How to iterate through all Google Cloud KMS keys in an organization without running into read quotas?

I am trying to find out if there are keys which have versions that are older than one year and set their rotation period to 24 hours from now. Unfortunately, each list keyring call counts as a key.read, for which there is a very small quota (~300/min). Is there a way to work around these quotas besides increasing them? I am trying to run this code periodically in a cloud function, so there is a runtime limit such that I cannot just wait for the quota to reset.
import time
from google.cloud import kms_v1

def list_keys(project):
    client = kms_v1.KeyManagementServiceClient()
    # this location list is based on a run of `gcloud kms locations list` and represents where a key could be created
    location_list = ['asia', 'asia-east1', 'asia-east2', 'asia-northeast1', 'asia-northeast2',
                     'asia-south1', 'asia-southeast1', 'australia-southeast1', 'eur4', 'europe',
                     'europe-north1', 'europe-west1', 'europe-west2', 'europe-west3', 'europe-west4',
                     'europe-west6', 'global', 'nam4', 'northamerica-northeast1', 'southamerica-east1',
                     'us', 'us-central1', 'us-east1', 'us-east4', 'us-west1', 'us-west2']
    for location in location_list:
        key_ring_parent = client.location_path(project, location)
        key_ring_list = client.list_key_rings(key_ring_parent)
        for key_ring in key_ring_list:
            # key_ring.name is already the full resource path, so it can be used as the parent directly
            parent = key_ring.name
            for key in client.list_crypto_keys(parent):
                start_time = key.primary.create_time  # need to use primary to get latest version of the key
                now_seconds = int(time.time())
                elapsed = now_seconds - start_time.seconds
                next_rotate_age = (key.next_rotation_time.seconds - now_seconds) + elapsed
                days_elapsed = elapsed / 3600 / 24
                print(key.name, " is this many days old: ", days_elapsed)
                print(key.name, " will be this many days old when it is scheduled to rotate: ", next_rotate_age / 3600 / 24)
                # if the key is a year old set it to rotate tomorrow
                if days_elapsed > 364:
                    new_rotation_time = now_seconds + (3600 * 24)  # 1 day from now because can't set less than 24 hrs notice on certain keys
                    key.next_rotation_time.seconds = new_rotation_time
                    # update_mask.paths is a list of field names to update, not a mapping of values
                    update_mask = {'paths': ['next_rotation_time']}
                    print(client.update_crypto_key(key, update_mask))

Is cloud asset inventory an option? You could run something like
$ gcloud asset export --organization YOUR_ORG_ID \
    --asset_types cloudkms.googleapis.com/CryptoKey \
    --content-type RESOURCE \
    --output-path "gs://YOUR_BUCKET/NEW_FILE"
The output file will contain the full CryptoKey resource for every single key in the organization so you don't need to send a ton of List/Get requests to the KMS API.
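A worked example of the export-based approach, added here by the editor and not code from the answer, the question, or Google: it scans a constructed sample of the newline-delimited JSON that `gcloud asset export --content-type RESOURCE` writes and picks out the keys whose primary version is older than a year, so the scan itself makes no KMS List/Get calls at all. The record layout (`asset_type`, `resource.data` with `primary.createTime` and `nextRotationTime`) is the editor's assumption about the export format, and `find_stale_keys`, `parse_rfc3339` and `SAMPLE_EXPORT` are the example's own names.

```python
"""Find Cloud KMS keys whose primary version is older than a year by reading a
Cloud Asset Inventory export offline, so the scan itself consumes no KMS
List/Get requests (and hence none of the key.read quota)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the newline-delimited JSON that
# `gcloud asset export --content-type RESOURCE` writes (one asset per line).
# Only the fields used below are filled in; the layout is the editor's
# assumption about the export format, not copied from a real export.
SAMPLE_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {   # symmetric key whose primary version is well over a year old
        "name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/app/cryptoKeys/old-key",
        "asset_type": "cloudkms.googleapis.com/CryptoKey",
        "resource": {"data": {
            "name": "projects/demo-proj/locations/us/keyRings/app/cryptoKeys/old-key",
            "purpose": "ENCRYPT_DECRYPT",
            "primary": {"state": "ENABLED", "createTime": "2019-03-01T00:00:00.123456789Z"},
            "nextRotationTime": "2022-03-01T00:00:00Z",
            "rotationPeriod": "94608000s",
        }},
    },
    {   # symmetric key rotated recently
        "name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/app/cryptoKeys/fresh-key",
        "asset_type": "cloudkms.googleapis.com/CryptoKey",
        "resource": {"data": {
            "name": "projects/demo-proj/locations/us/keyRings/app/cryptoKeys/fresh-key",
            "purpose": "ENCRYPT_DECRYPT",
            "primary": {"state": "ENABLED", "createTime": "2020-11-20T00:00:00Z"},
            "nextRotationTime": "2021-11-20T00:00:00Z",
        }},
    },
    {   # asymmetric key: no primary version and no automatic rotation, must be skipped
        "name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/app/cryptoKeys/signing-key",
        "asset_type": "cloudkms.googleapis.com/CryptoKey",
        "resource": {"data": {
            "name": "projects/demo-proj/locations/us/keyRings/app/cryptoKeys/signing-key",
            "purpose": "ASYMMETRIC_SIGN",
        }},
    },
    {   # a key ring record, as seen when more asset types are exported; ignored by type
        "name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/app",
        "asset_type": "cloudkms.googleapis.com/KeyRing",
        "resource": {"data": {"name": "projects/demo-proj/locations/us/keyRings/app"}},
    },
])


def parse_rfc3339(ts):
    """Parse the RFC 3339 UTC timestamps the export uses, ignoring fractional seconds."""
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def find_stale_keys(export_ndjson, now_rfc3339, max_age_days=364, min_notice_hours=24):
    """Return one record per CryptoKey whose primary version is older than
    max_age_days, together with the next_rotation_time the caller would set
    (now + 24h, the minimum notice the question says certain keys require)."""
    now = parse_rfc3339(now_rfc3339)
    proposed = (now + timedelta(hours=min_notice_hours)).strftime("%Y-%m-%dT%H:%M:%SZ")
    stale = []
    for line in export_ndjson.splitlines():
        if not line.strip():
            continue
        asset = json.loads(line)
        if asset.get("asset_type") != "cloudkms.googleapis.com/CryptoKey":
            continue
        data = asset["resource"]["data"]
        primary = data.get("primary")
        if not primary:
            # No primary version: asymmetric/MAC keys, or every version destroyed. Nothing to rotate.
            continue
        age_days = (now - parse_rfc3339(primary["createTime"])).days
        if age_days > max_age_days:
            stale.append({
                "key": data["name"],
                "days_old": age_days,
                "current_next_rotation": data.get("nextRotationTime"),
                "proposed_next_rotation": proposed,
            })
    return stale


if __name__ == "__main__":
    # Only the keys listed here would then need one update_crypto_key call each.
    for hit in find_stale_keys(SAMPLE_EXPORT, "2021-01-01T00:00:00Z"):
        print(hit)
```

With the export feeding the scan, the only KMS API traffic left is one update per key that actually needs a new rotation time, which is a far smaller number than one list call per key ring per location; keys without a primary version are skipped because they have nothing to rotate.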

Having looked into your request, it would seem that it would not be possible to work around the quotas besides increasing them.
I would suggest looking at the following documentation:
Resource quotas
Working with Quotas
Quotas and Limits
These documents should provide you with the information you need on quotas.

Related

arrivalRate lower than 1 using Artillery

I am trying to design load tests using Artillery on a computation-heavy API which typically requires at least a few seconds to send a response.
Starting from examples found in the docs, I was able to run some tests such as this one:
config:
  target: "https://example.com/api"
  phases:
    - duration: 60
      arrivalRate: 1
      name: Base case
I'd now like to send requests even slower (e.g. 1 every 5 seconds) but it seems that this cannot be done using the arrivalRate parameter. Is there any way to do it that the docs do not mention?
Thanks in advance!
How can I customize interval time of virtual user creation?
You can do that with arrivalCount which spreads the creation of
virtual users evenly over a period of time (whereas arrivalRate is
always per-second). E.g.:
config:
  phases:
    - duration: 60
      arrivalCount: 12

Can I make flex template jobs take less than 10 minutes before they start to process data?

I am using terraform resource google_dataflow_flex_template_job to deploy a Dataflow flex template job.
resource "google_dataflow_flex_template_job" "streaming_beam" {
  provider                = google-beta
  name                    = "streaming-beam"
  container_spec_gcs_path = module.streaming_beam_flex_template_file[0].fully_qualified_path
  parameters = {
    "input_subscription"    = google_pubsub_subscription.ratings[0].id
    "output_table"          = "${var.project}:beam_samples.streaming_beam_sql"
    "service_account_email" = data.terraform_remote_state.state.outputs.sa.email
    "network"               = google_compute_network.network.name
    "subnetwork"            = "regions/${google_compute_subnetwork.subnet.region}/subnetworks/${google_compute_subnetwork.subnet.name}"
  }
}
It's all working fine; however, without my requesting it, the job seems to be using flexible resource scheduling (flexRS) mode. I say this because the job takes about ten minutes to start and during that time has state=QUEUED, which I think is only applicable to flexRS jobs.
Using flexRS mode is fine for production scenarios however I'm currently still developing my dataflow job and when doing so flexRS is massively inconvenient because it takes about 10 minutes to see the effect of any changes I might make, no matter how small.
In Enabling FlexRS it is stated
To enable a FlexRS job, use the following pipeline option:
--flexRSGoal=COST_OPTIMIZED, where the cost-optimized goal means that the Dataflow service chooses any available discounted resources or
--flexRSGoal=SPEED_OPTIMIZED, where it optimizes for lower execution time.
I then found the following statement:
To turn on FlexRS, you must specify the value COST_OPTIMIZED to allow the Dataflow service to choose any available discounted resources.
at Specifying pipeline execution parameters > Setting other Cloud Dataflow pipeline options
I interpret that to mean that flexrs_goal=SPEED_OPTIMIZED will turn off flexRS mode. However, I changed the definition of my google_dataflow_flex_template_job resource to:
resource "google_dataflow_flex_template_job" "streaming_beam" {
  provider                = google-beta
  name                    = "streaming-beam"
  container_spec_gcs_path = module.streaming_beam_flex_template_file[0].fully_qualified_path
  parameters = {
    "input_subscription"    = google_pubsub_subscription.ratings[0].id
    "output_table"          = "${var.project}:beam_samples.streaming_beam_sql"
    "service_account_email" = data.terraform_remote_state.state.outputs.sa.email
    "network"               = google_compute_network.network.name
    "subnetwork"            = "regions/${google_compute_subnetwork.subnet.region}/subnetworks/${google_compute_subnetwork.subnet.name}"
    "flexrs_goal"           = "SPEED_OPTIMIZED"
  }
}
(note the addition of "flexrs_goal" = "SPEED_OPTIMIZED") but it doesn't seem to make any difference. The Dataflow UI confirms I have set SPEED_OPTIMIZED:
but it still takes too long (9 minutes 46 seconds) for the job to start processing data, and it was in state=QUEUED for all that time:
2021-01-17 19:49:19.021 GMT Starting GCE instance, launcher-2021011711491611239867327455334861, to launch the template.
...
...
2021-01-17 19:59:05.381 GMT Starting 1 workers in europe-west1-d...
2021-01-17 19:59:12.256 GMT VM, launcher-2021011711491611239867327455334861, stopped.
I then tried explicitly setting flexrs_goal=COST_OPTIMIZED just to see if it made any difference, but this only caused an error:
"The workflow could not be created. Causes: The workflow could not be
created due to misconfiguration. The experimental feature
flexible_resource_scheduling is not supported for streaming jobs.
Contact Google Cloud Support for further help. "
This makes sense. My job is indeed a streaming job and the documentation does indeed state that flexRS is only for batch jobs.
This page explains how to enable Flexible Resource Scheduling (FlexRS) for autoscaled batch pipelines in Dataflow.
https://cloud.google.com/dataflow/docs/guides/flexrs
This doesn't solve my problem though. As I said above if I deploy with flexrs_goal=SPEED_OPTIMIZED then still state=QUEUED for almost ten minutes, yet as far as I know QUEUED is only applicable to flexRS jobs:
Therefore, after you submit a FlexRS job, your job displays an ID and a Status of Queued
https://cloud.google.com/dataflow/docs/guides/flexrs#delayed_scheduling
Hence I'm very confused:
Why is my job getting queued even though it is not a flexRS job?
Why does it take nearly ten minutes for my job to start processing any data?
How can I speed up the time it takes for my job to start processing data so that I can get quicker feedback during development/testing?
UPDATE: I dug a bit more into the logs to find out what was going on during those 9 minutes 46 seconds. These two consecutive log messages are 7 minutes 23 seconds apart:
2021-01-17 19:51:03.381 GMT
"INFO:apache_beam.runners.portability.stager:Executing command: ['/usr/local/bin/python', '-m', 'pip', 'download', '--dest', '/tmp/dataflow-requirements-cache', '-r', '/dataflow/template/requirements.txt', '--exists-action', 'i', '--no-binary', ':all:']"
2021-01-17 19:58:26.459 GMT
"INFO:apache_beam.runners.portability.stager:Downloading source distribution of the SDK from PyPi"
Whatever is going on between those two log records is the main contributor to the long time spent in state=QUEUED. Anyone know what might be the cause?
As mentioned in the existing answer, you need to extract the apache-beam modules inside your requirements.txt:
RUN pip install -U apache-beam==<version>
RUN pip install -U -r ./requirements.txt
While developing, I prefer to use DirectRunner, for the fastest feedback.

TICK stack - adding multiple influxdb sources to chronograf / kapacitor

This is my first time posting to stackoverflow, so I apologize in advance if I am not following certain protocols. I will fix and / or expand my question as needed.
I am trying to add 2 different influxdb sources that are hosted on 2 different servers to chronograf kapacitor but I cannot get it working.
Can you connect to 2 different influxdb instances through the UI?
How do you configure kapacitor.conf to read from 2 different influxdb instances?
Through the Chronograf UI I can get either source working correctly but not both at the same time. This seems to be expected through the UI so I must be missing something.
If I set the sources in kapacitor.conf, chronograf does not read from them. There are also no errors in kapacitor logs.
This is my kapacitor.conf influxdb settings that do not work:
[[influxdb]]
enabled = true
default = true
name = "localcluster"
urls = ["http://localhost:8086"]
username = ""
password = ""
timeout = 0
[[influxdb]]
enabled = true
default = false
name = "remoteCluster"
urls = ["http://remotehost:8086"]
username = ""
password = ""
timeout = 0
I have read the documentation and also have the latest TICK stack packages.
I have also searched online and found some references that look like my configuration and are said to work, but they do not seem to work for me.
TICK stack host information:
CentOS Linux release 7.6.1810 (Core)
telegraf-1.9.1-1.x86_64
influxdb-1.7.2-1.x86_64
chronograf-1.7.4-1.x86_64
kapacitor-1.5.1-1.x86_64
Any help would be greatly appreciated.
I got it working but I am not sure if the configuration is recommended:
Add a new InfluxDB connection through the Chronograf web UI.
Do not create another Kapacitor Connection as only one can be active at a time.
In the graph Queries tab, select the new InfluxDB connection from the drop down list.
Metrics from the alternate InfluxDB instance will appear and can be queried.

Play 2.6, URI length exceeds the configured limit of 2048 characters

I am trying to migrate a Play 2.5 version to 2.6.2. I keep getting the URI-length exceeds error. Anyone knows how to override this?
I tried below Akka setting but still no luck.
play.server.akka {
  http.server.parsing.max-uri-length = infinite
  http.client.parsing.max-uri-length = infinite
  http.host-connection-pool.client.parsing.max-uri-length = infinite
  http.max-uri-length = infinite
  max-uri-length = infinite
}
Simply add
akka.http {
  parsing {
    max-uri-length = 16k
  }
}
to your application.conf. The prefix play.server is only used for a small subset of convenience features for Akka-HTTP integration into the Playframework, e.g. play.server.akka.requestTimeout. Those are documented in the Configuring the Akka HTTP server backend documentation.
I was getting the error due to the header length exceeding the default 8 KB (8192). Added the following to build.sbt and it worked for me :D
javaOptions += "-Dakka.http.parsing.max-header-value-length=16k"
You can try similar for uri length if other options don't work
This took me way too long to figure out. It is somehow NOT to be found in the documentation.
Here is a snippet (confirmed working with play 2.8) to put in your application.conf which is also configurable via an environment variable and works for BOTH dev and prod mode:
# Dev Mode
play.akka.dev-mode.akka.http.parsing.max-uri-length = 16384
play.akka.dev-mode.akka.http.parsing.max-uri-length = ${?PLAY_MAX_URI_LENGTH}
# Prod Mode
akka.http.parsing.max-uri-length = 16384
akka.http.parsing.max-uri-length = ${?PLAY_MAX_URI_LENGTH}
You can then edit the config or with an already deployed application just set PLAY_MAX_URI_LENGTH and it is dynamically configurable without the need to modify commandline arguments.
env PLAY_MAX_URI_LENGTH=16384 sbt run
If anyone is getting this type of error in the Chrome browser when trying to access a site or log in [HTTP header value exceeds the configured limit of 8192 characters], go to Chrome Settings -> Security and Privacy -> Site Settings, View permissions and data stored across sites.
Search for the specific website and on that site do Clear all data.

How does sqlcounter/data limit in Freeradius 3 work?

I have my captive portal environment set up using pfSense 2.3.4 with Freeradius 3.0.13 hosted on a Raspberry Pi 3 Model B with Raspbian Jessie. Authentication and everything is working as expected, but I can't get the sql counter for volume limit to work.
According to the documentation there are only examples of how to set a max session time or daily usage (in time), but nothing for limiting the volume.
Have added this custom function in the sqlcounter file:
sqlcounter totalbytecounter {
    sql_module_instance = sql
    dialect = mysql
    counter_name = Max-Volume
    check_name = Acct-Output-Octets
    reply_name = Session-Timeout
    key = User-Name
    reset = never
    query = "SELECT ((SUM(`acctinputoctets`)+SUM(`acctoutputoctets`))) FROM radacct WHERE `username`='%{${key}}'"
}
But debug says
(34) totalbytecounter: WARNING: Couldn't find check attribute, control:Acct-Output-Octets, doing nothing...
Anyone that can help me in the right direction? Thanks!
You need to provide a value for control:Acct-Output-Octets for the module to check against.
That can be in unlang with
update control {
    Acct-Output-Octets := 1024
}
or in the users file with
<username> Acct-Output-Octets := 1024
or as an entry in the radcheck table.