Limitations on Deployment HTTP Range Request Download

Open Bastian-Krause opened this issue 3 years ago • 6 comments

Hi,

we are using hawkBit with RAUC in rauc-hawkbit-updater. In a recent PR, streaming installation of update bundles is implemented: rauc-hawkbit-updater passes the authentication header and the hawkBit deployment download URL to RAUC. RAUC performs HTTP Range Requests (~128 KB range per request, due to NBD reads per squashfs block, see RAUC's streaming docs) while installing the update bundle.

While testing this, I hit these hawkBit errors:

Registered DOS attack! Client [0:0:0:0:0:0:0:1] is above configured READ request threshold (200)!
Cannot assign 1 ActionStatus entities to Action '1' because of the configured quota limit 1000. Currently, there are 1000 ActionStatus entities assigned.

That means hawkBit's default configuration limits HTTP Range Requests effectively to ~1000 requests per action and 200 requests per second. For the time being, I disabled both limitations via:

--hawkbit.server.security.dos.filter.enabled=false
--hawkbit.server.security.dos.maxStatusEntriesPerAction=-1

While this works, I am not so sure if this is the desired approach for our use case. What do you think?

Furthermore, one ActionStatus entity per Range Request is generated, meaning a medium-sized update bundle of 150 MB generates >1000 ActionStatuses when requested in 128 KB chunks. Could you elaborate why hawkBit needs to generate an ActionStatus per Range Request? I could not find reasoning in the commits/PRs. Could these Range Request ActionStatuses be dropped maybe? Or made configurable somehow?

Bastian-Krause, Apr 21 '22 16:04

Can anyone comment on the questions above?

Bastian-Krause, Jun 07 '22 09:06

A comment on this issue would still be very welcome.

I'd be willing to create a PR to change the ActionStatus behavior for HTTP Range Requests, but only if you tell me whether to drop ActionStatuses for this case entirely or make them configurable.

Bastian-Krause, Aug 29 '22 09:08

@Bastian-Krause Is this still a limitation? Would be great to get a comment from the responsible maintainers!

I don't see any issue with dropping the Range Request ActionStatuses, so I will change this should I end up deploying hawkbit.

MartB, Oct 31 '22 14:10

@MartB I did not hear back since I opened this issue and I did not see any changes relevant to these issues. A comment would be welcome.

Bastian-Krause, Nov 01 '22 10:11

I've also hit this limitation. I think logging action status makes no sense.

In general, I would also say that having hawkbit serve the range requests would be best avoided. Ideally there would be a way to provide a URL to a CDN service, to keep the application server out of the loop.

zyga, Nov 23 '22 13:11