grafana / dskit

Distributed systems kit
Apache License 2.0

Support listening on unix sockets #475

Open bouk opened 10 months ago

bouk commented 10 months ago

It seems this can almost work since you can specify the network; the only problem is that it adds the port to the address. Perhaps it should only do this if the network equals 'tcp' and ignore the port field, then we could configure Grafana Tempo/Mimir with something like:

http_listen_network: unix
http_listen_address: /var/run/grafana.socket

56quarters commented 10 months ago

Can you explain why you'd want Mimir/Tempo/etc to listen on a UNIX socket?

bouk commented 10 months ago

Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

hbjydev commented 8 months ago

Think I've implemented this in my PR ^

56quarters commented 8 months ago

> Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

I'm not sure why support for Unix sockets is required for this. The Mimir/Loki/Tempo process could be set to bind only to local interfaces (127.0.0.1 etc) with Nginx binding to the public addresses. That seems like it'd work for your use case, no?

I don't really mind adding support for Unix sockets to dskit (as @hbjydev has done) but I don't want to add more variations to the ways people can run Mimir since it's already pretty challenging.

quentinmit commented 2 months ago

> Oh right: I want to run a reverse proxy (nginx) in front of its API, and I'd prefer not to run the risk of exposing it over the network.

> I'm not sure why support for Unix sockets is required for this. The Mimir/Loki/Tempo process could be set to bind only to local interfaces (127.0.0.1 etc) with Nginx binding to the public addresses. That seems like it'd work for your use case, no?

Unix sockets provide an important additional layer of security: you can use filesystem permissions to ensure that only your reverse proxy can connect to Loki etc., instead of any process on the system. This is especially important since Loki doesn't have any built-in authentication.

> I don't really mind adding support for Unix sockets to dskit (as @hbjydev has done) but I don't want to add more variations to the ways people can run Mimir since it's already pretty challenging.