Page MenuHomePhabricator
Create Task
Maniphest T106452

Composer activity from Cloud VPS hosts can be rate limited by GitHub
Open, LowPublic
Actions

Description

Issues like T106339 are caused by GitHub's API rate limiting. The limit for anon access to the GitHub api is 60 requests per IP per hour.

The current rate limit can be checked with curl:

$ curl -sD - https://api.github.com/rate_limit | grep '^X-RateLimit'
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 60
X-RateLimit-Reset: 1437527145

The generic solution to this issue would be to document the process of creating a GitHub auth token and configuring Composer to use it. A possibly nicer solution would be to talk to GitHub and see if we can get a higher limit for the IP address range that is seen by GitHub as the origin of Labs Composer requests.

Details

SubjectRepoBranchLines +/-
jjb: Inject GitHub OAuth token as a default for all jobsintegration/configmaster+226 -102
dockerfiles: [composer-php70] Inject GitHub OAuth token into composer runtimeintegration/configmaster+212 -6
Customize query in gerrit

Related Objects

Event Timeline

bd808 created this task.Jul 22 2015, 12:09 AM
bd808 raised the priority of this task from to Low.
bd808 updated the task description. (Show Details)
bd808 added projects: Cloud-VPS, Composer, Upstream.
bd808 added subscribers: bd808, Jdlrobson, yuvipanda.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptJul 22 2015, 12:09 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Sitic merged a task: T100196: Ask Github nicely to whitelist Tool Labs.Jul 22 2015, 12:59 AM
Sitic added a subscriber: MC8.
yuvipanda added a comment.Jul 22 2015, 12:59 AM

We clearly need someone with the word 'Manager' in their title to ask GitHub.

Jdlrobson added a comment.EditedJul 22 2015, 1:00 AM

@dr0ptp4kt this would be a great use of twitter :)

Jdlrobson set Security to None.Jul 22 2015, 1:01 AM
Jdlrobson added a subscriber: dr0ptp4kt.
bd808 added a comment.Jul 22 2015, 1:05 AM
In T106452#1469572, @yuvipanda wrote:

We clearly need someone with the word 'Manager' in their title to ask GitHub.

What are the CIDRs for our outbound IPv4 traffic? I can certainly send an email or two.

bd808 added a comment.Jul 22 2015, 3:55 PM

Here's an example of the rate limit being exhausted:

$ date; curl -sD - https://api.github.com/rate_limit | grep '^X-RateLimit'
Wed Jul 22 15:52:55 UTC 2015
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1437580844

$ date -d '@1437580844'
Wed Jul 22 16:00:44 UTC 2015

$ curl https://api.ipify.org
208.80.155.255
dr0ptp4kt added a comment.Jul 22 2015, 4:47 PM
In T106452#1469573, @Jdlrobson wrote:

@dr0ptp4kt this would be a great use of twitter :)

@Jdlrobson, got some proposed text?

yuvipanda added a comment.Jul 23 2015, 7:10 PM

@bd808 208.80.155.128/25 is the labs CIDR

bd808 added a comment.Jul 23 2015, 10:09 PM

I sent this to GitHub:

Before I get to whining and asking for favors, thanks for making such a great platform for the FLOSS community.

The Wikimedia Foundation [0] runs a hosting platform for volunteer created projects related to Wikipedia and the rest of the Wikimedia movement projects [1] called Wikimedia Labs [2]. Many of the projects within this hosting environment are PHP applications that make use of Composer. As use of Composer has increased we have had more and more reports of people hitting the GitHub anonymous API rate limit of 60 requests per IP per hour [3].

The outbound addresses of these virtual machines map the the 208.80.155.128/25 CIDR block. Before we try to do something more heroic in the way of end-user education and work arounds, I thought it would be worthwhile to see if it is possible for GitHub to raise the anon API rate limit [4] for requests originating in this particular IP range.

Here's an example of the rate limit being exhausted:

$ date; curl -sD - https://api.github.com/rate_limit | grep '^X-RateLimit'
Wed Jul 22 15:52:55 UTC 2015
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1437580844
$ date -d '@1437580844'
Wed Jul 22 16:00:44 UTC 2015
$ curl https://api.ipify.org
208.80.155.255

[0]: https://wikimediafoundation.org/wiki/Home
[1]: https://wikimediafoundation.org/wiki/Our_projects
[2]: https://wikitech.wikimedia.org/wiki/Help:FAQ
[3]: https://phabricator.wikimedia.org/T106339
[4]: https://developer.github.com/v3/#rate-limiting

Thanks,
Bryan

I'll report back when I hear from them.

bd808 claimed this task.Jul 23 2015, 10:12 PM
bd808 removed bd808 as the assignee of this task.Jul 24 2015, 3:23 PM

GitHub does not have a whitelist capability for anonymous API requests. They suggest that we use authenticated requests to bypass the limitation.

