Backport CP-43755 - rate limits for PAM logins #5484
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Backport 0dc9939 The codepaths are completely independent. Rename `serialize` to `throttle`. This prepares the code for parallel authentication, with independently tunable thresholds. No functional change. Signed-off-by: Edwin Török <[email protected]> Signed-off-by: Christian Lindig <[email protected]>
Backport of 8aa69bb. This required to introduce a Semaphore_vendored to have access to the Counting sub-module. Small wrapper around OCaml's Semaphore module. It doesn't yet use Thread_state to avoid potential performance issues. The semaphore is initialized with a count of 1, and its maximum can be changed at runtime using [set_max] in a safe way that takes into account threads that already use the semaphore: we store the current max in the record and call [acquire] or [release] the appropriate number of times to make it match the new desired max. This always works, even if there are threads currently using the semaphore: if we decrease it below max then 'set_max' will block until sufficient number of threads have released the semaphore. [set_max] will be useful for implementing the semaphore maximum value as a datamodel field, and won't require restarting XAPI to change it. Even reading this value from a config file would be difficult otherwise because the semaphore needs to be initialized with a count at the time it is created, which is before any configuration files are read. No functional change. Signed-off-by: Edwin Török <[email protected]> Signed-off-by: Christian Lindig <[email protected]>
Backport of 4903400 The default count is still 1, so the behaviour is equivalent to Mutex. Internally Semaphore uses a Mutex + Condition and its performance is very similar to Mutex. No functional change. Signed-off-by: Edwin Török <[email protected]> Signed-off-by: Christian Lindig <[email protected]>
We are backporting this from the master branch but are taking the changes to the datamodel that allows to adjust thread counts at runtime. Instead, we create a fixed number upon creation. Signed-off-by: Christian Lindig <[email protected]>
Signed-off-by: Christian Lindig <[email protected]>
psafont
reviewed
Mar 4, 2024
Comment on lines
+29
to
+30
| let with_lock = Xapi_stdext_threads.Threadext.Mutex.execute | ||
|
|
There was a problem hiding this comment.
This binding isn't needed, all the users were changed to semaphores
psafont
approved these changes
Mar 4, 2024
|
The vendored module can't be located, easiest thing is probably to move it to ocaml/xapi |
|
Sorry - I pushed to the wrong branch. This needs still reviewing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We are backporting a list of commits from master but drop the changes to the datamodel and instead use a hard-coded value.