SCOSS

DOAJ reaches its SCOSS funding target within 18 months and sets its sights on new work

(Repost from the SCOSS website.)

We are delighted to announce that the Directory of Open Access Journals (DOAJ) has reached its funding target to cover its operational costs as were outlined in its SCOSS application. Eight consortia and 175 institutions/organisations from 18 different countries have committed support to DOAJ. “We’d like to thank our supporters. That this many organisations stand behind this initiative and promised this amount of funding shows how important sustaining open access infrastructure is,” said Lars Bjørnshauge, DOAJ Managing Director.

There are organisations that have already made the decision to help fund DOAJ, but are still deliberating over the details of their financial commitment. Though the funding goal has now been met, these organisations may still commit financial support. Furthermore, the SCOSS Board has allowed DOAJ to present a new work package, both to these organisations and any additional organisations that come forward in 2019. The package describes additional activities that DOAJ would like to pursue with the extra funding, should it be granted.

The Board has supported the second work package on the conditions that DOAJ reports on progress made in a progress report on the activities delineated in the SCOSS application form, and that DOAJ describes the new work package in detail and includes a budget for the amount of funding needed. For details see the financial overview and the new work package.

SCOSS endorses this plan through the end of 2019.

All University of California campuses commit to DOAJ

Ten institutions from the University of California – all ten campuses – commit €90,000 to DOAJ, the largest US consortium to support DOAJ via the SCOSS initiative so far.

DOAJ is very pleased for the support received from the University of California towards a sustainable funding model promoted by SCOSS.

Swiss consortium pledges 216,000 Eur to DOAJ and SHERPA/RoMEO

We are delighted to announce that the Consortium of Swiss Academic Libraries, comprising sixteen libraries and the Swiss National Science Foundation, is the third national consortium to commit to the SCOSS initiative.

swissuniversities, the Rectors’ Conference of Swiss Higher Education Institutions, contributes approximately 50% of the total costs in the framework of the Swiss National Strategy for Open Access.

Thank you very much for your support!

DOAJ’s New Governance Model

FOR IMMEDIATE RELEASE 18th December 2018 DOAJ will implement a new governance model in 2019 which will see DOAJ financers having a role in the organisation’s Board and Council. All organisations funding DOAJ with €1500 or more will be eligible for nomination.

In January 2019 DOAJ will inaugurate a new governance model providing the structure and transparency that it needs to meet its strategic goals, and ensure the organisation is fit-for-purpose for at least the next 5 years.

Today, DOAJ is run by the DOAJ Team with help provided as and when we need it—and always willingly—by our Advisory Board. Over the last 5 years, DOAJ has grown in size and importance and has come to a point where the existing model is no longer fit for purpose. DOAJ needs to be more formally structured and transparent if it is to meet the needs of the academic community, as well as its funders and sponsors.

DOAJ's governance model

The model for DOAJ’s governance was first drafted in October 2017 and has been reviewed and updated after input from the current Advisory Board. When the SCOSS model for funding DOAJ and other services was announced at the end of 2017, we decided that it is only fitting that the donors get some input into how DOAJ is run. We are proposing an Advisory Board of a maximum of 9 seats, and a Council with a maximum of 15 seats. Their role is to provide expert advice to the DOAJ Team and help us meet our strategic goals. We are also establishing an editorial subcommittee to assist us with questions around editorial process and content quality.

An organisational chart, showing how the Board, Council and Subcommittee interact with each other and with the DOAJ Team will be published shortly.

All organisations and publishers donating €1500 or more to DOAJ every year are eligible for nominations and will be invited to submit candidates for election to the new Advisory Board and the Council. Specific invitations will be sent out early in the New Year.

Université de Lorraine, the first French institution to provide sustainable funding based on SCOSS recommendations

This image has an empty alt attribute; its file name is logo-universite-de-lorraine1.png
We are very happy to be able to announce Université de Lorraine as the first French institution to join our growing list of institutions who have committed to provide sustainable funding to DOAJ for a period of three years as recommended by SCOSS.
Frédéric Villiéras, vice-provost for research at Université de Lorraine says: “We are delighted to strengthen our support to the DOAJ. This choice is in line with other financial supports towards open platforms that were decided earlier this year. We are fully committed to supporting open science infrastructures such as the DOAJ and we hope that other french research institutions and libraries will follow. “
Please, contact lars@doaj.org for further information.

Infrastructure and why sustainable funding so important to services like DOAJ

You can’t run a service like DOAJ on a shoestring, or fund it on a hand-to-mouth basis, which is how DOAJ has been funded until last year, so large amounts of sustained funding are really crucial to the database’s security, stability, scalability and, ultimately, survival. Last month, DOAJ came under attack and the whole process from diagnosing the problem to resolution revealed just how fragile the DOAJ ecosystem can be under those circumstances.

Below is a guest blog post is by Steven Eardley, the DevOps Engineer at our technology partner, Cottage Labs.  You may remember that the SCOSS initiative was launched last year to provide DOAJ and Sherpa/RoMEO with levels of sustainable funding that would ensure the survival of 2 services which had been earmarked as vital to the open access movement. I asked Steven to write this post because, after DOAJ took a battering, I thought it would be useful for our community to understand exactly what happens when DOAJ becomes unresponsive, what it takes to keep DOAJ up and running, and what a difference sustainable funding can make for a service like DOAJ.

