Re: [Sks-devel] reverse proxies and the pool

[Kristian Fiskerstrand]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 10/28/2013 11:00 PM, Phil Pennock wrote:
> On 2013-10-28 at 21:53 +0100, Gabor Kiss wrote:
>> These efforts with HA pool reminds me bikeshedding. Wasting time
>> with unremarkable things.
> 
> If there are three big problems, tackling them one by one while
> not tackling the hardest _yet_ is not bikeshedding: it's improving
> the state of affairs in manageable chunks, working slowly to gain
> consensus in a community project.

Thank you Phil for a (as usual) very good overview of the situation.

...

> 
> I think that the goal of making the default serving pool be as fast
> and responsive as possible, without one slow client affecting every
> other user, is a good one.  I think that switching the default to
> HA should happen at some point, the only question is "when".
> 
> If we have enough reverse-proxy servers to provide decent latency
> to every part of the world, then "any time after now" seems to be
> a technically sound choice.

Current snapshot shows that 45 of 76 servers in the active pool are
identified as being behind a reverse proxy, being roughly 60%. This
includes nearly all of the servers that are included in the
geographical pools based on a more calculated approach[0]. In
comparison we only had some 30-odd servers directly qualifying when I
first started looking into setting the minimum requirement of the pool
to 1.1.3[1], at the time of the actual switch another 10-15 operators
had upgraded, and I believe the pool results are better for it today.

So, it seems to me that asking for input,
> and if that has a rough consensus of "yes" then providing advance 
> notice, then making the change, is a very open and clear way to
> proceed in how Kristian runs the volunteer service which _he_
> runs.
> 
> To the extent that anyone other than Kristian has a vote as
> anything more than a courtesy: I vote yes, it would be good for the
> main pool to be HA-only, with a sub-pool for non-ha perhaps, and I
> think that a one month lead-time would be very generous, giving
> people who want to stay in the default pool but who haven't
> deployed a reverse proxy yet plenty of time to do so.
> 

Indeed, a months time for implementing a reverse proxy should be
sufficient for most that has a strong desire to stay in the active
pool. And I'd like to further emphasize that even if anyones server
isn't in the active pool in the front, facing clients, it is still
valuable for the pools ability to stay stable and synchronize.
Steering traffic towards the servers that are most responsive and
reliable is however the primary purpose of the pool.

PS! For those that have noticed a blue indicator on that status
page[2], this is a preliminary setup for a potential new HA pool in
the future for load-balanced servers in front of multiple SKS
instances. I do however expect the HA pool to continue in the same
manner as today for a while longer before that change happens. If
anyone is interested in my own load-balanced setup using nginx I've
written up a blog post on [3].

References:
[0] http://kfwebs.com/sks-keyservers-SRV.pdf
[1] http://lists.nongnu.org/archive/html/sks-devel/2012-06/msg00043.html
[2] http://sks-keyservers.net/status/
[3] http://blog.sumptuouscapital.com/2013/10/load-balancing-sks/
- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
"Be a yardstick of quality. Some people aren't used to an environment
where excellence is expected."
(Steve Jobs)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.0-beta255 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSbuYfAAoJEAt/i2Dj7frjfTsP/16odgd0TdNoqTbbUFgxOs/A
kqWy8TW3FnMb2hiYj3ylBNAxnhQTr99da+qUmzNdCvvF6arwJqtJF8uSNanbnxN0
YEYmPglZ/33F8hDKkitYlzHSDUeY/azx3z5oPiLL4BWdnBbLSkhnJDjvoKiL/BKS
y5n+oHiZeVmXbVJB98bxqgnoxCJCwceGRkbYzALacDBdRn3K6+UA6VDvJNIn0AYj
qjhXVI44bEQfKLCBAnAzbhVhkJ3xxBYLbd/wIwtj4Qd8t8YeAOm2GRSk7LoIJsBL
qpbTMBpBMqR4dpK8kk+DIIarL58xiPg87Fa7o/Jg7N1wlWBuHTRLoqpWzeibPq2K
xULtZ9MfyzTYBOrRDUMsw4T8jgjWOHrXIV+stbcoF84x0O41YkrZRn9/HQXdRfQe
DIJriL7g98AG4Uk74JVQ5kItk24w4LNkkBmmd2Ubp3p//qBm4HVk90EE2vuPI8RO
SpuycObyIp5K1h2tLW7nm9lRtRk+hIqz+hUsQKIVZDZsz1Ebb4RHNxhUh/a2qY89
dEPm2qKGU7FRuygYYmYiIG1JvqMmeh/wEd7/UIxyHrPmDV9nyH6motOg/xV+WHcE
i5pqmXVuXm0rlR5prWaKRNJ3TZSFNhccM3Ks7k2OSGqk+Z9gROBxSfb9lIcKG2iH
XHUFd1qTbejuAJrSCTvG
=qi4f
-----END PGP SIGNATURE-----