flink-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Till Rohrmann <trohrm...@apache.org>
Subject Re: Flink BLOB server port exposed externally
Date Mon, 18 May 2020 12:25:55 GMT
Hi Omar,

I think in the next couple of weeks the Flink 1.11 release should be
released. It mainly depends on the testing and bug fixing period as Xintong
said.

Cheers,
Till

On Mon, May 18, 2020 at 1:48 PM Xintong Song <tonysong820@gmail.com> wrote:

> 1.11.0 is feature freezing today. The final release date depends on the
> progress of release testing / bug fixing.
>
> Thank you~
>
> Xintong Song
>
>
>
> On Mon, May 18, 2020 at 6:36 PM Omar Gawi <omar.gawi@gmail.com> wrote:
>
>> Thanks Till!
>> Do you know what is 1.11.0 release date?
>>
>>
>> On Mon, May 18, 2020 at 12:49 PM Till Rohrmann <trohrmann@apache.org>
>> wrote:
>>
>>> Hi Omar,
>>>
>>> with FLINK-15154 [1] which will be released with the upcoming 1.11.0
>>> release, it will be possible to bind the Blob server to the hostname
>>> specified via jobmanager.bind-host. Per default it will still bind to the
>>> wildcard address but with this option you can bind it to localhost, for
>>> example. Be aware, though, that the Blob server needs to be accessible from
>>> all TaskManager processes. Hence, if you run a distributed cluster, then
>>> binding the blob server to localhost won't work.
>>>
>>> [1] https://issues.apache.org/jira/browse/FLINK-15154
>>>
>>> Cheers,
>>> Till
>>>
>>> On Wed, May 13, 2020 at 10:10 AM Dawid Wysakowicz <
>>> dwysakowicz@apache.org> wrote:
>>>
>>>> Hi Omar,
>>>>
>>>> Theoretically I think it could be possible to change the address on
>>>> which the BlobServer runs (even to localhost). There is no configuration
>>>> option for it now and the BlobServer always binds to the wildcard. One
>>>> important aspect to consider here is that the BlobServer must be accessible
>>>> from all the components of the cluster: taskmanagers, jobmanager (if I am
>>>> not mistaken).
>>>>
>>>> @Arvid  Wouldn't changing the line 192 in BlobServer:
>>>>
>>>>         this.serverSocket = NetUtils.createSocketFromPorts(ports,
>>>>                 (port) -> socketFactory.createServerSocket(port,
>>>> finalBacklog));
>>>>
>>>> to e.g.
>>>>
>>>>         this.serverSocket = NetUtils.createSocketFromPorts(ports,
>>>>               (port) -> socketFactory.createServerSocket(port,
>>>> finalBacklog, InetAddress.getByName(configuration.get(BLOB_HOSTNAME))));
>>>>
>>>> do the trick?
>>>>
>>>> That said I think for now your only option is what Arvid suggested.
>>>> Remember though that by default BlobServer is exposed on os chosen port,
so
>>>> it might change if you restart your cluster. You can set a staticport/range
>>>> with 'blob.server.port' configuration option. If you feel strong about the
>>>> requirement to configure the host as well, feel free to open a jira ticket.
>>>> On 12/05/2020 13:34, Arvid Heise wrote:
>>>>
>>>> Hi Omar,
>>>>
>>>> wouldn't it be possible to just create an iptable rule that allows
>>>> access to 1098 only from localhost? I don't think you can open a socket
>>>> just for localhost programmatically (at least not from Java).
>>>>
>>>> Best,
>>>>
>>>> Arvid
>>>>
>>>> On Tue, May 12, 2020 at 12:51 PM Omar Gawi <omar.gawi@gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I have Apache Flink running as part of our java program , on a linux
>>>>> machine.
>>>>> The Flink runs on thread(s) within the same java process.
>>>>> I see that the machine has the BLOB server port 1098 exposed to the
>>>>> outside :
>>>>>
>>>>> davc@sdavc:~$ netstat -anp | grep LISTEN
>>>>>
>>>>> (Not all processes could be identified, non-owned process info
>>>>>
>>>>> will not be shown, you would have to be root to see it all.)
>>>>>
>>>>> tcp        0      0 0.0.0.0:22              0.0.0.0:*
>>>>> LISTEN      -
>>>>>
>>>>> tcp        0      0 127.0.0.1:5432          0.0.0.0:*
>>>>> LISTEN      311/postgres
>>>>>
>>>>> tcp6       0      0 :::8080                 :::*
>>>>> LISTEN      -
>>>>>
>>>>> tcp6       0      0 :::21                   :::*
>>>>> LISTEN      -
>>>>>
>>>>> tcp6       0      0 :::22                   :::*
>>>>> LISTEN      -
>>>>>
>>>>> tcp6       0      0 ::1:5432                :::*
>>>>> LISTEN      311/postgres
>>>>>
>>>>> tcp6       0      0 :::8443                 :::*
>>>>> LISTEN      -
>>>>> *tcp6       0      0 :::1098                 :::*
>>>>> LISTEN      -*
>>>>>
>>>>>
>>>>> This bring to our team security concerns , when other external
>>>>> user/system open connection (for telnet or other protocols) to this port
>>>>> (accidentally or not), we get below error in the java app log:
>>>>>
>>>>> 2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while
>>>>> executing BLOB connection.
>>>>>
>>>>> java.io.IOException: Unknown operation 3
>>>>>
>>>>>                at
>>>>> org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)
>>>>>
>>>>>
>>>>> My question if is there a way to avoid exposing this port  to the
>>>>> outside, and keep it available only for it's original purpose : serving
the
>>>>> localhost/127.0.0.1 requests which come from the flink engine.
>>>>>
>>>>>
>>>>> Thank you and stay safe.
>>>>>
>>>>> Omar
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Arvid Heise | Senior Java Developer
>>>>
>>>> <https://www.ververica.com/>
>>>>
>>>> Follow us @VervericaData
>>>>
>>>> --
>>>>
>>>> Join Flink Forward <https://flink-forward.org/> - The Apache Flink
>>>> Conference
>>>>
>>>> Stream Processing | Event Driven | Real Time
>>>>
>>>> --
>>>>
>>>> Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany
>>>>
>>>> --
>>>> Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B Managing
>>>> Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng
>>>>
>>>>
>>>>

Mime
View raw message