Commit graph

273 commits

Author SHA1 Message Date
Sam Chow
9024419896 Modify ldap validator to just check user existence
Remove auth user check from updating config app config

remove duplicate certs install script
2018-07-11 16:49:13 -04:00
Joseph Schorr
33a8099f35 Temporarily double the request limit. We'll start ratcheting it down over time. 2018-06-20 14:31:51 -04:00
Joseph Schorr
1d94e4d605 Audit out endpoints and ensure everything has a defined rate limit (even if quite large)
For registry operations, these were the numbers found at the time the PR was written:

download_blob 108 per second across fleet
v2_auth 180 per second across fleet
catalog 1 per second across fleet
fetch_manifest 205 per second across fleet
list_all_tags 150 per second across fleet

With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller.

Fixes https://jira.coreos.com/browse/QUAY-976
2018-06-20 13:36:24 -04:00
Joseph Schorr
ef167ab7e3 Rate limit the catalog endpoint by auth token and IP address 2018-06-05 18:24:31 -04:00
Jimmy Zelinskie
e542de7e65 nginx: temporarily disable catalog for production 2018-06-05 16:06:10 -04:00
josephschorr
7722721396
Merge pull request #3064 from quay/joseph.schorr/QUAY-928/fix-worker-count
Fix worker count to use CPU affinity correctly and be properly bounded
2018-05-07 20:45:26 +03:00
Joseph Schorr
b26a131085 Fix worker count to use CPU affinity correctly and be properly bounded
We were using the `cpu_count`, which doesn't respect container affinity. Now, we use `cpu_affinity` and also bound to make sure we don't start a million workers

Fixes https://jira.coreos.com/browse/QUAY-928
2018-05-03 11:57:20 +03:00
Joseph Schorr
e20295f573 Fix Kubernetes config provider for recent changes in Kub API
Kubernetes secret volumes are now mounted as read-only, so we have to write the files *only* via the Kub API

Fixes https://jira.coreos.com/browse/QUAY-911
2018-04-22 17:22:28 +03:00
Joseph Schorr
ab0172d2fd Switch Quay to using an in-container memcached for data model caching 2018-02-27 16:55:22 -05:00
Joseph Schorr
8bc55a5676 Make namespace deletion asynchronous
Instead of deleting a namespace synchronously as before, we now mark the namespace for deletion, disable it, and rename it. A worker then comes along and deletes the namespace in the background. This results in a *significantly* better user experience, as the namespace deletion operation now "completes" in under a second, where before it could take 10s of minutes at the worst.

