Hash namespace+proxy ID when creating socket path#17204
Merged
Conversation
github-actions
Bot
added
the
theme/cli
freddygv
force-pushed
the
cc-4929-cap-socket-path
branch
2 times, most recently
from
f00ccd3 to
4616e69
Compare
freddygv
added
the
pr/no-changelog
freddygv
force-pushed
the
cc-4929-cap-socket-path
branch
from
4616e69 to
6849c65
Compare
freddygv
commented
May 8, 2023
Achooo
reviewed
May 8, 2023
Contributor
There was a problem hiding this comment.
this makes sense, based on my napkin math:
- sha1 output => 160 bits => 20 bytes
- base64 => 4*20/3 = 26.6 so 27 bytes but round up to multiple of 4 => 28
So 104 - (5+28) = 71 , where:
- 28 is file name length
- 5 is extension length
So we have 71 chars remaining for the dir length
Achooo
approved these changes
May 8, 2023
freddygv
requested review from
a team,
kyhavlov and
ndhanushkodi
and removed request for
a team
ndhanushkodi
approved these changes
May 9, 2023
UNIX domain socket paths are limited to 104-108 characters, depending on the OS. This limit was quite easy to exceed when testing the feature on Kubernetes, due to how proxy IDs encode the Pod ID eg: metrics-collector-59467bcb9b-fkkzl-hcp-metrics-collector-sidecar-proxy To ensure we stay under that character limit this commit makes a couple changes: - Use a b64 encoded SHA1 hash of the namespace + proxy ID to create a short and deterministic socket file name. - Add validation to proxy registrations and proxy-defaults to enforce a limit on the socket directory length.
freddygv
force-pushed
the
cc-4929-cap-socket-path
branch
from
158be9c to
7bb0dcf
Compare
4 tasks
freddygv
added a commit
that referenced
this pull request
May 9, 2023
UNIX domain socket paths are limited to 104-108 characters, depending on the OS. This limit was quite easy to exceed when testing the feature on Kubernetes, due to how proxy IDs encode the Pod ID eg: metrics-collector-59467bcb9b-fkkzl-hcp-metrics-collector-sidecar-proxy To ensure we stay under that character limit this commit makes a couple changes: - Use a b64 encoded SHA1 hash of the namespace + proxy ID to create a short and deterministic socket file name. - Add validation to proxy registrations and proxy-defaults to enforce a limit on the socket directory length.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
UNIX domain socket paths are limited to 104-108 characters depending on the OS. This limit was quite easy to exceed when testing the feature on Kubernetes, due to how proxy IDs encode the Pod ID eg:
metrics-collector-59467bcb9b-fkkzl-hcp-metrics-collector-sidecar-proxyTo ensure we stay under the lower 104 character limit this commit makes a couple changes:
Testing & Reproduction steps
PR Checklist