docs: Add --addr cmd argument in documentations #7360

Closed
ali-jalaal opened this issue Feb 12, 2025 · 4 comments · Fixed by #7398

@ali-jalaal

Short description

In OPA v1.0+, the server is exposed only on the localhost network interface, while in OPA v0.x the server was exposed on all network interfaces (#6286). This change would cause OPA instances in a Docker environment to be exposed only on localhost:8181 and not be accessible from the host machine (unless the --addr=0.0.0.0:8181 argument is passed).

Steps To Reproduce

According to the Running with Docker documentation, by executing the following command:

docker run -p 8181:8181 openpolicyagent/opa run --server --log-level debug

the OPA server would not return a response on the host machine when running:

curl -i localhost:8181/

Example response:

curl: (52) Empty reply from server

(Tested with OPA v1.1.0 on Mac and Windows)

Expected behavior

It would be nice to update these 2 docs:

  1. Adding a short note about exposed network interfaces and --addr:0.0.0.0:8181 in the example command in the Running with Docker document
  2. Adding a section in the Upgrading to v1.0 document to explain this change, its reason, and how to expose the OPA server to all network interfaces

Additional context

Related issue: #7264

@anderseknert
Member

Sounds good to me 👍 Some info from here could be lifted to the v1 upgrade guide, or linked https://www.openpolicyagent.org/docs/latest/security/#interface-binding

And the docs on Docker updated.

@anderseknert
Member

anderseknert commented Feb 12, 2025

This is also covered in the v0 compatibility guide. I agree that it certainly won't hurt to include a note on that in the v1 documentation though, as this may impact even users not interested in v0 compatibility.

@anderseknert
Member

I haven't looked into the details, and very much just thinking out loud here. But if the default setting results in containerized OPA not being reachable, I wonder if we instead could try and detect when we run in a container and adjust the defaults in that case? 🤔

@ali-jalaal
Author

ali-jalaal commented Feb 13, 2025

> I wonder if we instead could try and detect when we run in a container and adjust the defaults in that case?

That would be nice! Currently OPA's behavior differs when running as a local process vs inside a container. Binding the containerized OPA to the localhost interface (of the host machine) would also make it compatible with the documents.

@github-project-automation github-project-automation bot moved this from Backlog to Done in Open Policy Agent Feb 27, 2025
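
As an added example (not part of the issue thread or of the OPA project's code), the sketch below classifies a `docker run` command line for the binding behaviour discussed in this issue, including the case where `--addr=0.0.0.0:8181` is combined with a port published on every host interface. It assumes default bridge networking, an image name beginning with `openpolicyagent/opa`, and IPv4-style `-p` values; `audit` and `flag_values` are hypothetical names.

```python
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
OPA_V1_DEFAULT_ADDR = "localhost:8181"  # v1.0+ default, as described in the issue

def flag_values(args, names):
    """Return values of flags written as '--flag value' or '--flag=value'."""
    found = []
    for i, arg in enumerate(args):
        if arg in names and i + 1 < len(args):
            found.append(args[i + 1])
        elif "=" in arg and arg.split("=", 1)[0] in names:
            found.append(arg.split("=", 1)[1])
    return found

def audit(command):
    """Classify one 'docker run ... openpolicyagent/opa ...' command line."""
    tokens = shlex.split(command)
    # Assumption: the image token starts with 'openpolicyagent/opa'; Docker
    # options come before it and OPA's own arguments come after it.
    image = next(i for i, t in enumerate(tokens)
                 if t.startswith("openpolicyagent/opa"))
    docker_args, opa_args = tokens[:image], tokens[image + 1:]

    addrs = flag_values(opa_args, {"--addr", "-a"}) or [OPA_V1_DEFAULT_ADDR]
    listen_hosts = {a.rsplit(":", 1)[0] for a in addrs}
    publishes = flag_values(docker_args, {"-p", "--publish"})
    if not publishes:
        return "not-published"
    if listen_hosts <= LOOPBACK:
        # A published port reaches the container over its bridge interface,
        # not its loopback, so a loopback-only listener never sees the
        # connection (the "Empty reply from server" reported in the issue).
        return "unreachable"
    # '-p HOSTPORT:CONTAINERPORT' binds on every host interface; the
    # 'IP:HOSTPORT:CONTAINERPORT' form restricts the host side to one address.
    host_ips = {p.split(":")[0] if p.count(":") == 2 else "" for p in publishes}
    if host_ips <= LOOPBACK:
        return "local-only"
    return "exposed-on-host-network"

if __name__ == "__main__":
    # Constructed sample command lines; the first is the one from the issue.
    for cmd in (
        "docker run -p 8181:8181 openpolicyagent/opa run --server --log-level debug",
        "docker run -p 8181:8181 openpolicyagent/opa run --server --addr=0.0.0.0:8181",
        "docker run -p 127.0.0.1:8181:8181 openpolicyagent/opa run --server --addr=0.0.0.0:8181",
    ):
        print(audit(cmd), "<-", cmd)
```

The `local-only` result corresponds to listening on all interfaces inside the container while publishing the port only on the host's loopback address, which keeps the API reachable from the host without opening it to the host's network.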