Why is 0.0.0.0 the default host? #8510
Comments
|
Previous discussion can be found on #6151. If I recall correctly ultimately we decided on a SIG meeting around that time not to change the default for backwards compatibility reasons. |
|
If we were to change it, what default value would you suggest? |
|
If we believe the default value is unsafe, it should be changed (despite backwards compatibility concerns). If it is safe (and appropriate in some scenarios) it should not log the warning. The current situation is a bad user experience. |
|
I believe 127.0.0.1 should be default. There is no good reason to have warnings show up on the default setting. |
We don't support this (maybe we should), see #4384 for a related feature request. |
|
Filed open-telemetry/opentelemetry-collector-releases#408 so we can address the Docker case independently from the general default. A quick search on contrib reveals at least the following components in that repository are affected:
But there may be others, e.g. the sapm receiver which sets the endpoint to |
While I think that would be a nice addition to the Making some configuration fields take input from the environment in the absence of explicit configuration would be a much more significant change and one that I worry would make it even more difficult to reason about the effective configuration that would result from any given collector invocation. |
|
I agree, fallback env var seems like an overkill, and a slippery slope. Hopefully most people manage configurations as code / programmatically, so they can always do this themselves by reusing some base var={desired-ip} in their configs. This issue is about the warning, we can either change the default or remove the warning. I personally would be fine with just removing the warning, because 0.0.0.0 is a reasonable default in many cases (e.g. |
|
For context (see issue linked on my first message) the main rationale for the warning was that this is a known security weakness (CWE-1327) and that we had a specific vulnerability (GHSA-69cg-p879-7622) where the current default made the security implications worse than they could have been. Since this is ultimately a security-related decision I would be interested in what the @open-telemetry/sig-security-maintainers think. |
|
GHSA-69cg-p879-7622 doesn't look like it's related at all: "HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error" CWE-1327 - just because it exists doesn't make it a valid one. Starting a server that does not require TLS is also not the best practice, but it's important for dev usability. 0.0.0.0 doesn't seem any different. Do we log a warning when starting servers with Insecure settings? |
We could and should :) |
This is described in more detail in #6151 and was discussed on the SIG meeting at the time. Copying from the issue:
So the relationship is that because of binding to all network interfaces the vulnerability was easier to exploit.
The fact that is listed as CWE should count as some evidence that this is important; it's fair to argue against it but you should provide equivalent evidence against it.
Actually this is a good case for doing something for 0.0.0.0. We enable TLS by default (see here), so I don't think that's a good argument against nudging users to be secure by default when it comes to choosing what network interfaces to bind to. The equivalent to the approach we took for TLS would be to change the default to |
|
I think we warned users long enough already, we could indeed consider using localhost as the default host to bind the port to. |
|
Inspired by #7769 (comment) I want to vote on what we should do here. What should we do with this issue? 🚀 Do nothing, leave the warning as is, don't change the default Vote for all options that are acceptable to you |
|
@mx-psi another option would be to make this a feature-gate to give people a chance to change over more smoothly |
I'd say we can use the poll to decide what the end result should be and we can discuss the process to get there once we know that. Does that sound okay? |
|
Well, if we're voting, so far "change default to localhost" is winning, leaning towards additionally removing the warning. |
Indeed. I think doing this with a feature gate as @codeboten suggested makes sense. There is one slight inconvenience, which is that this feature gate must be shared across core and contrib modules. One way to work around this is to, on contrib, |
|
PTAL at #8622 as a first step, I am working on the contrib PR but would want to validate the design here first. I ended up exposing this as part of the public API since otherwise it is hard to reason about initialization and registration order. |
|
Hi, just wanted to suggest that you have somewhere in the docs a warning about the case where |
…ocalhost defaults for server-like components (#8622) **Description:** - Define `component.UseLocalHostAsDefaultHost` in the `internal/localhostgate` package. - Define `featuregate.ErrIsAlreadyRegistered` error, returned by `Register` when a gate is already registered. - Adds support for the localhost gate on the OTLP receiver. This PR does not remove the current warning in any way, we can remove this separately. **Link to tracking Issue:** Updates #8510 **Testing:** Adds unit tests **Documentation:** Document on OTLP receiver template and add related logging.
I am running OTLP receivers with default settings:
The start up logs are littered with these warnings:
internal@v0.85.0/warning.go:40 Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks {"kind": "receiver", "name": "otlp", "data_type": "traces", "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks"}Why isn't the default config for those exporters is such that it follows the mentioned best practices?
The text was updated successfully, but these errors were encountered: