Redis always started in insecure mode #2863
Hi Tony @tonyespy: when running in security-enabled mode, the Redis DB password has been stored in Vault (see: https://github.com/edgexfoundry/edgex-go/blob/master/internal/security/secretstore/init.go#L335) as part of |
Now Redis starts with a conf file with credentials and thus the insecure gap is removed
- Refactor security-bootstrap-redis to be absorbed into security-bootstrapper as one of its commands
- Remove security-bootstrap-redis binary build
- Redis DB server starts with config file with credentials
- Update snaps
Closes: edgexfoundry#2863
Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
* feat(security): Fix redis start issue #2863
Now Redis starts with a conf file with credentials and thus the insecure gap is removed
- Refactor security-bootstrap-redis to be absorbed into security-bootstrapper as one of its commands
- Remove security-bootstrap-redis binary build
- Redis DB server starts with config file with credentials
- Update snaps
Closes: #2863
Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>

Change the redis.conf file permission to 0600
Make chown for redis' conf to redis:redis 999:1000 as part of redis' uid and gid creation
Add doc's URL and detailed explanation for the redis' conf EdgeX is currently using
Remove the change of ownership from the Golang code and only do the change of ownership inside the Docker entrypoint script, because snap doesn't work with chown to a non-existing userId.
Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>

* feat(snap): add patch contents
patch -p1 < ./0001-fix-snap-update-the-snap-optimization-patch.patch.txt
patching file snap/local/patches/0001-optimize-build-for-pipeline-CI-check.patch
Signed-off-by: Jim Wang <yutsung.jim.wang@intel.com>
The Redis startup sequence has been updated for Hanoi to be compliant with our Secret Creation and Distribution ADR. Instead of the Redis credentials being read from Vault via security-secretstore-read and written to disk, a new service, security-bootstrap-redis, has been introduced which reads the newly generated credentials and calls into Redis (running in insecure mode) to set the credentials. The credentials are not persisted, however, which means the next time the EdgeX system is started the same sequence happens all over again; so basically every time EdgeX starts, there's a small window where Redis is running in insecure mode.
Version: v1.2.2-dev.104
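The difference between the two startup sequences discussed in this issue is whether `requirepass` exists before the server accepts its first client: setting it with `CONFIG SET` after `redis-server` is up leaves the window described above, while putting it in the config file the server is started with closes it, at the cost that the file now holds the secret and must not be readable by other users. The following is an added example, not edgex-go's or the fix's own code: a Go bootstrap step that writes such a redis.conf with mode 0600 (temp file plus rename, so no partially written or more permissive file is ever visible), and a pre-exec check an entrypoint can run that refuses the file if it is not a regular 0600 file or lacks `requirepass`. The `bind`/`protected-mode` lines and the file path are this example's assumptions, and chown to redis:redis is left to the entrypoint as the fix did. Quoting follows redis.conf's double-quoted string rules (`\"`, `\\`, `\xHH`), so a generated password containing quotes, backslashes or control bytes survives the round trip.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// quoteRedisString renders s as a double-quoted redis.conf token. Inside double
// quotes redis.conf accepts \" and \\ plus \xHH for arbitrary bytes, so a random
// secret-store password can be written without breaking the config parser.
func quoteRedisString(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '"' || c == '\\':
			b.WriteByte('\\')
			b.WriteByte(c)
		case c < 0x20 || c > 0x7e:
			fmt.Fprintf(&b, `\x%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	b.WriteByte('"')
	return b.String()
}

// unquoteRedisString reverses quoteRedisString; used by checkRedisConf below.
func unquoteRedisString(tok string) (string, error) {
	if len(tok) < 2 || tok[0] != '"' || tok[len(tok)-1] != '"' {
		return "", fmt.Errorf("expected a double-quoted token, got %q", tok)
	}
	body := tok[1 : len(tok)-1]
	var b strings.Builder
	for i := 0; i < len(body); i++ {
		if body[i] != '\\' {
			b.WriteByte(body[i])
			continue
		}
		i++
		if i >= len(body) {
			return "", errors.New("dangling backslash")
		}
		if body[i] != 'x' { // \" or \\
			b.WriteByte(body[i])
			continue
		}
		if i+2 >= len(body) {
			return "", errors.New("truncated \\x escape")
		}
		v, err := strconv.ParseUint(body[i+1:i+3], 16, 8)
		if err != nil {
			return "", err
		}
		b.WriteByte(byte(v))
		i += 2
	}
	return b.String(), nil
}

// renderRedisConf builds the startup config. bind/protected-mode are assumptions
// of this example; the point is that requirepass is set before the first client.
func renderRedisConf(password string) string {
	return strings.Join([]string{
		"# generated at bootstrap; start redis-server with this file",
		"bind 127.0.0.1",
		"protected-mode yes",
		"requirepass " + quoteRedisString(password),
		"",
	}, "\n")
}

// writeRedisConf writes the config atomically with mode 0600 (os.CreateTemp
// creates with 0600). Ownership is left to the container entrypoint.
func writeRedisConf(path, password string) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".redis.conf.*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once renamed into place
	_, err = tmp.WriteString(renderRedisConf(password))
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// checkRedisConf is the pre-exec check: a regular file (Lstat, so a symlink is
// rejected), mode exactly 0600, and a requirepass directive. It returns the
// configured password so the caller can compare it with the secret-store value.
func checkRedisConf(path string) (string, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return "", err
	}
	if !fi.Mode().IsRegular() {
		return "", fmt.Errorf("%s: not a regular file", path)
	}
	if perm := fi.Mode().Perm(); perm != 0o600 {
		return "", fmt.Errorf("%s: mode %04o, want 0600", path, perm)
	}
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "requirepass ") {
			return unquoteRedisString(strings.TrimSpace(strings.TrimPrefix(line, "requirepass ")))
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return "", errors.New("requirepass missing: redis-server would start unauthenticated")
}
```

An entrypoint would call `writeRedisConf` with the password fetched from the secret store, run `checkRedisConf`, compare the returned value with what it fetched, and only then exec `redis-server` on that path; any error aborts startup rather than falling back to an unauthenticated server.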