
Prometheus exporter listen_addr

Last active 15 days ago

9 replies

3 views

  • Hello!
    I discovered CrowdSec yesterday, and it works well!
    I have just a small question: I'm trying to make the exporter work, and so far my config is like this

    prometheus:
      enabled: true
      level: full
      listen_addr: 0.0.0.0
      listen_port: 6060
    

    Since my network is dual stack, if I add my exporter with this config to my Prometheus config

      - job_name: 'crowdsec_blog'
        static_configs:
        - targets: ['blog.X.net:6060']
          labels:
            machine: 'blog'
    

    I get the error Get "http://blog.X.net:6060/metrics": dial tcp [2a0f:X:40:X:cafe::X]:6060: connect: connection refused on the Prometheus side.
    But if I force v4 (['185.X.X.X:6060']), it works well.
    I tried adding [::] to the listen_addr in the CrowdSec config; the service restarts correctly, but the connection is refused with the same error as above.

    Is it possible to make the exporter work over v6?

    Also, I added 0.0.0.0 for testing purposes; now I want to allow only my range (185.X.X.X/24 and, if v6 works, my prefix). If I configure listen_addr: 185.0.0.0/24, the service also restarts without error, but my Prometheus reports Get "http://185.X.X.X:6060/metrics": dial tcp 185.X.X.X:6060: connect: connection refused

    Can you guide me?
    Thanks in advance!

  • II

    Hmm, interesting about the IPv6. So if you run with 0.0.0.0, it doesn't show up as a used port if you run ss -lntp? It seems we have only logged it as a warning https://github.com/crowdsecurity/crowdsec/blob/6fb962a94180abca0e9d82fc8fe533786f8e3695/cmd/crowdsec/metrics.go#L195 if the Prometheus service fails to start, so there would be no glaring error.

  • II
    Also, I added 0.0.0.0 for testing purposes; now I want to allow only my range (185.X.X.X/24 and, if v6 works, my prefix). If I configure listen_addr: 185.0.0.0/24, the service also restarts without error, but my Prometheus reports Get "http://185.X.X.X:6060/metrics": dial tcp 185.X.X.X:6060: connect: connection refused
    

    So you would need to firewall the port using iptables or nftables, as Go's ListenAndServe takes an IP address to serve on. It's not a configurable option to say "allow these IPs".

  • II

    However, I'm going to spin up a test environment, because looking deeper, ListenAndServe calls the underlying Go func with "tcp". Then within the same function it tests if the address is 0.0.0.0, and if so only binds to IPv4, not IPv6. So I'm going to test this; if this is the case, we should allow for an empty string, as that in Go terms is bind to all interfaces (IPv4 and IPv6).

  • II

    Okay, so first tests:

    listen_addr: 0.0.0.0 #-> binds only to ipv4
    listen_addr: [::] #-> crashes crowdsec, yaml invalid
    listen_addr: "[::]" #-> binds to *:6060
    # Bottom one seems to work on ipv4 and ipv6
    

    Tests with the bottom listen_addr:

    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 2e:ae:55:66:59:a6 brd ff:ff:ff:ff:ff:ff
        inet 167.99.82.146/20 brd 167.99.95.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet 10.16.0.7/16 brd 10.16.255.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 2a03:b0c0:1:d0::ec0:2001/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 fe80::2cae:55ff:fe66:59a6/64 scope link 
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 2a:fe:91:b2:5d:fd brd ff:ff:ff:ff:ff:ff
        inet 10.106.0.4/20 brd 10.106.15.255 scope global eth1
           valid_lft forever preferred_lft forever
        inet6 fe80::28fe:91ff:feb2:5dfd/64 scope link 
           valid_lft forever preferred_lft forever
    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# curl http://167.99.82.146:6060/metrics > /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 17697    0 17697    0     0   822k      0 --:--:-- --:--:-- --:--:--  822k
    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# curl -g "http://[2a03:b0c0:1:d0::ec0:2001]:6060/metrics" > /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 17696    0 17696    0     0   557k      0 --:--:-- --:--:-- --:--:--  576k
    root@ubuntu-s-1vcpu-1gb-intel-lon1-01:~# 
    
  • II

    Apologies for sending lots of messages. Let me know if you need any more information, but the TL;DR is: set listen_addr: "[::]" to bind both IPv4 and IPv6. If you need to limit who can connect to the port, use iptables or nftables to drop traffic if the IP is not whitelisted.
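
An added example in Go (the language the exporter is written in; this is not CrowdSec's code and not from the thread) that turns the two findings above into something reusable. normalizeListenAddr applies the rules found by trial and error: an IPv6 literal must end up bracketed, an empty host means every interface, and a CIDR such as 185.0.0.0/24 is refused with an explanation instead of being handed to ListenAndServe and surfacing only as a warning. allowlist is a source-IP filter for the /metrics handler; it complements, but does not replace, the iptables/nftables rule recommended above, because it only sees connections the kernel has already accepted. The prefixes 203.0.113.0/24 and 2001:db8:cafe::/48 are constructed placeholders for the scraper's ranges, and the /metrics body is a stand-in for real exporter output.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/netip"
	"strconv"
	"strings"
)

// normalizeListenAddr turns a listen_addr/listen_port pair into the
// "host:port" string http.ListenAndServe expects. A listen address selects
// a local interface; it never restricts remote peers, so a CIDR is an error.
func normalizeListenAddr(host string, port int) (string, error) {
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("listen_port %d out of range", port)
	}
	h := strings.TrimSpace(host)
	if strings.Contains(h, "/") {
		return "", errors.New("listen_addr must be an IP address, not a CIDR range; restrict scrapers with a firewall or an allowlist")
	}
	// Accept "[::]" (what worked in the thread) as well as a bare "::".
	h = strings.TrimSuffix(strings.TrimPrefix(h, "["), "]")
	if h != "" {
		if _, err := netip.ParseAddr(h); err != nil {
			return "", fmt.Errorf("listen_addr %q is not an IP address: %w", host, err)
		}
	}
	// JoinHostPort adds the brackets an IPv6 literal needs: "::" -> "[::]:6060";
	// an empty host yields ":6060", i.e. all interfaces, both address families.
	return net.JoinHostPort(h, strconv.Itoa(port)), nil
}

// allowlist rejects requests whose source address lies outside prefixes.
func allowlist(prefixes []netip.Prefix, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ap, err := netip.ParseAddrPort(r.RemoteAddr)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		// An IPv4 peer arriving on a dual-stack socket may appear as
		// ::ffff:a.b.c.d; Unmap makes it match an IPv4 prefix.
		src := ap.Addr().Unmap()
		for _, p := range prefixes {
			if p.Contains(src) {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

func main() {
	addr, err := normalizeListenAddr("[::]", 6060)
	if err != nil {
		log.Fatal(err)
	}
	scrapers := []netip.Prefix{
		netip.MustParsePrefix("203.0.113.0/24"),     // constructed: the Prometheus host's IPv4 range
		netip.MustParsePrefix("2001:db8:cafe::/48"), // constructed: its IPv6 prefix
	}
	mux := http.NewServeMux()
	mux.Handle("/metrics", allowlist(scrapers, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "# constructed placeholder for the exporter's metrics")
	})))
	log.Printf("listening on %s; scrapes allowed from %v", addr, scrapers)
	// Fail loudly if the bind fails so a bad listen_addr cannot silently
	// disable metrics the way a warning-only log line would.
	log.Fatal(http.ListenAndServe(addr, mux))
}
```

With `go run .` the listener shows up in `ss -lntp` as `*:6060`, and the curl calls from the test output above work over both address families from an allowed prefix, while anything else gets 403. Keep the host firewall rule as well: the allowlist runs after the TCP handshake, so it does not stop a port scanner from seeing the port open.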

  • Thank you for all the explanation! I'll try listen_addr: "[::]"!

  • And thank you for taking the time to test 🙂

  • II

    Great! Let me know if you need anything, happy to help.
