Bug 966160
| Field | Value |
|---|---|
| Summary | Server should only listen to external/public bind addresses when absolutely necessary |
| Product | [JBoss] JBoss Operations Network |
| Reporter | Marc Shirley <mshirley> |
| Component | Core Server |
| Assignee | John Mazzitelli <mazz> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Mike Foley <mfoley> |
| Severity | high |
| Priority | high |
| Version | JON 3.1.2 |
| CC | ahovsepy, loleary |
| Target Milestone | ER01 |
| Target Release | JON 3.2.0 |
| Hardware | All |
| OS | All |
| Doc Type | Bug Fix |
| Last Closed | 2014-01-02 20:36:07 UTC |
| Type | Bug |
Description
Marc Shirley
2013-05-22 16:35:31 UTC
The management interfaces in AS7.1.1.Final and EAP 6.1.x are now, by default, only bound to the local loopback IP (127.0.0.1), so they are not available to any remote machine. You can only access them from the local machine. You can see this in RHQ Server's standalone-full.xml:

```xml
<management>
    ...
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
...
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    ...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:6999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:6990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:6443}"/>
```

But what about the other miscellaneous ports? In AS 4 we had web services, JMX, JNP, RMI, and XA. Essentially, what this comes down to is what netstat returns:

```
netstat -anp | grep LISTEN | grep "<RHQ JVM PID>/java"
```

All required public services (that need to be reachable outside of localhost) should be 0.0.0.0:<port>, and all required private services (that only need to be reachable from localhost) should be 127.0.0.1:<port>. And no services should be listening that are not required. Furthermore, we should know what all services relate to and their purpose.
This is what I see (host:port from netstat) from my latest master build:

- 127.0.0.1:2528 (jacorb port - I think we can get rid of this service)
- 127.0.0.1:6990 (http/rest admin port)
- 127.0.0.1:6999 (native admin port)
- 0.0.0.0:4445 (messaging - hornetq netty connector - can probably bind this to 127)
- 0.0.0.0:4455 (messaging-throughput - hornetq netty connector - can probably bind this to 127)
- 0.0.0.0:7080 (our public HTTP/non-secure web port)
- 0.0.0.0:7443 (our public HTTPS/secure web port)
- 0.0.0.0:3447 (remoting connector - looks used by ejb3 for remote clients AND remote JMX - can probably bind this to 127 since we may need the jmx connector for the plugin)

Not sure how easy it will be to remove jacorb - see https://issues.jboss.org/browse/WFLY-1034 and its associated forum thread https://community.jboss.org/message/754423#754423. Maybe we just bind it to 127.0.0.1.

According to brian s., jacorb is also used by JTS - since we need transactioning, I don't want to risk blowing up by removing jacorb entirely. Will bind it to 127.0.0.1 instead.

With changes that I will commit soon, these are now the bindings - notice that only two are now bound to 0.0.0.0 by default - the http and https web endpoints.

```
tcp 0 0 127.0.0.1:4445 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:2528 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:4455 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6990 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7443 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:3447 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6999 0.0.0.0:* LISTEN 28958/java
```

All these services cannot be removed (jacorb required by JTS, messaging needed for JMS/hornetq and remoting needed for managing the server itself via rhq plugins and JMX), but now all these services are bound to the local loopback so they are not remotely accessible. Will continue to test to make sure this doesn't break anything and will commit when things look good.
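The netstat check from the description, written out as an added example (not code from the bug or the RHQ project): a POSIX sh/awk audit that applies the stated policy (required public ports on a non-loopback address, every other port on 127.0.0.1) to `netstat -anp` output for one JVM PID. The sample listing, the PID 28958 and the public-port list 7080/7443 are constructed from the values in the comments above.

```shell
#!/bin/sh
# Audit the addresses an RHQ/JON server JVM listens on, applying the bug's policy:
# required public services on 0.0.0.0, everything else on 127.0.0.1 only.
# Live use: netstat -anp | audit_bindings <RHQ JVM PID>

# Ports the server must expose to remote hosts: the HTTP and HTTPS web endpoints.
PUBLIC_PORTS="7080 7443"

# Constructed sample of `netstat -anp | grep LISTEN` output mirroring the "before"
# state from the bug (messaging and remoting still on 0.0.0.0) plus an unrelated sshd line.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:2528 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6990 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6999 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:4445 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:4455 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7443 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:3447 0.0.0.0:* LISTEN 28958/java
tcp6 0 0 :::22 :::* LISTEN 1234/sshd'

# audit_bindings PID   (netstat -anp output on stdin)
# Prints one "<addr>:<port> <reason>" line per violation for that PID, nothing when
# every public port is non-loopback and every other port is loopback-only.
audit_bindings() {
    awk -v pid="$1" -v pub="$PUBLIC_PORTS" '
        BEGIN { n = split(pub, a, " "); for (i = 1; i <= n; i++) public[a[i]] = 1 }
        # Column 6 is the socket state, column 7 is "PID/program"; only our JVM matters.
        $6 == "LISTEN" && $7 == (pid "/java") {
            # Split "addr:port" on the last colon so IPv6 forms such as :::7080 also work.
            i = match($4, /:[0-9]+$/); addr = substr($4, 1, i - 1); port = substr($4, i + 1)
            loopback = (addr == "127.0.0.1" || addr == "::1")
            if (port in public) {
                if (loopback) print $4 " public service not reachable from remote hosts"
            } else if (!loopback) {
                print $4 " private service exposed on a non-loopback address"
            }
        }'
}

# Stand-alone run over the constructed sample; non-zero status when anything is flagged.
main() {
    violations=$(printf '%s\n' "$SAMPLE_NETSTAT" | audit_bindings 28958)
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    echo "all listeners comply with the bind-address policy"
}
main || echo "rebind the services above to 127.0.0.1 (or add them to PUBLIC_PORTS)"
```

On the sample above the audit flags 4445, 4455 and 3447; the "after" listing in the comment passes clean.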
git commit to master: cf58fce

As this is MODIFIED or ON_QA, setting milestone to ER1.

Reassigning port 4455 is required for EAP5.1.2 - starting eap5.1.2 with an offset (-Djboss.socket.binding.port-offset=100) doesn't help. Please get the log attached.

Created attachment 805241 [details]: eap5.1.2.log

Checked version: JON 3.2 ER1, OS: Linux x86_64

Created attachment 809334 [details]: publicBindAddress

bz #1016703 filed for comment #9. Bind addresses verified; find screenshot attached.