Security approach for running Opal as a Docker container


Tom Bishop

May 20, 2022, 4:26:14 AM
to obiba...@googlegroups.com
Hi,

Some groups I am working with would like to use the approach suggested in the Opal help pages (https://opaldoc.obiba.org/en/latest/admin/installation.html#docker-image-installation), using Docker containers.

It is really useful to have the example docker-compose.yml file. The concern is that the passwords are then specified in that file which is making people nervous (they are on a hospital network). If I appropriately permission the docker-compose.yml file, and require sudo to execute Docker commands, then someone would need to get onto the machine with a sudo account in order to learn the passwords. Is that correct? Presumably, with "traditional" Opal, if someone had sudo access on the machine, they could change the Opal administrator password and get the data?

As an alternative, I have started to work on a solution that uses Docker secrets, and therefore requires you to run Docker in swarm mode. The steps I have in mind are:
  1. Specify the secrets manually e.g. printf "some string that is your secret value" | docker secret create my_secret -
  2. Tell each service which secrets to use (I am hoping it is as easy as removing the environment value and adding the secrets)
  3. Start Docker in swarm mode
  4. Build the stack with the compose file
My initial attempts are not working yet, so I want to make sure my understanding of the situation is correct.

Thanks

Tom



Yannick Marcon

May 20, 2022, 5:41:11 AM
to obiba...@googlegroups.com
Hi Tom,

You can use environment variables defined in a file: https://docs.docker.com/compose/env-file/ . It is cleaner than having these in the docker-compose file, but that does not change the security issue, as the env file contains the variable values in clear.

In a "traditional" opal, the administrator password is stored hashed in a file. As you said, a user with sudo rights can modify this password with a new hash (this is needed to be able to recover the server access in case the password is lost). 

Since Opal 4.4, two-factor authentication can be activated, then having access to the password in the env file or changing the hashed password would not be enough to gain access.

How does the Coral distribution deal with that?

Regards
Yannick


Tom Bishop

May 20, 2022, 8:48:49 AM
to obiba...@googlegroups.com
Hi Yannick,

Thanks for these pointers. That's a good point about the 2FA. I guess a sudo user could still attack the database directly, but it would at least be less convenient than going into Opal.

I've looked at Coral, and from what I understand, the passwords are not stored in plain text in a file but a user who can execute Docker commands can do:

sudo docker container exec my_container cat /run/secrets/my_secret_data

I tried this with Coral and was able to see my passwords.

I'm inclined to stick with a well-permissioned Docker compose file and 2FA. Do you think it might be worth adding a note to the Opal help suggesting setting the permission on the file to 600 and owner to root?

Best wishes,
Tom
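The hardening Tom settles on above (a docker-compose.yml, and any Compose .env file Yannick mentions, owned by root with mode 600) is easy to get wrong silently, so here is an added audit script. It is not code from the thread or from the Opal project; the function names and the owner/600 policy are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or the Opal project: audit the files that
# carry Compose credentials for the hardening proposed above (owner root,
# mode 600). Function names and the 600/owner policy are this example's choices.

# check_secret_file FILE EXPECTED_OWNER
# Prints one finding per line; returns 0 only when FILE is a regular file,
# is owned by EXPECTED_OWNER and has no group/other permission bits set.
check_secret_file() {
    file=$1
    want_owner=$2
    status=0
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    actual_owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    if [ "$actual_owner" != "$want_owner" ]; then
        echo "$file: owned by $actual_owner, expected $want_owner"
        status=1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00|0) ;;
        *) echo "$file: mode $mode lets group/other read it (expected 600)"
           status=1 ;;
    esac
    return $status
}

# audit_compose_dir DIR [EXPECTED_OWNER]
# Checks docker-compose.yml and, when present, the .env file Compose reads
# variable values from; both hold credentials in clear text.
audit_compose_dir() {
    dir=$1
    want=${2:-root}
    rc=0
    for f in "$dir/docker-compose.yml" "$dir/.env"; do
        if [ "$f" = "$dir/.env" ] && [ ! -e "$f" ]; then
            continue   # .env is optional
        fi
        check_secret_file "$f" "$want" || rc=1
    done
    return $rc
}

# Usage: ./audit_compose.sh /path/to/compose/dir [owner]
if [ $# -gt 0 ]; then
    audit_compose_dir "$@" && echo "ok"
fi
```

Run it from cron or a configuration-management check; a non-zero exit means a credential file is readable by someone other than the intended account. It does not change the point made in the thread that a sudo-capable user can still read the files; it only catches accidental over-permissioning.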

Tom Bishop

Jul 8, 2022, 10:13:15 AM
to obiba...@googlegroups.com

Hi Yannick,

I hope you had a good trip back from Rotterdam.

I am still looking at moving some of our set ups onto a Docker approach and have another security question.

This might be a similar answer to the one about setting a password for Rock. I notice that there are no environment variables in Opal for a MongoDB username and password. Is this because the container does not expose a port to the host? And therefore without sudo, one cannot connect to the container?

I was wondering if I could use a mongo client on my host to connect to mongoDB in a container without a password if I knew the IP address.

I.e. do something like:

mongo --host 172.22.0.5

At the moment this gives me an error, but that might be because I am doing something wrong. What do you think?

Thanks

Tom

Yannick Marcon

Jul 8, 2022, 10:38:17 AM
to obiba...@googlegroups.com
Hi,

There are some environment variables that you can pass to opal's docker:

* MONGO_USER
* MONGO_PASSWORD

(it is missing in the doc, I'll add them)

Regards
Yannick


Tom Bishop

Jul 11, 2022, 11:14:20 AM
to obiba...@googlegroups.com

Hi Yannick,

Thanks for confirming these environment variables. I have given them a quick go and I think I am missing something. I have:

  opal:
    ……..
    environment:
      ………
      - MONGO_USER=root
      - MONGO_PASSWORD=password

  mongo:
    image: mongo
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=password

My understanding is that this creates a super user in the admin database of mongoDB. However, this information is not used by Opal during the set up:

https://github.com/obiba/docker-opal/blob/242038c1031d6930c4b93fb6a85d9ff084668fe3/bin/first_run.sh#L66-L67

JSON file:

{
    "usedForIdentifiers": false,
    "name": "mongodb",
    "usage": "STORAGE",
    "defaultStorage": true,
    "mongoDbSettings": {
        "url": "mongodb://@host@:@port@/@db@",
        "username": "@user@",
        "password": "@pwd@",
        "properties": ""
    }
}

The URL needs to be set to have ?authSource=admin appended if a username and password are set, otherwise the connection fails.

Is it the right thing to do to change this in the Opal Docker image, to make the set up easier?

Thanks

Tom
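The fix Tom describes above (append ?authSource=admin to the MongoDB URL whenever MONGO_USER and MONGO_PASSWORD are set, because MONGO_INITDB_ROOT_* creates the account in Mongo's admin database) can be shown as a small renderer for the quoted settings template. This is an added example, not code from docker-opal or its first_run.sh; the template text is the JSON quoted in the post, copied in as a constant so the script runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from docker-opal: render the Opal MongoDB settings JSON,
# adding ?authSource=admin only when credentials are given. Function names are
# this example's own; the template text is the one quoted in the thread.

# mongo_url HOST PORT DB [USER] [PASSWORD]
# Prints the connection URL. MONGO_INITDB_ROOT_USERNAME/PASSWORD create the
# user in Mongo's admin database, so an authenticated URL must name that
# database as authSource; otherwise the login is attempted against DB and the
# connection fails, as described above.
mongo_url() {
    host=$1; port=$2; db=$3; user=${4:-}; pass=${5:-}
    url="mongodb://$host:$port/$db"
    if [ -n "$user" ] && [ -n "$pass" ]; then
        url="$url?authSource=admin"
    fi
    printf '%s\n' "$url"
}

# The settings template from the post, reproduced so the example is
# self-contained.
mongo_template() {
    cat <<'EOF'
{
    "usedForIdentifiers": false,
    "name": "mongodb",
    "usage": "STORAGE",
    "defaultStorage": true,
    "mongoDbSettings": {
        "url": "mongodb://@host@:@port@/@db@",
        "username": "@user@",
        "password": "@pwd@",
        "properties": ""
    }
}
EOF
}

# render_mongo_settings HOST PORT DB [USER] [PASSWORD]
# Fills the @placeholders@. The URL is substituted as a whole so the
# authSource suffix ends up inside the "url" value. Values containing '|' or
# '&' would break the sed patterns; pass such passwords through a JSON-aware
# tool instead of this shell substitution.
render_mongo_settings() {
    url=$(mongo_url "$@")
    mongo_template | sed \
        -e "s|mongodb://@host@:@port@/@db@|$url|" \
        -e "s|@user@|${4:-}|" \
        -e "s|@pwd@|${5:-}|"
}

# Usage: ./render_mongo.sh mongo 27017 opal "$MONGO_USER" "$MONGO_PASSWORD"
if [ $# -ge 3 ]; then
    render_mongo_settings "$@"
fi
```

With no user and password the output is the unauthenticated URL the current template produces; with both set, the rendered "url" carries the authSource parameter and the username/password fields are filled. Supplying only one half of the credential pair is treated as no credentials, which mirrors the post's "if a username and password are set" condition.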