
Configure Kafka to expose JMX only on 127.0.0.1

I'm struggling to configure Kafka's JMX to be exposed only on localhost. By default, when I start Kafka, it exposes three ports, two of which are automatically bound to 0.0.0.0, meaning that they're accessible to everyone.

I managed to bind the broker itself to 127.0.0.1 (because I only need it locally), but the JMX ports are really giving me headaches.

I have the following env vars defined:

export JMX_PORT=${JMX_PORT:-9999}
export KAFKA_JMX_OPTS="-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT -Dcom.sun.management.jmxremote.port=$JMX_PORT -Dcom.sun.management.jmxremote=true -Djava.rmi.server.hostname=127.0.0.1 -Djava.net.preferIPv4Stack=true"

If I now look at the bound ports/ips, I see this:

$ netstat -tulpn | grep 9864
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      9864/java
tcp        0      0 0.0.0.0:44895           0.0.0.0:*               LISTEN      9864/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      9864/java

meaning that JMX listens on 0.0.0.0, and there's even another open port, 44895, whose purpose I don't know.

What I'd like to achieve is that Kafka ports are only opened on 127.0.0.1. Can anybody give a hint? Thanks in advance!

EDIT:

I was partially successful by adding -Dcom.sun.management.jmxremote.host=localhost, but there's still one open port exposed on 0.0.0.0:

$ netstat -tulpn | grep 12789
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN      12789/java
tcp        0      0 0.0.0.0:43513           0.0.0.0:*               LISTEN      12789/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      12789/java
Tobi asked Mar 27 '18 06:03


1 Answer

I just managed to make Kafka listen only on the defined broker port, disabling JMX altogether:

export KAFKA_JMX_OPTS="-Djava.rmi.server.hostname=localhost -Djava.net.preferIPv4Stack=true"

When starting a fresh Kafka 1.1.0 broker on Ubuntu, I initially saw two open ports:

$ netstat -tulpn | grep 19894
tcp6       0      0 :::40487                :::*                    LISTEN      19894/java
tcp6       0      0 127.0.0.1:9092          :::*                    LISTEN      19894/java

After setting the above environment variable in the kafka-server-start.sh file, the second port is no longer opened:

$ netstat -tulpn | grep :9092
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      20345/java
$ netstat -tulpn | grep 20345
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      20345/java
Tobi answered Sep 20 '22 20:09
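
Added example (not part of the original question or answer): a shell check that reads `netstat -tulpn` output and lists every TCP listener of a given PID that is not bound to loopback, run here on the netstat lines quoted above. The function and sample names are made up for this example.

```shell
#!/bin/sh
# Added example. Reads `netstat -tulpn` output on stdin and prints "host port"
# for every TCP LISTEN socket owned by PID that is not bound to loopback.
# Exit status: 0 = loopback only, 1 = at least one wider listener.
wildcard_listeners() {
    awk -v pid="$1" '
        $6 == "LISTEN" {
            split($7, owner, "/")            # "9864/java" -> owner[1] = "9864"
            if (owner[1] != pid) next
            port = $4; sub(/.*:/, "", port)  # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next
            print host, port
            exposed = 1
        }
        END { exit exposed + 0 }
    '
}

# Sample input: netstat lines quoted in the question (PID 9864).
sample_question() {
cat <<'EOF'
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      9864/java
tcp        0      0 0.0.0.0:44895           0.0.0.0:*               LISTEN      9864/java
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      9864/java
EOF
}

# Sample input: fresh broker from the answer, with a tcp6 wildcard (PID 19894).
sample_fresh() {
cat <<'EOF'
tcp6       0      0 :::40487                :::*                    LISTEN      19894/java
tcp6       0      0 127.0.0.1:9092          :::*                    LISTEN      19894/java
EOF
}

# Sample input: broker after the answer's change (PID 20345).
sample_answer() {
cat <<'EOF'
tcp        0      0 127.0.0.1:9092          0.0.0.0:*               LISTEN      20345/java
EOF
}

sample_question | wildcard_listeners 9864 || echo "PID 9864: listeners beyond loopback"
sample_answer | wildcard_listeners 20345 && echo "PID 20345: loopback only"
```

On a live host, pipe `netstat -tulpn` into `wildcard_listeners` with the broker's PID; the non-zero exit status makes it usable as a startup or monitoring check.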