Beam.smp restrict to interface


#1

Hello to everyone.

I’ve upgraded chef-server to the latest version, and was happily surprised to see that the java process listens only on the localhost interface and not on all, as it was before.

Anyway, I revised which processes listen on all interfaces, and here is the full list:

tcp 0 0 0.0.0.0:60525 0.0.0.0:* LISTEN 15269/beam.smp
tcp 0 0 0.0.0:4369 0.0.0.0:* LISTEN 13481/epmd
tcp 0 0 0.0.0.0:44217 0.0.0.0:* LISTEN 3710/beam.smp
udp 0 0 0.0.0.0:48427 0.0.0.0:* 15728/beam.smp

With epmd I solved the problem easily:
echo "-env ERL_EPMD_ADDRESS 127.0.0.1" >> /opt/chef-server/embedded/service/bookshelf/etc/vm.args

And after the restart I got this:
tcp 0 127.0.0.1:4369 0.0.0.0:* LISTEN 22674/epmd

But I can’t find how to do the same with the beam.smp instances, which are:
root 8760 0.0 0.0 3936 376 ? Ss 22:04 0:00 _ runsv rabbitmq
root 8769 0.0 0.0 4080 516 ? S 22:04 0:00 | _ svlogd -tt /var/log/chef-server/rabbitmq
494 3871 0.0 0.0 11336 1316 ? Ss 23:00 0:00 | _ /bin/sh /opt/chef-server/embedded/bin/rabbitmq-server
494 3885 18.0 0.1 2538012 43800 ? Sl 23:00 0:00 | _ /opt/chef-server/embedded/lib/erlang/erts-5.9.2/bin/beam.smp -- -root /opt/chef-server/embedded/lib/erlang -progname erl -- -home /var/opt/chef-server/rabbitmq -- -pa /opt/chef-server/embedded/service/rabbitmq/sbin/…/ebin -noshell -noinput -hidden -s rabbit_prelaunch -sname rabbitmqprelaunch14332 -extra /etc/rabbitmq/enabled_plugins /opt/chef-server/embedded/service/rabbitmq/sbin/…/plugins /var/lib/rabbitmq/mnesia/rabbit@-plugins-expand rabbit@

root 8759 0.0 0.0 3936 380 ? Ss 22:04 0:00 _ runsv erchef
root 8766 0.0 0.0 4080 544 ? S 22:04 0:00 | _ svlogd -tt /var/log/chef-server/erchef
494 3039 54.6 0.0 2850856 26024 ? Ssl 23:00 0:01 | _ /opt/chef-server/embedded/service/erchef/erts-5.9.2/bin/beam.smp -K true -A 5 -- -root /opt/chef-server/embedded/service/erchef -progname erchef -- -home /var/opt/chef-server/erchef -- -noshell -boot /opt/chef-server/embedded/service/erchef/releases/1.2.6/erchef -embedded -config /opt/chef-server/embedded/service/erchef/etc/app.config -name erchef@127.0.0.1 -setcookie erchef -smp enable -- runit
494 3778 0.5 0.0 10796 516 ? Ss 23:00 0:00 | _ inet_gethost 4
494 3786 0.0 0.0 10796 436 ? S 23:00 0:00 | _ inet_gethost 4

root 8756 0.0 0.0 3936 376 ? Ss 22:04 0:00 _ runsv bookshelf
root 8763 0.0 0.0 4080 516 ? S 22:04 0:00 | _ svlogd -tt /var/log/chef-server/bookshelf
494 22227 0.1 0.1 2544536 64980 ? Ssl 22:49 0:00 | _ /opt/chef-server/embedded/service/bookshelf/erts-5.9.2/bin/beam.smp -- -root /opt/chef-server/embedded/service/bookshelf -progname bookshelf -- -home /var/opt/chef-server/bookshelf -- -noshell -boot /opt/chef-server/embedded/service/bookshelf/releases/0.2.1/bookshelf -embedded -config /opt/chef-server/embedded/service/bookshelf/etc/app.config -name bookshelf@127.0.0.1 -setcookie bookshelf -- runit

I even tried to find out with the strings command, looking at the beam.smp binaries, to see if there is an interface restriction option.
Do you guys have some extra documentation, maybe, on how to do it?
Because it’s now really my goal to restrict those services to localhost only:
tcp 0 0 0.0.0.0:60525 0.0.0.0:* LISTEN 15269/beam.smp
tcp 0 0 0.0.0.0:44217 0.0.0.0:* LISTEN 3710/beam.smp
udp 0 0 0.0.0.0:48427 0.0.0.0:* 15728/beam.smp

Best regards.
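
An added example, not part of the original post: a shell function that automates the check done by eye above, reading `netstat -lnp` output and reporting sockets bound to all interfaces, so it can be re-run after each configuration change. The function names, the name-filter parameter and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# wildcard_listeners: read `netstat -lnp`-style rows on stdin and print
# "proto port program" for each socket bound to every interface.
# $1 (optional, hypothetical parameter): extended regex of program names.
wildcard_listeners() {
    awk -v want="${1:-.}" '
        $1 !~ /^(tcp|udp)6?$/ { next }   # headers, unix sockets
        {
            # TCP rows have a State column and UDP rows do not, so the
            # PID/Program field is taken as the last field in both cases.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            # Split at the last colon so IPv6 ":::4321" gives "::" + "4321".
            at = match($4, /:[0-9]+$/)
            if (at == 0) next
            addr = substr($4, 1, at - 1)
            port = substr($4, at + 1)
            if (addr != "0.0.0.0" && addr != "::") next   # skip loopback etc.
            prog = $NF
            sub(/^[0-9]+\//, "", prog)   # "15269/beam.smp" -> "beam.smp"
            if (prog !~ want) next
            print $1, port, prog
        }'
}

# Constructed sample in the layout shown in the post.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:60525 0.0.0.0:* LISTEN 15269/beam.smp
tcp 0 0 127.0.0.1:4369 0.0.0.0:* LISTEN 22674/epmd
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 3039/beam.smp
tcp6 0 0 :::4321 :::* LISTEN 4100/beam.smp
udp 0 0 0.0.0.0:48427 0.0.0.0:* 15728/beam.smp
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 900/sshd
EOF
}

# On a live host: netstat -lnp | wildcard_listeners '^(beam[.]smp|epmd)$'
sample_netstat | wildcard_listeners '^(beam[.]smp|epmd)$'
```

Program names that contain spaces are reported by their last word only, and rows read without root show `-` in place of the PID/program field.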