Switch to disable promtail http/grpc servers, and document behaviour for port = 0 #1991
Comments
Just want to mention that an option just like how Fluent Bit does it would be great. Even if the listen address is the loopback address, it still exposes us to an elevation of rights attack.
@Dhana-Krishnasamy The http server is required for healthchecking, don't you need it too?
Good question, I think it would be nice if promtail could post the health info as well, like the logs it scrapes. An insecure port is a no-go for us.
Fixes grafana#1991. Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
Fixes #1991. Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
How to disable the grpc server only? Our use case wants to disable the grpc server and keep the http server.
For those who find their way here from Google, the
Is your feature request related to a problem? Please describe.
By default, promtail listens on http and grpc ports. You may not want these servers to be active or accessible.
The example promtail configurations here and here show
Users might expect this to mean "disable grpc server". Actually what happens is that the grpc server binds to a random port.
I cannot see that this is a useful behaviour. It's not secure (since anyone can find it using nmap).
Describe the solution you'd like
Implement the ability to disable http server and grpc server, e.g. by setting the port to zero as per example configs, or by having a separate flag.
Describe alternatives you've considered
If this isn't implemented, then at least document here the current behaviour:
Also change
grpc_listen_port: 0
to
grpc_listen_port: 9095
in all the sample configs (since the 0 example is not useful, but people are likely to copy it).
Additional context
Workaround is to bind servers to 127.0.0.1 and/or use iptables to block traffic.
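As an added illustration (not part of the issue and not promtail's own documentation), the three promtail server blocks this thread contrasts: the port-0 setting from the sample configs, the loopback-bind workaround the issue names, and the disable switch it asks for. The keys other than grpc_listen_port are assumed to match promtail's server section in the version you run, and the disable key is assumed to be the option added by the linked fix.

```yaml
# Added example, not taken from the issue. Three alternative "server" blocks
# for promtail, separated as YAML documents so no key is duplicated.

# 1. As in the sample configs the issue objects to: port 0 does NOT disable
#    gRPC. The OS assigns an ephemeral port and, with no listen address set,
#    it is bound on all interfaces, so it is still reachable from the network.
server:
  http_listen_port: 9080
  grpc_listen_port: 0
---
# 2. The workaround named in the issue: bind both servers to loopback so only
#    local processes reach the health endpoint and the gRPC port. Fixed ports
#    keep the exposure predictable for firewall rules and monitoring.
server:
  http_listen_address: 127.0.0.1
  http_listen_port: 9080
  grpc_listen_address: 127.0.0.1
  grpc_listen_port: 9095
---
# 3. The switch the issue asks for (assumed key name; check the promtail
#    version you run). As the thread notes, this also removes the HTTP health
#    endpoint, so scrape health some other way if you rely on it.
server:
  disable: true
```

Whichever variant is deployed, confirm the actual listening sockets on the host (for example with `ss -ltnp`) rather than trusting the config, since a random port will not appear anywhere in the file.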