Thanks for reading!

Dom

The Directory of Open Access Journals experienced some sustained and repeated downtime events mid July to mid August, which required significant intervention from Cottage Labs. This post describes what happened and explains how we mitigated the issue, and illustrates some of the inherent vulnerability which needs to be addressed.

The system
The main DOAJ database is built on ElasticSearch which we run over a number of virtual machines. The DOAJ web application is built on the Flask web framework and is written in Python.

As well as the search interface on the website, searches to our database come from the OAI-PMH interface, our Atom feed, and ‘widgets‘ embedded on users’ sites. The DOAJ also has an API for programmatic interactions with our content allowing, for example, publishers to upload their content. To keep the ElasticSearch index performing correctly for the rest of the site, we tend to tweak the rate limit for the API during periods of high load.

The problem
The DOAJ website communicates with its database (“data store”) via the web (also know as the ‘query endpoint’), giving us control over what kinds of requests are permitted and the ability to filter responses to prevent data from being leaked unintentionally. Not all of the requests to ElasticSearch come from our own servers however because the DOAJ search pages utilise JavaScript which runs on users’ browsers. This means that the data store must be publicly accessible for our search pages to work. We keep the rate limit for this fairly high so pages are responsive.

During the period mentioned, we saw an elevated request rate via the query endpoint which resulted in all of the site functions slowing down. Eventually the index was overloaded and the DOAJ website stopped responding. Recovery tended to be fairly quick and site performance would be restored for a number of hours. However, the downtime was persistent and reoccurring, sometimes multiple times in a day.

The cause
While we could see the quantity of queries to our index had at least doubled from its normal rate, we couldn’t identify the source of the queries causing the trouble and couldn’t look for long-term trends. We will find resource to improve this in the future but monitoring of this kind is costly and is currently out of budget. Therefore, we mainly had to diagnose via inference. Our immediate action was to disable the application components one by one, endeavouring to pinpoint the source of the excess load. We turned off the API, the Atom feed, the back end editorial admin pages, and finally the OAI-PMH interface. The latter had a small impact on the index stability – we saw reduced memory use in the index and it was coping somewhat better with the load. This pointed us towards the source of the problem: deep paging.

Deep Paging – ElasticSearch’s kryptonite
Deep paging essentially means that someone or something is scrolling through a large number of objects sequentially leading to high memory commitment; the server must hold the entire context in memory to get deeper and deeper into the results. We determined that someone was sending thousands of requests per hour directly via the query endpoint, instead of through the API, and furthermore essentially trawling through all results over a long period of time. That is to say: they weren’t using a provided feature, rather bypassing the features and using a hidden route.

Each time the system went down, the traffic took a while to resume, presumably because the trawl had to be started again from the beginning.

The solution
Our next task was therefore to block these external sources of deep paging. First, we changed the permitted referral parameter (e.g. “`ref=ui“` in the request URL) and the traffic dropped off. Success? Not quite. These parameters are easy to spoof so it was of no surprise that not long later, the site went down once again amid further high traffic. We tried the same configuration change again, this time changing the referral parameter to “`please-use-our-api“` – the ‘begging’ approach to reducing system load! Unfortunately that bought us even less time than before.

At this point we categorised this as something like a denial of service attack – although the chances are it wasn’t intentionally malicious, circumvention of our countermeasures and being a direct source of instability for thousands of other users is at least inconsiderate!

User agent blocking was the next measure we attempted to reduce the load. Since the query route is really just for our use, we decided it was reasonable to block some programmatic user agents, such as the Node.js http module, or the wget and curl utilities. Again we saw a temporary alleviation of the high load.

Of course, user agent strings are sent from the client from each request, so they can be altered at source. By now we’d identified the user’s IP address, and watched a few intermittent requests come in as the user was iterating and figuring out what we’d changed. Within a couple of hours, the torrent of requests resumed and our infrastructure once again creaked under the strain.

Since we’re not keen on IP banning and other heavy-handed measures we decided to address the problem within our application code and give the query endpoint some rules to filter out the sorts of traffic that give the index trouble: we now cap the results to a reasonable number expected to be viewed from the search page; we enforce paging limits to disallow queries that page a long way into our data set; and the query endpoint will reject a request that doesn’t look like it came from a user.

The lesson
We were a little complacent about our query endpoint’s obscurity. For a long time we’d planned to tighten up the rules on the search interface but, with DOAJ’s long list of other developments, it wasn’t a priority. Our endpoint was open and available to function like a little bonus undocumented API and this was stretched to the limit when it was being used to harvest all of our data rather than just facilitating search functions. This is a lesson for the design stage of the software process: keep the roles of system components as distinct and single-purpose as feasible.

In addition, this persistent grab of our data constituted a feature request – it should be easier to download our entire DOAJ dataset and we will be implementing that over the coming weeks.

The improvements
We have a handful of improvements coming soon in response to these lessons:

  • We’ll be re-writing our OAI-PMH interface to mitigate deep paging and high memory use.
  • The Search API will also see some more restrictions to paging depth and number of results – this will more closely reflect its role as a discovery interface and not a harvest endpoint.
  • Create a dump of our entire dataset on a regular basis, that way the entirety of the DOAJ’s data is more easily accessible to the public without strain on our infrastructure.

Watch out here and on our social media channels for further announcements regarding these new developments.