Hi Bryan,

Thanks for reaching out and for the kind words. <3

Currently, we can't offer permanent rate limit increases, especially for anonymous requests, even for a single IP address. The current rate limits help us keep the API fast and reliable for all our users.

However, as you noticed, there's an easy way to get around that 60 reqs/hour limit (which is per IP address) and get a much better 5000 reqs/hour limit (which is per user), and that is by making authenticated requests.

https://developer.github.com/v3/#rate-limiting

Anonymous (unauthenticated) requests are good for drive-by testing but shouldn't be used in production-type environments because you'll hit the rate limit quickly. Most tools, including Composer, which depend on GitHub allow you to pass it a token (which every user can create at https://github.com/settings/tokens/new) which the tool can then use to make authenticated requests. I recommend you consider the same approach for those projects. GitHub accounts are free and easy to create, so there's no roadblock there if you want a better rate limit.

There are some other ways to optimize rate limit usage, such as making conditional requests [1] and using webhooks instead of polling the API [2], so that's something to look into as well.

I hope these notes are helpful and let me know if you have any other questions.

Cheers,
Ivan

[1] https://developer.github.com/v3/#conditional-requests
[2] https://developer.github.com/webhooks/

One thing we could do to help with this would be to add some MediaWiki-Vagrant plugin tooling to prompt the user for a GitHub OAuth token similarly to the prompt we give for Gerrit credentials and then store it in the VM's Composer config file -- composer config -g github-oauth.github.com <oauthtoken>

bd808 mentioned this in T127660: Add plugin support and setup.sh prompt for GitHub OAuth token.Feb 21 2016, 6:54 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:48 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-Services.Mar 24 2019, 10:27 AM
Bstorm edited projects, added MediaWiki-Vagrant; removed Cloud-VPS.Nov 27 2019, 4:11 PM
Bstorm subscribed.

Changing the project tags on this. This is really for mediawiki-vagrant.
Anything else should use github auth to avoid ratelimiting

Bstorm moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.Nov 27 2019, 4:12 PM
Reedy subscribed.Mar 25 2020, 8:08 PM

Might be causing problems for CI now T248387: Could not authenticate against github.com :(

gerritbot added a comment.Mar 25 2020, 11:32 PM

Change 583483 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[integration/config@master] Inject GitHub OAuth token into composer runtime

https://gerrit.wikimedia.org/r/583483

gerritbot added a project: Patch-For-Review.Mar 25 2020, 11:32 PM
gerritbot added a comment.Apr 2 2020, 9:48 PM

Change 585609 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[integration/config@master] jjb: Update composer docker images and inject GitHub OAuth token

https://gerrit.wikimedia.org/r/585609

gerritbot added a comment.Apr 2 2020, 9:55 PM

Change 583483 merged by jenkins-bot:
[integration/config@master] dockerfiles: [composer-php70] Inject GitHub OAuth token into composer runtime

https://gerrit.wikimedia.org/r/583483

Stashbot added a comment.Apr 2 2020, 10:00 PM

Mentioned in SAL (#wikimedia-releng) [2020-04-02T21:59:59Z] <James_F> Docker: [composer-php70] Inject GitHub OAuth token into composer runtime T106452 T248387

Stashbot mentioned this in T248387: Could not authenticate against github.com.Apr 2 2020, 10:00 PM
Jdforrester-WMF subscribed.Apr 2 2020, 11:13 PM

CI (running on the integration WMCS project) is now configured to use a custom GitHub token, but this isn't fixed at large for other WMCS-hosted users.

gerritbot added a comment.Apr 2 2020, 11:15 PM

Change 585609 merged by jenkins-bot:
[integration/config@master] jjb: Inject GitHub OAuth token as a default for all jobs

https://gerrit.wikimedia.org/r/585609

bd808 renamed this task from Composer activity from Labs hosts can be rate limited by GitHub to Composer activity from Cloud VPS hosts can be rate limited by GitHub.Apr 5 2020, 8:45 PM
bd808 mentioned this in T249461: Update Composer >=1.9.3 for CI jobs.Apr 5 2020, 8:56 PM
Reedy removed a project: Patch-For-Review.Feb 2 2021, 2:05 AM
Reedy moved this task from Backlog to Bugs on the Composer board.Feb 2 2021, 2:27 AM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:40 PM
fnegri moved this task from Kanban to Watching on the cloud-services-team board.
bd808 mentioned this in T329679: Set up mirror of the docker hub registry for gitlab-runners.Feb 15 2023, 8:55 PM
bd808 mentioned this in T329216: GitLab CI jobs failing with "You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit".Feb 15 2023, 9:20 PM
bd808 mentioned this in T329798: Secret storage for CI jobs.Feb 15 2023, 9:41 PM
dr0ptp4kt unsubscribed.Jul 28 2023, 3:56 PM
Reedy mentioned this in T362426: CI depending on GitHub results in numerous failures outside our control.Fri, Apr 12, 3:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL