...

One way to make sure the default passwords are overridden is to pass an override file to Ansible when you install Open edX: ansible-playbook accepts a YAML file of extra variables with the `-e@/path/to/file.yml` convention, and values in that file take precedence over the defaults shipped in the roles.

As of February 2, 2017, we recommend that you override at least the values listed in https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml

That file's contents look like this:

Code Block: passwords.yml
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
CREDENTIALS_MYSQL_PASSWORD: !!null
DISCOVERY_EMAIL_HOST_PASSWORD: !!null
DISCOVERY_MYSQL_PASSWORD: !!null
ECOMMERCE_BROKER_PASSWORD: !!null
ECOMMERCE_DATABASE_PASSWORD: !!null
ECOMMERCE_WORKER_BROKER_PASSWORD: !!null
EDXAPP_CELERY_PASSWORD: !!null
EDXAPP_COMMENTS_SERVICE_KEY: !!null
EDXAPP_EMAIL_HOST_PASSWORD: !!null
EDXAPP_MONGO_PASSWORD: !!null
EDXAPP_MYSQL_CSMH_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD_ADMIN: !!null
EDXAPP_MYSQL_PASSWORD_READ_ONLY: !!null
EDXAPP_MYSQL_REPLICA_PASSWORD: !!null
FLOWER_BROKER_PASSWORD: !!null
FORUM_API_KEY: !!null
FORUM_MONGO_PASSWORD: !!null
HIVE_METASTORE_DATABASE_PASSWORD: !!null
INSIGHTS_DATABASE_PASSWORD: !!null
INSIGHTS_EMAIL_HOST_PASSWORD: !!null
JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: !!null
JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: !!null
MARIADB_CLUSTER_PASSWORD_ADMIN: !!null
MONGO_ADMIN_PASSWORD: !!null
mongo_admin_password: {{ MONGO_ADMIN_PASSWORD }}
NOTIFIER_COMMENT_SERVICE_API_KEY: {{ FORUM_API_KEY }}
NOTIFIER_EMAIL_PASS: !!null
NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
POSTFIX_QUEUE_EXTERNAL_SMTP_PASSWORD: !!null
PROGRAMS_DATABASE_PASSWORD: !!null
REDIS_PASSWORD: !!null
SPLUNKFORWARDER_PASSWORD: !!null
SPLUNK_SMTP_PASSWORD: !!null
SPLUNK_SSL_PASSWORD: !!null
SWIFT_LOG_SYNC_PASSWORD: !!null
XQUEUE_BASIC_AUTH_PASSWORD: !!null
XQUEUE_BASIC_AUTH_USER: !!null
XQUEUE_MYSQL_PASSWORD: !!null
XQUEUE_RABBITMQ_PASS: !!null
XSY_PASSWORD: !!null
...

You can fill in these values with random secrets from the bash command line. Save the content above to a file named passwords.yml and run the following command from the directory in which you created it. Every `!!null` is replaced with a fresh 35-character alphanumeric value drawn from /dev/urandom; lines that reference another variable (for example {{ MONGO_ADMIN_PASSWORD }}) are copied through unchanged and resolve at playbook run time. Note that COMMON_HTPASSWD_USER and XQUEUE_BASIC_AUTH_USER are usernames rather than passwords; a random value works for them too, but you may prefer something you can type.

Code Block
# the backslashes keep an interactive bash from treating !! as a history expansion
while IFS= read -r line; do REPLACE=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 35); printf '%s\n' "$line" | sed "s/\!\!null/'$REPLACE'/"; done < ./passwords.yml > ./my-passwords.yml
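The one-liner does the job, but it leaves my-passwords.yml with whatever mode your umask gives new files (usually world-readable) and gives you no check that every placeholder was actually replaced. The script below is an added example, not code from this page or from the edx/configuration project. It assumes the same file names (passwords.yml in, my-passwords.yml out) and the same substitution rule, creates the output with mode 0600, copies non-placeholder lines such as the {{ MONGO_ADMIN_PASSWORD }} reference through unchanged, and verifies that no `!!null` survived. The sample input in the comments is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Open edX page or edx/configuration): build an
# Ansible override file from the sample passwords.yml, replacing every
# "!!null" placeholder with a fresh random secret and copying everything
# else (comments, and Jinja references such as {{ MONGO_ADMIN_PASSWORD }})
# through unchanged. Assumed file names: passwords.yml -> my-passwords.yml.
set -eu

# gen_secret [LEN]: print one random secret of LEN (default 35) alphanumeric
# characters. /dev/urandom is the CSPRNG, tr keeps only [A-Za-z0-9], head cuts
# the length; 35 such characters is roughly 208 bits of entropy.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-35}"
}

# fill_passwords SRC DST: write DST from SRC with every placeholder filled.
# DST is created 0600 so the plaintext secrets are never world-readable,
# even before you run ansible-vault encrypt on it.
fill_passwords() {
  local src="$1" dst="$2" line='' key
  ( umask 077; : > "$dst" )              # create an empty, owner-only file
  while IFS= read -r line || [ -n "$line" ]; do   # also handles a missing final newline
    case "$line" in
      *': !!null'*)
        key="${line%%:*}"                # text before the first colon, e.g. EDXAPP_MYSQL_PASSWORD
        printf "%s: '%s'\n" "$key" "$(gen_secret 35)" >> "$dst"
        ;;
      *)
        printf '%s\n' "$line" >> "$dst"  # comment, blank, or {{ reference }} line: keep as-is
        ;;
    esac
  done < "$src"
}

# check_filled FILE: succeed only if no "!!null" placeholder survived.
check_filled() {
  ! grep -q '!!null' "$1"
}

# Usage (constructed example input, same layout as the edx sample file):
#   printf '%s\n' 'EDXAPP_MYSQL_PASSWORD: !!null' \
#                 'MONGO_ADMIN_PASSWORD: !!null' \
#                 'mongo_admin_password: {{ MONGO_ADMIN_PASSWORD }}' > passwords.yml
#   fill_passwords passwords.yml my-passwords.yml && check_filled my-passwords.yml
```

Run it once per environment and then encrypt the result with ansible-vault as described below; if check_filled fails, a line in the sample file used a placeholder spelling the script does not recognise and needs filling in by hand.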

...

Code Block
ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII'
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo'
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ'
COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb'
COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ'
COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh'
COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2'
COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf'
COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU'

...

Keep the my-passwords.yml file in a safe location, ideally encrypted at rest. If you do not already have a secrets-management solution, use ansible-vault, which ships with your Ansible installation; ansible-playbook reads the encrypted file directly when you pass `--ask-vault-pass` (or `--vault-password-file`).

Starting from a bare Ubuntu Xenial installation, you can follow these steps:

Code Block
# Ensure your instance is upgraded to the latest Xenial
sudo apt-get update -y
sudo apt-get upgrade -y
sudo reboot

# Install the edx_ansible role. Download the bootstrap script first so you can
# read it before it runs as root, rather than piping it straight into bash.
wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O ansible-bootstrap.sh
less ansible-bootstrap.sh
sudo bash ansible-bootstrap.sh

# Create passwords specific to your installation. If you have multiple application
# nodes you will need to share these across them.
# The password files will be owned by root; restrict the plaintext file to root only.
# `tee` is silenced so the secrets are not echoed to your terminal (and scrollback).
cd /edx/app/edx_ansible/
sudo wget https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
while IFS= read -r line; do REPLACE=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 35); printf '%s\n' "$line" | sed "s/\!\!null/'$REPLACE'/"; done < ./passwords.yml | sudo tee ./my-passwords.yml > /dev/null
sudo chmod 600 ./my-passwords.yml

# Encrypt your environment specific secrets with Ansible vault. This step will prompt you to create a password
# for accessing your encrypted data. It is IMPERATIVE that you do not lose or forget this password.
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml

# Run the native installation using your encrypted passwords
cd /edx/app/edx_ansible/edx_ansible/playbooks/
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass

When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` (plus `--ask-vault-pass` or `--vault-password-file` if the file is vault-encrypted) to every call to ansible-playbook; a run without the override file silently falls back to the default passwords.

...

To see what your instance exposes to the internet, run the following from a host outside your own network, one that reaches the instance only over its public address:

Code Block
nmap -Pn -p- edx.mydomain.info

The fewer open ports the better. Anything beyond 80 (HTTP), 443 (HTTPS) and 22 (SSH) should concern you: it usually means a backend service is listening on a public interface rather than on localhost or a private network, and it should be firewalled or rebound. Ideally 22 (SSH) would also be restricted to networks that you control, for example with a firewall rule or cloud security group.
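To make this check repeatable (for example after every deploy), save the scan in nmap's greppable format with `nmap -Pn -p- -oG scan.gnmap edx.mydomain.info` and compare the open ports against the set you expect. The script below is an added example, not part of the original page or of the edx/configuration project. The `-oG` host line it parses is constructed for illustration (203.0.113.10 is a documentation address, and port 3306 is deliberately present so the check has something to report); the port numbers and the allow-list are assumptions you would replace with your own.

```shell
#!/usr/bin/env bash
# Added example (not from the Open edX page or the edx/configuration project):
# compare the open ports in an nmap greppable (-oG) scan against an allow-list.
# Produce real input with:   nmap -Pn -p- -oG scan.gnmap edx.mydomain.info
set -eu

# Constructed sample of one -oG host line (not a real scan result).
# 203.0.113.10 is a documentation address; 3306 is deliberately exposed so
# the check has something to find. Fields are tab-separated in real output too.
SAMPLE_GNMAP="$(printf '%s\t%s\t%s' \
  'Host: 203.0.113.10 (edx.mydomain.info)' \
  'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8000/filtered/tcp//http-alt///' \
  'Ignored State: closed (65530)')"

# open_ports: read -oG output on stdin, print one open port number per line.
# Each "Ports:" entry is port/state/protocol/owner/service/rpc/version; only
# entries whose state is exactly "open" are kept (filtered/closed are ignored).
open_ports() {
  grep '^Host:' | sed -n 's/.*Ports: //p' | tr ',' '\n' \
    | awk -F/ '$2 == "open" { gsub(/[ \t]/, "", $1); print $1 }'
}

# unexpected_open_ports ALLOWED: read -oG output on stdin and print every open
# port that is not in the space-separated ALLOWED list. Prints nothing when the
# host exposes only what you expect, so the output doubles as an alert body.
unexpected_open_ports() {
  local allowed=" $1 " port
  open_ports | while read -r port; do
    case "$allowed" in
      *" $port "*) ;;        # expected
      *) echo "$port" ;;     # unexpected: a backend is reachable from outside
    esac
  done
}

# Demo against the constructed sample; with a real scan use:
#   unexpected_open_ports "22 80 443" < scan.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | unexpected_open_ports "22 80 443"   # prints 3306
```

If SSH is restricted to your own networks, drop 22 from the allow-list when scanning from a host that should not be able to reach it; an open 22 from there is then a finding too.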

...