-
Notifications
You must be signed in to change notification settings - Fork 120
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow to enable/disable exposing swarm and socat ports #1990
base: master
Are you sure you want to change the base?
Conversation
@@ -144,6 +144,11 @@ | |||
# configure this as we manage it with the CLI. | |||
#CODENVY_SWARM_NODES=172.17.0.1:2375 | |||
|
|||
# Expose swarm port | |||
# Expose swarm port tobe available on host as 23751 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo after to before be
# So if you are using remote nodes for running workspaces (production mode) this expose | ||
# could be disabled. | ||
# Enabled by default, to disable please uncomment and set CODENVY_EXPOSE_SWARM_PORT=false | ||
#CODENVY_EXPOSE_SWARM_PORT=true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like an invalid name for the property SWARM/SOCAT
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure I understand this comment, can you please elaborate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name is CODENVY_EXPOSE_SWARM_PORT=true
while it should be SOCAT (no SWARM here)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ahhh, silly copy paste!
##### SOCAT ##### | ||
##### ##### | ||
# Expose socat port | ||
# Expose socat port tobe available on host as 23750. It is needed only in all-in-one |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same typo at tobe
@@ -20,6 +20,7 @@ | |||
# swarm nodes management | |||
# coma separated list of <IP>:<PORT> | |||
$swarm_nodes = getValue("CODENVY_SWARM_NODES","172.17.0.1:2375") | |||
$expose_swarm_port = getValue("CODENVY_EXPOSE_SWARM_PORT","true") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be false by default to increase security level
@@ -333,6 +334,10 @@ | |||
$rsync_ssh_log_level=getValue("RSYNC_SSH_LOG_LEVEL","INFO") | |||
|
|||
############################### | |||
# socat | |||
# | |||
$expose_socat_port = getValue("CODENVY_EXPOSE_SOCAT_PORT","true") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be false by default to increase security level
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if this will be false all-in-one mode will not work. but it could be disabled if after user configured remote nodes
@roman - configuring these properties probably needs to be added to the configuration docs, or probably more importantly the run book, as this is a security measure to take once you roll it out for adoption. FYI - we are not using the terms "basic", "production" or "all-in-one" in our docs in how we describe the system to end users. The system is always a production system, and the architecture for a single node vs. multiple nodes is also the same. the only things that are different are some configuration properties - so we are avoiding language of talking about the system in some sort of mode, as it's really only got one mode with many configuration properties. |
What does this PR do?
allow to enable/disable exposing swarm and socat ports
What issues does this PR fix or reference?
#1954
Changelog
[cli] allow to enable/disable exposing swarm and socat ports
Release Notes
As a security measure, you can now disable Codenvy from automatically exposing SOCAT and Swarm ports to external clients. If you are running Codenvy as a single node (for testing or individual usage) these ports needs to be exposed for clients. However, if you are using Codenvy in production with a distributed set of workspace nodes, you can optionally disable this port exposure. By limiting port exposure, you can further reduce the access remote users have to the underlying Docker daemon that Codenvy is using.