go-graphite / docker-go-graphite

Docker image for go-carbon + carbonapi + grafana
MIT License

External grafana cannot connect to carbonapi #11

Closed nikobearrr closed 4 years ago

nikobearrr commented 4 years ago

If you run the docker image as provided it is shipped with Grafana. However, you might want to use external grafana. In such case you won't be able to connect, even though the port 8081 is exported.


nikobearrr commented 4 years ago

Hi @Civil, thanks for taking a look at this PR.

I have also noticed that carbon also uses 127.0.0.1 instead of 0.0.0.0, but I wouldn't expect that we would want to connect to that. However, in the Dockerfile port 8080 is exposed. I think we should either change the IP or remove the exposed port. In the README I see the 8081 port mapping (carbonapi) is missing, so I will make a PR with that change. That's how I found out about the other exposed port.

deniszh commented 4 years ago

@nikobearrr: the port is exposed because it's an image property; you can't change it without rebuilding the image, contrary to the listening port in the config, which can be changed by mounting a volume with the config. That's why by default carbonapi and go-carbon listen on localhost only.

nikobearrr commented 4 years ago

@deniszh I am looking at it from a "quick start" point of view. Port 8080 is exposed, but if you map it, e.g. -p 8080:8080, you won't be able to access it. Correct me if I am wrong, but any IP configuration different from 0.0.0.0:8080 in https://github.com/go-graphite/docker-go-graphite/blob/master/conf/etc/go-carbon/go-carbon.conf#L204 would make it impossible to access the carbonserver at port 8080.

So I cannot just run the image, export port 8080 and connect to it. That is the same issue as with carbonapi, which I submitted the PR for: carbonapi is running on port 8081, the port is exposed, I map the port, but I cannot connect to it.

deniszh commented 4 years ago

> Correct me if I am wrong, but any IP configuration different from 0.0.0.0:8080 in https://github.com/go-graphite/docker-go-graphite/blob/master/conf/etc/go-carbon/go-carbon.conf#L204 would make it impossible to access the carbonserver at port 8080. So I cannot just run the image, export port 8080 and connect to it. That is the same issue as with carbonapi, which I submitted the PR for: carbonapi is running on port 8081, the port is exposed, I map the port, but I cannot connect to it.

Yes, and that's on purpose IMO. The user should have control over this, with secure defaults. Security is reversed convenience, that's true.

deniszh commented 4 years ago

Ah, and btw it doesn't even require a volume mount. Carbonapi supports configuration via env variables, so you can just run -p 8081:8081 -e CARBONAPI_LISTEN=0.0.0.0:8081 with the same result. After merging #13, port 8081 is exposed to the network by default, which is suboptimal IMO. But that's my paranoid "modus operandi", nvm. :)
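The mismatch the thread is circling around (a port baked into the image with EXPOSE, a process inside the container bound to 127.0.0.1, and a `-p` mapping that therefore connects to nothing) is easy to check mechanically. The script below is an added example, not code from the docker-go-graphite project: it reads EXPOSE lines from a Dockerfile, reads `listen = "host:port"` lines from a go-carbon style config (assumption: the TOML-like `[section]` / `listen` layout of go-carbon.conf), applies the `CARBONAPI_LISTEN` env override deniszh mentions, and reports, per exposed port, whether a host-side mapping can actually reach it. The Dockerfile fragment, config fragment and default listener table are constructed sample inputs.

```python
import re
from ipaddress import ip_address

# Constructed Dockerfile fragment: EXPOSE is an image property, so these
# ports cannot be changed without rebuilding the image.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.12
EXPOSE 2003 8080 8081 3000
"""

# Constructed go-carbon style config fragment (assumption: TOML-like
# sections each carrying a `listen = "host:port"` key, as in go-carbon.conf).
SAMPLE_GO_CARBON_CONF = """\
[tcp]
listen = "0.0.0.0:2003"

[carbonserver]
listen = "127.0.0.1:8080"
"""

# Constructed defaults for the other services in the image: the thread says
# carbonapi listens on localhost only unless overridden; grafana is the one
# service meant to be reachable from outside.
DEFAULT_LISTENERS = {"carbonapi": ("127.0.0.1", 8081), "grafana": ("0.0.0.0", 3000)}

# Env var -> service whose bind address it overrides (CARBONAPI_LISTEN is
# the one named in the thread).
ENV_OVERRIDES = {"CARBONAPI_LISTEN": "carbonapi"}


def exposed_ports(dockerfile_text):
    """Collect every port named on EXPOSE lines, ignoring /tcp or /udp suffixes."""
    ports = set()
    for line in dockerfile_text.splitlines():
        m = re.match(r"\s*EXPOSE\s+(.+)", line, re.IGNORECASE)
        if m:
            for token in m.group(1).split():
                ports.add(int(token.split("/")[0]))
    return ports


def parse_listen_lines(config_text):
    """Map each [section] to the (host, port) of its `listen = "host:port"` line."""
    section, result = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        sec = re.match(r"\[([\w.-]+)\]", line)
        if sec:
            section = sec.group(1)
            continue
        m = re.match(r'listen\s*=\s*"([^"]*)"', line)
        if m and section:
            host, _, port = m.group(1).rpartition(":")
            result[section] = (host, int(port))
    return result


def apply_env(listeners, env):
    """Apply `<SERVICE>_LISTEN=host:port` overrides; returns a new dict."""
    updated = dict(listeners)
    for var, service in ENV_OVERRIDES.items():
        if var in env:
            host, _, port = env[var].rpartition(":")
            updated[service] = (host, int(port))
    return updated


def reachable_through_mapping(host):
    """A -p mapping only reaches a process that binds a non-loopback address."""
    if host in ("", "0.0.0.0", "::", "[::]"):
        return True
    if host == "localhost":
        return False
    try:
        return not ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return True  # some other hostname: assume it resolves to a real interface


def audit(dockerfile_text, listeners):
    """Cross-check EXPOSEd ports against bind addresses.

    Returns {port: {"service": name or None, "host": bind host or None,
                    "reachable": True/False, or None if nothing listens there}}.
    """
    by_port = {port: (name, host) for name, (host, port) in listeners.items()}
    report = {}
    for port in sorted(exposed_ports(dockerfile_text)):
        name, host = by_port.get(port, (None, None))
        report[port] = {
            "service": name,
            "host": host,
            "reachable": None if host is None else reachable_through_mapping(host),
        }
    return report


if __name__ == "__main__":
    listeners = {**DEFAULT_LISTENERS, **parse_listen_lines(SAMPLE_GO_CARBON_CONF)}
    print("image defaults:", audit(SAMPLE_DOCKERFILE, listeners))
    print("with -e CARBONAPI_LISTEN=0.0.0.0:8081:",
          audit(SAMPLE_DOCKERFILE, apply_env(listeners, {"CARBONAPI_LISTEN": "0.0.0.0:8081"})))
```

Run as-is, the first report flags 8080 (carbonserver) and 8081 (carbonapi) as exposed but unreachable, which is exactly the "mapped the port, still can't connect" symptom; the second report, with the env override, flips 8081 to reachable. The same output is also the inventory a defender wants before choosing to open a port: every entry marked reachable is a plaintext, unauthenticated listener once the mapping exists.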

nikobearrr commented 4 years ago

I am not sure how that is a matter of security, but I am by no means an expert or close to one. I'll give you my personal experience from yesterday: I ran the image successfully using the command provided in the quick start section of the readme. Then I mapped port 8081 (carbonapi) and tried to connect from my external grafana. That didn't work. I thought I did something wrong with the mapping. Then I thought I did something wrong with the hostname. Something seemed wrong because I could see the port is exposed, I triple-checked the port is mapped, and yet my external grafana wouldn't connect. I decided to leave the issue for the day and just check the carbonapi default config.

It is not a given that things should work without any configuration, but given that the port is exposed and I can map it, why not make it the default so that it "just" works? The reason I made this PR and asked about the same situation with carbonserver is that I thought this was wrong, and to save someone else's time debugging/trying to figure out what is going wrong.

If you think the PR I submitted has added a security weakness, please feel free to revert it. In any case, I think something should be added to the readme regarding this (or how to configure it via the env variable, as you wrote), because it might not be clear to everyone, especially if they are just starting with go-carbon and want to run it and make a POC.

Civil commented 4 years ago

I've always hesitated to decide whether we should just add caps-red text saying "All your data is exposed by default, please make sure you use this in an internal network only or in an isolated environment" or stick with "expose only grafana".

As I'm not sure that a lot of people have plans to use monitoring from the outside world...

deniszh commented 4 years ago

Hi @nikobearrr

> I am not sure how that is a matter of security, but I am by no means an expert or close to one.

I'm not saying that I'm an expert either, but I can imagine some users not realizing that carbonapi uses a plaintext protocol without authorization, and that their "precious" metrics become visible to all internal and maybe even external networks (of course, only if their network is configured wrong).

> The reason I made this PR and asked about the same situation with carbonserver is that I thought this was wrong, and to save someone else's time debugging/trying to figure out what is going wrong.

As I said earlier, security and convenience are usually mutually exclusive. You're saving someone else's debug time and potentially exposing their metrics. And as I said, there are no good and bad answers there; software development is just full of tradeoffs and non-obvious choices. I have my own bias and lean to the security side, but those are my traits and not a universal good for all humanity.

> If you think the PR I submitted has added a security weakness, please feel free to revert it.

I don't think so. You have a valid use case, and the security risk is minimal. The README mentions exposing port 8081 now, so I think it's fine.