Using the 0.0.0.0 address exposes this server to every network interface

[louise-zhang]

Got below warn messages complaining about security issue:

Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks {"kind": "receiver", "name": "otlp", "pipeline": "logs", "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks"}

2023-02-21T04:34:23.519Z	info	service/pipelines.go:114	Receiver is starting...	{"kind": "receiver", "name": "otlp", "pipeline": "logs"}
2023-02-21T04:34:23.519Z	warn	internal/warning.go:51	Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks	{"kind": "receiver", "name": "otlp", "pipeline": "logs", "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks"}
2023-02-21T04:34:23.519Z	info	[email protected]/otlp.go:94	Starting GRPC server	{"kind": "receiver", "name": "otlp", "pipeline": "logs", "endpoint": "0.0.0.0:4317"}
2023-02-21T04:34:23.519Z	warn	internal/warning.go:51	Using the 0.0.0.0 address exposes this server to every network interface, which may facilitate Denial of Service attacks	{"kind": "receiver", "name": "otlp", "pipeline": "logs", "documentation": "https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks"}
2023-02-21T04:34:23.519Z	info	[email protected]/otlp.go:112	Starting HTTP server	{"kind": "receiver", "name": "otlp", "pipeline": "logs", "endpoint": "0.0.0.0:4318"}
2023-02-21T04:34:23.519Z	info	service/pipelines.go:118	Receiver started.	{"kind": "receiver", "name": "otlp", "pipeline": "logs"}

[atoulme]

This warning comes from the collector itself. By default, the collector doesn't expose OTLP to external network interfaces.
However, we run the collector as a container and for the service to become available to ports exposed on the container, we must configure the service to run on 0.0.0.0.

There is more information in the URL linked in the message: https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks

[kumachop2]

@atoulme Should we ignore warning messages ? Based on link https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/security-best-practices.md#safeguards-against-denial-of-service-attacks, its advisable to use localhost. Please let me know if any action needed here.
Appreciated your response.

[atoulme]

If you use localhost, then it's not possible for other services to send messages to the collector, as Docker creates a networking environment where ports bound to 127.0.0.1 are not available outside the container.

[atoulme]

I have opened an issue to ask for this warning to be removed, see open-telemetry/opentelemetry-collector#7488

[kumachop2]

@atoulme Bunch of thanks for prompt response and action.

[RichardJECooke]

So is there a way to turn off this warning? By changing the feature gate thing they mention? I don't know what command to use as I'm new to Otel