-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why is 0.0.0.0 the default host? #8510
Comments
Previous discussion can be found on #6151. If I recall correctly ultimately we decided on a SIG meeting around that time not to change the default for backwards compatibility reasons. |
If we were to change it, what default value would you suggest? |
If we believe the default value is unsafe, it should be changed (despite backwards compatibility concerns). If it is safe (and appropriate in some scenarios) it should not log the warning. The current situation is a bad user experience. |
I believe 127.0.0.1 should be default. There is no good reason to have warnings show up on the default setting. |
We don't support this (maybe we should), see #4384 for a related feature request. |
Filed open-telemetry/opentelemetry-collector-releases#408 so we can address the Docker case independently from the general default. A quick search on contrib reveals at least the following components in that repository are affected:
But there may be others, e.g. the sapm receiver which sets the endpoint to |
While I think that would be a nice addition to the Making some configuration fields take input from the environment in the absence of explicit configuration would be a much more significant change and one that I worry would make it even more difficult to reason about the effective configuration that would result from any given collector invocation. |
I agree, fallback env var seems like an overkill, and a slippery slope. Hopefully most people manage configurations as code / programmatically, so they can always do this themselves by reusing some base var={desired-ip} in their configs. This issue is about the warning, we can either change the default or remove the warning. I personally would be fine with just removing the warning, because 0.0.0.0 is a reasonable default in many cases (e.g. |
For context (see issue linked on my first message) the main rationale for the warning was that this is a known security weakness (CWE-1327) and that we had a specific vulnerability (GHSA-69cg-p879-7622) where the current default made the security implications worse than they could have been. Since this is ultimately a security-related decision I would be interested in what the @open-telemetry/sig-security-maintainers think. |
GHSA-69cg-p879-7622 doesn't look like it's related at all: "HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error" CWE-1327 - just because it exists doesn't make it a valid one. Starting a server that does not require TLS is also not the best practice, but it's important for dev usability. 0.0.0.0 doesn't seem any different. Do we log a warning when starting servers with Insecure settings? |
We could and should :) |
This is described in more detail in #6151 and was discussed on the SIG meeting at the time. Copying from the issue:
So the relationship is that because of binding to all network interfaces the vulnerability was easier to exploit.
The fact that is listed as CWE should count as some evidence that this is important; it's fair to argue against it but you should provide equivalent evidence against it.
Actually this is a good case for doing something for 0.0.0.0. We enable TLS by default (see here), so I don't think that's a good argument against nudging users to be secure by default when it comes to choosing what network interfaces to bind to. The equivalent to the approach we took for TLS would be to change the default to |
I think we warned users long enough already, we could indeed consider using localhost as the default host to bind the port to. |
Inspired by #7769 (comment) I want to vote on what we should do here. What should we do with this issue? 🚀 Do nothing, leave the warning as is, don't change the default Vote for all options that are acceptable to you |
@mx-psi another option would be to make this a feature-gate to give people a chance to change over more smoothly |
I'd say we can use the poll to decide what the end result should be and we can discuss the process to get there once we know that. Does that sound okay? |
Well, if we're voting, so far "change default to localhost" is winning, leaning towards additionally removing the warning. |
Indeed. I think doing this with a feature gate as @codeboten suggested makes sense. There is one slight inconvenience, which is that this feature gate must be shared across core and contrib modules. One way to work around this is to, on contrib, |
PTAL at #8622 as a first step, I am working on the contrib PR but would want to validate the design here first. I ended up exposing this as part of the public API since otherwise it is hard to reason about initialization and registration order. |
Hi, just wanted to suggest that you have somewhere in the docs a warning about the case where |
…ocalhost defaults for server-like components (#8622) **Description:** - Define `component.UseLocalHostAsDefaultHost` in the `internal/localhostgate` package. - Define `featuregate.ErrIsAlreadyRegistered` error, returned by `Register` when a gate is already registered. - Adds support for the localhost gate on the OTLP receiver. This PR does not remove the current warning in any way, we can remove this separately. **Link to tracking Issue:** Updates #8510 **Testing:** Adds unit tests **Documentation:** Document on OTLP receiver template and add related logging.
Odd. v0.104.0 release notes say:
But when I upgrade Jaeger to this version I am still getting warnings:
we use default config
|
I haven't been able to reproduce this yet, the
with this config receivers:
otlp:
protocols:
grpc:
http:
exporters:
debug:
service:
pipelines:
traces:
receivers:
- otlp
exporters:
- debug Also tested with All of those have main.gos that are generated by ocb and jaeger isn't, I wonder if that is related to the issue. |
is the feature gate |
It seems like the issue is specific to how Jaeger uses the Collector APIs, but I can't tell exactly what's going wrong. The default value is set here:
The override is passed here:
and eventually Cobra calls the This should work the same on Jaeger (you are calling If you want to override the value on Jaeger using Go code you can do |
@mx-psi I figured it out - turns out I was trying with v104 of collector but still v103 of contrib. And it turns out the same feature is defined in both core and contrib, with the same ID, and whichever one wins depends on module loading order. |
The release notes for the collector: only mention this issue, but not the PR number that changes the endpoint to localhost by default. A couple of questions:
|
@yurishkuro Ah, right, that makes sense indeed. I would argue we don't support using versions that are not aligned of core and contrib, but for future feature gates it may make sense to do this differently.
The PRs that should have closed this are #10352 and open-telemetry/opentelemetry-collector-contrib/pull/33658. There is also a long tail of older PRs working on this, see #6267, #8622, #6959, all the PRs linked on open-telemetry/opentelemetry-collector-contrib#30702, and the updates to other projects, default configs or docs made by open-telemetry/opentelemetry.io/pull/3847, open-telemetry/opentelemetry-helm-charts/pull/1012 and open-telemetry/opentelemetry-collector-releases/pull/408.
Yes! Closing :) |
Following open-telemetry/opentelemetry-collector/pull/10352 we need to update examples to use `0.0.0.0`. Relates to open-telemetry/opentelemetry-collector/issues/8510
<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Based on the discussions from #11713 (comment) and #8510 (comment) the warning message logged when `0.0.0.0` is used, should be removed. <!-- Issue number if applicable --> #### Link to tracking issue Probably fixes #11713 <!--Describe what testing was performed and which tests were added.--> #### Testing <!--Describe the documentation added.--> #### Documentation <!--Please delete paragraphs that you did not use before submitting.--> /cc @mx-psi --------- Signed-off-by: ChrsMark <chrismarkou92@gmail.com>
…n-telemetry#11773) <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description <!-- Issue number if applicable --> Follows open-telemetry#11235, relates to open-telemetry#8510
<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description Based on the discussions from open-telemetry#11713 (comment) and open-telemetry#8510 (comment) the warning message logged when `0.0.0.0` is used, should be removed. <!-- Issue number if applicable --> #### Link to tracking issue Probably fixes open-telemetry#11713 <!--Describe what testing was performed and which tests were added.--> #### Testing <!--Describe the documentation added.--> #### Documentation <!--Please delete paragraphs that you did not use before submitting.--> /cc @mx-psi --------- Signed-off-by: ChrsMark <chrismarkou92@gmail.com>
I am running OTLP receivers with default settings:
The start up logs are littered with these warnings:
internal@v0.85.0/warning.go:40 Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks {"kind": "receiver", "name": "otlp", "data_type": "traces", "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks"}
Why isn't the default config for those exporters is such that it follows the mentioned best practices?
The text was updated successfully, but these errors were encountered: