Support listening on unix sockets #475

Open
bouk opened this issue Feb 1, 2024 · 5 comments · May be fixed by #511

bouk commented Feb 1, 2024

It seems this can almost work since you can specify the network, the only problem is that it adds the port to the address. Perhaps it should only do this if the network equals 'tcp' and ignore the port field, then we could configure Grafana Tempo/Mimir with something like:

```yaml
http_listen_network: unix
http_listen_address: /var/run/grafana.socket
```

@56quarters (Contributor)

Can you explain why you'd want Mimir/Tempo/etc to listen on a UNIX socket?

bouk commented Feb 1, 2024

Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

hbjydev linked a pull request Mar 28, 2024 that will close this issue

hbjydev commented Mar 28, 2024

Think I've implemented this in my PR ^

56quarters commented Mar 28, 2024

> Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

I'm not sure why support for Unix sockets is required for this. The Mimir/Loki/Tempo process could be set to bind only to local interfaces (127.0.0.1 etc) with Nginx binding to the public addresses. That seems like it'd work for your use case, no?

I don't really mind adding support for Unix sockets to dskit (as @hbjydev has done) but I don't want to add more variations to the ways people can run Mimir since it's already pretty challenging.

@quentinmit

> > Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.
>
> I'm not sure why support for Unix sockets is required for this. The Mimir/Loki/Tempo process could be set to bind only to local interfaces (127.0.0.1 etc) with Nginx binding to the public addresses. That seems like it'd work for your use case, no?

Unix sockets provide an important additional layer of security: you can use filesystem permissions to ensure that only your reverse proxy can connect to Loki etc., instead of any process on the system. This is especially important since Loki doesn't have any built-in authentication.

> I don't really mind adding support for Unix sockets to dskit (as @hbjydev has done) but I don't want to add more variations to the ways people can run Mimir since it's already pretty challenging.
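
Added example, not part of the thread and not dskit's or the linked PR's code: a Go sketch of the two points discussed above, appending the port only for TCP networks and using file permissions on the socket to limit who can connect. The function names, the 0750/0660 modes and the demo path are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// listenTarget builds the address passed to net.Listen. The port is appended
// only for TCP networks; for "unix" the address is a filesystem path.
func listenTarget(network, address string, port int) string {
	if strings.HasPrefix(network, "tcp") {
		return net.JoinHostPort(address, strconv.Itoa(port))
	}
	return address
}

// listenUnixRestricted binds a Unix socket and sets its permission bits to
// mode. A missing parent directory is created 0750 (assumed policy), which
// keeps other users out even before the chmod on the socket has happened.
func listenUnixRestricted(path string, mode os.FileMode) (net.Listener, error) {
	if err := os.MkdirAll(filepath.Dir(path), 0o750); err != nil {
		return nil, err
	}
	if fi, err := os.Lstat(path); err == nil && fi.Mode()&os.ModeSocket != 0 {
		os.Remove(path) // stale socket left by a previous run
	}
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(path, mode); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "dskit-demo", "http.sock") // constructed demo path
	ln, err := listenUnixRestricted(path, 0o660)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("listening on", ln.Addr(), "; tcp target:", listenTarget("tcp", "127.0.0.1", 8080))
}
```

With mode 0660 the reverse proxy needs to share the socket's group (and be able to traverse the parent directory) to connect; a loopback TCP listener has no equivalent per-user restriction.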
