-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feat]: Per-client Rate Limit overrides #2597
Comments
@seniorquico Let me understand this better. [rate-limited src (like dockerhub)] -> [mirrors] As the list of "mirrors" grows, the load on the "src" increases? In this case, you probably want to organize like so. [rate-limited src (like dockerhub)] -> [src mirror] -> [mirrors] If "src mirror" is under your control, then you have more options. Thoughts? |
In our case, the rate-limited source is another zot server, i.e. our setup is more like It appears the zot rate limit configuration is one-size-fits-all. For now, we bumped up the rate limit to reduce the temporary synchronization failures. However, that also increases the limit for all of the public clients. If we could tell the 1st server to give, as an example, the IP of the 2nd server a higher rate limit while preserving the default lower limit for public clients- I think that's what I had in mind? 100% open to alternatives, though. None were immediately apparent with zot's current configuration, though. |
@seniorquico I see. We use this golang pkg (https://github.com/didip/tollbooth) in zot and it appears that rate-limiting by source address may be a solution that works for your case. https://github.com/project-zot/zot/blob/main/pkg/api/session.go#L40 We always encourage users of zot to get involved in the engineering/development process since it in their own best interests. In that spirit, pls do consider submitting a PR. |
Also note that we are working on zot "scale-out" and have it working for the cloud case. On-prem case should land soon. |
Maybe add a config param like so |
[I dug into this a bit further for @seniorquico] A quick recap:
The solution we are looking for is a way to set a higher rate limit for specific requests above the global value or any other values that might pertain. This will either require changes in tollbooth, or a partial re-implementation of some tollbooth functions such as tollbooth.LimitByRequest() to perform the checks in the manner we desire. The 'select-highest' change is nearly sufficient, we would also need to implement a RemoteIPRateLimiter() function and expose in zot's config file the ability to set specific rates on IP addresses. While we need both bits above they are mostly independent of each other. I have not yet designed a detailed implementation of these changes so I do not have an answer to things like how we would indicate which selection (lowest vs highest) to use in the config file. |
Also if these fields must be dynamically managed (add/remove config) based on the current situation. |
I've already been thinking about this alternative for some other use cases... We leverage Let's Encrypt for public certificates on the Internet. Every time these update, we have to recycle the zot service for the new certs to take effect. iirc, we also had to setup a workaround to get both IPv6 and IPv4 traffic routed to zot (we could only get it to bind to one stack/port?). We already leverage HAProxy as a frontend for other services, and they have solutions for rate limiting, TLS cert management, and multiple stack/port binding support. We could take a different tack and contribute a "how to" guide for running a frontend like HAProxy for more advanced configuration scenarios like these? Do you think others would find a guide like that helpful? |
Absolutely. |
Is your feature request related to a problem? Please describe.
We are using the built-in rate limiter to help mitigate the obvious concerns. We recently started using the sync plugin to mirror our repositories in different regions. The rate limits we chose are low, but more than sufficient for a standard end user. However, when we bring a new mirror online, or if there is a significant change in the content on our upstream, the mirror may hit the rate limit.
Describe the solution you'd like
It would be great to configure a rate limit override that increases the quota for our mirror server. The override could be matched to a client by the remote IP address or maybe by the bearer token's
sub
claim?Describe alternatives you've considered
I'm not sure what other alternatives might exist, but definitely open to ideas if there's something simpler we could apply.
Additional context
No response
The text was updated successfully, but these errors were encountered: