From: "Robin Jarry" <rjarry@redhat.com>
To: "Bruce Richardson" <bruce.richardson@intel.com>
Cc: <dev@dpdk.org>, <stable@dpdk.org>
Subject: Re: [PATCH dpdk] telemetry-exporter: listen on loopback by default
Date: Mon, 27 Jan 2025 21:21:34 +0100
Message-ID: <D7D4VJ9GISNJ.2RIGH6IDPR8BL@redhat.com>
In-Reply-To: <Z5eauLXHdzkNi64w@bricha3-mobl1.ger.corp.intel.com>

Bruce Richardson, Jan 27, 2025 at 15:39:
> On Mon, Jan 27, 2025 at 12:51:44PM +0100, Robin Jarry wrote:
>> Fix the following warning reported by Coverity:
>> 
>> Defect type: SIGMA.insecure_network_bind:
>> > dpdk-stable-24.11.1/usertools/dpdk-telemetry-exporter.py:278:
>> > Sigma main event: The HTTP server binds to all network interfaces by
>> > setting the IP address to "", `0.0.0.0`, `::`, or `::0`.
>> > This may expose the server to unintended traffic.
>> 
>> Avoid listening to all interfaces by default to avoid exposing private
>> information unwillingly.
>> 
>> Unrelated: The Python stdlib TCP server listens on IPv4 only by default.
>> Changing this requires creating a subclass that overrides address_family
>> to socket.AF_INET6.
>> 
>> Fixes: d94ebd627a86 ("usertools: add telemetry exporter")
>> Cc: stable@dpdk.org
>> Signed-off-by: Robin Jarry <rjarry@redhat.com>
>> ---
>>  usertools/dpdk-telemetry-exporter.py | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>> 
>> diff --git a/usertools/dpdk-telemetry-exporter.py b/usertools/dpdk-telemetry-exporter.py
>> index 6eca0db2e80a..6f66d4ecaab1 100755
>> --- a/usertools/dpdk-telemetry-exporter.py
>> +++ b/usertools/dpdk-telemetry-exporter.py
>> @@ -75,7 +75,7 @@ def cmd(self, uri, arg=None) -> dict | list:
>>      "/usr/local/share/dpdk/telemetry-endpoints",
>>      "/usr/share/dpdk/telemetry-endpoints",
>>  ]
>> -DEFAULT_OUTPUT = "openmetrics://:9876"
>> +DEFAULT_OUTPUT = "openmetrics://127.0.0.1:9876"
>>  
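
Review bot: the new `DEFAULT_OUTPUT = "openmetrics://127.0.0.1:9876"` line has no comment saying why a literal IPv4 address is used, although the commit message already gives the reason (the stdlib TCP server is IPv4-only unless address_family is overridden). A one-line comment above the constant would record that next to the value. The default also stops listening on all interfaces, so anyone scraping the exporter from another host now has to override it; that deserves a line in the tool's documentation or release notes.
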
>
> Minor nit, but would it be better to use "localhost" rather than the
> hardcoded IP here and below?

That's a good point. I had considered it but as I wrote in the commit
message:

>> Unrelated: The Python stdlib TCP server listens on IPv4 only by default.
>> Changing this requires creating a subclass that overrides address_family
>> to socket.AF_INET6.

On certain systems and depending on the libc implementation, localhost
may resolve to ::1 which causes an error on startup:

  socket.gaierror: [Errno -9] Address family for hostname not supported

I dug a bit and it happens that the Python standard TCPServer
implementation explicitly uses AF_INET when creating the socket. Hence
bind() fails with IPv6 addresses.
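
Added example (not part of the original message or of the DPDK code): the bind behaviour discussed above, reproduced with socketserver.TCPServer on ephemeral ports. The names Handler, TCPServer6, bound_address and exposure are hypothetical helpers made up for this illustration.

```python
import ipaddress
import socket
import socketserver


class Handler(socketserver.BaseRequestHandler):
    def handle(self):  # placeholder: this demo never serves a request
        pass


class TCPServer6(socketserver.TCPServer):
    # The subclass the commit message describes: TCPServer creates its
    # socket with address_family, which defaults to socket.AF_INET.
    address_family = socket.AF_INET6


def bound_address(host, server_cls=socketserver.TCPServer):
    """Bind to (host, ephemeral port). Return the IP the socket is bound
    to, or the OSError (socket.gaierror included) raised on the way."""
    try:
        with server_cls((host, 0), Handler) as srv:
            return srv.server_address[0]
    except OSError as exc:
        return exc


def exposure(host, server_cls=socketserver.TCPServer):
    """Classify a listen host the way the Coverity finding does."""
    addr = bound_address(host, server_cls)
    if isinstance(addr, OSError):
        return "bind failed: %s" % addr
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all interfaces (%s)" % addr
    return "loopback only" if ip.is_loopback else "single address (%s)" % addr


if __name__ == "__main__":
    # Constructed cases: old default, new default, and the "::1" problem.
    cases = [("", socketserver.TCPServer), ("127.0.0.1", socketserver.TCPServer),
             ("::1", socketserver.TCPServer), ("::1", TCPServer6)]
    for host, cls in cases:
        print("%-12r %-11s %s" % (host, cls.__name__, exposure(host, cls)))
```

The last case reports a bind failure instead of "loopback only" on hosts where IPv6 is disabled.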

