
Limit connections

Open Furisto opened this issue 2 years ago • 1 comments

Description

Introduce limiting of new connections created per minute.

Related Issue(s)

Fixes https://github.com/gitpod-io/gitpod/issues/10651

How to test

  • Open a workspace in the preview environment
  • Run roblox scanner

Release Notes

Limit the rate at which network connections can be made by a workspace 

Werft options:

  • [x] /werft with-preview

Furisto avatar Jul 09 '22 19:07 Furisto

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 10 '22 03:08 stale[bot]

Based on the discussion in the RFC the following changes have been made.

  • Limiting is now set up by ws-daemon instead of workspacekit
  • We use an annotation (gitpod.io/netConnLimit) to detect workspaces that should be limited
  • The helper functions for nsinsider have been moved to their own package so that they can be used outside of IWS.
  • The Go library for nftables recently gained support for dynsets, so using nft is not necessary anymore
  • Metrics for dropped bytes/packets have been added
  • The network limiting annotation is now set by ws-manager if the WORKSPACE_CONNECTION_LIMITING feature is sent as part of the request. The decision to send the flag will be made based on the plan that the user is on. This part is not yet fully implemented because we do need to deploy this PR first, so that the flag can be handled by ws-manager.

Furisto avatar Aug 22 '22 12:08 Furisto
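
The dynset approach and the audit-versus-limit distinction raised in this thread, written out as an nftables ruleset in nft text form. This is an added example, not code from the PR: the table, set and chain names, the `ip saddr` key and the 60/minute threshold are all assumptions, since the thread gives none of them.

```nft
# Constructed example: load with `nft -f` inside a test network namespace.
table ip connlimit_example {
    # Dynamic set: the packet path creates one rate-limit state per key.
    # size and timeout are given because elements are added by packets,
    # not by an administrator; idle entries expire after one minute.
    set new_conns {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65536
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # Only the first packet of each connection is rate-checked.
        ct state new jump audit    # use "jump enforce" to actually limit
    }

    # Audit: count packets/bytes that exceed the rate, but let them pass.
    chain audit {
        add @new_conns { ip saddr limit rate over 60/minute } counter
    }

    # Enforce: same match, but drop whatever exceeds the rate.
    chain enforce {
        add @new_conns { ip saddr limit rate over 60/minute } counter drop
    }
}
```

In audit mode the `counter` values reported by `nft list table ip connlimit_example` show how much traffic would have been dropped, which is the figure to review before switching the jump target to `enforce`.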

/werft run

:+1: started the job as gitpod-build-fo-connlimit.29 (with .werft/ from main)

Furisto avatar Aug 22 '22 13:08 Furisto

:wave: @Furisto I've added this to our project for team visibility, and changed the description from "fixes" to "related to" (assuming merging this PR won't necessarily close the epic).

Will this audit connections (which we would have limited), or, will it actually limit? I assume audit, but wanted to double check.

kylos101 avatar Aug 22 '22 20:08 kylos101

@kylos101

> Will this audit connections (which we would have limited), or, will it actually limit? I assume audit, but wanted to double check.

It will only audit them

Furisto avatar Aug 22 '22 20:08 Furisto

/werft run

:+1: started the job as gitpod-build-fo-connlimit.32 (with .werft/ from main)

Furisto avatar Aug 23 '22 12:08 Furisto

/werft run with-clean-slate-deployment

:+1: started the job as gitpod-build-fo-connlimit.37 (with .werft/ from main)

Furisto avatar Aug 23 '22 13:08 Furisto

@utam0k PTAL

Furisto avatar Aug 23 '22 16:08 Furisto

/unhold

Furisto avatar Aug 24 '22 12:08 Furisto