K8s Content Cache Charm

Add a juju action to report on top visits by IP

Bug #1916748 reported by Tom Haddon on 2021-02-24

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	K8s Content Cache Charm	Confirmed	Medium	Unassigned

Bug Description

During a potential DoS attack it's useful to quickly retrieve a list of most visits by IP. During a recent issue, an SRE ran the following:

juju run --application content-cache-1ss,content-cache-gs2 -- "awk '/Feb 24 11:/{print \$6}' /var/log/haproxy.log | cut -d ':' -f 1 | sort | uniq -c | sort -rn | head " | pp

This should really be a juju action so it's very obvious and easy for anyone to do this.

Revision history for this message

Haw Loeung (hloeung) wrote on 2021-02-25:

This command would be better as it supports IPv6 as well as includes the sites or listen stanzas being hit:

| awk '/Feb 25 06:/ && $6 !~ /127.0.0.1/ {print $6 " " $8 }' /var/log/haproxy.log | sed -e 's/:[0-9]* / /' | sort | uniq -c | sort -k1 -n -r | head

We also want to replace the date/time "Feb 25 06:" with the last 20 mins or so.

Tom Haddon (mthaddon) on 2021-02-26

Changed in charm-k8s-content-cache:
status:	New → Confirmed
importance:	Undecided → Medium

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.