Configure Kafka to expose JMX only on 127.0.0.1
I'm struggling to configure Kafka's JMX to be exposed only on localhost. By default, when I start Kafka, it exposes three ports, two of which are automatically bound to 0.0.0.0, meaning that they're accessible to everyone.

I managed to bind the broker itself to 127.0.0.1 (because I only need it locally), but the JMX ports are really giving me headaches.

I have the following env vars defined:

export JMX_PORT=${JMX_PORT:-9999}
export KAFKA_JMX_OPTS="-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT -Dcom.sun.management.jmxremote.port=$JMX_PORT -Dcom.sun.management.jmxremote=true -Djava.rmi.server.hostname=127.0.0.1 -Djava.net.preferIPv4Stack=true"

If I now look at the bound ports/ips, I see this:

$ netstat -tulpn | grep 9864
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      9864/java
tcp        0      0 0.0.0.0:44895           0.0.0.0:*               LISTEN      9864/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      9864/java

meaning that JMX listens on 0.0.0.0, and there's even another open port, 44895, whose purpose I don't know.

What I'd like to achieve is that Kafka ports are only opened on 127.0.0.1. Can anybody give a hint? Thanks in advance!

EDIT:

I was partially successful by adding -Dcom.sun.management.jmxremote.host=localhost, but there's still one open port exposed on 0.0.0.0:

$ netstat -tulpn | grep 12789
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      12789/java
tcp        0      0 0.0.0.0:43513           0.0.0.0:*               LISTEN      12789/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      12789/java
Faithfaithful answered 27/3, 2018 at 6:59 Comment(1)
F
4

I just managed to make Kafka listen only on the defined broker port, disabling JMX altogether:

export KAFKA_JMX_OPTS="-Djava.rmi.server.hostname=localhost -Djava.net.preferIPv4Stack=true"

When starting a fresh Kafka 1.1.0 broker on Ubuntu, I initially saw two open ports:

$ netstat -tulpn | grep 19894
tcp6       0      0 :::40487                :::*                    LISTEN      19894/java
tcp6       0      0 127.0.0.1:9092          :::*                    LISTEN      19894/java

After setting the above environment variable in the kafka-server-start.sh file, the second port is no longer opened:

$ netstat -tulpn | grep :9092
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      20345/java
$ netstat -tulpn | grep 20345
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      20345/java
Faithfaithful answered 31/3, 2018 at 16:49 Comment(0)
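
Added example (not part of the original posts): a small shell check that automates the netstat comparison done by hand above, listing every listener owned by a given PID that is not bound to a loopback address. The function names are hypothetical, and the sample lines are copied from the netstat output quoted on this page.

```shell
#!/bin/sh
# non_loopback_listeners PID
# Reads `netstat -tulpn` output on stdin and prints "proto local-address"
# for each socket owned by PID whose local address is not loopback.
non_loopback_listeners() {
    awk -v pid="$1" '
    {
        # The owner column looks like "9864/java". For UDP rows the State
        # column is empty, so search from field 6 instead of fixing on 7.
        owner = ""
        for (i = 6; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { owner = $i; sub(/\/.*/, "", owner); break }
        if (owner != pid) next

        addr = $4                      # e.g. 0.0.0.0:9999, :::40487, ::1:9999
        host = addr
        sub(/:[0-9*]+$/, "", host)     # strip the trailing :port

        # 127.0.0.0/8, ::1 and the IPv4-mapped loopback count as local-only.
        if (host ~ /^127\./ || host == "::1" || host == "::ffff:127.0.0.1") next
        print $1, addr
    }'
}

# Sample rows taken from the netstat output shown in the question and answer.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      9864/java
tcp        0      0 0.0.0.0:44895           0.0.0.0:*               LISTEN      9864/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      9864/java
tcp6       0      0 :::40487                :::*                    LISTEN      19894/java
tcp6       0      0 127.0.0.1:9092          :::*                    LISTEN      19894/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      20345/java
EOF
}

# Live use (replace <broker-pid> with the Kafka JVM's PID):
#   netstat -tulpn 2>/dev/null | non_loopback_listeners <broker-pid>
# Empty output means every listener of that process is loopback-only.
sample_netstat | non_loopback_listeners 9864
```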
P
0

Just

export KAFKA_JMX_OPTS="-Djava.rmi.server.hostname=localhost"

is enough.

Prepuce answered 2/8, 2020 at 17:32 Comment(0)
