Securing CockroachDB in docker-compose setup

I am using the simple two-container setup for Nakama and CockroachDB and I want to secure the database.

My docker-compose now looks like this:

version: '3'
services:
  cockroachdb:
    container_name: cockroachdb
    image: cockroachdb/cockroach:v20.2.0
    command: start-single-node --certs-dir=/certs --store=attrs=ssd,path=/var/lib/cockroach/
    restart: "no"
    volumes:
      - ./certs:/certs
      - ./data:/var/lib/cockroach
    expose:
      - "8080"
      - "26257"
    ports:
      - "26257:26257"
      - "8080:8080"
  nakama:
    container_name: nakama
    image: heroiclabs/nakama:latest
    entrypoint:
      - "/bin/sh"
      - "-ecx"
      - >
          /nakama/nakama migrate up --database.address "root@cockroachdb:26257?sslrootcert=/certs/ca.crt&sslcert=/certs/node.crt&sslkey=/certs/node.key&sslmode=require" &&
          exec /nakama/nakama --config /nakama/data/config.yml
    restart: "no"
    links:
      - "cockroachdb:db"
    depends_on:
      - cockroachdb
    volumes:
      - ./certs:/certs
      - ./nakama/data:/nakama/data # Edit this line
    expose:
      - "7349"
      - "7350"
      - "7351"
    ports:
      - "7349:7349"
      - "7350:7350"
      - "7351:7351"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7350/"]
      interval: 10s
      timeout: 5s
      retries: 5
volumes:
  data:

My startup log looks like this; note the connection error at the end.

nakama         | {"level":"info","ts":"2021-01-20T13:08:50.309Z","caller":"migrate/migrate.go:139","msg":"Database connection","dsn":"postgresql://root@cockroachdb:26257?sslrootcert=/certs/ca.crt&sslcert=/certs/node.crt&sslkey=/certs/node.key&sslmode=require"}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.420Z","caller":"migrate/migrate.go:154","msg":"Database information","version":"CockroachDB CCL v20.2.0 (x86_64-unknown-linux-gnu, built 2020/11/09 16:01:45, go1.13.14)"}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.422Z","caller":"migrate/migrate.go:158","msg":"Using existing database","name":"nakama"}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.517Z","caller":"migrate/migrate.go:192","msg":"Successfully applied migration","count":0}
nakama         | + exec /nakama/nakama --config /nakama/data/config.yml
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.551Z","caller":"server/config.go:87","msg":"Successfully loaded config file","path":"/nakama/data/config.yml"}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.554Z","caller":"main.go:104","msg":"Nakama starting"}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.555Z","caller":"main.go:105","msg":"Node","name":"nakama","version":"3.0.0+baf67c9c","runtime":"go1.15.6","cpu":2,"proc":2}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.555Z","caller":"main.go:106","msg":"Data directory","path":"/nakama/data"}
nakama         | {"level":"info","ts":"2021-01-20T13:08:50.556Z","caller":"main.go:117","msg":"Database connections","dsns":["root@cockroachdb:26257"]}
nakama         | {"level":"fatal","ts":"2021-01-20T13:08:50.559Z","caller":"main.go:257","msg":"Error pinging database","error":"ERROR: node is running secure mode, SSL connection required (SQLSTATE 08P01)"}

@DaveOak Per your docker-compose.yml file you’ve passed the new database connection string to the nakama migrate up command, but not the nakama startup itself.

/nakama/nakama migrate up --database.address "root@cockroachdb:26257?sslrootcert=/certs/ca.crt&sslcert=/certs/node.crt&sslkey=/certs/node.key&sslmode=require" &&
exec /nakama/nakama --config /nakama/data/config.yml

The entrypoint is actually a small shell snippet that runs migrations first, then starts the server. This is to ensure a one-step startup by checking if the database schema is in sync before the server starts. However, it also means that the 2 commands each have their own arguments.

The migration step ran fine, so I assume your updated DB connection string is good. Update the config.yml file you pass to Nakama, or just change your entrypoint lines above to this:

/nakama/nakama migrate up --database.address "root@cockroachdb:26257?sslrootcert=/certs/ca.crt&sslcert=/certs/node.crt&sslkey=/certs/node.key&sslmode=require" &&
exec /nakama/nakama --config /nakama/data/config.yml --database.address "root@cockroachdb:26257?sslrootcert=/certs/ca.crt&sslcert=/certs/node.crt&sslkey=/certs/node.key&sslmode=require"

Edit: also worth noting it’s not that important to run the DB in secure mode when running in docker-compose like this. You should only ever expose Nakama, so the DB will never be reachable from the outside at all.

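The fix above repeats the full connection string on both lines of the entrypoint, which is easy to get out of sync (the original problem was exactly that only one of the two commands had it). The script below is an added example, not code from the thread or from the Nakama project: it builds the DSN once, refuses to start if the DSN does not force TLS or if a certificate file is missing, and then hands the same value to both `migrate up` and the server. The user, host, port and the `/certs/ca.crt`, `node.crt`, `node.key` file names mirror the thread; the `CERTS_DIR`/`DB_*` environment variable names and the `verify-full` default (which, unlike `require`, also checks the server's hostname against its certificate) are assumptions. One caveat on the note that the database is "never reachable from the outside": that holds for the compose network, but the compose file in the question also lists 26257 and 8080 under `ports:`, which publishes them on the host; keeping only `expose:` for CockroachDB is what makes the database unreachable from outside.

```shell
#!/bin/sh
# Added example, not from the thread or the Nakama project: a replacement for the
# two-line entrypoint that builds the secure CockroachDB DSN once, checks it and
# the certificate files, then passes the same DSN to both "migrate up" and the
# server. User, host, port and the /certs file names mirror the thread; the
# environment variable names and the verify-full default are assumptions.

# Build "user@host:port?sslrootcert=...&sslcert=...&sslkey=...&sslmode=MODE".
# $1 user, $2 host, $3 port, $4 certs dir, $5 sslmode (default verify-full,
# which also checks the server's hostname against its certificate).
build_dsn() {
  printf '%s@%s:%s?sslrootcert=%s/ca.crt&sslcert=%s/node.crt&sslkey=%s/node.key&sslmode=%s' \
    "$1" "$2" "$3" "$4" "$4" "$4" "${5:-verify-full}"
}

# Succeed only when the DSN's sslmode value forces TLS. A DSN with no sslmode,
# or with sslmode=disable, is rejected so the server cannot start in the clear.
dsn_is_secure() {
  dsn_mode="${1##*sslmode=}"      # text after the last "sslmode="
  dsn_mode="${dsn_mode%%&*}"      # cut at the next "&", if any
  case "$dsn_mode" in
    require|verify-ca|verify-full) return 0 ;;
    *) return 1 ;;
  esac
}

# Fail early, with a clear message, if any certificate file is missing or
# unreadable in the mounted certs directory ($1).
check_certs() {
  for cert_file in ca.crt node.crt node.key; do
    if [ ! -r "$1/$cert_file" ]; then
      echo "missing or unreadable certificate file: $1/$cert_file" >&2
      return 1
    fi
  done
  return 0
}

# The entrypoint proper: one DSN value, used by both commands.
run_entrypoint() {
  certs_dir="${CERTS_DIR:-/certs}"
  check_certs "$certs_dir" || return 1
  dsn=$(build_dsn "${DB_USER:-root}" "${DB_HOST:-cockroachdb}" "${DB_PORT:-26257}" \
        "$certs_dir" "${DB_SSLMODE:-verify-full}")
  if ! dsn_is_secure "$dsn"; then
    echo "refusing to start: DSN does not require TLS" >&2
    return 1
  fi
  /nakama/nakama migrate up --database.address "$dsn" || return 1
  exec /nakama/nakama --config /nakama/data/config.yml --database.address "$dsn"
}

# Only run the entrypoint inside the Nakama image; elsewhere the functions
# above stay available for testing.
if [ -x /nakama/nakama ]; then
  run_entrypoint
fi
```

To use it, mount the script into the container (for example alongside `config.yml`) and set `entrypoint: ["/bin/sh", "/nakama/data/entrypoint.sh"]` in place of the inline `-ecx` snippet; `DB_SSLMODE=require` reproduces the thread's exact DSN if the node certificate does not carry the `cockroachdb` hostname.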

Hi @zyro, thanks for the reply - I thought I had deleted this post as I realised my mistake. I have updated my config.yml and it works fine, thanks.

Your final note is very useful, thanks again.

I was also looking to secure cockroach because of the message on startup:

  • WARNING: ALL SECURITY CONTROLS HAVE BEEN DISABLED!
  • This mode is intended for non-production testing only.
  • In this mode:
    • Your cluster is open to any client that can access any of your IP addresses.
    • Intruders with access to your machine or network can observe client-server traffic.
    • Intruders can log in without password and read or write any data in the cluster.
    • Intruders can consume all your server’s resources and cause unavailability.

I was wondering whether this is actually the case, so confirming it’s not is a time saver for me.