elastic · grcevski · Nov 16, 2022 · Nov 4, 2022 · Nov 4, 2022 · Nov 7, 2022
@@ -77,7 +77,8 @@
 #
 # --------------------------------- Readiness ----------------------------------
 #
-# Enable an unauthenticated TCP readiness endpoint on localhost
+# Enable an unauthenticated TCP readiness endpoint. The readiness service binds to all
+# host addresses.
 #
 #readiness.port: 9399
 #

diff --git a/docs/changelog/91329.yaml b/docs/changelog/91329.yaml
@@ -0,0 +1,6 @@
+pr: 91329
+summary: Allow configuring readiness host
+area: Infra/Core
+type: enhancement
+issues:
+ - 90997
diff --git a/docs/reference/setup/advanced-configuration.asciidoc b/docs/reference/setup/advanced-configuration.asciidoc
@@ -166,10 +166,8 @@ If configured, a node can open a TCP port when the node is in a ready state. A n
 ready when it has successfully joined a cluster. In a single node configuration, the node is
 said to be ready, when it's able to accept requests.
 
-To enable the readiness TCP port, use the `readiness.port` setting. The port is
-always bound to the loopback address, which defaults to the IPv4 loopback address `127.0.0.1`.
-To bind the readiness port to the IPv6 loopback address `::1`,
-add `-Djava.net.preferIPv6Addresses=true` to the <<set-jvm-options,JVM options>>.
+To enable the readiness TCP port, use the `readiness.port` setting. The readiness service will bind to
+all host addresses.
 
 If the node leaves the cluster, or the <<put-shutdown,Shutdown API>> is used to mark the node
 for shutdown, the readiness port is immediately closed.

diff --git a/server/src/main/java/org/elasticsearch/readiness/ReadinessService.java b/server/src/main/java/org/elasticsearch/readiness/ReadinessService.java
@@ -14,8 +14,10 @@
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.service.ClusterService;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.network.NetworkAddress;
+import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.transport.BoundTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
@@ -31,11 +33,14 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Collection;
+import java.util.List;
 import java.util.Set;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
 
+import static org.elasticsearch.http.HttpTransportSettings.SETTING_HTTP_BIND_HOST;
+
 public class ReadinessService extends AbstractLifecycleComponent implements ClusterStateListener {
     private static final Logger logger = LogManager.getLogger(ReadinessService.class);
 
@@ -102,18 +107,32 @@ InetSocketAddress socketAddress(InetAddress host, int portNumber) {
 
     // package private for testing
     ServerSocketChannel setupSocket() {
-        InetAddress localhost = InetAddress.getLoopbackAddress();
-        int portNumber = PORT.get(environment.settings());
+        var settings = environment.settings();
+        int portNumber = PORT.get(settings);
         assert portNumber >= 0;
 
+        List<String> httpBindHost = SETTING_HTTP_BIND_HOST.get(settings);
+        var bindHosts = (httpBindHost.isEmpty() ? NetworkService.GLOBAL_NETWORK_BIND_HOST_SETTING.get(settings) : httpBindHost).toArray(
+            Strings.EMPTY_ARRAY
+        );
+
+        var socketAddress = AccessController.doPrivileged((PrivilegedAction<InetSocketAddress>) () -> {
+            try {
+                var bindHost = (bindHosts.length == 0) ? InetAddress.getLoopbackAddress() : InetAddress.getByName(bindHosts[0]);
+                return socketAddress(bindHost, portNumber);
+            } catch (IOException e) {
+                throw new IllegalArgumentException("Failed to resolve readiness host address", e);
+            }
+        });
+
         try {
             serverChannel = ServerSocketChannel.open();
 
             AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                 try {
-                    serverChannel.bind(socketAddress(localhost, portNumber));
+                    serverChannel.bind(socketAddress);
                 } catch (IOException e) {
-                    throw new BindTransportException("Failed to bind to " + NetworkAddress.format(localhost, portNumber), e);
+                    throw new BindTransportException("Failed to bind to " + NetworkAddress.format(socketAddress), e);
                 }
                 return null;
             });
@@ -129,7 +148,7 @@ ServerSocketChannel setupSocket() {
                 }
             }
         } catch (Exception e) {
-            throw new BindTransportException("Failed to open socket channel " + NetworkAddress.format(localhost, portNumber), e);
+            throw new BindTransportException("Failed to open socket channel " + NetworkAddress.format(socketAddress), e);
         }
 
         return serverChannel;

diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy
@@ -23,9 +23,7 @@ grant codeBase "${codebase.elasticsearch}" {
   // needed for loading plugins which may expect the context class loader to be set
   permission java.lang.RuntimePermission "setContextClassLoader";
   // needed for the readiness service
-  permission java.net.SocketPermission "127.0.0.1", "listen, accept";
-  // required if started with -Djava.net.preferIPv6Addresses=true
-  permission java.net.SocketPermission "0:0:0:0:0:0:0:1", "listen, accept";
+  permission java.net.SocketPermission "*", "listen, accept";
 
   // for module layer
   permission java.lang.RuntimePermission "createClassLoader";