Use a default Redis password

Although it does not provide any additional security, it shows how to
configure Redis with a password and how to use Netbox using a
password-protected redis server. Something that might be considered in a classic
production deployment. (But is mostly irrelevant in e.g. a Kubernetes /
OpenShift deployment as the isolation is usually on a network level.)
Christian Mäder 2018-08-13 15:19:29 -07:00
parent 013f81b791
commit 645ec1281c
No known key found for this signature in database
GPG Key ID: 92FFD0A711F196BB
4 changed files with 19 additions and 7 deletions

@ -71,12 +71,12 @@ For example defining `ALLOWED_HOSTS=localhost ::1 127.0.0.1` would allows access
The default settings are optimized for (local) development environments. The default settings are optimized for (local) development environments.
You should therefore adjust the configuration for production setups, at least the following variables: You should therefore adjust the configuration for production setups, at least the following variables:
* `ALLOWED_HOSTS`: Add all URLs that lead to your NetBox instance. * `ALLOWED_HOSTS`: Add all URLs that lead to your NetBox instance, space separated. E.g. `ALLOWED_HOSTS=netbox.mycorp.com server042.mycorp.com 2a02:123::42 10.0.0.42 localhost ::1 127.0.0.1` (It's good advice to always allow localhost connections for easy debugging, i.e. `localhost ::1 127.0.0.1`.)
* `DB_*`: Use a persistent database. * `DB_*`: Use your own persistent database. Don't use the default passwords!
* `EMAIL_*`: Use your own mailserver. * `EMAIL_*`: Use your own mailserver.
* `MAX_PAGE_SIZE`: Use the recommended default of 1000. * `MAX_PAGE_SIZE`: Use the recommended default of 1000.
* `SUPERUSER_*`: Only define those variables during the initial setup, and drop them once the DB is set up. * `SUPERUSER_*`: Only define those variables during the initial setup, and drop them once the DB is set up. Don't use the default passwords!
* `REDIS_*`: Use a persistent redis. * `REDIS_*`: Use your own persistent redis. Don't use the default passwords!
### Running on Docker Swarm / Kubernetes / OpenShift ### Running on Docker Swarm / Kubernetes / OpenShift
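Review bot: the new `REDIS_*` bullet says "Don't use the default passwords!" but does not say where the Redis password is set. This commit defines `REDIS_PASSWORD` twice, once in `redis.env` for the server and once in the NetBox env file for the client, so the bullet should name both places and state that the two values must match; otherwise a reader who changes only one ends up with a worker that cannot authenticate.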
@ -284,6 +284,7 @@ REDIS_HOST=redis
Then make sure that the `redis` container and at least one `netbox-worker` are running. Then make sure that the `redis` container and at least one `netbox-worker` are running.
``` ```
# check the container status
$ docker-compose ps $ docker-compose ps
Name Command State Ports Name Command State Ports
@ -293,11 +294,16 @@ netbox-docker_netbox_1 /opt/netbox/docker-entrypo ... Up
netbox-docker_nginx_1 nginx -c /etc/netbox-nginx ... Up 80/tcp, 0.0.0.0:32776->8080/tcp netbox-docker_nginx_1 nginx -c /etc/netbox-nginx ... Up 80/tcp, 0.0.0.0:32776->8080/tcp
netbox-docker_postgres_1 docker-entrypoint.sh postgres Up 5432/tcp netbox-docker_postgres_1 docker-entrypoint.sh postgres Up 5432/tcp
netbox-docker_redis_1 docker-entrypoint.sh redis ... Up 6379/tcp netbox-docker_redis_1 docker-entrypoint.sh redis ... Up 6379/tcp
# connect to redis and send PING command:
$ docker-compose run --rm -T redis sh -c 'redis-cli -h redis -a $REDIS_PASSWORD ping'
Warning: Using a password with '-a' option on the command line interface may not be safe.
PONG
``` ```
If `redis` and the `netbox-worker` are not available, make sure you have updated your `docker-compose.yml` file! If `redis` and the `netbox-worker` are not available, make sure you have updated your `docker-compose.yml` file!
Everything's up and running? Then check the log of the `netbox-worker` and/or `redis`: Everything's up and running? Then check the log of `netbox-worker` and/or `redis`:
```bash ```bash
docker-compose logs -f netbox-worker docker-compose logs -f netbox-worker
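Review bot: the added `redis-cli -h redis -a $REDIS_PASSWORD ping` example passes the password as a command-line argument, and the sample output reproduces the resulting `Warning: Using a password with '-a' option ...` line without comment. Add a sentence explaining that the warning is expected here and that the password is visible in the process arguments inside the container, and quote the variable as `"$REDIS_PASSWORD"` so a password containing spaces or shell metacharacters does not break the command. The `monitor` example further down has the same pattern.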
@ -307,7 +313,7 @@ docker-compose logs -f redis
Still no clue? You can connect to the `redis` container and have it report any command that is currently executed on the server: Still no clue? You can connect to the `redis` container and have it report any command that is currently executed on the server:
```bash ```bash
docker-compose run --rm -T redis redis-cli -h redis monitor docker-compose run --rm -T redis sh -c 'redis-cli -h redis -a $REDIS_PASSWORD monitor'
# Hit CTRL-C a few times to leave # Hit CTRL-C a few times to leave
``` ```

@ -45,7 +45,11 @@ services:
- netbox-postgres-data:/var/lib/postgresql/data - netbox-postgres-data:/var/lib/postgresql/data
redis: redis:
image: redis:4-alpine image: redis:4-alpine
command: redis-server --appendonly yes command:
- sh
- -c # this is to evaluate the $REDIS_PASSWORD from the env
- redis-server --appendonly yes --requirepass $$REDIS_PASSWORD ## $$ because of docker-compose
env_file: redis.env
volumes: volumes:
- netbox-redis-data:/data - netbox-redis-data:/data
volumes: volumes:
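Review bot: in the new `command:` list, `--requirepass $$REDIS_PASSWORD` is expanded by `sh` unquoted, so a password containing whitespace is split into several arguments, and an unset or empty variable leaves `--requirepass` without a value. Quote it as `"$$REDIS_PASSWORD"` and consider failing early when it is empty. Two smaller points: starting the server as `exec redis-server ...` guarantees it replaces the shell and receives the stop signal directly, which matters with `--appendonly yes`; and the password ends up in the `redis-server` process arguments, which is worth a comment next to the existing `$$` one.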

@ -14,6 +14,7 @@ NAPALM_PASSWORD=
NAPALM_TIMEOUT=10 NAPALM_TIMEOUT=10
MAX_PAGE_SIZE=0 MAX_PAGE_SIZE=0
REDIS_HOST=redis REDIS_HOST=redis
REDIS_PASSWORD=H733Kdjndks81
SECRET_KEY=r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj SECRET_KEY=r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj
SUPERUSER_NAME=admin SUPERUSER_NAME=admin
SUPERUSER_EMAIL=admin@example.com SUPERUSER_EMAIL=admin@example.com
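Review bot: the added `REDIS_PASSWORD=H733Kdjndks81` is a committed default that looks like a generated secret, so it is easy to leave in place by mistake. Use an obvious placeholder value, or add a `#` comment line above it stating that this is a public sample and must be changed together with the copy in `redis.env`.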

redis.env Normal file

@ -0,0 +1 @@
REDIS_PASSWORD=H733Kdjndks81