Flink BLOB server port exposed externally

Hi All,

I have Apache Flink running as part of our java program , on a linux machine.

The Flink runs on thread(s) within the same java process.

I see that the machine has the BLOB server port 1098 exposed to the outside :

davc@sdavc:~$ netstat -anp | grep LISTEN

(Not all processes could be identified, non-owned process info

will not be shown, you would have to be root to see it all.)

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      311/postgres

tcp6       0      0 :::8080                 :::*                    LISTEN      -

tcp6       0      0 :::21                   :::*                    LISTEN      -

tcp6       0      0 :::22                   :::*                    LISTEN      -

tcp6       0      0 ::1:5432                :::*                    LISTEN      311/postgres

tcp6       0      0 :::8443                 :::*                    LISTEN      -

tcp6       0      0 :::1098                 :::*                    LISTEN      - 

   

This bring to our team security concerns , when other external user/system open connection (for telnet or other protocols) to this port (accidentally or not), we get below error in the java app log:

2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while executing BLOB connection.

java.io.IOException: Unknown operation 3

               at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)

My question if is there a way to avoid exposing this port  to the outside, and keep it available only for it's original purpose : serving the localhost/127.0.0.1 requests which come from the flink engine.

Thank you and stay safe.

Omar

Hi Omar,

Theoretically I think it could be possible to change the address on which the BlobServer runs (even to localhost). There is no configuration option for it now and the BlobServer always binds to the wildcard. One important aspect to consider here is that the BlobServer must be accessible from all the components of the cluster: taskmanagers, jobmanager (if I am not mistaken).

@Arvid  Wouldn't changing the line 192 in BlobServer:

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
                (port) -> socketFactory.createServerSocket(port, finalBacklog));

to e.g.

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
              (port) -> socketFactory.createServerSocket(port, finalBacklog, InetAddress.getByName(configuration.get(BLOB_HOSTNAME))));

do the trick?

That said I think for now your only option is what Arvid suggested. Remember though that by default BlobServer is exposed on os chosen port, so it might change if you restart your cluster. You can set a staticport/range with 'blob.server.port' configuration option. If you feel strong about the requirement to configure the host as well, feel free to open a jira ticket.

On 12/05/2020 13:34, Arvid Heise wrote:

Hi Omar,

wouldn't it be possible to just create an iptable rule that allows access to 1098 only from localhost? I don't think you can open a socket just for localhost programmatically (at least not from Java).

Best,

Arvid

On Tue, May 12, 2020 at 12:51 PM Omar Gawi <[hidden email]> wrote:

Hi All,

I have Apache Flink running as part of our java program , on a linux machine.

The Flink runs on thread(s) within the same java process.

I see that the machine has the BLOB server port 1098 exposed to the outside :

davc@sdavc:~$ netstat -anp | grep LISTEN

(Not all processes could be identified, non-owned process info

will not be shown, you would have to be root to see it all.)

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      311/postgres

tcp6       0      0 :::8080                 :::*                    LISTEN      -

tcp6       0      0 :::21                   :::*                    LISTEN      -

tcp6       0      0 :::22                   :::*                    LISTEN      -

tcp6       0      0 ::1:5432                :::*                    LISTEN      311/postgres

tcp6       0      0 :::8443                 :::*                    LISTEN      -

tcp6       0      0 :::1098                 :::*                    LISTEN      - 

   

This bring to our team security concerns , when other external user/system open connection (for telnet or other protocols) to this port (accidentally or not), we get below error in the java app log:

2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while executing BLOB connection.

java.io.IOException: Unknown operation 3

               at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)

My question if is there a way to avoid exposing this port  to the outside, and keep it available only for it's original purpose : serving the localhost/127.0.0.1 requests which come from the flink engine.

Thank you and stay safe.

Omar

--

Arvid Heise | Senior Java Developer

Follow us @VervericaData

--

Join Flink Forward - The Apache Flink Conference

Stream Processing | Event Driven | Real Time

--

Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany

--

Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng   

Hi Omar,

with FLINK-15154 [1] which will be released with the upcoming 1.11.0 release, it will be possible to bind the Blob server to the hostname specified via jobmanager.bind-host. Per default it will still bind to the wildcard address but with this option you can bind it to localhost, for example. Be aware, though, that the Blob server needs to be accessible from all TaskManager processes. Hence, if you run a distributed cluster, then binding the blob server to localhost won't work.

[1] https://issues.apache.org/jira/browse/FLINK-15154

Cheers,

Till

On Wed, May 13, 2020 at 10:10 AM Dawid Wysakowicz <[hidden email]> wrote:

Hi Omar,

Theoretically I think it could be possible to change the address on which the BlobServer runs (even to localhost). There is no configuration option for it now and the BlobServer always binds to the wildcard. One important aspect to consider here is that the BlobServer must be accessible from all the components of the cluster: taskmanagers, jobmanager (if I am not mistaken).

