allow to enable/disable exposing swarm and socat ports #1990
Conversation
| @@ -144,6 +144,11 @@ | |||
| # configure this as we manage it with the CLI. | |||
| #CODENVY_SWARM_NODES=172.17.0.1:2375 | |||
|
|
|||
| # Expose swarm port | |||
| # Expose swarm port tobe available on host as 23751 | |||
| # So if you are using remote nodes for running workspaces (production mode) this expose | ||
| # could be disabled. | ||
| # Enabled by default, to disable please uncomment and set CODENVY_EXPOSE_SWARM_PORT=false | ||
| #CODENVY_EXPOSE_SWARM_PORT=true |
There was a problem hiding this comment.
looks like an invalid name for the property SWARM/SOCAT
There was a problem hiding this comment.
not sure I understand this comment, can you please elaborate?
There was a problem hiding this comment.
name is CODENVY_EXPOSE_SWARM_PORT=true
while it should be SOCAT (no SWARM here)
| ##### SOCAT ##### | ||
| ##### ##### | ||
| # Expose socat port | ||
| # Expose socat port tobe available on host as 23750. It is needed only in all-in-one |
| @@ -20,6 +20,7 @@ | |||
| # swarm nodes management | |||
| # coma separated list of <IP>:<PORT> | |||
| $swarm_nodes = getValue("CODENVY_SWARM_NODES","172.17.0.1:2375") | |||
| $expose_swarm_port = getValue("CODENVY_EXPOSE_SWARM_PORT","true") | |||
There was a problem hiding this comment.
It should be false by default to increase security level
| @@ -333,6 +334,10 @@ | |||
| $rsync_ssh_log_level=getValue("RSYNC_SSH_LOG_LEVEL","INFO") | |||
|
|
|||
| ############################### | |||
| # socat | |||
| # | |||
| $expose_socat_port = getValue("CODENVY_EXPOSE_SOCAT_PORT","true") | |||
There was a problem hiding this comment.
It should be false by default to increase security level
There was a problem hiding this comment.
if this will be false all-in-one mode will not work. but it could be disabled if after user configured remote nodes
|
@roman - configuring these properties probably needs to be added to the configuration docs, or probably more importantly the run book, as this is a security measure to take once you roll it out for adoption. FYI - we are not using the terms "basic", "production" or "all-in-one" in our docs in how we describe the system to end users. The system is always a production system, and the architecture for a single node vs. multiple nodes is also the same. the only things that are different are some configuration properties - so we are avoiding language of talking about the system in some sort of mode, as it's really only got one mode with many configuration properties. |
What does this PR do?
allow to enable/disable exposing swarm and socat ports
What issues does this PR fix or reference?
#1954
Changelog
[cli] allow to enable/disable exposing swarm and socat ports
Release Notes
As a security measure, you can now disable Codenvy from automatically exposing SOCAT and Swarm ports to external clients. If you are running Codenvy as a single node (for testing or individual usage) these ports needs to be exposed for clients. However, if you are using Codenvy in production with a distributed set of workspace nodes, you can optionally disable this port exposure. By limiting port exposure, you can further reduce the access remote users have to the underlying Docker daemon that Codenvy is using.