
Switch to disable promtail http/grpc servers, and document behaviour for port = 0 #1991

Closed
candlerb opened this issue Apr 27, 2020 · 5 comments · Fixed by #2004
Labels
component/agent type/enhancement Something existing could be improved

Comments

candlerb (Contributor) commented Apr 27, 2020

Is your feature request related to a problem? Please describe.
By default, promtail listens on http and grpc ports. You may not want these servers to be active or accessible.

The example promtail configurations here and here show

  grpc_listen_port: 0

Users might expect this to mean "disable grpc server". Actually what happens is that the grpc server binds to a random port.

I cannot see that this is a useful behaviour. It's not secure (since anyone can find it using nmap).

Describe the solution you'd like
Implement the ability to disable http server and grpc server, e.g. by setting the port to zero as per example configs, or by having a separate flag.

Describe alternatives you've considered
If this isn't implemented, then at least document here the current behaviour:

# HTTP server listen port (0 means random port)
[http_listen_port: <int> | default = 80]

# gRPC server listen host
[grpc_listen_address: <string>]

# gRPC server listen port (0 means random port)
[grpc_listen_port: <int> | default = 9095]

Also change grpc_listen_port: 0 to grpc_listen_port: 9095 in all the sample configs (since the 0 example is not useful, but people are likely to copy it)

Additional context
Workaround is to bind servers to 127.0.0.1 and/or use iptables to block traffic.

@candlerb candlerb changed the title port = 0 to disable server (or at least document current behaviour) Switch to disable promtail http/grpc servers, and document behaviour for port = 0 Apr 27, 2020
Dhana-Krishnasamy commented Apr 27, 2020

Just want to mention that we have a security constraint that we cannot have insecure open ports in our systems. To scrape the log files and send them to Loki, we don't need an http interface anyway.

An option like the one Fluent Bit offers would be great.

Even if the listen address is the loopback address, it still exposes us to an elevation-of-rights attack.

cyriltovena added the labels component/agent and type/enhancement (Something existing could be improved) on Apr 27, 2020

cyriltovena (Contributor) commented:

@Dhana-Krishnasamy The http server is required for healthchecking, don't you need it too?

Dhana-Krishnasamy commented:

> @Dhana-Krishnasamy The http server is required for healthchecking, don't you need it too?

Good question, I think it would be nice if promtail could post the health info as well, like the logs it scrapes. An insecure port is a no-go for us.

cyriltovena added a commit to cyriltovena/loki that referenced this issue Apr 28, 2020
Fixes grafana#1991.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
cyriltovena added a commit that referenced this issue Apr 29, 2020
Fixes #1991.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
mm2175 commented May 16, 2023

How to disable the grpc server only? Our use cases want to disable the grpc server and keep the http server.

sjonpaulbrown commented:

> How to disable the grpc server only? Our use cases want to disable the grpc server and keep the http server.

For those who find their way here from Google, the disable flag was added to the server config as part of the following PR. It defaults to false.
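The following is an added example, not code from the Loki/promtail project or from anyone in this thread. It turns the two points made above into a small config lint: a port of 0 in `http_listen_port`/`grpc_listen_port` requests a random port rather than disabling the server, an unset listen address binds every interface, and the loopback workaround still leaves the port reachable by local processes. It assumes the switch added after this issue is spelled `disable` under `server:`, that an unset listen address means "all interfaces", and it uses a tiny hand-written reader for the flat `server:` block as a stand-in for `yaml.safe_load` so it runs without PyYAML. The sample configs are constructed, modelled on the snippets quoted in the issue.

```python
"""Added example: lint a promtail `server:` block for exposed listeners."""
from typing import Dict, List, Tuple

# Defaults quoted in the issue's config reference (http 80, grpc 9095).
# Treating an unset listen address as "all interfaces" is an assumption here,
# as is the `disable` key name (the flag described in the last comment).
DEFAULTS: Dict[str, object] = {
    "http_listen_address": "",
    "http_listen_port": 80,
    "grpc_listen_address": "",
    "grpc_listen_port": 9095,
    "disable": False,
}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_server_section(text: str) -> Dict[str, object]:
    """Read scalar `key: value` lines indented under a top-level `server:` key.

    Stand-in for yaml.safe_load(text).get("server", {}) so the example runs
    without PyYAML; nested lists or maps inside `server:` are not supported.
    """
    section: Dict[str, object] = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level key: only `server:` interests us
            in_server = line.strip() == "server:"
            continue
        if not in_server or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if value.lower() in ("true", "false"):
            section[key] = value.lower() == "true"
        elif value.isdigit():
            section[key] = int(value)
        else:
            section[key] = value
    return section


Finding = Tuple[str, str, str]  # (server, severity, message)


def lint_server(section: Dict[str, object]) -> List[Finding]:
    """Return findings for the http and grpc listeners described by `section`."""
    cfg = {**DEFAULTS, **section}
    findings: List[Finding] = []
    if cfg["disable"] is True:
        return findings  # both servers are switched off outright
    for proto in ("http", "grpc"):
        addr = str(cfg[f"{proto}_listen_address"])
        port = int(cfg[f"{proto}_listen_port"])
        if port == 0:
            findings.append((proto, "high",
                             f"{proto}_listen_port: 0 binds a random port; it does not disable the server"))
        if addr in ("", "0.0.0.0", "::"):
            findings.append((proto, "high",
                             f"{proto} server listens on all interfaces (address {addr or 'unset'})"))
        elif addr in LOOPBACK:
            findings.append((proto, "info",
                             f"{proto} server is loopback-only; still reachable by local processes"))
        else:
            findings.append((proto, "medium",
                             f"{proto} server bound to non-loopback address {addr}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse findings to the single highest severity ('none' if clean)."""
    order = ["none", "info", "medium", "high"]
    return max((f[1] for f in findings), key=order.index, default="none")


# Constructed sample configs, modelled on the snippets quoted in the issue.
SAMPLE_COPIED_FROM_DOCS = """
server:
  http_listen_port: 9080
  grpc_listen_port: 0   # reads like "off", actually means "random port"

clients:
  - url: http://loki:3100/loki/api/v1/push
"""

SAMPLE_LOOPBACK_WORKAROUND = """
server:
  http_listen_address: 127.0.0.1
  http_listen_port: 9080
  grpc_listen_address: 127.0.0.1
  grpc_listen_port: 9095
"""

SAMPLE_DISABLED = """
server:
  disable: true
"""

if __name__ == "__main__":
    for name, text in [("docs-copy", SAMPLE_COPIED_FROM_DOCS),
                       ("loopback", SAMPLE_LOOPBACK_WORKAROUND),
                       ("disabled", SAMPLE_DISABLED)]:
        results = lint_server(parse_server_section(text))
        print(f"{name}: worst={worst_severity(results)}")
        for server, sev, msg in results:
            print(f"  [{sev}] {server}: {msg}")
```

Running it on the config copied from the docs reports three high findings (http on all interfaces, grpc on a random port, grpc on all interfaces); the loopback workaround drops to informational; `disable: true` produces nothing, which is the outcome the issue asked for.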

5 participants