diff options
| author | Andrew Moss <1043609+amoss@users.noreply.github.com> | 2019-10-24 20:44:56 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-24 20:44:56 +0200 |
| commit | 01aaa909393a48d9db83c22dc95fffdd1cc074c9 (patch) | |
| tree | 5ee12b67a8a570c3c5f009243cde336e4650c974 /registry | |
| parent | 88f966593abc5c7888e7c0be83780a97d4326ac2 (diff) | |
Fixing DNS-lookup performance issue on FreeBSD. (#7132)
Our default configuration includes:
allow connections from = localhost *
allow management from = localhost
The problem occurs when a connection is received that passes the `allow connections` pattern
match, but fails the ACL check for `allow management`. During the failure processing path the
DNS lookup is triggered to allow the FQDN to be checked against the pattern. On a FreeBSD
system this lookup fails more slowly than linux and causes a visible performance problem
during stress-testing.
The fix adds a heuristic to analyse the patterns and determine if it is possible to match a DNS name,
or only match a numeric IP address (either IPv4 or IPv6), or only match a constant value. This
heuristic is used to disable the DNS checks when they cannot produce anything that may match
the pattern. Each heuristic is evaluated once, when the configuration is loaded, not per-connection to the agent.
Because the heuristic is not exact it can be overridden using the new config options for each of the ACL connection filters to set it to "yes", "no" or "heuristic". The default for everything *except* the netdata.conf ACL is "heuristic". Because of the numeric-patterns in the netdata.conf ACL the default is set to "no".
Diffstat (limited to 'registry')
| -rw-r--r-- | registry/README.md | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/registry/README.md b/registry/README.md index f852809bec..205937ba40 100644 --- a/registry/README.md +++ b/registry/README.md @@ -122,6 +122,23 @@ Netdata v1.9+ support limiting access to the registry from given IPs, like this: Keep in mind that connections to Netdata API ports are filtered by `[web].allow connections from`. So, IPs allowed by `[registry].allow from` should also be allowed by `[web].allow connection from`. +The patterns can be matches over IP addresses or FQDN of the host. +In order to check the FQDN of the connection without opening the Netdata agent to DNS-spoofing, a reverse-dns record +must be setup for the connecting host. At connection time the reverse-dns of the peer IP address is resolved, and +a forward DNS resolution is made to validate the IP address against the name-pattern. + +Please note that this process can be expensive on a machine that is serving many connections. The behaviour of +the pattern matching can be controlled with the following setting: +``` +[registry] + allow by dns = heuristic +``` + +The settings are: +* `yes` allows the pattern to match DNS names. +* `no` disables DNS matching for the patterns (they only match IP addresses). +* `heuristic` will estimate if the patterns should match FQDNs by the presence or absence of `:`s or alpha-characters. + ### Where is the registry database stored? `/var/lib/netdata/registry/*.db` |