Receive: add per request limits for remote write #5527

Merged
Commits (27); the diff below shows the changes from one selected commit.
0dbf4ec
Add per request limits for remote write
douglascamata Jul 20, 2022
9ac2340
Remove useless TODO item
douglascamata Jul 20, 2022
7995468
Refactor write request limits test
douglascamata Jul 21, 2022
87cef59
Add write concurrency limit to Receive
douglascamata Jul 21, 2022
6cd031c
Change write limits config option name
douglascamata Jul 21, 2022
83ab7ca
Document remote write concurrency limit
douglascamata Jul 21, 2022
a6addd3
Merge branch 'main' of https://github.com/thanos-io/thanos into dougl…
douglascamata Jul 21, 2022
ab7fd37
Add changelog entry
douglascamata Jul 21, 2022
e836893
Format docs
douglascamata Jul 21, 2022
3240f69
Extract request limiting logic from handler
douglascamata Jul 21, 2022
1f38552
Add copyright header
douglascamata Jul 21, 2022
77a404b
Add a TODO for per-tenant limits
douglascamata Jul 22, 2022
d00ea15
Add default value and hide the request limit flags
douglascamata Jul 22, 2022
2400aac
Improve TODO comment in request limits
douglascamata Jul 22, 2022
510248a
Update Receive docs after flags were made hidden
douglascamata Jul 22, 2022
b8943a0
Add note about WIP in Receive request limits doc
douglascamata Jul 22, 2022
7f5c41b
Fix typo in Receive docs
douglascamata Jul 25, 2022
7071c22
Fix help text for concurrent request limit
douglascamata Jul 25, 2022
2cd1014
Use byte unit helpers for improved readability
douglascamata Jul 25, 2022
8561400
Removed check for nil writeGate
douglascamata Jul 25, 2022
7efee5e
Better organize linebreaks
douglascamata Jul 25, 2022
42d9f49
Fix help text for limits hit metric
douglascamata Jul 27, 2022
a98bcc3
Apply some english feedback
douglascamata Jul 27, 2022
cc83217
Improve limits & gates documentation
douglascamata Jul 28, 2022
a9b5529
Fix import clause
douglascamata Jul 28, 2022
58d362b
Use a 3 node hashring for write limits test
douglascamata Jul 28, 2022
003d9aa
Fix comment
douglascamata Aug 1, 2022
51 changes: 35 additions & 16 deletions cmd/thanos/receive.go
@@ -198,22 +198,25 @@ func runReceive(
)
writer := receive.NewWriter(log.With(logger, "component", "receive-writer"), dbs)
webHandler := receive.NewHandler(log.With(logger, "component", "receive-handler"), &receive.Options{
Writer: writer,
ListenAddress: conf.rwAddress,
Registry: reg,
Endpoint: conf.endpoint,
TenantHeader: conf.tenantHeader,
TenantField: conf.tenantField,
DefaultTenantID: conf.defaultTenantID,
ReplicaHeader: conf.replicaHeader,
ReplicationFactor: conf.replicationFactor,
RelabelConfigs: relabelConfig,
ReceiverMode: receiveMode,
Tracer: tracer,
TLSConfig: rwTLSConfig,
DialOpts: dialOpts,
ForwardTimeout: time.Duration(*conf.forwardTimeout),
TSDBStats: dbs,
Writer: writer,
ListenAddress: conf.rwAddress,
Registry: reg,
Endpoint: conf.endpoint,
TenantHeader: conf.tenantHeader,
TenantField: conf.tenantField,
DefaultTenantID: conf.defaultTenantID,
ReplicaHeader: conf.replicaHeader,
ReplicationFactor: conf.replicationFactor,
RelabelConfigs: relabelConfig,
ReceiverMode: receiveMode,
Tracer: tracer,
TLSConfig: rwTLSConfig,
DialOpts: dialOpts,
ForwardTimeout: time.Duration(*conf.forwardTimeout),
TSDBStats: dbs,
WriteSeriesLimit: conf.writeSeriesLimit,
WriteSamplesLimit: conf.writeSamplesLimit,
WriteRequestSizeLimit: conf.writeRequestSizeLimit,
})

grpcProbe := prober.NewGRPC()
@@ -763,6 +766,10 @@ type receiveConfig struct {

reqLogConfig *extflag.PathOrContent
relabelConfigPath *extflag.PathOrContent

writeSeriesLimit int
writeSamplesLimit int
writeRequestSizeLimit int
}

func (rc *receiveConfig) registerFlag(cmd extkingpin.FlagClause) {
@@ -853,6 +860,18 @@ func (rc *receiveConfig) registerFlag(cmd extkingpin.FlagClause) {
Default("false").Hidden().BoolVar(&rc.allowOutOfOrderUpload)

rc.reqLogConfig = extkingpin.RegisterRequestLoggingFlags(cmd)

cmd.Flag("receive.request-limits.max-series",
"The maximum amount of series accepted in remote write requests.").
Default("0").IntVar(&rc.writeSeriesLimit)

cmd.Flag("receive.request-limits.max-samples",
"The maximum amount of samples accepted in remote write requests.").
Default("0").IntVar(&rc.writeSamplesLimit)

cmd.Flag("receive.request-limits.max-size-bytes",
"The maximum size (in bytes) of remote write requests.").
Default("0").IntVar(&rc.writeRequestSizeLimit)
Contributor: Do we want to support limits on the tenant level?

Author (douglascamata): Yup, this is something that I plan to add as a follow-up. I am also talking with @saswatamcode, because his active series work will also need different per-tenant limits. We will propose that all the limits be configured via a YAML file to make it simpler.

Contributor: So I am curious: if we are going the per-tenant-limit route, do we still want to keep these flags in this PR? Would they act as the default values when no limit is explicitly configured in the config file?

Author (douglascamata): Good question, @yeya24. I would prefer to have everything in the same place, the file. But defining the default value quickly through CLI args seems convenient too. I have no strong opinion on this.

We could support both the CLI and the file for the default limit and document that one of them takes priority over the other.
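
As a rough illustration of the file-based, per-tenant limits discussed above (a sketch only: none of these types, field names, or YAML keys exist in this PR, and the follow-up design had not been settled at this point), the configuration could be modeled along these lines in Go:

```go
// Hypothetical sketch of a file-based write-limits configuration.
// All names here are invented for illustration; this is not Thanos code.
type writeLimitsConfig struct {
    // Defaults apply to any tenant without an explicit override.
    Defaults requestLimits `yaml:"default"`
    // Tenants maps a tenant ID to limits that override the defaults.
    Tenants map[string]requestLimits `yaml:"tenants"`
}

type requestLimits struct {
    SizeBytesLimit int64 `yaml:"size_bytes_limit"`
    SeriesLimit    int64 `yaml:"series_limit"`
    SamplesLimit   int64 `yaml:"samples_limit"`
}

// limitsFor returns the limits for a tenant, falling back to the defaults.
func (c *writeLimitsConfig) limitsFor(tenant string) requestLimits {
    if l, ok := c.Tenants[tenant]; ok {
        return l
    }
    return c.Defaults
}
```

CLI flags like the ones added in this hunk could then feed the default values, with the file taking priority, as suggested in the thread.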

}

// determineMode returns the ReceiverMode that this receiver is configured to run in.
23 changes: 23 additions & 0 deletions docs/components/receive.md
@@ -77,6 +77,29 @@ The example content of `hashring.json`:

With such a configuration, any Receive node listens for remote write on `<ip>:10908/api/v1/receive` and will forward requests to the correct node in the hashring if needed for tenancy and replication.

## Limiting

### Request limits

Thanos Receive supports setting limits on incoming remote write requests. These
limits help prevent a single tenant from sending requests large enough to crash
the Receive instance.

These limits are applied per request and can be configured with the following
command line arguments:

- `--receive.request-limits.max-size-bytes`: the maximum body size.
- `--receive.request-limits.max-series`: the maximum number of series in a single
  remote write request.
- `--receive.request-limits.max-samples`: the maximum number of samples in a single
  remote write request (summed across all series).

Any request above these limits will cause a 413 HTTP response (_Entity Too Large_)
and should not be retried without modifications. It is up to remote write clients to
split up the data and retry, or to drop it entirely.

By default, all these limits are disabled.
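
As an illustration (the values below are arbitrary examples, not recommended defaults and not part of this PR's docs), the three flags could be combined like this:

```
thanos receive \
  --receive.request-limits.max-size-bytes=1048576 \
  --receive.request-limits.max-series=1000 \
  --receive.request-limits.max-samples=10000
```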

## Flags

```$ mdox-exec="thanos receive --help"
103 changes: 80 additions & 23 deletions pkg/receive/handler.go
@@ -83,22 +83,25 @@ var (

// Options for the web Handler.
type Options struct {
Writer *Writer
ListenAddress string
Registry *prometheus.Registry
TenantHeader string
TenantField string
DefaultTenantID string
ReplicaHeader string
Endpoint string
ReplicationFactor uint64
ReceiverMode ReceiverMode
Tracer opentracing.Tracer
TLSConfig *tls.Config
DialOpts []grpc.DialOption
ForwardTimeout time.Duration
RelabelConfigs []*relabel.Config
TSDBStats TSDBStats
Writer *Writer
ListenAddress string
Registry *prometheus.Registry
TenantHeader string
TenantField string
DefaultTenantID string
ReplicaHeader string
Endpoint string
ReplicationFactor uint64
ReceiverMode ReceiverMode
Tracer opentracing.Tracer
TLSConfig *tls.Config
DialOpts []grpc.DialOption
ForwardTimeout time.Duration
RelabelConfigs []*relabel.Config
TSDBStats TSDBStats
WriteSeriesLimit int
WriteSamplesLimit int
WriteRequestSizeLimit int
}

// Handler serves a Prometheus remote write receiving HTTP endpoint.
@@ -120,8 +123,11 @@ type Handler struct {
replications *prometheus.CounterVec
replicationFactor prometheus.Gauge

writeSamplesTotal *prometheus.HistogramVec
writeTimeseriesTotal *prometheus.HistogramVec
writeSamplesTotal *prometheus.HistogramVec
writeTimeseriesTotal *prometheus.HistogramVec
writeSamplesLimitHit *prometheus.CounterVec
writeTimeseriesLimitHit *prometheus.CounterVec
writeRequestSizeLimitHit *prometheus.CounterVec
}

func NewHandler(logger log.Logger, o *Options) *Handler {
@@ -183,6 +189,30 @@ func NewHandler(logger log.Logger, o *Options) *Handler {
Buckets: []float64{10, 50, 100, 500, 1000, 5000, 10000},
}, []string{"code", "tenant"},
),
writeSamplesLimitHit: promauto.With(registerer).NewCounterVec(
prometheus.CounterOpts{
Namespace: "thanos",
Subsystem: "receive",
Help: "The number of times a request was refused due to hitting the samples limit.",
Name: "write_samples_limit_hit_total",
}, []string{"tenant"},
),
writeTimeseriesLimitHit: promauto.With(registerer).NewCounterVec(
prometheus.CounterOpts{
Namespace: "thanos",
Subsystem: "receive",
Help: "The number of times a request was refused due to hitting the series limit.",
Name: "write_series_limit_hit_total",
}, []string{"tenant"},
),
writeRequestSizeLimitHit: promauto.With(registerer).NewCounterVec(
prometheus.CounterOpts{
Namespace: "thanos",
Subsystem: "receive",
Help: "The number of times a request was refused due to hitting the request size limit.",
Name: "write_request_size_limit_hit_total",
}, []string{"tenant"},
),
}

h.forwardRequests.WithLabelValues(labelSuccess)
@@ -401,6 +431,14 @@ func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
// Since this is receive hot path, grow upfront saving allocations and CPU time.
compressed := bytes.Buffer{}
if r.ContentLength >= 0 {
// If the content length is known, we can reject the request based on the
// max size limit here already and avoid growing the buffer.
sizeLimit := int64(h.options.WriteRequestSizeLimit)
Member: I wonder if we can isolate the limiting logic into a dedicated function (apart from h.writeGate) and use that in receiveHTTP, maybe a function like requestUnderLimit that takes the request as an argument and returns the parsed request and a bool.

As these are a lot of ifs that would run every time a remote write request is received, benchmarking this logic would be nice! A separate requestUnderLimit function would allow this. 🙂

Author (douglascamata): Let me see what I can do to isolate the logic. 👍

I have no worries regarding the ifs: they should add such a tiny amount of time to the handler's execution that a benchmark would show mostly noise. Most of the time spent in the limiting logic will be the metrics increment and writing the error response back.

If others also worry about this, I can try to work out a benchmark and see whether it's useful.
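
A minimal sketch of the kind of extraction being suggested, reusing the options and metrics introduced in this diff. This only illustrates the reviewer's idea, not the refactor that later landed in the "Extract request limiting logic from handler" commit; the function name and signature follow the suggestion above.

```go
// requestUnderLimit reports whether the decoded write request is within the
// configured per-request limits. When a limit is exceeded it increments the
// matching counter, writes an HTTP 413, and returns false.
func (h *Handler) requestUnderLimit(w http.ResponseWriter, tenant string, wreq *prompb.WriteRequest) bool {
    if limit := h.options.WriteSeriesLimit; limit > 0 && len(wreq.Timeseries) > limit {
        h.writeTimeseriesLimitHit.WithLabelValues(tenant).Inc()
        http.Error(w, "too many timeseries", http.StatusRequestEntityTooLarge)
        return false
    }
    totalSamples := 0
    for _, ts := range wreq.Timeseries {
        totalSamples += len(ts.Samples)
    }
    if limit := h.options.WriteSamplesLimit; limit > 0 && totalSamples > limit {
        h.writeSamplesLimitHit.WithLabelValues(tenant).Inc()
        http.Error(w, "too many samples", http.StatusRequestEntityTooLarge)
        return false
    }
    return true
}
```

A testing.B benchmark over such a function would then be straightforward to add if the extra branches ever turn out to matter.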

if sizeLimit > 0 && r.ContentLength > sizeLimit {
h.writeRequestSizeLimitHit.WithLabelValues(tenant).Inc()
http.Error(w, "write request too large", http.StatusRequestEntityTooLarge)
return
}
compressed.Grow(int(r.ContentLength))
} else {
compressed.Grow(512)
@@ -410,14 +448,20 @@ func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
http.Error(w, errors.Wrap(err, "read compressed request body").Error(), http.StatusInternalServerError)
return
}

reqBuf, err := s2.Decode(nil, compressed.Bytes())
if err != nil {
level.Error(tLogger).Log("msg", "snappy decode error", "err", err)
http.Error(w, errors.Wrap(err, "snappy decode error").Error(), http.StatusBadRequest)
return
}

sizeLimit := int64(h.options.WriteRequestSizeLimit)
if sizeLimit > 0 && int64(len(reqBuf)) > sizeLimit {
h.writeRequestSizeLimitHit.WithLabelValues(tenant).Inc()
http.Error(w, "write request too large", http.StatusRequestEntityTooLarge)
return
}

// NOTE: Due to zero copy ZLabels, Labels used from WriteRequests keeps memory
// from the whole request. Ensure that we always copy those when we want to
// store them for longer time.
@@ -449,6 +493,23 @@ func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
return
}

seriesLimit := h.options.WriteSeriesLimit
if seriesLimit > 0 && len(wreq.Timeseries) > seriesLimit {
h.writeTimeseriesLimitHit.WithLabelValues(tenant).Inc()
http.Error(w, "too many timeseries", http.StatusRequestEntityTooLarge)
return
}

totalSamples := 0
for _, timeseries := range wreq.Timeseries {
totalSamples += len(timeseries.Samples)
}
samplesLimit := h.options.WriteSamplesLimit
if samplesLimit > 0 && totalSamples > samplesLimit {
Member: Is there a reason for having separate sizeLimit, seriesLimit, and samplesLimit variables here instead of directly using h.options.*Limit? 🙂

Author (douglascamata): They let me make the condition inside the if much shorter and easier to read, no matter your screen's resolution. 😄

h.writeSamplesLimitHit.WithLabelValues(tenant).Inc()
http.Error(w, "too many samples", http.StatusRequestEntityTooLarge)
return
}

// Apply relabeling configs.
h.relabel(&wreq)
if len(wreq.Timeseries) == 0 {
@@ -475,10 +536,6 @@ func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
http.Error(w, err.Error(), responseStatusCode)
}
h.writeTimeseriesTotal.WithLabelValues(strconv.Itoa(responseStatusCode), tenant).Observe(float64(len(wreq.Timeseries)))
totalSamples := 0
for _, timeseries := range wreq.Timeseries {
totalSamples += len(timeseries.Samples)
}
h.writeSamplesTotal.WithLabelValues(strconv.Itoa(responseStatusCode), tenant).Observe(float64(totalSamples))
}

102 changes: 102 additions & 0 deletions pkg/receive/handler_test.go
@@ -690,6 +690,108 @@ func TestReceiveQuorum(t *testing.T) {
}
}

// TODO(douglascamata): continue here
func TestReceiveWriteRequestLimits(t *testing.T) {
Member: Maybe an e2e test could help in understanding some real-world client behavior, e.g. Prometheus or Avalanche. WDYT?

Author (douglascamata): Will add. 👍

Author (douglascamata), Jul 21, 2022: @saswatamcode, actually, what do you mean by "understanding some real-world client behavior, e.g. Prometheus, Avalanche"?

Do you mean, for example, testing that a well-configured Prometheus or Avalanche will retry on a 429? I don't think it's worth adding an e2e test only for this reason. It would mean we're testing Prometheus/Avalanche and not Thanos.

I started working on the e2e tests, and the further I progress on them, the more I think they add no real value beyond what the handler test provides. The only additional value an e2e test adds, as far as I can see, is ensuring that the CLI args are properly passed down to the request-limiting code. Beyond this, the request-limiting code can be tested without an e2e test.

Member: I meant whether it would be useful to see how a hashring behaves with such request limits and multiple tenants. But yes, let's see what the maintainers have to say! Unit tests might be sufficient here. 🙂

Member: Fewer and simpler tests with the same level of verification = better, so I think a unit test will suffice here.

> It means we're testing Prometheus/Avalanche and not Thanos.

In some way yes, but also... are we sure those projects have those tests? 🙃

Anyway, let's investigate/create focused tests in a separate stream of work.

for _, tc := range []struct {
name string
status int
amountSeries int
amountSamples int
appendables []*fakeAppendable
}{
{
name: "Request above limit of series",
status: http.StatusRequestEntityTooLarge,
amountSeries: 21,
appendables: []*fakeAppendable{
{
appender: newFakeAppender(nil, nil, nil),
},
},
},
{
name: "Request under the limit of series",
status: http.StatusOK,
amountSeries: 20,
appendables: []*fakeAppendable{
{
appender: newFakeAppender(nil, nil, nil),
},
},
},
{
name: "Request above limit of samples (series * samples)",
status: http.StatusRequestEntityTooLarge,
amountSeries: 30,
amountSamples: 15,
appendables: []*fakeAppendable{
{
appender: newFakeAppender(nil, nil, nil),
},
},
},
{
name: "Request under the limit of samples (series * samples)",
status: http.StatusOK,
amountSeries: 10,
amountSamples: 2,
appendables: []*fakeAppendable{
{
appender: newFakeAppender(nil, nil, nil),
},
},
},
{
name: "Request above body size limit",
status: http.StatusRequestEntityTooLarge,
amountSeries: 300,
amountSamples: 150,
appendables: []*fakeAppendable{
{
appender: newFakeAppender(nil, nil, nil),
},
},
},
} {
t.Run(tc.name, func(t *testing.T) {
if tc.amountSamples == 0 {
tc.amountSamples = 1
Contributor: What's the reason for this mutation?

Author (douglascamata): This is to have 1 as the default value for the test scenarios that do not explicitly set amountSamples.

}
handlers, _ := newTestHandlerHashring(tc.appendables, 1)
handler := handlers[0]
handler.options.WriteRequestSizeLimit = 1 * 1024 * 1024
handler.options.WriteSamplesLimit = 200
handler.options.WriteSeriesLimit = 20
tenant := "test"

wreq := &prompb.WriteRequest{
Timeseries: []prompb.TimeSeries{},
}

for i := 0; i < tc.amountSeries; i += 1 {
label := labelpb.ZLabel{Name: "foo", Value: "bar"}
series := prompb.TimeSeries{
Labels: []labelpb.ZLabel{label},
}
for j := 0; j < tc.amountSamples; j += 1 {
sample := prompb.Sample{Value: float64(j), Timestamp: int64(j)}
series.Samples = append(series.Samples, sample)
}
wreq.Timeseries = append(wreq.Timeseries, series)
}

// Test that the correct status is returned.
rec, err := makeRequest(handler, tenant, wreq)
if err != nil {
t.Fatalf("handler: unexpectedly failed making HTTP request: %v", err)
}
if rec.Code != tc.status {
t.Errorf("handler: got unexpected HTTP status code: expected %d, got %d; body: %s", tc.status, rec.Code, rec.Body.String())
}
})
}
}

func TestReceiveWithConsistencyDelay(t *testing.T) {
appenderErrFn := func() error { return errors.New("failed to get appender") }
conflictErrFn := func() error { return storage.ErrOutOfBounds }