Version: Next

Security Configuration

This guide covers basic security configuration for Merobox deployments and best practices for secure usage.

Basic Security Settings

Merobox provides basic security configuration through environment variables and Docker settings:

Environment Variables

# Basic security environment variables
export RUST_LOG="info"
export DOCKER_HOST="unix:///var/run/docker.sock"

Docker Security

Basic Docker security practices for Merobox:

# Run containers as non-root user when possible
docker run --user 1000:1000 ghcr.io/calimero-network/merod:edge

# Use read-only filesystem for additional security
docker run --read-only ghcr.io/calimero-network/merod:edge

# Drop unnecessary capabilities
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ghcr.io/calimero-network/merod:edge

Network Security

Basic network security practices for Merobox:

Port Management

# Check which ports are in use
netstat -tulpn | grep -E "(2428|2528)"

# Use different ports if conflicts exist
merobox run --base-port 3000 --base-rpc-port 3001

Network Isolation

# Create isolated Docker network
docker network create calimero-isolated

# Run nodes on isolated network
docker run --network calimero-isolated ghcr.io/calimero-network/merod:edge

Secrets Management

Basic secrets management for Merobox:

Environment Variables

# Use environment variables for sensitive data (if supported)
export API_KEY="your-api-key"
export SECRET_KEY="your-secret-key"

# Pass to Merobox (if supported)
merobox run --count 1

File-based Secrets

# Store secrets in files with proper permissions
echo "your-secret" > secret.txt
chmod 600 secret.txt

# Mount secrets as volumes
docker run -v $(pwd)/secret.txt:/app/secret.txt ghcr.io/calimero-network/merod:edge

Authentication

Basic authentication practices for Merobox:

Auth Service Integration

# Enable authentication service
merobox run --auth-service

# Access nodes through auth service
# Node URLs will be available at: http://node-name.127.0.0.1.nip.io

Basic Access Control

# Use different node prefixes for different users
merobox run --prefix user1-nodes
merobox run --prefix user2-nodes

# Stop nodes when not needed
merobox stop --all

Basic Security Best Practices

1. Use Non-Root Users

# Run containers as non-root user
docker run --user 1000:1000 ghcr.io/calimero-network/merod:edge

2. Read-Only Filesystems

# Use read-only filesystem when possible
docker run --read-only ghcr.io/calimero-network/merod:edge

3. Drop Unnecessary Capabilities

# Drop all capabilities and add only what's needed
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ghcr.io/calimero-network/merod:edge

4. Resource Limits

# Set memory and CPU limits
docker run --memory=1g --cpus=0.5 ghcr.io/calimero-network/merod:edge

Troubleshooting Security Issues

Common Security Issues

# Check container security settings
docker inspect calimero-node-1 | jq '.[0].HostConfig.SecurityOpt'

# Check user permissions
docker exec calimero-node-1 id

# Check file permissions
docker exec calimero-node-1 ls -la /calimero/

# Check network connectivity
docker exec calimero-node-1 netstat -tulpn

Security Debugging

# Enable security debugging
export RUST_LOG=debug

# Check security logs
docker logs calimero-node-1 | grep -i security

# Test authentication
curl -H "Authorization: Bearer <token>" http://localhost:2528/health

Security Best Practices

General Security

Principle of Least Privilege: Grant minimum necessary permissions
Regular Updates: Keep all components updated
Monitoring: Monitor for security events
Documentation: Document security procedures

Container Security

Non-root Users: Run containers as non-root users
Read-only Filesystems: Use read-only filesystems where possible
Capability Dropping: Drop unnecessary capabilities
Resource Limits: Set appropriate resource limits

Network Security

Port Management: Use appropriate ports and check for conflicts
Network Isolation: Use isolated Docker networks
Access Control: Control network access appropriately

Data Protection

Environment Variables: Use environment variables for sensitive data
File Permissions: Set proper file permissions for secrets
Cleanup: Clean up sensitive data when done

Next Steps

Now that you understand basic security configuration:

Node Management - Complete node management guide
Workflows - Workflow system and automation
Environment Variables - Configuration options
Troubleshooting - Common issues and solutions

Was this page helpful?

Need some help? Check Support page

Basic Security Settings​

Environment Variables​

Docker Security​

Network Security​

Port Management​

Network Isolation​

Secrets Management​

Environment Variables​

File-based Secrets​

Authentication​

Auth Service Integration​

Basic Access Control​

Basic Security Best Practices​

1. Use Non-Root Users​

2. Read-Only Filesystems​

3. Drop Unnecessary Capabilities​

4. Resource Limits​

Troubleshooting Security Issues​

Common Security Issues​

Security Debugging​

Security Best Practices​

General Security​

Container Security​

Network Security​

Data Protection​

Next Steps​

Basic Security Settings

Environment Variables

Docker Security

Network Security

Port Management

Network Isolation

Secrets Management

Environment Variables

File-based Secrets

Authentication

Auth Service Integration

Basic Access Control

Basic Security Best Practices

1. Use Non-Root Users

2. Read-Only Filesystems

3. Drop Unnecessary Capabilities

4. Resource Limits

Troubleshooting Security Issues

Common Security Issues

Security Debugging

Security Best Practices

General Security

Container Security

Network Security

Data Protection

Next Steps