@Arvid  Wouldn't changing the line 192 in BlobServer:

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
                (port) -> socketFactory.createServerSocket(port, finalBacklog));

to e.g.

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
              (port) -> socketFactory.createServerSocket(port, finalBacklog, InetAddress.getByName(configuration.get(BLOB_HOSTNAME))));

do the trick?

That said I think for now your only option is what Arvid suggested. Remember though that by default BlobServer is exposed on os chosen port, so it might change if you restart your cluster. You can set a staticport/range with 'blob.server.port' configuration option. If you feel strong about the requirement to configure the host as well, feel free to open a jira ticket.

On 12/05/2020 13:34, Arvid Heise wrote:

Hi Omar,

wouldn't it be possible to just create an iptable rule that allows access to 1098 only from localhost? I don't think you can open a socket just for localhost programmatically (at least not from Java).

Best,

Arvid

On Tue, May 12, 2020 at 12:51 PM Omar Gawi <[hidden email]> wrote:

Hi All,

I have Apache Flink running as part of our java program , on a linux machine.

The Flink runs on thread(s) within the same java process.

I see that the machine has the BLOB server port 1098 exposed to the outside :

davc@sdavc:~$ netstat -anp | grep LISTEN

(Not all processes could be identified, non-owned process info

will not be shown, you would have to be root to see it all.)

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      311/postgres

tcp6       0      0 :::8080                 :::*                    LISTEN      -

tcp6       0      0 :::21                   :::*                    LISTEN      -

tcp6       0      0 :::22                   :::*                    LISTEN      -

tcp6       0      0 ::1:5432                :::*                    LISTEN      311/postgres

tcp6       0      0 :::8443                 :::*                    LISTEN      -

tcp6       0      0 :::1098                 :::*                    LISTEN      - 

   

This bring to our team security concerns , when other external user/system open connection (for telnet or other protocols) to this port (accidentally or not), we get below error in the java app log:

2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while executing BLOB connection.

java.io.IOException: Unknown operation 3

               at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)

My question if is there a way to avoid exposing this port  to the outside, and keep it available only for it's original purpose : serving the localhost/127.0.0.1 requests which come from the flink engine.

Thank you and stay safe.

Omar

--

Arvid Heise | Senior Java Developer

Follow us @VervericaData

--

Join Flink Forward - The Apache Flink Conference

Stream Processing | Event Driven | Real Time

--

Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany

--

Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng   

Thanks Till!

Do you know what is 1.11.0 release date?

On Mon, May 18, 2020 at 12:49 PM Till Rohrmann <[hidden email]> wrote:

Hi Omar,

with FLINK-15154 [1] which will be released with the upcoming 1.11.0 release, it will be possible to bind the Blob server to the hostname specified via jobmanager.bind-host. Per default it will still bind to the wildcard address but with this option you can bind it to localhost, for example. Be aware, though, that the Blob server needs to be accessible from all TaskManager processes. Hence, if you run a distributed cluster, then binding the blob server to localhost won't work.

[1] https://issues.apache.org/jira/browse/FLINK-15154

Cheers,

Till

On Wed, May 13, 2020 at 10:10 AM Dawid Wysakowicz <[hidden email]> wrote:

Hi Omar,

Theoretically I think it could be possible to change the address on which the BlobServer runs (even to localhost). There is no configuration option for it now and the BlobServer always binds to the wildcard. One important aspect to consider here is that the BlobServer must be accessible from all the components of the cluster: taskmanagers, jobmanager (if I am not mistaken).

@Arvid  Wouldn't changing the line 192 in BlobServer:

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
                (port) -> socketFactory.createServerSocket(port, finalBacklog));

to e.g.

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
              (port) -> socketFactory.createServerSocket(port, finalBacklog, InetAddress.getByName(configuration.get(BLOB_HOSTNAME))));

do the trick?

That said I think for now your only option is what Arvid suggested. Remember though that by default BlobServer is exposed on os chosen port, so it might change if you restart your cluster. You can set a staticport/range with 'blob.server.port' configuration option. If you feel strong about the requirement to configure the host as well, feel free to open a jira ticket.

On 12/05/2020 13:34, Arvid Heise wrote:

Hi Omar,

wouldn't it be possible to just create an iptable rule that allows access to 1098 only from localhost? I don't think you can open a socket just for localhost programmatically (at least not from Java).

Best,

Arvid

On Tue, May 12, 2020 at 12:51 PM Omar Gawi <[hidden email]> wrote:

Hi All,

I have Apache Flink running as part of our java program , on a linux machine.

The Flink runs on thread(s) within the same java process.

I see that the machine has the BLOB server port 1098 exposed to the outside :

davc@sdavc:~$ netstat -anp | grep LISTEN

(Not all processes could be identified, non-owned process info

will not be shown, you would have to be root to see it all.)

