New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP 503 MISP to PyMISP client #3305
Comments
Please note that HTTP is a connectionless protocol. I don’t think the python requests library (that pymisp uses) keeps the connection open at all (using HTTP 1.1 keep-alive). So the only server resource you are using when not making an actual request is an entry in the CakePHP session table. |
Thx... Good point. So that eliminates item 4 in #3305 (comment) |
Could you check the error.log output when a 503 happens? |
Also, please share the script that you are using.
does this mean you try to simultaneously run 500 of threads with add_hashes? |
I've tested on two hosts. The ingestion runs through a set of events, creating events, tags, and attributes as per the feed input (i.e. it's not exclusively
In both cases, the 503 occurs frequently. Are there any suggested tuning parameters to play with to help with this load issue, e.g. with the server-side MISP, Apache, MariaDB, PHP, OS; or on the client-side; etc.? Thanks!! |
In reply to #3305 (comment) Nothing in the |
I tried reducing threads active from 32 to 8 on the 32-cpu host and still get 503s. Then tried running the ingestion single-threaded, and also got 503s. Also, ran |
In looking through my log file, for every reported 503, I notice a one minute lag between
|
Please share the script that you are using. Without seeing what you're actually doing and being able to reproduce it, we cannot do much to help you. From the error you've pasted, it looks like cakephp simply forwarded an error from php. There are a host of different reasons this could happen, but so far we can't do much with the provided information. |
Let me try to reproduce with a simpler, smaller script, and then I'll share that. Thanks. |
Thank you |
I've been able to reproduce the 503s with this test script on a VM and also an IBM-3650. Instructions for use:
|
I've been trying to reproduce it but sadly I could only test it on my puny laptop - setting it to 16 threads will not actually use that many on my dual core i7 ;) So I can't reproduce it given the above, however, something I've been curious about - what session handler are you using? Are you using php sessions in MISP and redis sessions in php.ini? If not that could cause the issue you're seeing. |
Can you help me find these settings please? I didn't do the config, but can check with that person when he gets here. In the meantime...
In
And I do see |
Btw, the test code I uploaded is not using threads (as my true code is) -- it's just separate processes started by that |
I'm told that we are using whatever the defaults were for the settings. Awaiting your next steps. Thanks Andras... really appreciate all your help as we are about to deploy our first MISP next week. |
From the serversetting description:
|
ok, we will reconfig and restest. thanks! what's the URL that describers the serversettings? |
It should be in |
OK, so someone configuring should really pay special attention to each and every description in the WebUI Settings -OR- is there also a document serves a guide also? |
Basically yeah, especially the critical settings should be read carefully and configured. |
Is there an admin guide giving more details for the various settings? Any documentation providing more details of the various settings and their effects would be extremely helpful. Thanks in advance. |
We made those 2 setting changes in
And restarted redis, httpd, and the workers. My test script (with 16 procs) is still throwing 503s )-: |
Is there any way to determine root cause for the 503? Does MISP server-side code have any way to determine that? E.g. is it Apache itself, or the db, or...? |
I've just got my new laptop, will have it set up over the weekend, can then test with twice as many threads (or throw it on my home desktop to test with 12 threads at least...) |
In the meantime, so you can get your work done, please try running the script with less processes in parallel (3-4 instead of 16), thanks. |
A + R... My current hypothesis is that the 503 is triggered by the rate of new My loose basis for this is that if I disable the creation of new Likewise, in my real app, which uses threads, if I adjust my thread start scheduler to increase wait time for starting new threads from 0.1 to 1.0 seconds, I am not seeing 503s (for smaller batches; still need to test larger datasets). So, could this be this rapid fire 3-HTTP-transactions-per new I'd also be curious if there is some method to determine the root cause for the 503s to prove/disprove this hypothesis or lead us to another. Thx!! ...M |
Btw, after I complete my
You may recall #3264 with the |
Further testing, and cannot get a clean run without 503s. I hope you are able to reproduce and try to isolate root cause. At this point, I'm not sure what's causing these 503s. HELP!!! Even when running single-threaded and sleeping 1 second between processing each event (although an event can have lots of attributes), I see 503s. Do I need to put a sleep before every |
Anything new to report here? |
update: nothing works to eliminate 503s so far. keep in mind this is not a threading issue, as we get 503s without threads. if you'd like us to try php not with fpm, please tell me how. thx. |
Ping |
Andras... interesting update. I disabled calls to So, how does this play into what you think is triggering the 503s? And does this data point help in finding some solution that will allow me to start using Thanks!! |
Let's close this issue. Although HTTP 503s persist, separate, more specific issues have been spun out from here:
|
With the refactoring of the API wondering if the issues I encountered with running an PyMISP feed ingestion app multi-threaded as per details above yielding HTTP 503s, might now work? Same for the issue of |
In #3293 (comment) I observed many
HTTP 503
error codes from the MISP server in responses back to requests from a multi-threadedPyMISP
based client.Client performs ingestion of a few thousand events, some with many attributes. The
503
s happen most often withPyMISP.add_hashes()
calls, but have also been seen with a thread's attempt to instantiatepymisp.PyMISP()
.For example, for one ingestion of about 1000 events, about 500
add_hashes()
triggered a503
.The client runs on the same server as MISP. This is an IBM 3650 with 32 cpu cores, and 64GB RAM.
Questions/Brainstorming
Is it correct to assume that the request made with a
503
reply did not transact?Is there a uniform was to handle non
200
HTTP responses inPyMISP
clients?Is there a limit to the number of active MISP client connections that might be causing the
503
s?Each new thread instantiates a
PyMISP
. Is there any call that will drop the connection before the thread completes and exits to perhaps reduce the number of active connections?I've not seen an errors in the
error.log
nor entries indebug.log
when a503
occurs. Is there another way to monitor this condition?Might there be some tuning in MISP, the
PyMISP
client, or perhaps in Apache or the OS, that would help?The text was updated successfully, but these errors were encountered: