On Thu, Aug 28, 2014 at 10:05 AM, Paul Sokolovsky paul.sokolovsky@linaro.org wrote:
Recently, we had DoS-like episodes on the main Linaro git server, http://git.linaro.org, which affected a number of Linaro users, including users of the Gerrit system, http://review.linaro.org.
These episodes were related to unfriendly usage of the native protocol, git:// (service port 9418). The implementation of this protocol is known to be resource-hungry and not to scale to many connections and users. The issue itself is not new, it is something which affected us in waves over the last 3 years, and a resolution for which was established a year ago, providing 2 HTTP-based protocols (so called "dumb" and "smart" protocols) as a more scalable replacement.
So, this is a gentle reminder that use of the git:// protocol is discouraged for Linaro engineers, and completely unsupported(*1) for third parties. Based on the analysis and outcome of the current DoS-like activity, we may need to make git:// access more limited and strict. So, please kindly:
So why does this affect us but not kernel.org?
- Check URLs you use for cloning and updating your local trees. If you use "ssh://" or "http(s)://" protocols, you're ok. If you use git://, please switch to using http-based protocol instead. In most cases, this requires just replacing "git://" schema with "http://". If in doubt, please visit gitweb page for your repositories, which lists all supported URLs to clone a repository, e.g.: https://git.linaro.org/arm/arm-trusted-firmware.git
- If you set up or oversee CI or automated build jobs, please audit and apply similar changes to them.
So this is problematic, because there are folks out there in the community who already use the git:// urls for fetching work from the Linaro repos. (The 0day build/test bot, for instance..).
While the git:// urls are now off the gitweb (which is good for future users), this wasn't the case previously.
We already went through one painful transition where our URLs got scrambled, and I've had a few situations where folks have just recently realized that we still had trees, but the URLs were just different. So it's quite frustrating to have to go through that again.
What would be required to just make the git:// urls work properly?
Is this mainly an issue with the Android repos? If we reduce the git:// url load on the worst users, would that improve things enough? Do you have stats on which trees are hardest hit?
(*1) Unsupported in the current context means that "git://" URLs are not published in up-to-date information, and there's no warranty that any 3rd party will be able to complete a clone successfully using this protocol.
So as someone who has sent git pull requests in the past with the git urls, this is terrifying (and makes me hesitant to further use the linaro infrastructure). Do you have a pointer to why the git urls aren't coherent?
thanks -john
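
The URL audit requested in the quoted announcement (local clones and CI jobs), as an added example that is not part of the original thread: it lists git:// references to git.linaro.org under a directory and rewrites only those to http://. The function names and the sample tree, including the git.example.org remote and the ssh:// clone line, are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and replace git:// URLs for git.linaro.org in config files.
# The sample tree built by make_sample is constructed for illustration.

HOST_RE='git\.linaro\.org'   # regex-escaped host; only this server is touched

# List "file:line:text" for each git:// reference to the host under dir $1.
audit_tree() {
    grep -rn "git://$HOST_RE/" "$1" || true
}

# Rewrite those references to http:// in place (file modes are preserved),
# leaving other hosts and other schemes (ssh://, https://) alone.
rewrite_tree() {
    list=$(mktemp)
    grep -rl "git://$HOST_RE/" "$1" > "$list" || true
    while IFS= read -r f; do
        sed "s|git://$HOST_RE/|http://git.linaro.org/|g" "$f" > "$f.new" &&
            cat "$f.new" > "$f" && rm -f "$f.new"
    done < "$list"
    rm -f "$list"
}

# Constructed sample: one clone's .git/config and one CI job script.
make_sample() {
    mkdir -p "$1/tf/.git" "$1/ci"
    cat > "$1/tf/.git/config" <<'EOF'
[remote "origin"]
	url = git://git.linaro.org/arm/arm-trusted-firmware.git
[remote "upstream"]
	url = git://git.example.org/other/tree.git
EOF
    cat > "$1/ci/build.sh" <<'EOF'
git clone git://git.linaro.org/arm/arm-trusted-firmware.git src
git clone ssh://git.linaro.org/arm/arm-trusted-firmware.git src-rw
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "before:"; audit_tree "$demo_dir"
rewrite_tree "$demo_dir"
echo "after:";  audit_tree "$demo_dir"
rm -rf "$demo_dir"
```

Run `audit_tree` alone first to review what would change; `rewrite_tree` edits files in place.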