Fixes https://jira.coreos.com/browse/QUAY-838
2018-02-27 13:12:51 -05:00
Joseph Schorr
d45161b120 Add a worker to automatically GC expired app specific tokens
Fixes https://jira.coreos.com/browse/QUAY-822
2018-02-12 14:56:01 -05:00
josephschorr
ccef3bffe9
Merge pull request #2978 from coreos-inc/joseph.schorr/QS-117/gunicorn-worker-count
Make gunicorn worker count scale automatically and be configurable
2018-02-02 13:46:17 -05:00
Joseph Schorr
da9b05fa4a Remove syslog check lines from all services 2018-02-02 13:38:25 -05:00
Joseph Schorr
0f49d787eb Fix syslog for updated phusion base image
Syslog is now started outside of the normal init process
2018-02-02 10:52:18 -05:00
Joseph Schorr
4cd3d110db Make gunicorn worker count scale automatically and be configurable
Fixes https://jira.coreos.com/browse/QS-117
2018-02-02 10:34:19 -05:00
Joseph Schorr
9f996a8745 Change worker processes to be auto set based on CPU count
Fixes https://jira.coreos.com/browse/QS-109
2018-01-10 11:10:57 -05:00
Joseph Schorr
6de96ee8a5 Fix the custom cert install process to install to the new certifi location, in addition to the old location
Also updates our requirements around requests
2017-12-15 17:26:44 -05:00
Jimmy Zelinskie
e36bf25a5e nginx: rate limit 1r/s
This reduces our rate limiting down to 1 request per second.
2017-12-13 13:15:32 -05:00
josephschorr
3bef21253d Merge pull request #2695 from coreos-inc/oidc-internal-auth
OIDC internal auth support
2017-10-02 16:51:17 -04:00
Joseph Schorr
05b4a7d457 Add worker to update ipresolver data files every few hours 2017-09-28 14:40:59 -04:00
Joseph Schorr
ed897c7cb0 Change OIDC engine to not be federated
We don't need linking, just the ability to perform lookup
2017-09-12 12:26:41 -04:00
Joseph Schorr
bd67eaf856 Make SSL more resilient and cached 2017-09-05 18:02:07 -04:00
Alec Merdler
ae9bd8b727 Merge pull request #2837 from alecmerdler/QUAY-755
Fix 502 Error Page
2017-07-28 12:30:02 -04:00
Alec Merdler
fb7df1e568 fixed 502 route in Nginx config 2017-07-27 14:45:18 -04:00
Jake Moshenko
572eeca8f5 Split the runit services into interactive and batch categories. 2017-07-27 14:30:45 -04:00
Joseph Schorr
be62ede87c Pass DB connection pooling arg 2017-07-27 14:22:44 -04:00
Joseph Schorr
f79542fefb Enable connection pooling in the registry 2017-07-27 14:00:23 -04:00
josephschorr
78652de3ee Merge pull request #2766 from coreos-inc/joseph.schorr/QUAY-634/buildlogsarchiver-data-interface
Change buildlogsarchiver to use a data model interface
2017-07-19 16:40:05 -04:00
josephschorr
9bd4cee029 Merge pull request #2765 from coreos-inc/joseph.schorr/QUAY-629/globalprom-data-interface
Switch globalpromstats worker to use a data interface
2017-07-19 16:39:36 -04:00
Erica
6576965647 Merge pull request #2780 from coreos-inc/FIX-teamsync-logger
fix(init/service/teamsyncworker/log/run): log correct worker
2017-07-12 23:38:44 -04:00
josephschorr
fdb21aa5dc Merge pull request #2777 from coreos-inc/joseph.schorr/QUAY-618/notificationworker-data-interface
Change notificationworker to use data interface
2017-07-13 00:23:15 +03:00
josephschorr
2206c81a95 Merge pull request #2776 from coreos-inc/joseph.schorr/QUAY-652/servicekeyworker-data-interface
Change service key worker to use a data interface
2017-07-13 00:22:49 +03:00
EvB
67abfe7483 fix(init/service/teamsyncworker/log/run): log correct worker 2017-07-12 13:52:22 -04:00
Joseph Schorr
fbfd78532c Move notification worker to its own package 2017-07-12 17:35:09 +03:00
Joseph Schorr
3b496e2759 Move serverkeyworker into its own package 2017-07-12 15:57:02 +03:00
Joseph Schorr
e2cf2d6f2b Move teamsyncworker into its own package 2017-07-12 15:53:01 +03:00
josephschorr
dc6c6b30fc Merge pull request #2768 from coreos-inc/joseph.schorr/QUAY-653/blobuploadcleanupworker-data-interface
Change blobuploadcleanupworker to use a data interface
2017-07-12 00:32:09 +03:00
Evan Cordell
8d07bbc7af Remove volumes 2017-07-11 10:54:56 -04:00
Joseph Schorr
b87415129f Move blobuploadcleanupworker into its own package 2017-07-11 15:38:10 +03:00
Joseph Schorr
22f088d90a Move buildlogsarchiver worker to its own package 2017-07-11 14:42:18 +03:00
Joseph Schorr
265520d071 Move globalpromstats worker into its own package 2017-07-11 13:52:15 +03:00
Evan Cordell
dacb0131a5 symlink all files from /conf/stack into QUAYCONF/stack 2017-07-10 22:34:21 -04:00
Antoine Legrand
cdb3722c17 Use $QUAYPATH and $QUAYDIR in conf and init files 2017-07-05 16:23:54 +02:00
josephschorr
a96555511b Merge pull request #2743 from coreos-inc/joseph.schorr/QUAY-663/gcworker-interface
Change GC worker to use new data interface style
2017-06-29 20:54:04 +03:00
Joseph Schorr
76c9339453 Rename GC worker package to gc 2017-06-29 09:37:32 +03:00
Joseph Schorr
38f1752a2d Move gcworker into its own package 2017-06-28 15:04:10 +03:00
Joseph Schorr
1ddb09ac11 Change security worker to use data interface 2017-06-28 14:50:52 +03:00
Antoine Legrand
3bd2148abd gunicorn-conf: add quay directory to syspath 2017-06-08 20:50:42 +02:00
Antoine Legrand
3c99928a27 Add log JSON formatter 2017-06-07 00:02:52 +02:00
Evan Cordell
653cd997a1 fixes install of certs 2017-05-25 18:06:20 -04:00