Skip to content

Commit

Permalink
Merge branch 'main' into kubecon-china-blog
Browse files Browse the repository at this point in the history
  • Loading branch information
@tiffany76
tiffany76 authored Jul 3, 2024
2 parents 2cd832d + f6d3f3e commit fad371b
Show file tree
Hide file tree
Showing 253 changed files with 950 additions and 312 deletions.
2 changes: 1 addition & 1 deletion .gitmodules
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
[submodule "content-modules/opentelemetry-proto"]
path = content-modules/opentelemetry-proto
url = https://github.com/open-telemetry/opentelemetry-proto
otlp-pin = v1.3.1
otlp-pin = v1.3.2
[submodule "content-modules/semantic-conventions"]
path = content-modules/semantic-conventions
url = https://github.com/open-telemetry/semantic-conventions
Expand Down
2 changes: 1 addition & 1 deletion content-modules/opentelemetry-proto
Submodule opentelemetry-proto updated 5 files
+4 −1 .github/CODEOWNERS
+10 −2 CHANGELOG.md
+15 −82 RELEASING.md
+3 −1 opentelemetry/proto/profiles/v1experimental/pprofextended.proto
+1 −1 opentelemetry/proto/profiles/v1experimental/profiles.proto
149 changes: 149 additions & 0 deletions content/en/blog/2024/hardening-the-collector-one.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
---
title: 'Hardening the Collector Episode 1: A new default bind address'
linkTitle: A new default bind address for the Collector
date: 2024-07-02
author: '[Pablo Baeyens](https://github.com/mx-psi) (OpenTelemetry, Datadog)'
# prettier-ignore
cSpell:ignore: awsfirehose awsproxy awsxray Baeyens jaegerremotesampling loki OSTIF remotetap sapm signalfx skywalking splunk
issue: 4760
sig: Collector SIG
---

The OpenTelemetry Collector recently went through a security audit sponsored by
the [CNCF](https://www.cncf.io/), facilitated by [OSTIF](https://ostif.org/),
and performed by [7ASecurity](https://7asecurity.com/). As part of this process
we published a security advisory related to a
[DoS vulnerability](/blog/2024/cve-2024-36129/) that was
[fully addressed in v0.102.1](https://github.com/open-telemetry/opentelemetry-collector/releases/tag/v0.102.1).

The security audit also motivated us to think about ways to harden official
Collector builds and have a more secure default configuration. We are working on
adopting [several][releases-586] [best][core-10469] [practices][core-10470] that
were recommended in the audit to achieve this and we will be publishing a series
of blog posts to keep the community informed. While we expect the report to be
made public soon, we can already say that we are very satisfied with the
confirmation that the Collector has proven to be very secure, highlighting the
secure coding practices and processes we already have in place.

One of the changes we have been working on is changing the default bind address
for Collector servers, such as those exposed by receivers or extensions that
listen for incoming connections. Up to v0.103.0, the default behavior was to
listen on all network interfaces by using the
[unspecified address `0.0.0.0`](https://en.wikipedia.org/wiki/0.0.0.0) on server
addresses. While this is a convenient default for test cases and development
environments, it is
[not the recommended practice for production environments](https://cwe.mitre.org/data/definitions/1327.html),
since it can expose the Collector servers to unnecessary risks. Starting on
v0.104.0 the default bind address becomes `localhost` for all Collector servers.

It has been a long way to get here. We started discussing this in relation to
[CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) on [v0.63.0
(September 2022)][core-6151], when we added a warning and improved our
documentation. On [v0.94.0 (September 2023)][core-8510], we decided to add a
feature gate, `component.UseLocalHostAsDefaultHost` to allow users to opt-in to
the new behavior. Finally, this feature gate was enabled by default on [v0.104.0
(June 2024)][core-10352] motivated by the security audit and
[CVE-2024-36129](/blog/2024/cve-2024-36129/).

