How to Override Default Configuration Passwords and Verify Exposed Services

To run a secure system, it's important that you change the default passwords.  This page gives a way to randomize passwords.

The configuration repository supplies well-known default passwords for services, typically defined in the defaults/main.yml file for any particular role.  By convention, all such passwords have a name that clearly indicates they are passwords, typically ROLE_PURPOSE_PASSWORD.

You should ensure that these values are overridden if you are deploying a non-development environment.  There are real-world examples of folks losing their data because they had neither updated the default passwords nor ensured that access to services was blocked at the network level.

Please do both.  If you have questions about how to do so, ask on Slack.

Randomly Generated Passwords for New Deployments

One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible.  Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.

As of February 2, 2017, we recommend that you override at least the following values

That file's contents look like so:

This can be done easily from the bash command line.  Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file.

This creates a new file named my-passwords.yml, and its content should look something like the following:

Keep the my-passwords.yml file in a safe location, ideally encrypted.  If you don't have another solution for this, we recommend that you use ansible-vault, which comes with your Ansible installation.

Starting from a bare Ubuntu Xenial installation, you can follow these steps:

When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook.
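
One way to do the randomization and then confirm that no role default is left in place, as an added example rather than the command from the original page. It assumes each file holds one top-level `NAME_PASSWORD: value` pair per line; the EXAMPLE_* key names and sample values are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumed file layout: one
# top-level "ROLE_PURPOSE_PASSWORD: value" pair per line.

# gen_password [LENGTH]: print LENGTH (default 35) random alphanumerics.
gen_password() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-${1:-35}"
}

# randomize_passwords TEMPLATE OUTPUT: copy TEMPLATE to OUTPUT, giving every
# *_PASSWORD key a fresh random value. OUTPUT is left owner-readable only.
randomize_passwords() {
  ( umask 077
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        [A-Za-z]*_PASSWORD:*)
          printf "%s: '%s'\n" "${line%%:*}" "$(gen_password)" ;;
        *) printf '%s\n' "$line" ;;
      esac
    done < "$1" > "$2" )
  chmod 600 "$2"
}

# missing_overrides DEFAULTS OVERRIDES: print each *_PASSWORD key defined in
# DEFAULTS that OVERRIDES does not set. Returns 1 if any key is missing.
missing_overrides() {
  missing=$(sed -n 's/^\([A-Za-z][A-Za-z0-9_]*_PASSWORD\):.*/\1/p' "$1" |
    while IFS= read -r key; do
      grep -q "^${key}:" "$2" || printf '%s\n' "$key"
    done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed sample data (hypothetical key names and values).
demo=$(mktemp -d)
printf '%s\n' 'EXAMPLE_DB_PASSWORD: changeme' 'EXAMPLE_DB_PORT: 3306' \
  'EXAMPLE_QUEUE_PASSWORD: changeme' > "$demo/defaults.yml"
printf '%s\n' 'EXAMPLE_DB_PASSWORD: placeholder' > "$demo/passwords.yml"

randomize_passwords "$demo/passwords.yml" "$demo/my-passwords.yml"
# Reports the key that the overrides file forgot.
missing_overrides "$demo/defaults.yml" "$demo/my-passwords.yml" ||
  echo "not overridden: see keys above" >&2
```

Running missing_overrides against each role's defaults/main.yml before calling ansible-playbook catches a password key that was added to a role after the overrides file was written.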

Network Access

We strongly recommend that you review the ports that are exposed on your hosts regularly. 

Running the following command from a host that is public from the point of view of your Open edX instance is useful

The fewer ports that are open, the better.  You should be concerned if ports other than 80 (http), 443 (https) and 22 (ssh) are open.  Ideally, port 22 (ssh) would also be limited to networks that you control.