CRDM Logging Setup
Containerized setup for the log server of the "Center for Research Data Management" at TU Wien.
Setup
Setting up the logging server consists of the following steps:
- Create a `.env` file (cf. `example.env`)
- Initialize the TLS/SSL certificates
- Initialize the security index with `docker compose run os-node-1 ./init-security.sh`
- Start the cluster with `docker compose up`
Note: Populating the `.env` file has to be done manually, but the remaining steps are automated by `./scripts/setup.sh`!
TLS/SSL certificates
A self-signed root CA and certificates signed by it for inter-container communication (as well as HTTPS certificates for the public-facing endpoints) can be generated with `scripts/generate-ssl.sh`.
These files include:
- `root-ca-{crt,key}.pem`: Key pair for the root CA
- `root-ca-crt.srl`: Serial number file for the root CA
- `node{1,2}-{crt,key}.pem`: Key pairs for inter-container communication
- `{cluster,dashboards}-{crt,key}.pem`: Key pairs for the public-facing endpoints
Note: For the common name of the public-facing certificates, the script will take the values of `${OPENSEARCH_HOSTNAME}` and `${DASHBOARDS_HOSTNAME}`, respectively.
If either of these variables isn't set, `localhost` is used as the fallback value.
Custom key pairs for external communication
Of course, it can be desirable to use custom certificates (that aren't self-signed) on the public-facing endpoints.
Such key pairs can be set by placing the corresponding files (`{cluster,dashboards}-{crt,key}.pem`) in the `ssl/` directory.
If the script detects that they exist as regular files (and not as symlinks), it will skip the auto-generation for these files and leave them as they are.
Note: It looks like the private key needs to be in PKCS#8 format.
A key generated via `openssl genrsa` can be converted to an unencrypted PKCS#8 key with the following command (`-nocrypt` writes it without a passphrase, so no PBE algorithm needs to be given):

```sh
openssl pkcs8 -inform PEM -outform PEM -in PRIVATE_KEY_FILE.PEM -topk8 -nocrypt -out PRIVATE_KEY_PKCS8.PEM
```
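The following script shows the generation scheme described in this section (root CA, node certificates, public-facing certificates with the `localhost` fallback, hand-placed key pairs left untouched, keys in PKCS#8 form). It is an added example and not the repository's `scripts/generate-ssl.sh`. It assumes the node hostnames `os-node-1`/`os-node-2`, 2048-bit RSA keys, a 365-day validity, and that generated files are written to `ssl/generated/` and symlinked into `ssl/`, which is what makes the "regular file, not symlink" check meaningful: a regular file in `ssl/` can only have been placed there by the operator.

```shell
#!/bin/sh
# Added example, not the repository's scripts/generate-ssl.sh: a self-signed root CA,
# node certificates for inter-container TLS, and public-facing certificates whose CN
# falls back to "localhost". Generated files live in ssl/generated/ and are symlinked
# into ssl/, so a regular (hand-placed) file in ssl/ is recognised and left untouched.
# Assumed: node hostnames os-node-1/os-node-2, 2048-bit RSA keys and 365-day validity.
set -eu

SSL_DIR="${SSL_DIR:-./ssl}"
DAYS="${CERT_DAYS:-365}"

# True when both certificate and key exist as regular files, i.e. the operator supplied
# them; symlinks point at our own generated files and may be replaced.
is_custom_pair() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -f "$2" ] && [ ! -L "$2" ]
}

# Common name for a public-facing endpoint: the configured hostname or "localhost".
endpoint_cn() {
    printf '%s\n' "${1:-localhost}"
}

# Replace ssl/<name> with a relative symlink to ssl/generated/<name>.
link_generated() {
    rm -f "$SSL_DIR/$1"
    ln -s "generated/$1" "$SSL_DIR/$1"
}

make_root_ca() {
    gen="$SSL_DIR/generated"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$gen/root-ca-key.pem" 2>/dev/null
    openssl req -x509 -new -key "$gen/root-ca-key.pem" -sha256 -days "$DAYS" \
        -subj "/CN=crdm-logging-root-ca" -out "$gen/root-ca-crt.pem"
    link_generated root-ca-key.pem
    link_generated root-ca-crt.pem
}

# Issue a leaf certificate signed by the root CA. genpkey writes the key in PKCS#8 form
# ("BEGIN PRIVATE KEY"), and -CAcreateserial maintains root-ca-crt.srl next to the CA cert.
issue_cert() {   # $1 = file prefix, $2 = common name, $3 = subjectAltName value
    prefix="$1"; cn="$2"; san="$3"; gen="$SSL_DIR/generated"
    if is_custom_pair "$SSL_DIR/$prefix-crt.pem" "$SSL_DIR/$prefix-key.pem"; then
        echo "keeping custom $prefix key pair" >&2
        return 0
    fi
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$gen/$prefix-key.pem" 2>/dev/null
    openssl req -new -key "$gen/$prefix-key.pem" -subj "/CN=$cn" -out "$gen/$prefix.csr"
    printf 'subjectAltName=%s\n' "$san" > "$gen/$prefix.ext"
    openssl x509 -req -in "$gen/$prefix.csr" -CA "$gen/root-ca-crt.pem" -CAkey "$gen/root-ca-key.pem" \
        -CAcreateserial -days "$DAYS" -sha256 -extfile "$gen/$prefix.ext" \
        -out "$gen/$prefix-crt.pem" 2>/dev/null
    rm -f "$gen/$prefix.csr" "$gen/$prefix.ext"
    link_generated "$prefix-key.pem"
    link_generated "$prefix-crt.pem"
}

generate_all() {
    mkdir -p "$SSL_DIR/generated"
    make_root_ca
    issue_cert node1 os-node-1 DNS:os-node-1
    issue_cert node2 os-node-2 DNS:os-node-2
    cluster_cn="$(endpoint_cn "${OPENSEARCH_HOSTNAME:-}")"
    dash_cn="$(endpoint_cn "${DASHBOARDS_HOSTNAME:-}")"
    issue_cert cluster "$cluster_cn" "DNS:$cluster_cn"
    issue_cert dashboards "$dash_cn" "DNS:$dash_cn"
}

# Succeeds when ssl/<prefix>-crt.pem chains to the generated root CA.
verify_cert() {
    openssl verify -CAfile "$SSL_DIR/root-ca-crt.pem" "$SSL_DIR/$1-crt.pem" >/dev/null 2>&1
}

# Run the full generation only when executed directly as a script.
case "${0##*/}" in generate-ssl-example.sh) generate_all ;; esac
```

Run it as `OPENSEARCH_HOSTNAME=logs.example.test SSL_DIR=./ssl sh generate-ssl-example.sh`; a second run refreshes every symlinked pair but reports "keeping custom ... key pair" for any pair the operator has copied into `ssl/` as regular files, and `verify_cert cluster` checks that the public certificate still chains to the root CA.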
Security configuration
Before being able to use the log server, encryption and authentication/authorization need to be set up.
The script `./opensearch/init-security.sh` (to be executed inside the `os-node-1` container) takes care of that.
It creates the users defined in `./opensearch/security/internal_users.template.yml`, i.e. `admin`, `kibanaserver`, and `logging_user`, and sets their passwords to the values of the following environment variables:
- `OPENSEARCH_ADMIN_PASSWORD`
- `OPENSEARCH_KIBANASERVER_PASSWORD`
- `OPENSEARCH_LOGGINGUSER_PASSWORD`
Note that this setup script will throw away any internal users that were defined via the REST API!
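The core of such an initialization, shown here as an added example rather than the repository's `./opensearch/init-security.sh`: refuse to continue while any of the three password variables is unset or empty, hash each password, and render `internal_users.yml` from a template so that only bcrypt hashes, never plaintext passwords, end up in the file. The `@..._HASH@` placeholder names, the sample template and the location of the security plugin's `hash.sh` are assumptions of this example; the `HASH_CMD` override exists so the hashing step can be swapped out.

```shell
#!/bin/sh
# Added example, not the repository's ./opensearch/init-security.sh: refuses to run with
# an unset password variable, hashes each password and renders internal_users.yml from a
# template so that no plaintext password is written to disk. The @..._HASH@ placeholders,
# the sample template and the hash.sh location are assumptions of this example.
set -eu

REQUIRED_VARS="OPENSEARCH_ADMIN_PASSWORD OPENSEARCH_KIBANASERVER_PASSWORD OPENSEARCH_LOGGINGUSER_PASSWORD"

# Fails (listing every offender on stderr) if any password variable is unset or empty,
# so the security index is never initialized with an empty password.
check_password_vars() {
    missing=""
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    if [ -n "$missing" ]; then
        echo "unset password variables:$missing" >&2
        return 1
    fi
    return 0
}

# Bcrypt-hash a password with the security plugin's hash.sh (path assumed);
# HASH_CMD overrides the hasher, e.g. for tests.
hash_password() {
    if [ -n "${HASH_CMD:-}" ]; then
        $HASH_CMD "$1"
    else
        "${OPENSEARCH_HOME:-/usr/share/opensearch}/plugins/opensearch-security/tools/hash.sh" -p "$1"
    fi
}

# Constructed sample of internal_users.template.yml; the repository's real file is not shown on the page.
write_sample_template() {
    cat > "$1" <<'EOF'
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "@ADMIN_HASH@"
  reserved: true
  backend_roles: ["admin"]
kibanaserver:
  hash: "@KIBANASERVER_HASH@"
  reserved: true
logging_user:
  hash: "@LOGGINGUSER_HASH@"
  reserved: false
EOF
}

# Render $1 (template) to $2 (internal_users.yml). bcrypt hashes contain '$' and '/',
# both literal in a sed replacement when '|' is the delimiter.
render_internal_users() {
    check_password_vars
    admin_hash="$(hash_password "$OPENSEARCH_ADMIN_PASSWORD")"
    kibana_hash="$(hash_password "$OPENSEARCH_KIBANASERVER_PASSWORD")"
    logging_hash="$(hash_password "$OPENSEARCH_LOGGINGUSER_PASSWORD")"
    sed -e "s|@ADMIN_HASH@|$admin_hash|" \
        -e "s|@KIBANASERVER_HASH@|$kibana_hash|" \
        -e "s|@LOGGINGUSER_HASH@|$logging_hash|" "$1" > "$2"
    chmod 600 "$2"
}

# Returns 0 if the rendered file contains no leftover placeholder and no plaintext password.
rendered_is_clean() {
    ! grep -q '@[A-Z_]*_HASH@' "$1" || return 1
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        ! grep -qF -- "$val" "$1" || return 1
    done
    return 0
}
```

Inside the container the rendered file would then be handed to the security plugin's `securityadmin.sh`, which is the step that overwrites the security index and thereby drops users created via the REST API, as the note above says.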