## What have we changed?

Starting on v0.104.0, the default bind address of all servers exposed by the
Collector are `localhost` instead of `0.0.0.0`. For example, the OTLP receiver
default endpoints for OTLP/gRPC and OTLP/HTTP are now `localhost:4317` and
`localhost:4318` respectively. The full list of components affected by this
change is:

- [`otlp` receiver](https://github.com/open-telemetry/opentelemetry-collector/tree/main/receiver/otlpreceiver#otlp-receiver)
- [`awsfirehose` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsfirehosereceiver#aws-kinesis-data-firehose-receiver)
- [`awsxray` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awsxrayreceiver#aws-x-ray-receiver)
- [`influxdb` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/influxdbreceiver#influxdb-receiver)
- [`jaeger` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/jaegerreceiver#jaeger-receiver)
- [`loki` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/lokireceiver#loki-receiver)
- [`opencensus` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/opencensusreceiver#opencensus-receiver)
- [`sapm` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/sapmreceiver#sapm-receiver)
- [`signalfx` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/signalfxreceiver#signalfx-receiver)
- [`skywalking` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/skywalkingreceiver#skywalking-receiver)
- [`splunk_hec` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/splunkhecreceiver#splunk-hec-receiver)
- [`zipkin` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/zipkinreceiver#zipkin-receiver)
- [`zookeeper` receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/zookeeperreceiver#zookeeper-receiver)
- [`awsproxy` extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/awsproxy#aws-proxy)
- [`health_check` extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/healthcheckextension#health-check)
- [`jaegerremotesampling` extension](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/jaegerremotesampling#jaegers-remote-sampling-extension)
- [`remotetap` processor](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/remotetapprocessor#remote-tap-processor)

When in doubt, check the specific components' documentation to see the new
default values.

Starting on the [OpenTelemetry Collector Helm Chart][helm-chart] v0.47.1 and on
v0.87.0 of the OpenTelemetry Collector official Docker images we updated the
default configuration for all components to explicitly set the endpoints to an
explicit value.

## What does it mean to me?

If you are relying on the default configuration you may need to start explicitly
setting the endpoint on your Collector components. For example, if you are using
the following configuration with the OTLP receiver:

```yaml
receivers:
otlp:
protocols:
grpc:
```
You may now need to explicitly set the `otlp::protocols::grpc::endpoint`
[configuration setting](https://github.com/open-telemetry/opentelemetry-collector/blob/v0.103.0/receiver/otlpreceiver/config.md):

```yaml
receivers:
otlp:
protocols:
grpc:
endpoint: ${env:HOST_IP}:4317
```

where the `HOST_IP` environment variable is set to the bind address you want to
use (for example, `status.podIP` on Kubernetes).

Because of the changes in the Collector Helm Chart and Collector Docker images
you are not affected if using the default configuration on either of these.

## How can I prepare for this change?

Since v0.63.0 the Collector logs a warning related to this when you have an
endpoint using the 0.0.0.0 address. Before upgrading, you can check for this
warning and address it. From v0.94.0 to v0.103.0 you can also preview the impact
of this change by [enabling][feature-gate] the
`component.UseLocalHostAsDefaultHost` feature gate.

Addressing this change should be straightforward, however, due to the number of
components that are impacted, starting on v0.104.0 you can temporarily opt out
of this change by disabling the `component.UseLocalHostAsDefaultHost` feature
gate so you can work on addressing this at your own pace. This feature gate will
be marked as stable in a future Collector release, so we recommend addressing
this as soon as possible.

## What's next?

As we work on adopting the best practices recommended by the security audit, we
will be publishing more blog posts to keep the community informed. This will
include hardening the Collector binaries on macOS and further the default
behavior of Collector servers. Stay tuned!

[helm-chart]:
https://github.com/open-telemetry/opentelemetry-helm-charts?tab=readme-ov-file#opentelemetry-collector
[feature-gate]:
https://github.com/open-telemetry/opentelemetry-collector/tree/v0.103.0/featuregate#controlling-gates
[releases-586]:
https://github.com/open-telemetry/opentelemetry-collector-releases/issues/586
[core-6151]:
https://github.com/open-telemetry/opentelemetry-collector/issues/6151
[core-8510]:
https://github.com/open-telemetry/opentelemetry-collector/issues/8510
[core-10469]:
https://github.com/open-telemetry/opentelemetry-collector/issues/10469
[core-10470]:
https://github.com/open-telemetry/opentelemetry-collector/issues/10470
[core-10352]:
https://github.com/open-telemetry/opentelemetry-collector/pull/10352
2 changes: 1 addition & 1 deletion content/en/docs/collector/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ title: Collector
description: Vendor-agnostic way to receive, process and export telemetry data.
aliases: [collector/about]
cascade:
vers: 0.103.1
vers: 0.104.0
weight: 270
---

Expand Down
4 changes: 2 additions & 2 deletions content/en/docs/contributing/blog.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,13 +79,13 @@ Follow these steps to create a post from the template:
1. Run the following command from the repository root:

```sh
npx hugo new content/en/blog/2023/short-name-for-post.md
npx hugo new content/en/blog/2024/short-name-for-post.md
```

