Skip to main content
Version: Next

Security Configuration

This guide covers basic security configuration for Merobox deployments and best practices for secure usage.

Basic Security Settings

Merobox provides basic security configuration through environment variables and Docker settings:

Environment Variables

# Basic security environment variables
export RUST_LOG="info"
export DOCKER_HOST="unix:///var/run/docker.sock"

Docker Security

Basic Docker security practices for Merobox:

# Run containers as non-root user when possible
docker run --user 1000:1000 ghcr.io/calimero-network/merod:edge

# Use read-only filesystem for additional security
docker run --read-only ghcr.io/calimero-network/merod:edge

# Drop unnecessary capabilities
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ghcr.io/calimero-network/merod:edge

Network Security

Basic network security practices for Merobox:

Port Management

# Check which ports are in use
netstat -tulpn | grep -E "(2428|2528)"

# Use different ports if conflicts exist
merobox run --base-port 3000 --base-rpc-port 3001

Network Isolation

# Create isolated Docker network
docker network create calimero-isolated

# Run nodes on isolated network
docker run --network calimero-isolated ghcr.io/calimero-network/merod:edge

Secrets Management

Basic secrets management for Merobox:

Environment Variables

# Use environment variables for sensitive data (if supported)
export API_KEY="your-api-key"
export SECRET_KEY="your-secret-key"

# Pass to Merobox (if supported)
merobox run --count 1

File-based Secrets

# Store secrets in files with proper permissions
echo "your-secret" > secret.txt
chmod 600 secret.txt

# Mount secrets as volumes
docker run -v $(pwd)/secret.txt:/app/secret.txt ghcr.io/calimero-network/merod:edge

Authentication

Basic authentication practices for Merobox:

Auth Service Integration

# Enable authentication service
merobox run --auth-service

# Access nodes through auth service
# Node URLs will be available at: http://node-name.127.0.0.1.nip.io

Basic Access Control

# Use different node prefixes for different users
merobox run --prefix user1-nodes
merobox run --prefix user2-nodes

# Stop nodes when not needed
merobox stop --all

Basic Security Best Practices

1. Use Non-Root Users

# Run containers as non-root user
docker run --user 1000:1000 ghcr.io/calimero-network/merod:edge

2. Read-Only Filesystems

# Use read-only filesystem when possible
docker run --read-only ghcr.io/calimero-network/merod:edge

3. Drop Unnecessary Capabilities

# Drop all capabilities and add only what's needed
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ghcr.io/calimero-network/merod:edge

4. Resource Limits

# Set memory and CPU limits
docker run --memory=1g --cpus=0.5 ghcr.io/calimero-network/merod:edge

Troubleshooting Security Issues

Common Security Issues

# Check container security settings
docker inspect calimero-node-1 | jq '.[0].HostConfig.SecurityOpt'

# Check user permissions
docker exec calimero-node-1 id

# Check file permissions
docker exec calimero-node-1 ls -la /calimero/

# Check network connectivity
docker exec calimero-node-1 netstat -tulpn

Security Debugging

# Enable security debugging
export RUST_LOG=debug

# Check security logs
docker logs calimero-node-1 | grep -i security

# Test authentication
curl -H "Authorization: Bearer <token>" http://localhost:2528/health

Security Best Practices

General Security

  1. Principle of Least Privilege: Grant minimum necessary permissions
  2. Regular Updates: Keep all components updated
  3. Monitoring: Monitor for security events
  4. Documentation: Document security procedures

Container Security

  1. Non-root Users: Run containers as non-root users
  2. Read-only Filesystems: Use read-only filesystems where possible
  3. Capability Dropping: Drop unnecessary capabilities
  4. Resource Limits: Set appropriate resource limits

Network Security

  1. Port Management: Use appropriate ports and check for conflicts
  2. Network Isolation: Use isolated Docker networks
  3. Access Control: Control network access appropriately

Data Protection

  1. Environment Variables: Use environment variables for sensitive data
  2. File Permissions: Set proper file permissions for secrets
  3. Cleanup: Clean up sensitive data when done

Next Steps

Now that you understand basic security configuration:

Was this page helpful?
Need some help? Check Support page