System security¶
Swarm secrets is the main mechanism used for security at system level.
They are used for :
OnSphere communication bus (Each module has one certificate generated the fist time it (said module) is declared. The certificate is stored inside the SWARM secret store, and the public key is available inside the git configuration certs/ directory)
Mandatory accounts
It is important to know which secrets are used for mandatory accounts as well as which modules are using them and for what so that you can better decide if you want/need to rotate them :
Secret |
Used by |
Used for |
Rotating link |
|---|---|---|---|
osp-stack-1_admin-user |
osp-keycloak |
Super admin account (keycloak admin page) name |
|
osp-stack-1_admin-pwd |
osp-keycloak, osp-dispatcher and osp-mysql |
Super admin password, Account to clone the configuration can be used if Keycloak is corrupted and Mysql root password |
|
osp-stack-1_database_password |
osp-keycloak and osp-mysql |
Password for Mysql access and Mysql user password |
Rotating swarm secrets¶
Standard method¶
Rotating one of the mandatory account secrets usually requires extra steps but otherwise, here’s the standard method:
Create a duplicate of the secret
Assign the duplicate to all the service with usage of the given secret and restart them
Remove the first secret (read the error message, if the system refuses the removal it’s probably because the secret is still used)
Create a new secret with your strong password
Assign the new secret to the previous service
Remove the duplicated secret.
Mandatory account secrets¶
Rotate admin user¶
This process is currently not permitted by the system, if this feature is needed by your company feel free to contact us at info@swissdotnet.ch.
Rotate admin password¶
1 : Update on Keycloak¶
Log-in the
Keycloakadministration page (by default auth/admin)Go to user and reset the password
Log-in with admin password
On managing account
On signing in
Set a new password and apply
2 : Modify the osp-mysql root account¶
Log-in the mysql docker (from portainer or command line)
Log on mysql
mysql -u root -p
Use the old root password
Execute the update password
SET PASSWORD FOR 'root'@'localhost' = 'password'
3 : Apply the standard method for rotating the swarm secret named admin-pwd¶
Rotate database password¶
1 : Modify the keycloak mysql account¶
Log-in the mysql docker (from portainer or command line)
Log on mysql
mysql -u root -p
Use the root password
Execute the update password
SET PASSWORD FOR 'keycloak' = 'password'
2 : Apply the standard method for rotating the swarm secret named database_password¶
Warning
The secret
database_passwordmust be changed for the mysql service and keycloak service.
Lock your swarm¶
Swarm has critical configuration information inside the Raft log which is encrypted on the disk by default with a TLS key (the same one used for node communication).
This key is not protected on the host but, Swarm gives you the possibility to lock this key with a password which is regularly rotated by the system.
The main drawback is that a node will not be able to reconnect to the swarm after a restart without a manual unlocking of this key.
See the docker swarm documentation for more detailed information.
Encrypt in-between node traffic¶
The traffic between the node is not encrypted by default, it’s possible to add encryption to this traffic on all the swarm overlay network. This is done by passing the driver_opts encrypted : “” at the creation.
networks:
my-app-backend:
driver: overlay
driver_opts:
encrypted: ""
To migrate an existing stack, the recommended way is :
Update the stack.cfg and create a duplicated version of all the overlay network with the encrypted option
For each module replace the network by the encrypted version
Delete the not encrypted network
[Opt] Re-duplicated with the original name (then point)
See the docker network documentation for more detailed information.
Configure same user as OnSphere to access Portainer¶
Keylcoak can be used to provide the Portainer user. The following steps are necessary:
Add or create a client to Keycloak. If the address of the stack is a hostname, Portainer must be able to resolve it.
{
"clientId": "portainer-auth",
"name": "Portainer",
"rootUrl": "http://<portainer hostname>:<portainer port>",
"adminUrl": "http://<portainer hostname>:<portainer port>",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "7eefc9f8-9ccf-49dc-a8f9-30a5ee53960c",
"redirectUris": ["http://<portainer hostname>:<portainer port>/*"],
"webOrigins": ["http://<portainer hostname>:<portainer port>"],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.force.post.binding": "false",
"saml.multivalued.roles": "false",
"saml.encrypt": "false",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"use.refresh.tokens": "true",
"exclude.session.state.from.auth.response": "false",
"oidc.ciba.grant.enabled": "false",
"saml.artifact.binding": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": ["web-origins", "profile", "roles", "email"],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
Create the configuration inside Portainer. Self-signed certificate are not supported.
Manage the right with Portainer for each user.