Fork me on GitHub
#datomic
<
2024-04-11
>
msolli13:04:32

A couple of question about sizing datomic.objectCacheMax on Peers that run as Docker containers: The https://docs.datomic.com/pro/configuration/system-properties.html#peer-properties says the default value is "50% of VM RAM, min 32m". In containers, how is that value computed? Is it from the memory reported by the Docker runtime, which can be limited using resource constrains? Or are we talking about the JVM memory (`-Xmx`/`-XX:MaxRAMPercentage`)?

msolli13:04:45

Is the Object Cache allocated on the Java heap, or off-heap? This matters when configuring the container resource constraints versus the Java heap size.

Joe Lane13:04:08

Xmx, on heap

bhurlow20:04:26

we’re in k8s but basically the same thing, we’re using:

bhurlow20:04:29

-XX:MaxRAMPercentage=80

bhurlow20:04:38

-XX:InitialRAMPercentage=70

bhurlow20:04:06

keep in mind that JVM heap ≠ container memory usage, since java classes are not part of the runtime memory slice

👍 1
bhurlow21:04:19

I think older JVM versions were lacking container memory awareness, but new JVMs are fine

joshkh17:04:25

In the context of Datomic Ions, is there a way to: 1. disable sending the Server: Jetty (<version>) header in the response 2. override the “Ion execution failed” message with a custom one thanks!

Joe Lane17:04:03

Hey @U0H46T23C , can I ask what you’re trying to achieve?

joshkh17:04:40

we’d prefer not to reveal our architecture details

joshkh17:04:27

or more that we’d like to be compliant with our customers 🙂

Joe Lane17:04:32

Are the requests going through the automatically created HTTP API Gateway for ions? Or are you talking about lambda?

joshkh17:04:36

HTTP API Gateway. i think we can map/rewrite the headers and output there, but i thought i’d check to see first if there was a config at the HTTP Direct level. i don’t know of a JVM flag that we could use either.

Joe Lane17:04:39

(Congrats on the customers by the way!)

🚀 1
Joe Lane17:04:21

Let me think about it and get back to you. You may be in “ run your own API Gateway” territory

👍 1
Joe Lane17:04:23

What do your customers want you to respond with in order to be compliant?

joshkh17:04:45

anything other than the server type and version, and the predictable catch-all error message

tvaughan18:04:12

For what it’s worth, this is a request I’ve encountered too way too frequently

Joe Lane18:04:46

"this is a request" wdym? A feature request?

joshkh18:04:29

> You may be in ” run your own API Gateway” territory so a solution here would be to run our own gateway and then rewrite the gateway output?

Joe Lane19:04:22

Yes, for example. Another would be to run your own http server in the VPC under the "apps" security group and do whatever you'd like

tvaughan00:04:30

I mean from enterprise customers. They were spending close to a million dollars on software and service contracts and stipulated that the software had to at least adhere to a checklist of “best practices“ they read somewhere which always included not sending the server name and version

👍 1
mloughlin09:04:51

It's a standard low risk finding in most penetration tests, less exposed info=better

joshkh16:04:11

hi @U0CJ19XAM, just revisiting this briefly. what are the actual conditions in which a 500 Ion execution failed response is produced?

joshkh16:04:43

(by the way, remapping the Server response header via the API Gateway was a success, although tedious because it requires an individual mapping per possible status code)

Joe Lane16:04:44

Happy to hear remapping was successful. I’m not sure off the top of my head all the possible scenarios for that 500 error. Is there something you’re looking for specifically?

joshkh16:04:52

to recap the original problem, we never want to expose the Ion execution failed error message to our users. API Gateway does not support remapping the response body (just headers as far as i can tell), and we don’t want the additional overhead of maintaining a proxy to intercept responses and rewrite them. if we know the conditions that produce the Ions execution error then perhaps we can never produce them.

Joe Lane16:04:31

And you're only concerned about http-direct here?

Joe Lane16:04:05

You should see a 500 error from any uncaught exception encountered while servicing the http-direct handler (which includes decoding the inputstream and encoding the output stream that wrap the http-direct handler-fn you provide) You can identify the cause by looking for "event" messages cast to cloudwatch log group with the :msg of IonHttpDirectException. There should be an attached throwable included on the CW log message.

joshkh18:04:52

thanks a lot Joe, that should be everything we need

👍 1