
Support listening on unix sockets

Open bouk opened this issue 1 year ago • 5 comments

It seems this can almost work since you can specify the network, the only problem is that it adds the port to the address. Perhaps it should only do this if the network equals 'tcp' and ignore the port field, then we could configure Grafana Tempo/Mimir with something like:

http_listen_network: unix
http_listen_address: /var/run/grafana.socket

bouk avatar Feb 01 '24 08:02 bouk

Can you explain why you'd want Mimir/Tempo/etc to listen on a UNIX socket?

56quarters avatar Feb 01 '24 15:02 56quarters

Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

bouk avatar Feb 01 '24 15:02 bouk

Think I've implemented this in my PR ^

hbjydev avatar Mar 28 '24 00:03 hbjydev

> Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

I'm not sure why support for Unix sockets is required for this. The Mimir/Loki/Tempo process could be set to bind only to local interfaces (127.0.0.1 etc.) with Nginx binding to the public addresses. That seems like it'd work for your use case, no?

I don't really mind adding support for Unix sockets to dskit (as @hbjydev has done) but I don't want to add more variations to the ways people can run Mimir since it's already pretty challenging.

56quarters avatar Mar 28 '24 13:03 56quarters

> Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

> I'm not sure why support for Unix sockets is required for this. The Mimir/Loki/Tempo process could be set to bind only to local interfaces (127.0.0.1 etc.) with Nginx binding to the public addresses. That seems like it'd work for your use case, no?

Unix sockets provide an important additional layer of security: you can use filesystem permissions to ensure that only your reverse proxy can connect to Loki etc., instead of any process on the system. This is especially important since Loki doesn't have any built-in authentication.

> I don't really mind adding support for Unix sockets to dskit (as @hbjydev has done) but I don't want to add more variations to the ways people can run Mimir since it's already pretty challenging.

quentinmit avatar Sep 11 '24 05:09 quentinmit
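An added example, written here for this page and not taken from dskit or from the PR hbjydev mentions, in Go since that is dskit's language: `listenAddr` applies the rule bouk proposes (append the port only for TCP networks, treat a `unix` address as a bare path), and `listenUnixRestricted` shows the filesystem-permission layer quentinmit describes by chmod'ing the socket so only its owner and group can connect. The function names, the 0660 mode and the demo socket path are assumptions; the proxy is assumed to run in the socket's group.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// listenAddr builds the address passed to net.Listen: TCP gets the port appended
// (as dskit does today); "unix" is a filesystem path and the port is ignored.
func listenAddr(network, address string, port int) (string, error) {
	switch network {
	case "tcp", "tcp4", "tcp6":
		return net.JoinHostPort(address, fmt.Sprint(port)), nil
	case "unix":
		if address == "" {
			return "", fmt.Errorf("network %q requires a socket path", network)
		}
		return address, nil
	default:
		return "", fmt.Errorf("unsupported listen network %q", network)
	}
}

// listenUnixRestricted creates the socket and chmods it so only the owning user and
// group (assumed to be the proxy's group) can connect; connect() checks write permission.
func listenUnixRestricted(path string, mode os.FileMode) (net.Listener, error) {
	_ = os.Remove(path) // stale socket from an unclean shutdown; harmless if absent
	ln, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	// Until Chmod runs the file has umask-derived mode; a 0750 parent directory
	// group-owned by the proxy closes that window.
	if err := os.Chmod(path, mode); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil // ln.Close() also unlinks the socket file
}

func main() {
	ln, err := listenUnixRestricted(filepath.Join(os.TempDir(), "dskit-demo.sock"), 0o660)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("listening on", ln.Addr())
}
```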