--=-eP3k5LV4Tp5Zr27AX3vY Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Le mardi 17 juin 2014 =C3=A0 15:55 +0200, Ewoud Kohl van Wijngaarden a =C3=A9crit :
On Tue, Jun 17, 2014 at 03:47:14PM +0200, Michael Scherer wrote:
Brian pinged me on a failure on lists.ovirt.org around 13h15 UTC. After scratching my head for a while ( since everything was running fine, despites regular Out of memory on the server ), it turned out to be a user trying to get the iso with a download accelerator. I first added more server, but without luck. =20 So as I am more of the kind "shoot first, ask later", I did kill the connexion with iptables, then limit it with iptables ( but with some side effect ), then installed mod_limitipconn to limit to 10 tcp connexion per IP.=20 =20 I'm all in favor of this. Maybe we should mention we have mirrors with MUCH more bandwith in our README.
Or maybe we do not need to tell that to people and use a redirector ? ( like mirrorbrain, etc ). Even if a solution that requires no maintainance is maybe a better solution for now.
in short : - yum install mod_limitipconn - add=20 <IfModule mod_limitipconn.c> MaxConnPerIP 10 </IfModule> to /etc/httpd/conf.d/resources.ovirt.org.conf =20 I guess we should add this in some puppet module somewhere ? =20 We should, but the whole apache config isn't puppetized yet. I've been slacking on that because we want to move away from that server, but maybe we should bite the bullet and do it on the current server.
Yep, and I think it would be easier to move away from the server if it is in puppet :) --=20 Michael Scherer Open Source and Standards, Sysadmin --=-eP3k5LV4Tp5Zr27AX3vY Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABAgAGBQJToE0CAAoJEE89Wa+PrSK9C34P/0MxCNC5y/FEffxjMQcIrbaY pxOZv4PYYHvPds6ZZHIaAMCAUY08g0uN8zfbz3fhIW18SmXomcaKm3C5dUyPLRjR 1TsZL6jHN+cB0uVlBhrJ1J7BHxetd7HMCBh1ggPEs7+jOUE70zDGTJKhyinfZRnC HF89eXNfwBni9Dra1fMlj0QoktBttzbo0KWUgvVQULzWpabusV9QgEA9+1uGMNcU EaKaC51wdcloX+Oru8oY/wNd50dwwqOGuRUWrVQ0zO4HU8ykx59PYdt597rA31VZ FfXy2eGxsxgQJGV8fcz6g0abk3CI7wEn+q/3UJNGv5MD4lC/vR1owYgsNH/tQ/3L gKQxdsBKZuiS8IhCym6um4pug/NIgfdUbwMQTRZ83qCoMFYGC8GxQd+rutmk+UMe Bz6V83UrlEcjrCJv+iFbRuEyHxkxpfMFDpReKGfvQkQrzhiHUhwrsg79PXwp9MXj doS8mXznLYJlsBa6jnti1DUncMln8Vec9KR76MztWq3R10yYhOT7g6BWVu2d930E i8pCGcxII0YtvzVZmfoiVGqeAugGGTM27e0q5BByMtSdOpqFhmwf+lgL2vS91xxf CHE1VmbZ4kAjJBCYlKHy+onx74REVBvezUb8wYMN4Pv0/WH4M68DJ6/ETXlJuhYF dxtYtF9fC+52c14Xovhx =bhkS -----END PGP SIGNATURE----- --=-eP3k5LV4Tp5Zr27AX3vY--