Security Configuration
This guide covers basic security configuration for Merobox deployments and best practices for secure usage.
Basic Security Settings
Merobox provides basic security configuration through environment variables and Docker settings:
Environment Variables
# Basic security environment variables
export RUST_LOG="info"
export DOCKER_HOST="unix:///var/run/docker.sock"
Docker Security
Basic Docker security practices for Merobox:
# Run containers as non-root user when possible
docker run --user 1000:1000 ghcr.io/calimero-network/merod:edge
# Use read-only filesystem for additional security
docker run --read-only ghcr.io/calimero-network/merod:edge
# Drop unnecessary capabilities
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ghcr.io/calimero-network/merod:edge
Network Security
Basic network security practices for Merobox:
Port Management
# Check which ports are in use
netstat -tulpn | grep -E "(2428|2528)"
# Use different ports if conflicts exist
merobox run --base-port 3000 --base-rpc-port 3001
Network Isolation
# Create isolated Docker network
docker network create calimero-isolated
# Run nodes on isolated network
docker run --network calimero-isolated ghcr.io/calimero-network/merod:edge
Secrets Management
Basic secrets management for Merobox:
Environment Variables
# Use environment variables for sensitive data (if supported)
export API_KEY="your-api-key"
export SECRET_KEY="your-secret-key"
# Pass to Merobox (if supported)
merobox run --count 1
File-based Secrets
# Store secrets in files with proper permissions
echo "your-secret" > secret.txt
chmod 600 secret.txt
# Mount secrets as volumes
docker run -v $(pwd)/secret.txt:/app/secret.txt ghcr.io/calimero-network/merod:edge
Authentication
Basic authentication practices for Merobox:
Auth Service Integration
# Enable authentication service
merobox run --auth-service
# Access nodes through auth service
# Node URLs will be available at: http://node-name.127.0.0.1.nip.io
Basic Access Control
# Use different node prefixes for different users
merobox run --prefix user1-nodes
merobox run --prefix user2-nodes
# Stop nodes when not needed
merobox stop --all
Basic Security Best Practices
1. Use Non-Root Users
# Run containers as non-root user
docker run --user 1000:1000 ghcr.io/calimero-network/merod:edge
2. Read-Only Filesystems
# Use read-only filesystem when possible
docker run --read-only ghcr.io/calimero-network/merod:edge
3. Drop Unnecessary Capabilities
# Drop all capabilities and add only what's needed
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ghcr.io/calimero-network/merod:edge
4. Resource Limits
# Set memory and CPU limits
docker run --memory=1g --cpus=0.5 ghcr.io/calimero-network/merod:edge
Troubleshooting Security Issues
Common Security Issues
# Check container security settings
docker inspect calimero-node-1 | jq '.[0].HostConfig.SecurityOpt'
# Check user permissions
docker exec calimero-node-1 id
# Check file permissions
docker exec calimero-node-1 ls -la /calimero/
# Check network connectivity
docker exec calimero-node-1 netstat -tulpn
Security Debugging
# Enable security debugging
export RUST_LOG=debug
# Check security logs
docker logs calimero-node-1 | grep -i security
# Test authentication
curl -H "Authorization: Bearer <token>" http://localhost:2528/health
Security Best Practices
General Security
- Principle of Least Privilege: Grant minimum necessary permissions
- Regular Updates: Keep all components updated
- Monitoring: Monitor for security events
- Documentation: Document security procedures
Container Security
- Non-root Users: Run containers as non-root users
- Read-only Filesystems: Use read-only filesystems where possible
- Capability Dropping: Drop unnecessary capabilities
- Resource Limits: Set appropriate resource limits
Network Security
- Port Management: Use appropriate ports and check for conflicts
- Network Isolation: Use isolated Docker networks
- Access Control: Control network access appropriately
Data Protection
- Environment Variables: Use environment variables for sensitive data
- File Permissions: Set proper file permissions for secrets
- Cleanup: Clean up sensitive data when done
Next Steps
Now that you understand basic security configuration:
- Node Management - Complete node management guide
- Workflows - Workflow system and automation
- Environment Variables - Configuration options
- Troubleshooting - Common issues and solutions
Was this page helpful?