Hi Omar, with FLINK-15154 [1] which will be released with the upcoming 1.11.0 release, it will be possible to bind the Blob server to the hostname specified via jobmanager.bind-host. Per default it will still bind to the wildcard address but with this option you can bind it to localhost, for example. Be aware, though, that the Blob server needs to be accessible from all TaskManager processes. Hence, if you run a distributed cluster, then binding the blob server to localhost won't work.
[1] https://issues.apache.org/jira/browse/FLINK-15154 Cheers, Till On Wed, May 13, 2020 at 10:10 AM Dawid Wysakowicz <dwysakow...@apache.org> wrote: > Hi Omar, > > Theoretically I think it could be possible to change the address on which > the BlobServer runs (even to localhost). There is no configuration option > for it now and the BlobServer always binds to the wildcard. One important > aspect to consider here is that the BlobServer must be accessible from all > the components of the cluster: taskmanagers, jobmanager (if I am not > mistaken). > > @Arvid Wouldn't changing the line 192 in BlobServer: > > this.serverSocket = NetUtils.createSocketFromPorts(ports, > (port) -> socketFactory.createServerSocket(port, > finalBacklog)); > > to e.g. > > this.serverSocket = NetUtils.createSocketFromPorts(ports, > (port) -> socketFactory.createServerSocket(port, > finalBacklog, InetAddress.getByName(configuration.get(BLOB_HOSTNAME)))); > > do the trick? > > That said I think for now your only option is what Arvid suggested. > Remember though that by default BlobServer is exposed on os chosen port, so > it might change if you restart your cluster. You can set a staticport/range > with 'blob.server.port' configuration option. If you feel strong about the > requirement to configure the host as well, feel free to open a jira ticket. > On 12/05/2020 13:34, Arvid Heise wrote: > > Hi Omar, > > wouldn't it be possible to just create an iptable rule that allows access > to 1098 only from localhost? I don't think you can open a socket just for > localhost programmatically (at least not from Java). > > Best, > > Arvid > > On Tue, May 12, 2020 at 12:51 PM Omar Gawi <omar.g...@gmail.com> wrote: > >> Hi All, >> >> I have Apache Flink running as part of our java program , on a linux >> machine. >> The Flink runs on thread(s) within the same java process. >> I see that the machine has the BLOB server port 1098 exposed to the >> outside : >> >> davc@sdavc:~$ netstat -anp | grep LISTEN >> >> (Not all processes could be identified, non-owned process info >> >> will not be shown, you would have to be root to see it all.) >> >> tcp 0 0 0.0.0.0:22 0.0.0.0:* >> LISTEN - >> >> tcp 0 0 127.0.0.1:5432 0.0.0.0:* >> LISTEN 311/postgres >> >> tcp6 0 0 :::8080 :::* >> LISTEN - >> >> tcp6 0 0 :::21 :::* >> LISTEN - >> >> tcp6 0 0 :::22 :::* >> LISTEN - >> >> tcp6 0 0 ::1:5432 :::* >> LISTEN 311/postgres >> >> tcp6 0 0 :::8443 :::* >> LISTEN - >> *tcp6 0 0 :::1098 :::* >> LISTEN -* >> >> >> This bring to our team security concerns , when other external >> user/system open connection (for telnet or other protocols) to this port >> (accidentally or not), we get below error in the java app log: >> >> 2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while >> executing BLOB connection. >> >> java.io.IOException: Unknown operation 3 >> >> at >> org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122) >> >> >> My question if is there a way to avoid exposing this port to the >> outside, and keep it available only for it's original purpose : serving the >> localhost/127.0.0.1 requests which come from the flink engine. >> >> >> Thank you and stay safe. >> >> Omar >> > > > -- > > Arvid Heise | Senior Java Developer > > <https://www.ververica.com/> > > Follow us @VervericaData > > -- > > Join Flink Forward <https://flink-forward.org/> - The Apache Flink > Conference > > Stream Processing | Event Driven | Real Time > > -- > > Ververica GmbH | Invalidenstrasse 115, 10115 Berlin, Germany > > -- > Ververica GmbH Registered at Amtsgericht Charlottenburg: HRB 158244 B Managing > Directors: Timothy Alexander Steinert, Yip Park Tung Jason, Ji (Toni) Cheng > > >
