Skip to content

chore: add ingest request body size limit #4278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 4, 2025
Merged

chore: add ingest request body size limit #4278

merged 5 commits into from
Jul 4, 2025

Conversation

alsoba13
Copy link
Contributor

@alsoba13 alsoba13 commented Jul 2, 2025
edited
Loading

Properly approaches #4275

alsoba13
alsoba13 commented Jul 2, 2025
View reviewed changes
pkg/ingester/pyroscope/ingest_handler.go
err = fmt.Errorf("request body too large: %w", err)
status = http.StatusRequestEntityTooLarge
validation.DiscardedBytes.WithLabelValues(string(validation.BodySizeLimit), tenantID).Add(float64(maxBytesError.Limit))
validation.DiscardedProfiles.WithLabelValues(string(validation.BodySizeLimit), tenantID).Add(float64(1))
Copy link
Contributor Author

@alsoba13 alsoba13 Jul 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For DiscardedProfiles, we don't get to read the body, so I increase it by 1, similarly to ingester.go.

For DiscardedBytes, only increased by Limit, we never get to read the rest of the message so we don't really know how big it was

alsoba13
alsoba13 commented Jul 2, 2025
View reviewed changes
pkg/validation/limits.go
@@ -139,6 +140,7 @@ func (e LimitError) Error() string {
func (l *Limits) RegisterFlags(f *flag.FlagSet) {
f.Float64Var(&l.IngestionRateMB, "distributor.ingestion-rate-limit-mb", 4, "Per-tenant ingestion rate limit in sample size per second. Units in MB.")
f.Float64Var(&l.IngestionBurstSizeMB, "distributor.ingestion-burst-size-mb", 2, "Per-tenant allowed ingestion burst size (in sample size). Units in MB. The burst size refers to the per-distributor local rate limiter, and should be set at least to the maximum profile size expected in a single push request.")
f.Float64Var(&l.IngestionBodyLimitMB, "distributor.ingestion-body-limit-mb", 0, "Per-tenant ingestion body size limit in MB, before decompressing. 0 to disable.")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opted to disable it by default, so we make sure no existing pyroscope starts failing after an update.

@alsoba13 alsoba13 changed the title chore: limit body size for /ingest chore: add ingest request body size limit Jul 2, 2025
@alsoba13 alsoba13 marked this pull request as ready for review July 2, 2025 14:33
@alsoba13 alsoba13 requested review from korniltsev, marcsanmi, aleks-p and a team as code owners July 2, 2025 14:33
aleks-p
aleks-p reviewed Jul 2, 2025
View reviewed changes
Copy link
Contributor

@aleks-p aleks-p left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall.

Does an operator have enough information to act, in case the limit is breached? Would we easily know how often and by how much the limit is breached (e.g., will we see the actual values in the logs)?

Also, #4275 had real-world tests (exercising the actual /ingest path with profiling data). Is it possible we add that here to test the wiring itself?

@alsoba13
Copy link
Contributor Author

alsoba13 commented Jul 3, 2025

Looks good overall.

Does an operator have enough information to act, in case the limit is breached? Would we easily know how often and by how much the limit is breached (e.g., will we see the actual values in the logs)?

Also, #4275 had real-world tests (exercising the actual /ingest path with profiling data). Is it possible we add that here to test the wiring itself?

I'll work on some tests in there, thank you!

With this solution, an operator will only know that the limit was reached. This issue tries to bound the memory and CPU usage for huge incoming messages (typically from malfunctioning clients).
I can rework this to compute the original size by draining the rest of the message once we've hit the limit. Memory will be bounded, but it may still be CPU intensive.

@aleks-p
Copy link
Contributor

aleks-p commented Jul 3, 2025

With this solution, an operator will only know that the limit was reached. This issue tries to bound the memory and CPU usage for huge incoming messages (typically from malfunctioning clients).
I can rework this to compute the original size by draining the rest of the message once we've hit the limit. Memory will be bounded, but it may still be CPU intensive.

Makes sense, lets not add extra work for logging purposes, especially if we don't intend to change this limit frequently.

@alsoba13 alsoba13 merged commit 76a701b into main Jul 4, 2025
24 checks passed
@alsoba13 alsoba13 deleted the alsoba13/distributor-limit-received-msg-size branch July 4, 2025 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aleks-p aleks-p aleks-p approved these changes

@korniltsev korniltsev Awaiting requested review from korniltsev korniltsev is a code owner

@marcsanmi marcsanmi Awaiting requested review from marcsanmi marcsanmi is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alsoba13 @aleks-p