Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DOS warning about binding to 0.0.0.0 does not apply to serverless environments #9753

Closed
richard-bain opened this issue Mar 13, 2024 · 5 comments · Fixed by #9852
Closed

DOS warning about binding to 0.0.0.0 does not apply to serverless environments #9753

richard-bain opened this issue Mar 13, 2024 · 5 comments · Fixed by #9852

Comments

@richard-bain
Copy link

Describe the bug
Same issue as #7488 and #6938 but for serverless environments. We heavily utilise Google Cloud Run for our Collectors and the google docs explicitly require you to listen on 0.0.0.0.

The ingress container within an instance must listen for requests on 0.0.0.0 on the port to which requests are sent. By default, requests are sent to 8080, but you can configure Cloud Run to send requests to the port of your choice. Cloud Run injects the PORT environment variable into the ingress container.

Previously it was asked if a flag can be set to disable this warning and there were reasonable objections due to the ability to set a specific port on bare-metal and k8s environments, however this is not possible in Cloud Run.

Steps to reproduce
When the collector binds ports to 0.0.0.0, it displays warnings that inform the user that 0.0.0.0 is open to any network interface and may be a problem for DoS attacks.

What did you expect to see?
No warning for use cases where this is required and unavoidable.

What did you see instead?

{
    "kind": "receiver",
    "msg": "Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks",
    "level": "warn",
    "ts": 1710310970.3374474,
    "collector": "some-collector",
    "caller": "internal@v0.93.0/warning.go:40",
    "name": "otlp",
    "data_type": "metrics",
    "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks"
}

What version did you use?
v0.93.0

What config did you use?
N/A

Environment
Google Cloud Run

Additional context

@richard-bain richard-bain added the bug Something isn't working label Mar 13, 2024
@mx-psi
Copy link
Member

mx-psi commented Mar 13, 2024

Thanks for your issue! We will be removing the warning as part of dealing with #8510. Starting with v0.94.0 you can enable the component.UseLocalHostAsDefaultHost to change the defaults and remove this warning. Read more about how to set the feature gate here.

@mx-psi mx-psi added area:documentation area:receiver and removed bug Something isn't working labels Mar 13, 2024
@dashpole
Copy link
Contributor

/cc

@dashpole
Copy link
Contributor

@mx-psi It doesn't look like setting the feature gate currently removes the warning when using 0.0.0.0. Do you know when you plan to implement that?

@mx-psi
Copy link
Member

mx-psi commented Mar 26, 2024

@dashpole my bad, we said we would implement it but didn't. #9852 should fix this

mx-psi added a commit that referenced this issue Mar 27, 2024
@richard-bain
Copy link
Author

Thanks @mx-psi and @dashpole.

@richard-bain richard-bain changed the title Dos warning about binding to 0.0.0.0 does not apply to serverless environments DOS warning about binding to 0.0.0.0 does not apply to serverless environments Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants