diff --git a/deploy-cluster-aws/awsdeploy.sh b/deploy-cluster-aws/awsdeploy.sh
index 07a2585e..caed6c9c 100755
--- a/deploy-cluster-aws/awsdeploy.sh
+++ b/deploy-cluster-aws/awsdeploy.sh
@@ -48,6 +48,7 @@ if [ "$USING_EBS" = True ]; then
 echo "EBS_VOLUME_SIZE = "$EBS_VOLUME_SIZE
 echo "EBS_OPTIMIZED = "$EBS_OPTIMIZED
 fi
+echo "BIND_HTTP_TO_LOCALHOST = "$BIND_HTTP_TO_LOCALHOST
 
 # Check for the SSH private key file
 if [ ! -f "$HOME/.ssh/$SSH_KEY_NAME" ]; then
@@ -116,7 +117,7 @@ fab upgrade_setuptools
 
 if [ "$WHAT_TO_DEPLOY" == "servers" ]; then
 # (Re)create the RethinkDB configuration file conf/rethinkdb.conf
-python create_rethinkdb_conf.py
+python create_rethinkdb_conf.py --bind-http-to-localhost $BIND_HTTP_TO_LOCALHOST
 # Rollout RethinkDB and start it
 fab prep_rethinkdb_storage:$USING_EBS
 fab install_rethinkdb
diff --git a/deploy-cluster-aws/create_rethinkdb_conf.py b/deploy-cluster-aws/create_rethinkdb_conf.py
index 4a11b462..9f0c6889 100644
--- a/deploy-cluster-aws/create_rethinkdb_conf.py
+++ b/deploy-cluster-aws/create_rethinkdb_conf.py
@@ -8,8 +8,19 @@ from __future__ import unicode_literals
 import os
 import os.path
 import shutil
+import argparse
 from hostlist import public_dns_names
 
+# Parse the command-line arguments
+parser = argparse.ArgumentParser()
+parser.add_argument("--bind-http-to-localhost",
+help="should RethinkDB web interface be bound to localhost?",
+required=True)
+args = parser.parse_args()
+bind_http_to_localhost = args.bind_http_to_localhost
+
+print('bind_http_to_localhost = {}'.format(bind_http_to_localhost))
+
 # cwd = current working directory
 old_cwd = os.getcwd()
 os.chdir('conf')
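Review bot: `--bind-http-to-localhost` is added without a `type=` or `choices=`, so argparse hands back the shell's `True`/`False` as a non-empty string, and the `if bind_http_to_localhost:` guard added in this file's next hunk (the rethinkdb.conf writer) is true for both spellings; with `BIND_HTTP_TO_LOCALHOST=False` the generated config still gets `bind-http=127.0.0.1`, while the `print` line on the new side reports `False`. Convert at the parse site so the deployed value matches the setting and a misspelling is rejected instead of being silently treated as true: `parser.add_argument("--bind-http-to-localhost", choices=["True", "False"], required=True, help=...)` followed by `bind_http_to_localhost = args.bind_http_to_localhost == "True"`. The outcome today is at least fail-closed (the web interface stays on loopback), but the operator's choice is not honoured, and the same string-versus-bool mismatch is what the unquoted `$BIND_HTTP_TO_LOCALHOST` passed from awsdeploy.sh relies on.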
@@ -24,6 +35,10 @@ with open('rethinkdb.conf', 'a') as f:
 f.write('## The host:port of a node that RethinkDB will connect to\n')
 for public_dns_name in public_dns_names:
 f.write('join=' + public_dns_name + ':29015\n')
+if bind_http_to_localhost:
+f.write('## Bind the web interface port to localhost\n')
+# 127.0.0.1 is the usual IP address for localhost
+f.write('bind-http=127.0.0.1\n')
 
 os.chdir(old_cwd)
 
diff --git a/deploy-cluster-aws/example_deploy_conf.py b/deploy-cluster-aws/example_deploy_conf.py
index 5de1b0f5..81eef50c 100644
--- a/deploy-cluster-aws/example_deploy_conf.py
+++ b/deploy-cluster-aws/example_deploy_conf.py
@@ -74,3 +74,8 @@ EBS_VOLUME_SIZE=30
 # Setting EBS_OPTIMIZED=True may cost more, but not always.
 # If USING_EBS=False, EBS_OPTIMIZED is irrelevant and not used
 EBS_OPTIMIZED=False
+
+# BIND_HTTP_TO_LOCALHOST is True or False, depending on whether
+# you want the RethinkDB web interface port to be bound to localhost
+# (which is more secure). See https://www.rethinkdb.com/docs/security/
+BIND_HTTP_TO_LOCALHOST=False
\ No newline at end of file
diff --git a/deploy-cluster-aws/launch_ec2_nodes.py b/deploy-cluster-aws/launch_ec2_nodes.py
index 230ddc16..09d05043 100644
--- a/deploy-cluster-aws/launch_ec2_nodes.py
+++ b/deploy-cluster-aws/launch_ec2_nodes.py
@@ -28,7 +28,7 @@ from awscommon import get_naeips
 
 SETTINGS = ['NUM_NODES', 'BRANCH', 'WHAT_TO_DEPLOY', 'SSH_KEY_NAME',
 'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'SECURITY_GROUP',
-'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
+'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED', 'BIND_HTTP_TO_LOCALHOST']
 
 
 class SettingsTypeError(TypeError):
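Review bot: The new default `BIND_HTTP_TO_LOCALHOST=False` ships the example with the web interface bound however the rest of rethinkdb.conf.template binds it (not visible here; presumably all interfaces, since the nodes join each other by public DNS name), even though the comment directly above calls the localhost binding the more secure option. Because this file is what users copy verbatim, and the docs hunk below repeats the same value, the safer default is `BIND_HTTP_TO_LOCALHOST=True`, with the comment stating that the interface is then reachable only from the node itself (for example through an SSH port forward). If `False` is kept as the default, the comment should at least say that the interface is then exposed to whatever the security group allows. The added line also lacks a trailing newline (`\ No newline at end of file`).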
@@ -104,6 +104,10 @@ if not isinstance(EBS_VOLUME_SIZE, int):
 if not isinstance(EBS_OPTIMIZED, bool):
 raise SettingsTypeError('EBS_OPTIMIZED should be a boolean (True or False)')
 
+if not isinstance(BIND_HTTP_TO_LOCALHOST, bool):
+raise SettingsTypeError('BIND_HTTP_TO_LOCALHOST should be a boolean '
+'(True or False)')
+
 if NUM_NODES > 64:
 raise ValueError('NUM_NODES should be less than or equal to 64. '
 'The AWS deployment configuration file sets it to {}'.
diff --git a/docs/source/clusters-feds/aws-testing-cluster.md b/docs/source/clusters-feds/aws-testing-cluster.md
index 16fe27d2..d587483e 100644
--- a/docs/source/clusters-feds/aws-testing-cluster.md
+++ b/docs/source/clusters-feds/aws-testing-cluster.md
@@ -132,6 +132,7 @@ SECURITY_GROUP="bigchaindb"
 USING_EBS=True
 EBS_VOLUME_SIZE=30
 EBS_OPTIMIZED=False
+BIND_HTTP_TO_LOCALHOST=False
 ```
 
 Make a copy of that file and call it whatever you like (e.g. `cp example_deploy_conf.py my_deploy_conf.py`). You can leave most of the settings at their default values, but you must change the value of `SSH_KEY_NAME` to the name of your private SSH key. You can do that with a text editor. Set `SSH_KEY_NAME` to the name you used for `` when you generated an RSA key pair for SSH (in basic AWS setup).