Topic
  • 17 replies
  • Latest Post - ‏2014-01-21T21:29:08Z by Alasdair
bmparees
9 Posts

Pinned topic liberty localhost port binding

‏2013-12-20T15:59:13Z |

By default my liberty 8.5.5 server is binding to a random port on 127.0.0.1:

$ bin/server start
Starting server defaultServer.
Server defaultServer started with process ID 12683.

$ netstat -anp | grep 12683
tcp6       0      0 127.0.0.1:9080          :::*                    LISTEN      12683/java          
tcp6       0      0 127.0.0.1:55967         :::*                    LISTEN      12683/java          
 

I know the binding to 9080 can be configured, but what is listening on port 55967 and can I either disable it, or change the host it is binding to?
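
A way to check, from `netstat -anp` output like the above, whether every listener owned by a process is bound to loopback. This is an added example, not part of the original post: the function names are made up here, and the `:::9443` and `sshd` lines in the sample are constructed to show a non-loopback bind.

```shell
#!/bin/sh
# Classify each LISTEN socket owned by a PID as loopback-only or exposed.
# Input: `netstat -anp`-style text on stdin; $1 is the PID.
# Output: one line per listener: "<scope> <address> <port>".
classify_listeners() {
    awk -v pid="$1" '
        $6 == "LISTEN" && $7 ~ ("^" pid "/") {
            n = split($4, parts, ":")      # port is the last ":" field
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = "EXPOSED"
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback all stay on the host
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
                scope = "loopback"
            print scope, addr, port
        }'
}

# Constructed sample: the two lines from the post plus a made-up wildcard
# listener (":::9443") and an unrelated process, to show an exposed bind.
SAMPLE='tcp6       0      0 127.0.0.1:9080          :::*                    LISTEN      12683/java
tcp6       0      0 127.0.0.1:55967         :::*                    LISTEN      12683/java
tcp6       0      0 :::9443                 :::*                    LISTEN      12683/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd'

# Returns 0 only when every listener of the PID is loopback-bound.
loopback_only() {
    ! classify_listeners "$1" | grep -q '^EXPOSED'
}

printf '%s\n' "$SAMPLE" | classify_listeners 12683
```
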

 

  • AlexMulholland
    32 Posts

    Re: liberty localhost port binding

    ‏2014-01-03T20:06:54Z  

    Hello Ben,

    The Liberty server acquires an ephemeral port to be used by the command listener.  This is used for example by the 'server' command script to stop the server, generate dumps etc.  

    There is an APAR in the works that will allow users to override the port number or to disable the port completely, but be aware that the latter will mean that some commands will no longer work.

    http://www-01.ibm.com/support/docview.wss?uid=swg1PM89272

    If this is a critical problem and you have a support contract you can request an iFix through the normal service process.

    Regards, Alex.

     

     

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-16T15:29:09Z  

    No support contract, unfortunately.  In looking at that APAR, it indicates you'll be able to specify the port, but it doesn't say anything about disabling.  Maybe that was just left out of the description and setting the port to "-1" will disable it entirely?

    Alternatively/in addition, it would be nice to be able to specify which interface(s) it binds to, though I assume localhost was chosen for security reasons.

     

     

     

  • Alasdair
    55 Posts

    Re: liberty localhost port binding

    ‏2014-01-17T00:05:05Z  
    • bmparees
    • ‏2014-01-16T15:29:09Z

    It only listens on localhost for security reasons. I wouldn't want to allow that to be overridden.

    You are correct that setting it to -1 disables the command listener.

    Alasdair

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-17T16:23:24Z  
    • Alasdair
    • ‏2014-01-17T00:05:05Z

    For my particular use case, allowing it to be configured as anything in 127.*.*.* would be sufficient, so it could still restrict to localhost, just not solely 127.0.0.1.

     

     

  • erin.schnabel
    16 Posts

    Re: liberty localhost port binding

    ‏2014-01-17T18:50:15Z  
    • bmparees
    • ‏2014-01-17T16:23:24Z

    Can you please elaborate on this use case? We do not hard-code 127.0.0.1, but we do mandate a loopback address be used when we bind the socket.

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-17T20:29:07Z  

    I'm considering developing a Liberty cartridge (runtime option) for the OpenShift PaaS; however, the OpenShift PaaS runs applications inside a secure Linux container which does not allow binding to 127.0.0.1, since that would not properly isolate applications running in different containers on the same host.  Each container is assigned its own loopback IP which applications/runtimes inside that container can bind to.

    Again, just disabling the port is sufficient, but it might be nice for users to still be able to use the command interface (locally).

    (Full disclosure: I now work on the Red Hat OpenShift team.)

     

     

  • erin.schnabel
    16 Posts

    Re: liberty localhost port binding

    ‏2014-01-20T15:16:16Z  
    • bmparees
    • ‏2014-01-17T20:29:07Z

    Have you tried changing the localhost entry in /etc/hosts on these systems to match the assigned loopback? I'm curious if that would solve your problem, while allowing the command port to be available (which is useful should you ever need to dump the server).

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T00:54:20Z  

    Unfortunately that's not an option for an OpenShift environment.  These are secured container environments within a single Linux OS.  They have separate process namespaces, but the network and filesystem environment is global.  The difference is that SELinux rules enforce what ports/IPs/files processes running within a given container can access.

    So a process within a container would not be able to modify the global /etc/hosts file.  In addition, there can be (will be) multiple containers running, each with its own loopback IP, so just updating the /etc/hosts localhost value to point to one of them wouldn't really solve the problem.

     

  • Alasdair
    55 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T10:14:58Z  
    • bmparees
    • ‏2014-01-21T00:54:20Z

    Hi,

    I'm really not familiar with this environment, but in general how are processes running in this environment expected to discover the loopback IP they should be using? Is it literally that they are expected to be configured, or is there some magic way to discover it?

    Thanks
    Alasdair

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T14:39:45Z  
    • Alasdair
    • ‏2014-01-21T10:14:58Z

    They can pick up the assigned IP via an environment variable.  If Liberty supported configuring this, I'd expect to write some scripting to update the Liberty config w/ the right IP based on the environment variable before starting Liberty.

     

  • Alasdair
    55 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T18:17:13Z  
    • bmparees
    • ‏2014-01-21T14:39:45Z

    Do you mean that if I were to do something like System.getenv(SOME_CONSTANT_ENV_NAME); I would get the right IP?

    Thanks
    Alasdair

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T18:48:56Z  
    • Alasdair
    • ‏2014-01-21T18:17:13Z

    Precisely, though again my intent would be to generate the config XML already containing the correct value, via a script that used the environment variable, so Liberty would not need to be aware of any environment variable.
    (Unless the Liberty config allows reference to environment variables?  That would simplify things, of course.)

     

  • Alasdair
    55 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T20:06:43Z  
    • bmparees
    • ‏2014-01-21T18:48:56Z

    Assuming you are using a release after 8.5.5.0 you can do this:

    ${env.HOST}

    which will resolve to the HOST environment variable.

    Will the environment variable name vary depending on which container is being used? Or is it a fixed environment variable?

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T20:19:41Z  
    • Alasdair
    • ‏2014-01-21T20:06:43Z

    The environment variable name will be fixed, so that could definitely work.

     

     

  • Alasdair
    55 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T20:26:48Z  
    • bmparees
    • ‏2014-01-21T20:19:41Z

    And the million dollar question would be what is the environment variable called?

  • bmparees
    9 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T20:31:36Z  
    • Alasdair
    • ‏2014-01-21T20:26:48Z

    The million dollar answer: TBD.

    A likely candidate would be:  OPENSHIFT_LIBERTY_IP  (This would be the IP Liberty would be expected to bind to for all ports.  HTTP requests are proxied into the IP from the host's external IP, so Liberty does not need to (nor would be allowed to) bind to it.)

    But I'm not sure why you would need that information?  I assume you're not going to hardcode anything into Liberty...

     

  • Alasdair
    55 Posts

    Re: liberty localhost port binding

    ‏2014-01-21T21:29:08Z  
    • bmparees
    • ‏2014-01-21T20:31:36Z

    No, I'm certainly not planning to hardcode that into Liberty. I was trying to understand whether this was a standardish Linux environment property, like $HOST, or not. If it was then I might have had Liberty pick it up, but not with that property.

    Congratulations on your new job. Good luck.