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      311/postgres

tcp6       0      0 :::8080                 :::*                    LISTEN      -

tcp6       0      0 :::21                   :::*                    LISTEN      -

tcp6       0      0 :::22                   :::*                    LISTEN      -

tcp6       0      0 ::1:5432                :::*                    LISTEN      311/postgres

tcp6       0      0 :::8443                 :::*                    LISTEN      -

tcp6       0      0 :::1098                 :::*                    LISTEN      - 

   

This bring to our team security concerns , when other external user/system open connection (for telnet or other protocols) to this port (accidentally or not), we get below error in the java app log:

2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while executing BLOB connection.

java.io.IOException: Unknown operation 3

               at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)

My question if is there a way to avoid exposing this port  to the outside, and keep it available only for it's original purpose : serving the localhost/127.0.0.1 requests which come from the flink engine.

Thank you and stay safe.

Omar

--

Arvid Heise | Senior Java Developer

Follow us @VervericaData

--

Join Flink Forward - The Apache Flink Conference

Stream Processing | Event Driven | Real Time

--

Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany

--

Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng   

1.11.0 is feature freezing today. The final release date depends on the progress of release testing / bug fixing.

Thank you~

Xintong Song

On Mon, May 18, 2020 at 6:36 PM Omar Gawi <[hidden email]> wrote:

Thanks Till!

Do you know what is 1.11.0 release date?

On Mon, May 18, 2020 at 12:49 PM Till Rohrmann <[hidden email]> wrote:

Hi Omar,

with FLINK-15154 [1] which will be released with the upcoming 1.11.0 release, it will be possible to bind the Blob server to the hostname specified via jobmanager.bind-host. Per default it will still bind to the wildcard address but with this option you can bind it to localhost, for example. Be aware, though, that the Blob server needs to be accessible from all TaskManager processes. Hence, if you run a distributed cluster, then binding the blob server to localhost won't work.

[1] https://issues.apache.org/jira/browse/FLINK-15154

Cheers,

Till

On Wed, May 13, 2020 at 10:10 AM Dawid Wysakowicz <[hidden email]> wrote:

Hi Omar,

Theoretically I think it could be possible to change the address on which the BlobServer runs (even to localhost). There is no configuration option for it now and the BlobServer always binds to the wildcard. One important aspect to consider here is that the BlobServer must be accessible from all the components of the cluster: taskmanagers, jobmanager (if I am not mistaken).

@Arvid  Wouldn't changing the line 192 in BlobServer:

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
                (port) -> socketFactory.createServerSocket(port, finalBacklog));

to e.g.

        this.serverSocket = NetUtils.createSocketFromPorts(ports,
              (port) -> socketFactory.createServerSocket(port, finalBacklog, InetAddress.getByName(configuration.get(BLOB_HOSTNAME))));

do the trick?

That said I think for now your only option is what Arvid suggested. Remember though that by default BlobServer is exposed on os chosen port, so it might change if you restart your cluster. You can set a staticport/range with 'blob.server.port' configuration option. If you feel strong about the requirement to configure the host as well, feel free to open a jira ticket.

On 12/05/2020 13:34, Arvid Heise wrote:

Hi Omar,

wouldn't it be possible to just create an iptable rule that allows access to 1098 only from localhost? I don't think you can open a socket just for localhost programmatically (at least not from Java).

Best,

Arvid

On Tue, May 12, 2020 at 12:51 PM Omar Gawi <[hidden email]> wrote:

Hi All,

I have Apache Flink running as part of our java program , on a linux machine.

The Flink runs on thread(s) within the same java process.

I see that the machine has the BLOB server port 1098 exposed to the outside :

davc@sdavc:~$ netstat -anp | grep LISTEN

(Not all processes could be identified, non-owned process info

will not be shown, you would have to be root to see it all.)

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -

tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      311/postgres

tcp6       0      0 :::8080                 :::*                    LISTEN      -

tcp6       0      0 :::21                   :::*                    LISTEN      -

tcp6       0      0 :::22                   :::*                    LISTEN      -

tcp6       0      0 ::1:5432                :::*                    LISTEN      311/postgres

tcp6       0      0 :::8443                 :::*                    LISTEN      -

tcp6       0      0 :::1098                 :::*                    LISTEN      - 

   

This bring to our team security concerns , when other external user/system open connection (for telnet or other protocols) to this port (accidentally or not), we get below error in the java app log:

2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while executing BLOB connection.

java.io.IOException: Unknown operation 3

               at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)

My question if is there a way to avoid exposing this port  to the outside, and keep it available only for it's original purpose : serving the localhost/127.0.0.1 requests which come from the flink engine.

Thank you and stay safe.

Omar

--

Arvid Heise | Senior Java Developer

Follow us @VervericaData

--

Join Flink Forward - The Apache Flink Conference

Stream Processing | Event Driven | Real Time

--

Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany

--

Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B Managing Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng