we are good with RC1 I believe | 16:02 |
| tweining | yeah, probably | 16:03 |
| johnsom | I think so too, but I haven't done a bug scrub | 16:03 |
| gthiemonge | * 2025.1 Epoxy Release Schedule | 16:04 |
| gthiemonge | The schedule for Epoxy is available | 16:04 |
| gthiemonge | https://releases.openstack.org/epoxy/schedule.html | 16:04 |
| gthiemonge | and the PTG is in one month! | 16:04 |
| gthiemonge | I haven't created an etherpad yet but please start thinking about topics you would like to discuss there | 16:05 |
| johnsom | Wow, time flies | 16:05 |
| tweining | that is what I thought too | 16:05 |
| gthiemonge | yeah | 16:06 |
| gthiemonge | any other announcements? | 16:06 |
| johnsom | I don't have anything | 16:06 |
| tweining | no | 16:06 |
| gthiemonge | ok | 16:07 |
| gthiemonge | #topic CI Status | 16:07 |
| gthiemonge | johnsom is fixing the periodic job that builds the amphora image, patch is in review and tests look good | 16:08 |
| johnsom | Yeah, that patch should be good to go | 16:08 |
| gthiemonge | https://review.opendev.org/c/openstack/octavia/+/928952 | 16:08 |
| gthiemonge | approved! | 16:09 |
| gthiemonge | thanks johnsom | 16:09 |
| gthiemonge | #topic Brief progress reports / bugs needing review | 16:11 |
| tweining | no upstream work from me apart from doing reviews | 16:12 |
| johnsom | I have been working on the latest SRBAC changes from oslo policy 4.4. The Octavia patch is posted WIP. I did get some feedback in IRC that the release note is not clear enough, so if you have thoughts, please add a comment. | 16:12 |
| johnsom | I am still working on the tempest side of this change | 16:13 |
| johnsom | Just to review, this change means Octavia will default to the "keystone default roles" aka SRBAC instead of the advanced RBAC scheme it has had since Pike | 16:13 |
| gthiemonge | johnsom: I'll tke a look, thanks for working on that | 16:15 |
| gthiemonge | #topic Open Discussion | 16:17 |
| johnsom | I don't think I have anything additional this week. | 16:18 |
| gthiemonge | ok! | 16:19 |
| gthiemonge | thank you guys! have a good week | 16:19 |
| gthiemonge | #endmeeting | 16:19 |
| opendevmeet | Meeting ended Wed Sep 18 16:19:37 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:19 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/octavia/2024/octavia.2024-09-18-16.00.html | 16:19 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/octavia/2024/octavia.2024-09-18-16.00.txt | 16:19 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/octavia/2024/octavia.2024-09-18-16.00.log.html | 16:19 |
| opendevreview | Merged openstack/octavia master: Fix amphora image builds to use DIB bindep https://review.opendev.org/c/openstack/octavia/+/928952 | 17:55 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!