docker-library / mongo

Docker Official Image packaging for MongoDB
https://www.mongodb.org/
Apache License 2.0

Mongo container sends network requests to mysterious EC2 servers at AWS #676

Closed ledroide closed 6 months ago

ledroide commented 6 months ago

summary

Network tracker shows denied outgoing requests from the mongo container to external destinations. Mongo seems to run fine, however.

What are these requests? What is the purpose? How do we configure Mongo to avoid these requests?

context and versions

hubble output

External access is denied because only DNS is allowed for egress NetworkPolicies, so the error is legit.

Mar  5 14:02:26.496: test/mongo-76db777b55-dh46w:33590 (ID:22417) <> 35.160.35.184:443 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)
Mar  5 14:02:26.496: test/mongo-76db777b55-dh46w:33590 (ID:22417) <> 35.160.35.184:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:26.497: test/mongo-76db777b55-dh46w:33602 (ID:22417) <> 35.160.35.184:443 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)
Mar  5 14:02:26.497: test/mongo-76db777b55-dh46w:33602 (ID:22417) <> 35.160.35.184:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:26.748: test/mongo-76db777b55-dh46w:40156 (ID:22417) <> 35.155.246.37:443 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)
Mar  5 14:02:26.748: test/mongo-76db777b55-dh46w:40156 (ID:22417) <> 35.155.246.37:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:26.750: test/mongo-76db777b55-dh46w:40166 (ID:22417) <> 35.155.246.37:443 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)
Mar  5 14:02:26.750: test/mongo-76db777b55-dh46w:40166 (ID:22417) <> 35.155.246.37:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:26.999: test/mongo-76db777b55-dh46w:50050 (ID:22417) <> 44.240.52.117:443 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)
Mar  5 14:02:26.999: test/mongo-76db777b55-dh46w:50050 (ID:22417) <> 44.240.52.117:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:27.001: test/mongo-76db777b55-dh46w:50056 (ID:22417) <> 44.240.52.117:443 (world) policy-verdict:none EGRESS DENIED (TCP Flags: SYN)
Mar  5 14:02:27.001: test/mongo-76db777b55-dh46w:50056 (ID:22417) <> 44.240.52.117:443 (world) Policy denied DROPPED (TCP Flags: SYN)

Incomplete list of denied requests -> <address>:<port>.

All these IP addresses are part of "Amazon Technologies Inc."

$ whois 35.160.151.220

NetRange:       35.152.0.0 - 35.183.255.255
CIDR:           35.152.0.0/13, 35.176.0.0/13, 35.160.0.0/12
NetName:        AT-88-Z
NetHandle:      NET-35-152-0-0-1
Parent:         NET35 (NET-35-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Amazon Technologies Inc. (AT-88-Z)
RegDate:        2016-08-09
Updated:        2016-08-09
Ref:            https://rdap.arin.net/registry/ip/35.152.0.0

OrgName:        Amazon Technologies Inc.
OrgId:          AT-88-Z
Address:        410 Terry Ave N.
City:           Seattle
StateProv:      WA
[...]
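Added example (not from the issue or the docker-library/mongo project): a small parser that turns hubble "Policy denied DROPPED" lines like the ones above into a per-pod, per-destination count and checks each destination against the Amazon CIDRs quoted in the whois answer. The sample lines are constructed from the flows shown in the issue plus one allowed DNS flow that the filter must ignore.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: dropped egress flows copied from the issue, plus one
# forwarded DNS flow (not a drop, not to "world") that must be ignored.
SAMPLE_FLOWS = """\
Mar  5 14:02:26.496: test/mongo-76db777b55-dh46w:33590 (ID:22417) <> 35.160.35.184:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:26.748: test/mongo-76db777b55-dh46w:40156 (ID:22417) <> 35.155.246.37:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:26.999: test/mongo-76db777b55-dh46w:50050 (ID:22417) <> 44.240.52.117:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:27.001: test/mongo-76db777b55-dh46w:50056 (ID:22417) <> 44.240.52.117:443 (world) Policy denied DROPPED (TCP Flags: SYN)
Mar  5 14:02:27.100: test/mongo-76db777b55-dh46w:51000 (ID:22417) -> kube-system/coredns-abc:53 (ID:1) to-endpoint FORWARDED (UDP)
"""

# CIDRs as listed in the whois output quoted in the issue (Amazon Technologies Inc.).
AWS_CIDRS_FROM_WHOIS = [
    ipaddress.ip_network(c) for c in ("35.152.0.0/13", "35.176.0.0/13", "35.160.0.0/12")
]

# Only the "Policy denied DROPPED" line is matched; hubble also emits a
# "policy-verdict:none EGRESS DENIED" line per SYN, which would double count.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): (?P<ns>[^/]+)/(?P<pod>\S+?):(?P<sport>\d+) \(ID:\d+\) <> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \(world\) Policy denied DROPPED"
)


def parse_denied_world_egress(text):
    """Yield (namespace, pod, dst_ip, dst_port) for each dropped egress flow to 'world'."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            yield m["ns"], m["pod"], m["dst"], int(m["dport"])


def summarize(text):
    """Count drops per (pod, destination) and flag destinations inside the quoted AWS ranges."""
    counts = Counter(parse_denied_world_egress(text))
    report = []
    for (ns, pod, dst, port), n in sorted(counts.items()):
        in_whois = any(ipaddress.ip_address(dst) in net for net in AWS_CIDRS_FROM_WHOIS)
        report.append({"pod": f"{ns}/{pod}", "dst": f"{dst}:{port}",
                       "drops": n, "in_quoted_aws_ranges": in_whois})
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_FLOWS):
        print(entry)
```

Feeding real `hubble observe` output through `summarize` gives the list of unexpected destinations to resolve (e.g. with the tshark DNS capture suggested later in the thread) before deciding whether the traffic is benign telemetry or something worse.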
tianon commented 6 months ago

This sounds like you probably exposed your MongoDB container to the public internet, and it's likely compromised. :grimacing:

I would suggest you shut it down ASAP and consider all data in it leaked or compromised. :see_no_evil:

ledroide commented 6 months ago

> This sounds like you probably exposed your MongoDB container to the public internet, and it's likely compromised. 😬 I would suggest you shut it down ASAP and consider all data in it leaked or compromised. 🙈

@tianon Thanks for this warning. However:

From what I see, there is something in this container configuration that is fetching some service(s) hosted in AWS. Note that this Mongo container is not running on AWS hosting.

LaurentGoderre commented 6 months ago

@ledroide what is the image digest (sha) of the image you are using?

tianon commented 6 months ago

also, any chance you're using mongosh inside that container? apparently it enables telemetry by default (and we should probably update our docs to point that out :disappointed:): https://www.mongodb.com/docs/mongodb-shell/telemetry/

tianon commented 6 months ago

(maybe you could use something like tshark to log the DNS requests to try and map those IPs to hostnames to verify?)

ledroide commented 6 months ago

> also, any chance you're using mongosh inside that container? apparently it enables telemetry by default (and we should probably update our docs to point that out 😞): https://www.mongodb.com/docs/mongodb-shell/telemetry/

Trying:

mongodb@mongo-76db777b55-qv5pl:/$ mongosh
Connecting to:          mongodb://127.0.0.1:27017/?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.5
Using MongoDB:          7.0.6
Using Mongosh:          2.1.5

test> config.get('enableTelemetry')
true
test> disableTelemetry()
Telemetry is now disabled.
test> config.get('enableTelemetry')
false

After 45 minutes, no external access is reported. @tianon it looks like you have found the cause of this issue.

Unfortunately I am unable to find a way to configure my container with telemetry disabled. Here are supported environment variables. No telemetry.

Maybe there is a way to mount a file mongosh.conf - from a configMap - somewhere in the container?

ledroide commented 6 months ago

I guess the probes are triggering the telemetry, because they run a mongosh command:

          readinessProbe:
            exec:
              command:
                - /usr/bin/mongosh
                - --eval
                - "db.adminCommand('ping').ok"
                - localhost:27017/test
                - --quiet

I could not find a clean way to configure telemetry in mongosh, so I put this workaround in the podspec:

      containers:
        - name: mongo
          image: docker.io/library/mongo:7.0.6-jammy
          args:
            - --dbpath
            - /data/db
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/bin/mongosh
                  - --nodb
                  - --eval
                  - "disableTelemetry()"

This writes the config here:

kubectl exec -ti deploy/mongo -- bash
mongodb@mongo-7c9d665b54-99dpt:/$ cat ~/.mongodb/mongosh/config | jq .
{
  "userId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "telemetryAnonymousId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "enableTelemetry": false,
  "disableGreetingMessage": true
}

15 minutes after restarting the container, no external requests. It looks like the workaround solves the issue.

However, an environment variable to switch off telemetry would be appreciated.

tianon commented 6 months ago

That all tracks because the function would probably only disable it for the lifetime of the mongosh command -- unfortunately, for more than that you'll need to file a feature request with MongoDB directly (we're just packagers of what they publish). :sweat_smile:

tianon commented 6 months ago

Oh, sorry, misread your latest -- it does persist, that's interesting. I agree though that an environment variable would be awesome, but isn't something we would implement here. :smile: