[ca] Limit the size of the response back from the external CA#2300
Merged
aaronlehmann merged 1 commit intomoby:masterfrom Jul 7, 2017
Merged
[ca] Limit the size of the response back from the external CA#2300aaronlehmann merged 1 commit intomoby:masterfrom
aaronlehmann merged 1 commit intomoby:masterfrom
Conversation
Collaborator
|
LGTM Is there a similar issue when a new node downloads the root certificate over gRPC without any authentication? |
Codecov Report
@@ Coverage Diff @@
## master #2300 +/- ##
=========================================
- Coverage 61.08% 61% -0.09%
=========================================
Files 128 128
Lines 20549 20550 +1
=========================================
- Hits 12553 12536 -17
- Misses 6615 6643 +28
+ Partials 1381 1371 -10 |
Contributor
Author
|
@aaronlehmann It looks like GRPC by default limits the maximum message size to 4MB?
If I'm understanding this correctly, that should limit the response size to 4MB. |
Collaborator
|
Ok, I think this is ready to merge, but let me ping @riyazdf for an extra review. |
riyazdf
approved these changes
Jul 7, 2017
ca/external.go
Outdated
| "sync" | ||
| "time" | ||
|
|
||
| "io" |
There was a problem hiding this comment.
super nit: this is odd in its own block
Contributor
Author
There was a problem hiding this comment.
Ah yeah, goimport doesn't always put stuff with other blocks. Thanks!
ca/external.go
Outdated
| // While there is no upper limit on the length of certificate chains, long chains are impractical. | ||
| // To be conservative, and to also account for external CA certificate responses in JSON format | ||
| // from CFSSL, we'll set the max to be 256KiB. | ||
| CertificateMaxSize int64 = 1 << 18 |
There was a problem hiding this comment.
👍 on size. Wondering if 256 << 10 is more readable but this is fine as-is
Contributor
Author
There was a problem hiding this comment.
Agree, much more readable.
4baff73 to
693c9da
Compare
Collaborator
|
I think a rebase will fix the CI problem. |
Signed-off-by: Ying Li <ying.li@docker.com>
693c9da to
4f02b92
Compare
This was referenced Jul 11, 2017
andrewhsu
pushed a commit
to docker-archive/docker-ce
that referenced
this pull request
Jul 14, 2017
- moby/swarmkit#2266 (support for templating Node.Hostname in docker executor) - moby/swarmkit#2281 (change restore action on objects to be update, not delete/create) - moby/swarmkit#2285 (extend watch queue with timeout and size limit) - moby/swarmkit#2253 (version-aware failure tracking in the scheduler) - moby/swarmkit#2275 (update containerd and port executor to container client library) - moby/swarmkit#2292 (rename some generic resources) - moby/swarmkit#2300 (limit the size of the external CA response) - moby/swarmkit#2301 (delete global tasks when the node running them is deleted) Minor cleanups, dependency bumps, and vendoring: - moby/swarmkit#2271 - moby/swarmkit#2279 - moby/swarmkit#2283 - moby/swarmkit#2282 - moby/swarmkit#2274 - moby/swarmkit#2296 (dependency bump of etcd, go-winio) Signed-off-by: Ying Li <ying.li@docker.com> Upstream-commit: 4509a00 Component: engine
silvin-lubecki
pushed a commit
to silvin-lubecki/docker-ce
that referenced
this pull request
Feb 3, 2020
- moby/swarmkit#2281 - fixes an issue where some cluster updates could be missed if a manager receives a catch-up snapshot from another manager - moby/swarmkit#2300 - fixes a possible memory issue if an external CA sends an overlarge response Signed-off-by: Ying <ying.li@docker.com>
silvin-lubecki
pushed a commit
to silvin-lubecki/engine-extract
that referenced
this pull request
Feb 3, 2020
- moby/swarmkit#2281 - fixes an issue where some cluster updates could be missed if a manager receives a catch-up snapshot from another manager - moby/swarmkit#2300 - fixes a possible memory issue if an external CA sends an overlarge response Signed-off-by: Ying <ying.li@docker.com>
silvin-lubecki
pushed a commit
to silvin-lubecki/engine-extract
that referenced
this pull request
Mar 10, 2020
- moby/swarmkit#2281 - fixes an issue where some cluster updates could be missed if a manager receives a catch-up snapshot from another manager - moby/swarmkit#2300 - fixes a possible memory issue if an external CA sends an overlarge response Signed-off-by: Ying <ying.li@docker.com>
silvin-lubecki
pushed a commit
to silvin-lubecki/engine-extract
that referenced
this pull request
Mar 16, 2020
- moby/swarmkit#2266 (support for templating Node.Hostname in docker executor) - moby/swarmkit#2281 (change restore action on objects to be update, not delete/create) - moby/swarmkit#2285 (extend watch queue with timeout and size limit) - moby/swarmkit#2253 (version-aware failure tracking in the scheduler) - moby/swarmkit#2275 (update containerd and port executor to container client library) - moby/swarmkit#2292 (rename some generic resources) - moby/swarmkit#2300 (limit the size of the external CA response) - moby/swarmkit#2301 (delete global tasks when the node running them is deleted) Minor cleanups, dependency bumps, and vendoring: - moby/swarmkit#2271 - moby/swarmkit#2279 - moby/swarmkit#2283 - moby/swarmkit#2282 - moby/swarmkit#2274 - moby/swarmkit#2296 (dependency bump of etcd, go-winio) Signed-off-by: Ying Li <ying.li@docker.com> Upstream-commit: 4509a00 Component: engine
silvin-lubecki
pushed a commit
to silvin-lubecki/engine-extract
that referenced
this pull request
Mar 23, 2020
- moby/swarmkit#2281 - fixes an issue where some cluster updates could be missed if a manager receives a catch-up snapshot from another manager - moby/swarmkit#2300 - fixes a possible memory issue if an external CA sends an overlarge response Signed-off-by: Ying <ying.li@docker.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Clean up some of the external CA signing code.