flink-user mailing list archives

From Dawid Wysakowicz <dwysakow...@apache.org>
Subject Re: Flink BLOB server port exposed externally
Date Wed, 13 May 2020 08:10:07 GMT
Hi Omar,

Theoretically I think it could be possible to change the address on
which the BlobServer runs (even to localhost). There is no configuration
option for it now and the BlobServer always binds to the wildcard. One
important aspect to consider here is that the BlobServer must be
accessible from all the components of the cluster: taskmanagers,
jobmanager (if I am not mistaken).

@Arvid, wouldn't changing line 192 in BlobServer:

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
                (port) -> socketFactory.createServerSocket(port, finalBacklog));

to e.g.

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
                (port) -> socketFactory.createServerSocket(port, finalBacklog,
                        InetAddress.getByName(configuration.get(BLOB_HOSTNAME))));

do the trick?

That said, I think for now your only option is what Arvid suggested.
Remember, though, that by default the BlobServer is exposed on an
OS-chosen port, so it might change if you restart your cluster. You can
set a static port/range with the 'blob.server.port' configuration
option. If you feel strongly about the requirement to configure the host
as well, feel free to open a JIRA ticket.

On 12/05/2020 13:34, Arvid Heise wrote:
> Hi Omar,
>
> wouldn't it be possible to just create an iptable rule that allows
> access to 1098 only from localhost? I don't think you can open a
> socket just for localhost programmatically (at least not from Java).
>
> Best,
>
> Arvid
>
> On Tue, May 12, 2020 at 12:51 PM Omar Gawi <omar.gawi@gmail.com> wrote:
>
>     Hi All,
>
>     I have Apache Flink running as part of our Java program, on a
>     Linux machine.
>     Flink runs on thread(s) within the same Java process.
>     I see that the machine has the BLOB server port 1098 exposed to
>     the outside:
>
>     davc@sdavc:~$ netstat -anp | grep LISTEN
>     (Not all processes could be identified, non-owned process info
>      will not be shown, you would have to be root to see it all.)
>     tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
>     tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      311/postgres
>     tcp6       0      0 :::8080                 :::*                    LISTEN      -
>     tcp6       0      0 :::21                   :::*                    LISTEN      -
>     tcp6       0      0 :::22                   :::*                    LISTEN      -
>     tcp6       0      0 ::1:5432                :::*                    LISTEN      311/postgres
>     tcp6       0      0 :::8443                 :::*                    LISTEN      -
>     tcp6       0      0 :::1098                 :::*                    LISTEN      -
>
>     This brings security concerns to our team: when another external
>     user/system opens a connection (via telnet or another protocol) to
>     this port (accidentally or not), we get the error below in the Java
>     app log:
>
>     2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while
>     executing BLOB connection.
>     java.io.IOException: Unknown operation 3
>         at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)
>
>
>     My question is whether there is a way to avoid exposing this port
>     to the outside and keep it available only for its original purpose:
>     serving the localhost/127.0.0.1 requests that come from the Flink
>     engine.
>
>
>     Thank you and stay safe.
>
>     Omar
>
>
>
> -- 
>
> Arvid Heise | Senior Java Developer
>
> <https://www.ververica.com/>
>
>
> Follow us @VervericaData
>
> --
>
> Join Flink Forward <https://flink-forward.org/> - The Apache
> Flink Conference
>
> Stream Processing | Event Driven | Real Time
>
> --
>
> Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany
>
> --
>
> Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B
> Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason,
> Ji (Toni) Cheng
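The bind-address form of createServerSocket discussed above, as an added example that is not code from this thread or from Flink: it binds a server socket to the loopback address instead of the wildcard, then checks from the same host that a connection over 127.0.0.1 is accepted while one over the host's own non-loopback IPv4 address (first one found on any interface; assumed to exist) is refused. Class and method names are hypothetical; only the standard JDK is used.

```java
import java.io.IOException;
import java.net.*;
import java.util.Collections;
import javax.net.ServerSocketFactory;

public class LoopbackBindDemo {

    // Same call as the proposed BlobServer change: explicit bind address
    // as the third argument instead of the default wildcard (0.0.0.0 / ::).
    static ServerSocket bind(int port, int backlog, InetAddress bindAddr) throws IOException {
        return ServerSocketFactory.getDefault().createServerSocket(port, backlog, bindAddr);
    }

    // First non-loopback IPv4 address of this host, or null if there is none.
    static InetAddress firstExternalIPv4() throws SocketException {
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            for (InetAddress a : Collections.list(nic.getInetAddresses())) {
                if (a instanceof Inet4Address && !a.isLoopbackAddress()) {
                    return a;
                }
            }
        }
        return null;
    }

    // TCP connect with a short timeout; the backlog accepts the handshake
    // even though nobody calls accept(), so success means "reachable".
    static boolean canConnect(InetAddress addr, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(addr, port), 500);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Port 0 lets the OS choose a free port, like Flink's default for blob.server.port.
        try (ServerSocket ss = bind(0, 50, InetAddress.getLoopbackAddress())) {
            int port = ss.getLocalPort();
            System.out.println("bound to " + ss.getInetAddress() + ":" + port);
            System.out.println("via loopback: " + canConnect(InetAddress.getLoopbackAddress(), port));
            InetAddress external = firstExternalIPv4();
            if (external != null) {
                // Bound to 127.0.0.1 only, so the kernel refuses this even from the same host.
                System.out.println("via " + external + ": " + canConnect(external, port));
            }
        }
    }
}
```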