To run a secure system, it's important that you change the default passwords. This page gives a way to randomize passwords.
The configuration repository supplies well-known default passwords for services, typically defined in the defaults/main.yml file of each role. Because the repository is public, so are these defaults. By convention, all such passwords have a name that clearly indicates they are passwords, typically ROLE_PURPOSE_PASSWORD.
You should ensure that these values are overridden if you are deploying a non-development environment. There are real-world examples of folks losing their data because they had neither changed the default passwords nor ensured that access to the services was blocked at the network level.
Please do both, and if you have questions about how to do so, ask on Slack.
Randomly Generated Passwords for New Deployments
One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible. Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.
As of February 2, 2017, we recommend that you override at least the values listed in https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
That file's contents look like so (the two entries written as "{{ OTHER_VAR }}" are Jinja references that alias an already-defined value and must stay quoted to be valid YAML):

```yaml
---
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
CREDENTIALS_MYSQL_PASSWORD: !!null
DISCOVERY_EMAIL_HOST_PASSWORD: !!null
DISCOVERY_MYSQL_PASSWORD: !!null
ECOMMERCE_BROKER_PASSWORD: !!null
ECOMMERCE_DATABASE_PASSWORD: !!null
ECOMMERCE_WORKER_BROKER_PASSWORD: !!null
EDXAPP_CELERY_PASSWORD: !!null
EDXAPP_COMMENTS_SERVICE_KEY: !!null
EDXAPP_EMAIL_HOST_PASSWORD: !!null
EDXAPP_MONGO_PASSWORD: !!null
EDXAPP_MYSQL_CSMH_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD_ADMIN: !!null
EDXAPP_MYSQL_PASSWORD_READ_ONLY: !!null
EDXAPP_MYSQL_REPLICA_PASSWORD: !!null
FLOWER_BROKER_PASSWORD: !!null
FORUM_API_KEY: !!null
FORUM_MONGO_PASSWORD: !!null
HIVE_METASTORE_DATABASE_PASSWORD: !!null
INSIGHTS_DATABASE_PASSWORD: !!null
INSIGHTS_EMAIL_HOST_PASSWORD: !!null
JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: !!null
JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: !!null
MARIADB_CLUSTER_PASSWORD_ADMIN: !!null
MONGO_ADMIN_PASSWORD: !!null
mongo_admin_password: "{{ MONGO_ADMIN_PASSWORD }}"
NOTIFIER_COMMENT_SERVICE_API_KEY: "{{ FORUM_API_KEY }}"
NOTIFIER_EMAIL_PASS: !!null
NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
POSTFIX_QUEUE_EXTERNAL_SMTP_PASSWORD: !!null
PROGRAMS_DATABASE_PASSWORD: !!null
REDIS_PASSWORD: !!null
SPLUNKFORWARDER_PASSWORD: !!null
SPLUNK_SMTP_PASSWORD: !!null
SPLUNK_SSL_PASSWORD: !!null
SWIFT_LOG_SYNC_PASSWORD: !!null
XQUEUE_BASIC_AUTH_PASSWORD: !!null
XQUEUE_BASIC_AUTH_USER: !!null
XQUEUE_MYSQL_PASSWORD: !!null
XQUEUE_RABBITMQ_PASS: !!null
XSY_PASSWORD: !!null
...
```
Replacing every !!null placeholder with a random value can be done easily from the bash command line. Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file. Lines that contain no !!null (the "---" header and the "{{ OTHER_VAR }}" references) pass through unchanged.
```bash
# For each line: draw 35 random alphanumeric characters from /dev/urandom and
# substitute them, single-quoted, for the !!null placeholder. read -r keeps any
# backslashes in the input literal.
while IFS= read -r line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml > ./my-passwords.yml
```
This creates a new file named my-passwords.yml, whose content should look something like the following:
```yaml
ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII'
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo'
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ'
COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb'
COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ'
COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh'
COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2'
COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf'
COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU'
...
```
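As an added example (not code from the edx/configuration repository), the one-liner above rewritten as two shell functions: one generates my-passwords.yml with the file permissions locked down, the other refuses the result if any !!null placeholder survived, so an incompletely generated file is never handed to ansible-playbook. The function names and the three-entry template it runs on are constructed for the example; on a real checkout you would point it at the downloaded passwords.yml.

```bash
#!/usr/bin/env bash
# Added example, not code from the edx/configuration repository: the same
# "replace every !!null with a random value" step as the page's one-liner,
# wrapped in functions with a post-check that no placeholder survived.
# Function names and the three-entry template below are constructed here.
set -eu

# gen_password LENGTH: print LENGTH random characters from [A-Za-z0-9].
# LC_ALL=C makes tr treat the input as bytes; head closes the stream after
# LENGTH characters. There is deliberately no "pipefail": tr then exits via
# SIGPIPE, which would otherwise trip set -e.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-35}"
}

# randomize_passwords TEMPLATE OUTPUT
# Lines ending in "!!null" get a fresh, single-quoted random value. Every
# other line ("---", comments, and the quoted "{{ OTHER_VAR }}" references
# that alias an already-generated value) is copied through unchanged.
randomize_passwords() {
  local template="$1" output="$2" line pw
  (umask 077 && : >"$output")      # create OUTPUT readable by the owner only
  # "|| [ -n "$line" ]" also handles a final line without a trailing newline
  while IFS= read -r line || [ -n "$line" ]; do
    if [[ "$line" == *'!!null' ]]; then
      pw="$(gen_password 35)"
      printf "%s'%s'\n" "${line%!!null}" "$pw" >>"$output"
    else
      printf '%s\n' "$line" >>"$output"
    fi
  done <"$template"
}

# check_passwords FILE: fail (and list the offending lines) if any "!!null"
# placeholder is still present, so a default never reaches ansible-playbook.
check_passwords() {
  if grep -n '!!null' "$1"; then
    echo "error: unset secrets remain in $1" >&2
    return 1
  fi
}

# Constructed three-entry stand-in for sample_vars/passwords.yml.
TEMPLATE="$(mktemp)"
OUTPUT="$(mktemp)"
trap 'rm -f "$TEMPLATE" "$OUTPUT"' EXIT
cat >"$TEMPLATE" <<'EOF'
---
COMMON_MYSQL_ADMIN_PASS: !!null
MONGO_ADMIN_PASSWORD: !!null
mongo_admin_password: "{{ MONGO_ADMIN_PASSWORD }}"
EOF

randomize_passwords "$TEMPLATE" "$OUTPUT"
check_passwords "$OUTPUT"
echo "generated $(grep -c "'" "$OUTPUT") passwords into $OUTPUT"
```

On a real host the call is `randomize_passwords passwords.yml my-passwords.yml && check_passwords my-passwords.yml`. The generated lines have the same shape as the one-liner's output (35 single-quoted alphanumerics, which need no further YAML escaping), the alias lines are left alone so they still point at the generated value, and the output file is created mode 0600 rather than with your default umask.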
Keep the my-passwords.yml file in a safe location, ideally encrypted. If you don't have another solution for this, we recommend ansible-vault, which comes with your Ansible installation.
Starting from a bare Ubuntu Xenial installation, you can follow these steps:
```bash
# Ensure your instance is upgraded to the latest Xenial
sudo apt-get update -y
sudo apt-get upgrade -y
sudo reboot

# Install the edx_ansible role. This pipes a remotely fetched script into a root
# shell; download and read it first if that is a concern for you.
wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O - | sudo bash

# Create passwords specific to your installation. If you have multiple application
# nodes, you will need to share these same values across all of them.
# The password files will be owned by root.
cd /edx/app/edx_ansible/
sudo wget https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
# "sudo tee" writes the root-owned file; sending tee's stdout to /dev/null keeps
# the generated secrets out of your terminal and its scrollback.
while IFS= read -r line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml | sudo tee ./my-passwords.yml > /dev/null

# Encrypt your environment-specific secrets with Ansible Vault. This step will prompt you to create a password
# for accessing your encrypted data. It is IMPERATIVE that you do not lose or forget this password.
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml

# Run the native installation using your encrypted passwords
cd /edx/app/edx_ansible/edx_ansible/playbooks/
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass
```
When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to every call to ansible-playbook, together with `--ask-vault-pass` (or `--vault-password-file`) if the file is vault-encrypted.
...
Running the following command from a host that is outside your network, i.e. public from the point of view of your Open edX instance, is a useful check of what you actually expose:
```bash
nmap -Pn -p- edx.mydomain.info
```
The fewer ports that are open, the better. You should be concerned if anything other than 80 (HTTP), 443 (HTTPS) and 22 (SSH) is open; in particular, the database and message-broker ports the services listen on must not be reachable from the internet, since a default or weak password on one of those is exactly how the data losses mentioned above happened. Ideally port 22 (SSH) would also be limited to networks that you control.
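As an added example that is not part of the original page, the "only 22, 80 and 443 should be open" rule turned into a check over nmap's grepable output (`-oG`), so the scan can be repeated after every deployment and fail loudly when something new appears. The function name and the scan result it is run on are constructed for the example; the address 203.0.113.10 is from the documentation range.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: check "nmap -Pn -p- -oG FILE host"
# output against an allow list of ports. The function name and the scan result
# below are constructed for the example.
set -eu

# unexpected_ports SCAN_FILE ALLOWED_PORT...
# Prints, one per line, every open port not in the allow list as "PORT/PROTO SERVICE".
# The exit status is 0 whether or not anything is printed; callers test the output.
unexpected_ports() {
  local file="$1"; shift
  awk -v allowed=" $* " '
    /^Host:/ && /Ports:/ {
      sub(/.*Ports: /, "")                 # keep only the port list
      sub(/\tIgnored State.*/, "")         # drop the trailing summary field
      n = split($0, entries, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^ +/, "", entries[i])
        split(entries[i], f, "/")          # port/state/proto/owner/service/...
        if (f[2] == "open" && index(allowed, " " f[1] " ") == 0)
          print f[1] "/" f[3] " " f[5]
      }
    }' "$file"
}

# Constructed -oG result (one host line per nmap convention, tab-separated
# fields): MySQL and MongoDB are exposed next to the expected web and SSH ports.
SCAN="$(mktemp)"
trap 'rm -f "$SCAN"' EXIT
printf 'Host: 203.0.113.10 (edx.example.org)\tStatus: Up\n' >"$SCAN"
printf 'Host: 203.0.113.10 (edx.example.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 27017/open/tcp//mongod///\tIgnored State: closed (65530)\n' >>"$SCAN"

if extra="$(unexpected_ports "$SCAN" 22 80 443)" && [ -n "$extra" ]; then
  printf 'unexpected open ports:\n%s\n' "$extra"
else
  echo "only the allowed ports are open"
fi
```

Against a live host, run `nmap -Pn -p- -oG scan.gnmap edx.mydomain.info` from the outside and then `unexpected_ports scan.gnmap 22 80 443`; a non-empty result is your signal to fix the security group or firewall before worrying about anything else on this page.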
...