From 1297401a94915bc58bd4ba3213718bdd30006fd9 Mon Sep 17 00:00:00 2001 From: Alexander Tobi Fashakin Date: Mon, 18 Mar 2024 12:20:07 +0100 Subject: [PATCH 1/3] Add blog post for openziti --- ...18-run-ferretdb-securely-using-openziti.md | 169 ++++++++++++++++++ website/static/img/blog/ferretdb-openziti.jpg | 3 + 2 files changed, 172 insertions(+) create mode 100644 website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md create mode 100644 website/static/img/blog/ferretdb-openziti.jpg diff --git a/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md b/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md new file mode 100644 index 000000000000..68391d85061d --- /dev/null +++ b/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md 
@@ -0,0 +1,169 @@ +--- +slug: run-ferretdb-securely-using-openziti +title: 'Run FerretDB Securely Using OpenZiti' +authors: [alex] +description: > + This guide will walk you through setting up FerretDB securely using OpenZiti. +image: /img/blog/ferretdb-openziti.jpg +tags: [tutorial, community, postgresql tools, open source] +--- + +![Run FerretDB ](/img/blog/ferretdb-openziti.jpg) + +Securing your database is more critical than ever. +[FerretDB](https://www.ferretdb.com/), a truly open source document database with [PostgreSQL](https://www.postgresql.org/) as the backend, offers an excellent solution for developers looking for MongoDB-like experiences with the robustness of PostgreSQL. + + + +[OpenZiti](https://openziti.io/) is an open-source networking solution that offers zero-trust networking priciples directly to your application. + +With OpenZiti, you can secure your FerretDB instances and connections, providing a zero-trust networking layer on top of it. + +This guide will walk you through setting up FerretDB securely using OpenZiti. + +## Prerequisites + +Before we dive into the setup, ensure you have [Docker](https://www.docker.com/) installed on your system. + +## Guide on setting up FerretDB with OpenZiti + +### Setting Up the Environment + +The [cheatsheet guide provided by OpenZiti](https://github.com/openziti/ziti-sdk-jvm/blob/main/samples/jdbc-postgres/cheatsheet.md) outlines steps for creating Ziti services, enrolling identities, and configuring policies for secure, zero-trust access to your database. + +Run the following commands in your terminal: + +```sh +curl -s https://get.openziti.io/dock/simplified-docker-compose.yml > docker-compose.yml +curl -s https://get.openziti.io/dock/.env > .env +``` + +These commands will fetch the Docker Compose file and the default environment file required for OpenZiti setup. 
+ +Next, modify the docker compose file and add Postgres with a known user/password and FerretDB should connect to the Postgres database using the `FERRETDB_POSTGRES_URI`, as shown below. + +```yaml +postgres-db: + image: postgres + #ports: + # - 5432:5432 + networks: + - ziti + volumes: + - ./data/db:/var/lib/postgresql/data + environment: + - POSTGRES_DB=ferretdb + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=postgres + +ferretdb: + image: ghcr.io/ferretdb/ferretdb + restart: on-failure + networks: + - ziti + environment: + - FERRETDB_POSTGRESQL_URL=postgres://postgres-db/ferretdb +``` + +This setup provides a secure, isolated network for your FerretDB instance and Postgres database, ensuring that your database is not exposed to the internet. + +### Docker Compose Configuration + +The Docker Compose file outlines the setup for running FerretDB with OpenZiti, including services for the Ziti Controller, Edge Router, Ziti Console, PostgreSQL database, and FerretDB itself. + +Let's break down the key components: + +- Ziti Controller: Manages the Ziti network, identities, and policies. +- Ziti Edge Router: Handles encrypted traffic between Ziti clients and services. +- Ziti Console: Provides a web interface for managing the Ziti network. + +FerretDB connects to PostgreSQL and is configured to run within the same Ziti network. + +### Initialize Docker Environment + +Using the project name 'pg' for Postgres, start the Docker Compose environment: + +```sh +docker compose -p pg up +``` + +This command sets up several services, including `ziti-controller`, `ziti-edge-router`, `ziti-console`, `postgres-db`, and `ferretdb`, as specified in the Docker Compose YAML. + +Run `docker ps` to show that Postgres and FerretDB are not exposed (`5432`/`27017`): + +### Testing your network connection + +To verify the security and functionality of your setup, follow these steps to test network connectivity between the Ziti components and ensure they're correctly configured. 
