Disabling the Drill Console

The TDV Server embeds Apache Drill to assist with the runtime for the MPP Engine. The Apache Drill console uses an older version of jQuery which has known security vulnerabilities. The Apache Drill console is not required for normal operation of TDV or its MPP capability. This console can safely be disabled by blocking access to it via OS configuration (for on-premise installations), Docker Container/Pod configuration, or Kubernetes Helm Chart.

TDV Server (on-premises):

On the operating system hosting the TDV Server (Windows/Linux/AIX), change the firewall so that port (TDV_BASE_PORT - 100) + 3 is not exposed.

Example: TDV Server installation on Linux using default TDV_BASE_PORT=9400.

Change firewalld or iptables to not allow inbound requests to port 9303.

TDV Server (Docker):

Modify TDV container/pod to not expose port (TDV_BASE_PORT - 100) + 3.

Example: Change the TDV Docker run_tdv_container.sh script so that only ports 9300-9302 and 9304-9306 are reachable from outside the container, using the content below.

Assumption: default TDV_BASE_PORT=9400. All previously exposed ports remain open except (TDV_BASE_PORT - 100) + 3.

Old content:

local H_DRILL_PORT_1=$(($H_DRILL_BASE_PORT + 1)); local C_DRILL_PORT_1=$(($C_DRILL_BASE_PORT + 1))
local H_DRILL_PORT_2=$(($H_DRILL_BASE_PORT + 2)); local C_DRILL_PORT_2=$(($C_DRILL_BASE_PORT + 2))

CONTAINER_PORTS="-p ${H_BASE_PORT}-${H_PORT_3}:${C_BASE_PORT}-${C_PORT_3} -p $H_PORT_5:$C_PORT_5 -p $H_PORT_9:$C_PORT_9 -p ${H_DRILL_BASE_PORT}-${H_DRILL_PORT_6}:${C_DRILL_BASE_PORT}-${C_DRILL_PORT_6}"

New content:

local H_DRILL_PORT_1=$(($H_DRILL_BASE_PORT + 1)); local C_DRILL_PORT_1=$(($C_DRILL_BASE_PORT + 1))
local H_DRILL_PORT_2=$(($H_DRILL_BASE_PORT + 2)); local C_DRILL_PORT_2=$(($C_DRILL_BASE_PORT + 2))

Add this new line:

local H_DRILL_PORT_4=$(($H_DRILL_BASE_PORT + 4)); local C_DRILL_PORT_4=$(($C_DRILL_BASE_PORT + 4))

Replace the CONTAINER_PORTS assignment so that the Drill range is published as two ranges, 9300-9302 and 9304-9306, with the console port (9303) left out:

CONTAINER_PORTS="-p ${H_BASE_PORT}-${H_PORT_3}:${C_BASE_PORT}-${C_PORT_3} -p $H_PORT_5:$C_PORT_5 -p $H_PORT_9:$C_PORT_9 -p ${H_DRILL_BASE_PORT}-${H_DRILL_PORT_2}:${C_DRILL_BASE_PORT}-${C_DRILL_PORT_2} -p ${H_DRILL_PORT_4}-${H_DRILL_PORT_6}:${C_DRILL_PORT_4}-${C_DRILL_PORT_6}"

Note: If you are not running the run_tdv_container.sh script that is provided with TDV, then you must manually exclude port 9303 when starting the container with the docker run command (publish each remaining port explicitly rather than the whole range). For example:

docker run -itd -v <volume>:<location> type=volume,source=tdv-vol,target=/opt/TIBCO --cpus=2.000 --env [TDV_ADMIN_PASSWORD=<PASSWORD>] [TDV_ADMIN_PASSWORD_FILE=<FILE with tdv admin password>] -m=8g -p 9300:9300 -p 9301:9301 -p 9302:9302 -p 9304:9304 -p 9305:9305 -p 9306:9306 -p 9400:9400 -p 9401:9401 -p 9402:9402 -p 9403:9403 --hostname=localhost --name tdv myrepo/tdv:8.4 Dockerfile.tdv.repo
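The port arithmetic above, worked through as an added shell example (not part of the TDV documentation): it derives the Drill console port from TDV_BASE_PORT using the (TDV_BASE_PORT - 100) + 3 formula, builds the two-range docker -p mapping that leaves that port unpublished, and audits a constructed sample of `docker port` output to confirm the console port is not exposed. The function names and the assumption that the Drill range spans base..base+6 (9300-9306 for the default base port) are mine.

```shell
#!/bin/sh
# Added example, not TDV project code. Port formula taken from the page:
# Drill console port = (TDV_BASE_PORT - 100) + 3.

drill_console_port() {
    echo $(( $1 - 100 + 3 ))
}

# Build the docker -p flags for the Drill range base..base+6 (assumed range),
# split into two ranges so the console port is never published.
# Mirrors the run_tdv_container.sh change: 9300-9302 and 9304-9306 for base 9400.
drill_port_mappings() {
    base=$(( $1 - 100 ))
    skip=$(drill_console_port "$1")
    echo "-p ${base}-$((skip - 1)):${base}-$((skip - 1)) -p $((skip + 1))-$((base + 6)):$((skip + 1))-$((base + 6))"
}

# Audit helper: $2 is the text of `docker port <container>` (one mapping per
# line, e.g. "9303/tcp -> 0.0.0.0:9303"). Returns 0 (true) if the console port
# is published on the host side, 1 otherwise.
console_port_published() {
    port=$(drill_console_port "$1")
    printf '%s\n' "$2" | grep -q -- "-> .*:${port}\$"
}

# Constructed sample of `docker port tdv` output for a container started with
# the unchanged script, where the console port is still published.
SAMPLE_DOCKER_PORT='9300/tcp -> 0.0.0.0:9300
9303/tcp -> 0.0.0.0:9303
9400/tcp -> 0.0.0.0:9400'

echo "Drill console port: $(drill_console_port 9400)"
echo "docker port flags:  $(drill_port_mappings 9400)"
if console_port_published 9400 "$SAMPLE_DOCKER_PORT"; then
    echo "WARNING: Drill console port is published on the host"
fi
```

Run `docker port <container>` on a real host and pass its output to console_port_published to check a deployed container the same way.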

TDV Server Kubernetes:

Modify the TDV Helm chart so that it does not expose port (TDV_BASE_PORT - 100) + 3.

Example: The TDV Helm chart templates should be changed so that only ports 9300-9302 and 9304-9306 are reachable from outside the pod, as described below.

Assumption: default TDV_BASE_PORT=9400. All previously exposed ports remain open except (TDV_BASE_PORT - 100) + 3.

tdv.yaml

Remove the following content from the file tdv/templates/tdv.yaml:

- name: "p9303"
  containerPort: 9303

tdv-svc.yaml

Remove the following content from the file tdv/templates/tdv-svc.yaml (the port 9303 entry appears in each Service definition; remove every occurrence):

- port: 9303
  name: "p9303"

- port: 9303
  nodePort: 31303
  name: "p9303"

- port: 9303
  name: "p9303"