faasd
Add ufw rule for port 8081
Why do you need this?
Installed faasd on an Ubuntu 22.04 VPS behind a Caddy reverse proxy. Started blocking ports with ufw, only leaving 22, 80 and 443 open. faasd broke then, because it needs port 8081 available. Didn't know about the inner workings of faasd; found out in the community office hours that interface openfaas0 needs this port to be open. Not sure how to configure these settings correctly for an interface with ufw.
Error message (for ASCII cows 🐮):
error finding function cows.openfaas-fn: Get "http://faasd-provider:8081/system/function/cows?namespace=openfaas-fn&usage=false": dial tcp 10.62.0.1:8081: i/o timeout
Expected Behaviour
Would be nice to have some documentation on how to secure a server for faasd, as I couldn't find anything in the eBook as well as in the OpenFaas docs. Best case: have it implemented in the relevant install scripts (for me it was hack/install.sh)
Current Behaviour
If I block port 8081 everywhere, faasd is not operational.
Are you a GitHub Sponsor (Yes/No?)
- [x] No (bought the faasd eBook though :-))
List All Possible Solutions and Workarounds
Dirty workaround: leave port 8081 open everywhere.
Found out in the community office hours that only interface openfaas0 needs this port to be open.
Which Solution Do You Recommend?
Have ufw rule definitions implemented in the relevant install scripts (for me it was hack/install.sh). Port 8081 for the openfaas0 interface is relevant, how can I make sure it's not open anywhere? Maybe would be nice to also configure some rules for Caddy and OpenSSH in the installers?
Steps to Reproduce (for bugs)
Have Caddy point to the faasd gateway's :8080 as a reverse_proxy; exemplary Caddyfile:
faasd.domain.tld {
reverse_proxy 127.0.0.1:8080
}
Hint: I edited /var/lib/faasd/docker-compose.yaml, so the faasd gateway is only available via localhost:
gateway:
  [...]
  ports:
    - "127.0.0.1:8080:8080"
Then run sudo ufw allow proto tcp from any to any port 80,443 and sudo ufw enable (make sure to also have SSH port 22 open, so you don't lock yourself out).
Result: faasd is not operational (web-ui as well as deploys via faas-cli)
Your Environment
- OS and architecture: Ubuntu Server 22.04 (amd64)
I tried sudo ufw allow in on openfaas0 to any port 8081 proto tcp, seems to work. I'm just not sure if this makes any sense firewall- and network-wise. Should I restrict access by doing something like from eth0? Also I remember @alexellis talking about allowing loopback...
Sorry, totally in the dark here :D
Appreciate some hints in the right direction!
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80,443/tcp                 ALLOW       Anywhere
8081/tcp on openfaas0      ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80,443/tcp (v6)            ALLOW       Anywhere (v6)
8081/tcp (v6) on openfaas0 ALLOW       Anywhere (v6)
Thanks for this issue, this looks good to me and for some reason I had a recollection that we had enabled ufw already. @jsiebens any thoughts?
openfaas0 is a bridge adapter for the containers created by openfaas to be accessed by the host. It is not accessible via the public internet.
With your firewall now in place, try an example from the book to make sure that containers can talk to each other, and to the gateway.
So make a HTTP REST call to the gateway from a function.
Then deploy Mongo or Postgresql using the instructions in the book, and make sure that a function can still contact them.
Yes, you are right. I've used the following ufw rules in the past when installing faasd:
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from 10.62.0.0/16 to 10.62.0.0/16
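The rule set from the comment above, as an added example script that is not part of faasd, its install scripts or this thread's own commands: it emits the ufw commands in a form you can review before applying, applies them non-interactively, and audits a ufw status listing so that 8081 (faasd-provider) is never reachable from anywhere but the openfaas0 bridge or the container subnet. It assumes faasd's default container network 10.62.0.0/16 on openfaas0 (the address 10.62.0.1 in the error message above comes from that range), SSH on 22 and Caddy on 80/443; the function names and the sample status text are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: ufw hardening for a faasd host. Not faasd's own code.
# Assumptions (adjust via env vars if your setup differs):
#   - functions run on bridge openfaas0 in 10.62.0.0/16 (faasd default)
#   - SSH listens on 22, Caddy on 80/443, gateway bound to 127.0.0.1:8080
#   - loopback traffic needs no rule: ufw's default before.rules accept it,
#     so Caddy -> 127.0.0.1:8080 keeps working
set -eu

FAASD_SUBNET="${FAASD_SUBNET:-10.62.0.0/16}"
SSH_PORT="${SSH_PORT:-22}"
PUBLIC_PORTS="${PUBLIC_PORTS:-80 443}"

# Print the ufw commands, one per line, without running anything.
faasd_ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow ${SSH_PORT}/tcp"
    for p in $PUBLIC_PORTS; do
        echo "ufw allow ${p}/tcp"
    done
    # Functions must reach faasd-provider on 10.62.0.1:8081, the gateway, and
    # each other (e.g. a Mongo/Postgres container). Scoping the rule to the
    # container subnet on both sides keeps 8081 closed on the public interface.
    echo "ufw allow from ${FAASD_SUBNET} to ${FAASD_SUBNET}"
}

# Apply the rules (run as root). --force skips the interactive enable prompt.
faasd_ufw_apply() {
    faasd_ufw_rules | while read -r cmd; do
        $cmd
    done
    ufw --force enable
    ufw status verbose
}

# Audit a `ufw status` listing read from stdin: flag any rule mentioning 8081
# that is not scoped to openfaas0 or to the faasd subnet. Returns 1 if found.
faasd_audit_status() {
    local bad
    bad=$(awk -v subnet="$FAASD_SUBNET" '
        /8081/ {
            if ($0 ~ / on openfaas0/) next   # scoped to the bridge: fine
            if (index($0, subnet) > 0) next   # scoped to the subnet: fine
            print                             # anything else exposes 8081
        }')
    if [ -n "$bad" ]; then
        printf 'exposed 8081 rule(s):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of `ufw status`, modelled on this issue.
SAMPLE_STATUS_OK='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80,443/tcp                 ALLOW       Anywhere
8081/tcp on openfaas0      ALLOW       Anywhere'

# Same listing plus the "dirty workaround" rule that opens 8081 everywhere.
SAMPLE_STATUS_BAD="$SAMPLE_STATUS_OK
8081/tcp                   ALLOW       Anywhere"
```

Usage: `faasd_ufw_rules` to review, `sudo bash -c 'source faasd-ufw.sh; faasd_ufw_apply'` to apply, and `sudo ufw status | faasd_audit_status` afterwards (or after any later rule change) to confirm nothing re-opened 8081 publicly. The subnet-to-subnet rule and the issue author's `allow in on openfaas0` rule both pass the audit; a bare `8081/tcp ALLOW Anywhere` fails it. After applying, exercise function-to-gateway and function-to-database traffic as suggested earlier in the thread to confirm the bridge rule is sufficient.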
That looks great! Thanks 👍
We discussed this on the community call today, and would like to find someone to add the above rules and to install ufw in the terraform script we maintain here.
@jsiebens how would you add it to all of your providers? https://github.com/openfaas/faasd/issues/250
I'm only using ufw in the module for Equinix Metal. Mainly because, at the time of creating the module, they didn't have some kind of firewall available. All my other modules are using firewalls or security groups of the target cloud (e.g. GCP and AWS)
If the ufw installation and rules would be added to the faasd install script, perhaps make it optional or skippable? Like it is already doing for Caddy
It should either be added to hack/install.sh as an optional addition, or added to the Terraform. I think that the Terraform makes more sense, since it's not a part of faasd itself.
Alex
@alexellis Do we need to make changes in the faasd or depend on Terraform instead for fixing this?
If we need to make changes in faasd, I would like to work on it.
Please inform.
@NikhilSharmaWe that's a good question.
There is a package for managing ufw for Go - and it would be possible to write our own also.
https://github.com/shinebayar-g/ufw-docker-automated/tree/main/ufwhandler
But for now, I think we are OK (judging by this issue) with Terraform setting up and managing ufw via cloud-init.
We may even decide to use the install script to configure it at some later point.
Alex