If your post has images or other assets, run the following command:

```sh
npx hugo new content/en/blog/2023/short-name-for-post/index.md
npx hugo new content/en/blog/2024/short-name-for-post/index.md
```

1. Edit the Markdown file at the path you provided in the previous command. The
Expand Down
25 changes: 13 additions & 12 deletions content/en/docs/demo/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,24 +23,25 @@ Want to deploy the demo and see it in action? Start here.
Want to understand how a particular language's instrumentation works? Start
here.

| Language | Automatic Instrumentation | Instrumentation Libraries | Manual Instrumentation |
| ---------- | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| .NET | | [Cart Service](services/cart/) | [Cart Service](services/cart/) |
| C++ | | | [Currency Service](services/currency/) |
| Go | | [Accounting Service](services/accounting/), [Checkout Service](services/checkout/), [Product Catalog Service](services/product-catalog/) | [Checkout Service](services/checkout/), [Product Catalog Service](services/product-catalog/) |
| Java | [Ad Service](services/ad/) | | [Ad Service](services/ad/) |
| JavaScript | | [Frontend](services/frontend/) | [Frontend](services/frontend/), [Payment Service](services/payment/) |
| Kotlin | | [Fraud Detection Service](services/fraud-detection/) | |
| PHP | | [Quote Service](services/quote/) | [Quote Service](services/quote/) |
| Python | [Recommendation Service](services/recommendation/) | | [Recommendation Service](services/recommendation/) |
| Ruby | | [Email Service](services/email/) | [Email Service](services/email/) |
| Rust | | [Shipping Service](services/shipping/) | [Shipping Service](services/shipping/) |
| Language | Automatic Instrumentation | Instrumentation Libraries | Manual Instrumentation |
| ---------- | -------------------------------------------------- | -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
| .NET | [Accounting Service](services/accounting/) | [Cart Service](services/cart/) | [Cart Service](services/cart/) |
| C++ | | | [Currency Service](services/currency/) |
| Go | | [Checkout Service](services/checkout/), [Product Catalog Service](services/product-catalog/) | [Checkout Service](services/checkout/), [Product Catalog Service](services/product-catalog/) |
| Java | [Ad Service](services/ad/) | | [Ad Service](services/ad/) |
| JavaScript | | [Frontend](services/frontend/) | [Frontend](services/frontend/), [Payment Service](services/payment/) |
| Kotlin | | [Fraud Detection Service](services/fraud-detection/) | |
| PHP | | [Quote Service](services/quote/) | [Quote Service](services/quote/) |
| Python | [Recommendation Service](services/recommendation/) | | [Recommendation Service](services/recommendation/) |
| Ruby | | [Email Service](services/email/) | [Email Service](services/email/) |
| Rust | | [Shipping Service](services/shipping/) | [Shipping Service](services/shipping/) |

## Service Documentation

Specific information about how OpenTelemetry is deployed in each service can be
found here:

- [Accounting Service](services/accounting/)
- [Ad Service](services/ad/)
- [Cart Service](services/cart/)
- [Checkout Service](services/checkout/)
Expand Down
2 changes: 1 addition & 1 deletion content/en/docs/demo/architecture.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ generator which uses [Locust](https://locust.io/) to fake user traffic.
```mermaid
graph TD
subgraph Service Diagram
accountingservice(Accounting Service):::golang
accountingservice(Accounting Service):::dotnet
adservice(Ad Service):::java
cache[(Cache<br/>&#40redis&#41)]
cartservice(Cart Service):::dotnet
Expand Down
2 changes: 1 addition & 1 deletion content/en/docs/demo/services/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ To visualize request flows, see the [Service Diagram](../architecture/).

| Service | Language | Description |
| ----------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| [accountingservice](accounting/) | Go | Processes incoming orders and count the sum of all orders (mock/). |
| [accountingservice](accounting/) | .NET | Processes incoming orders and count the sum of all orders (mock/). |
| [adservice](ad/) | Java | Provides text ads based on given context words. |
| [cartservice](cart/) | .NET | Stores the items in the user's shopping cart in Redis and retrieves it. |
| [checkoutservice](checkout/) | Go | Retrieves user cart, prepares order and orchestrates the payment, shipping and the email notification. |
Expand Down
Loading

0 comments on commit fad371b

Please sign in to comment.