
Allow binding to IP address that does not exist yet (`IP_FREEBIND`)

Open septatrix opened this issue 2 months ago • 4 comments

Is your feature request related to a problem? Please describe

I would like my VM/VL instances to only be reachable through my VPN. However, it is not always possible for me to ensure that the VPN IP is already available by the time VM should start up. Therefore I cannot configure it to listen on that address.

Describe the solution you'd like

It should be possible by some means to set the `IP_FREEBIND` flag on the socket, either for all sockets with a global flag, or using some special syntax for `-httpListenAddr=`. Setting the flag in Go can be done like the following: `syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_FREEBIND, 1)`

Describe alternatives you've considered

One may work around this by either binding to all addresses and configuring a firewall to block other access, or binding to localhost and setting up a reverse proxy (like vmauth) to only forward those requests coming from the desired IP range. However, both of these require additional components and configuration which complicate the setup.

Additional information

No response

septatrix avatar Oct 21 '25 13:10 septatrix
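
The socket option named in the request above, wired into a Go listener through `net.ListenConfig.Control`. This is an added example, not code from the issue or from VictoriaMetrics; the function name `listenFreeBind` and the 192.0.2.10 address are assumptions for illustration, and the code is Linux-only.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
)

// listenFreeBind (hypothetical helper) opens a TCP/IPv4 listener on addr with
// IP_FREEBIND set before bind(2), so addr may name an IP that no interface
// carries yet. Linux only: syscall.IP_FREEBIND is not defined elsewhere.
func listenFreeBind(addr string) (net.Listener, error) {
	lc := net.ListenConfig{
		// Control runs after socket(2) and before bind(2).
		Control: func(network, address string, c syscall.RawConn) error {
			var sockErr error
			err := c.Control(func(fd uintptr) {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_FREEBIND, 1)
			})
			if err != nil {
				return err
			}
			return sockErr
		},
	}
	return lc.Listen(context.Background(), "tcp4", addr)
}

func main() {
	// Constructed sample address from TEST-NET-1 (RFC 5737), standing in
	// for a VPN IP that has not been assigned to an interface yet.
	const vpnAddr = "192.0.2.10:0"

	// Plain bind: normally fails with EADDRNOTAVAIL while the address is absent.
	if ln, err := net.Listen("tcp4", vpnAddr); err != nil {
		fmt.Println("plain bind:", err)
	} else {
		ln.Close()
	}

	ln, err := listenFreeBind(vpnAddr)
	if err != nil {
		fmt.Println("freebind:", err)
		return
	}
	defer ln.Close()
	fmt.Println("freebind listening on", ln.Addr())
}
```

The listener stays bound to the one address, so it is not exposed on other interfaces while the VPN address is missing.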

Would it be possible to use systemd or another service manager to ensure that vmauth does not start until after the VPN interface is available?

tiny-pangolin avatar Oct 21 '25 14:10 tiny-pangolin

In theory yes, though that would mean that if the VPN for some reason is unable to start, it would prevent VM from starting as well. Think of a setup where VM is listening on both localhost and the VPN IP, such that even if the VPN is down for some reason, a local instance of Grafana or Alertmanager would still be able to query the instance.

septatrix avatar Oct 21 '25 14:10 septatrix

Another alternative (and what I use for some other services) is to use systemd socket activation to pass a socket to the service. In the `.socket` unit I then declare `FreeBind=yes`. However, VM/VL also do not support this. Another advantage of socket activation is that it enables faster boots and easy binding to privileged ports without granting additional permissions.

septatrix avatar Oct 21 '25 15:10 septatrix

Somewhat related to https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4973

makasim avatar Dec 10 '25 12:12 makasim