Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create manual and/or automated operating procedure for dealing with binder users that abuse the free resources #229

Open
moorepants opened this issue Mar 1, 2021 · 4 comments
Open

Create manual and/or automated operating procedure for dealing with binder users that abuse the free resources #229

moorepants opened this issue Mar 1, 2021 · 4 comments
Labels
galaxy cluster medium priority

Comments

@moorepants
Copy link
Member

For example, we've had binder users launch crypto mining software a few times over the years we've run the service. The current process is to simply kill their pods when noticed. We should define a standard operating procedure for identifying this and manually dealing with it. We may also be able to deal with it automated ways too. The mybinder.org people deal with it much more and must have some solutions. At the minimum, let's setup timeouts on all binderpods. There should be no reason to run binder pods longer than a few hours. The intended use for our binder is to execute and work with a libretexts page. It may take person some time to work through a page, but we can set a max time limit on that. That would at least automatically cutoff miners.
@moorepants
Copy link
Member Author

@sandertyu found this: jupyterhub/mybinder.org-deploy#1778 Looks like there is a binder minesweeper setup.

@sandertyu
Copy link
Contributor

sandertyu commented Mar 9, 2021
edited

It looks like mybinder is simply running a kubernetes daemonset and each spawned pod will run a script minesweeper.py which can identify and kill suspicious pods through the kubernetes API. There's some secrets that they have which we may have to ask about in order to implement their version of crypto-mining security, but that seems to be their general measure.

Furthermore, you want to add a timeout to all binderhub user spawned pods after an hour or two, regardless of activity?

@sandertyu
Copy link
Contributor

We've got a serviceable script to kill crypto processes when they occur, and this has served to ward off cryptominers so far. I'll keep the issue open because it's a good idea, but will lower its priority.

@sandertyu
Copy link
Contributor

We have an automated systemd script to kill processes according to known miner names, as well as a kubernetes program which detects when pods are running at high cpu usage for a given amount of time and automatically deletes them. We have documentation for everything except for the latter method, which Kevin made.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
galaxy cluster medium priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@moorepants @sandertyu