+ +To begin, access the running Ziti Controller container using the following command: + +```sh +docker exec -it pg-ziti-controller-1 bash +``` + +This should take you into the Ziti CLI. +Authenticate using the `zitiLogin` alias: + +```sh +zitiLogin +``` + +Test edge routers online: + +Verify that all edge routers are online and properly registered with the Ziti Controller: + +```sh +ziti edge list edge-routers +``` + +You should see your ziti-edge-router listed and marked as ONLINE. + +Test edge router identities: + +Each edge router should have an associated identity within the Ziti network. +Check these identities: + +```sh +ziti edge list identities +``` + +This command lists all registered identities, including those for your routers. + +Test network connectivity: + +Let's ensure the Ziti Controller and a Ziti Edge Router can communicate over the network. + +Use ping from within the controller container to verify connectivity to the `ziti-edge-router`: + +```sh +$ ping ziti-edge-router -c 1 +PING ziti-edge-router (172.26.0.6): 56 data bytes +64 bytes from 172.26.0.6: icmp_seq=0 ttl=64 time=0.562 ms +--- ziti-edge-router ping statistics --- +1 packets transmitted, 1 packets received, 0% packet loss +round-trip min/avg/max/stddev = 0.562/0.562/0.562/0.000 ms +``` + +These tests ensure that your Docker network settings allow for proper communication paths between the Ziti Controller and the Ziti Edge Router, ensuring that your FerretDB setup with OpenZiti operates more efficiently and securely. + +### Connecting to FerretDB + +Once your services are up and running, you can connect to FerretDB using the MongoDB shell (`mongosh`) over the secure network established by OpenZiti. + +```sh +docker run -it --rm --network pg_ziti mongo mongosh "mongodb://postgres:postgres@pg-ferretdb-1:27017/ferretdb?authMechanism=PLAIN" +``` + +This should spin up a temporary MongoDB container to use `mongosh` to connect to your FerretDB instance. 
+ +## Securing Your FerretDB Setup with OpenZiti + +OpenZiti secures FerretDB by establishing a zero-trust network, and minimizing the attack surface. +It encrypts data end-to-end, prevents eavesdropping and tampering, closes all inbound firewall ports, and ensures seamless connectivity without exposing FerretDB to the internet. + +Now that you understand how to secure FerretDB with OpenZiti, be sure to try it out in your project and let us know how it goes. +And if you have any questions, please [reach out to us on any of our channels](https://docs.ferretdb.io/#community). + +[Learn more about FerretDB](https://docs.ferretdb.io/). + +[Learn more about OpenZiti](https://openziti.io/docs/learn/introduction/). diff --git a/website/static/img/blog/ferretdb-openziti.jpg b/website/static/img/blog/ferretdb-openziti.jpg new file mode 100644 index 000000000000..90d32624fdc9 --- /dev/null +++ b/website/static/img/blog/ferretdb-openziti.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72caef426fdd9d2b1759aba808b430ac79704aaff6b3870e2109d8a1e880538e +size 55257 From 9eb3db8f08090c1c18d03757d5121b62967e3d52 Mon Sep 17 00:00:00 2001 From: Alexander Tobi Fashakin Date: Fri, 22 Mar 2024 12:13:58 +0100 Subject: [PATCH 2/3] openziti-blog --- ...18-run-ferretdb-securely-using-openziti.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md b/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md index 68391d85061d..5a8efe6e8d44 100644 --- a/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md +++ b/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md @@ -45,8 +45,6 @@ Next, modify the docker compose file and add Postgres with a known user/password ```yaml postgres-db: image: postgres - #ports: - # - 5432:5432 networks: - ziti volumes: 
@@ -63,6 +61,11 @@ ferretdb: - ziti environment: - FERRETDB_POSTGRESQL_URL=postgres://postgres-db/ferretdb + +mongo: + image: mongo + networks: + - ziti ``` This setup provides a secure, isolated network for your FerretDB instance and Postgres database, ensuring that your database is not exposed to the internet. @@ -78,18 +81,19 @@ Let's break down the key components: - Ziti Console: Provides a web interface for managing the Ziti network. FerretDB connects to PostgreSQL and is configured to run within the same Ziti network. +`mongo` service will be used to connect to FerretDB. ### Initialize Docker Environment -Using the project name 'pg' for Postgres, start the Docker Compose environment: +Start the Docker Compose environment: ```sh -docker compose -p pg up +docker compose up ``` This command sets up several services, including `ziti-controller`, `ziti-edge-router`, `ziti-console`, `postgres-db`, and `ferretdb`, as specified in the Docker Compose YAML. -Run `docker ps` to show that Postgres and FerretDB are not exposed (`5432`/`27017`): +Run `docker compose ps` to show that Postgres and FerretDB are not exposed (`5432`/`27017`): ### Testing your network connection @@ -98,7 +102,7 @@ To verify the security and functionality of your setup, follow these steps to te To begin, access the running Ziti Controller container using the following command: ```sh -docker exec -it pg-ziti-controller-1 bash +docker compose exec ziti-controller bash ``` This should take you into the Ziti CLI. @@ -116,7 +120,7 @@ Verify that all edge routers are online and properly registered with the Ziti Co ziti edge list edge-routers ``` -You should see your ziti-edge-router listed and marked as ONLINE. +You should see your `ziti-edge-router` listed and marked as ONLINE. Test edge router identities: 
@@ -151,7 +155,7 @@ These tests ensure that your Docker network settings allow for proper communicat Once your services are up and running, you can connect to FerretDB using the MongoDB shell (`mongosh`) over the secure network established by OpenZiti. ```sh -docker run -it --rm --network pg_ziti mongo mongosh "mongodb://postgres:postgres@pg-ferretdb-1:27017/ferretdb?authMechanism=PLAIN" +docker compose run mongo mongosh "mongodb://postgres:postgres@ferretdb:27017/ferretdb?authMechanism=PLAIN" ``` This should spin up a temporary MongoDB container to use `mongosh` to connect to your FerretDB instance. From 969c4fec99bad2a254738eb4f0aeb70690c096b2 Mon Sep 17 00:00:00 2001 From: Alexander Tobi Fashakin Date: Fri, 22 Mar 2024 12:15:15 +0100 Subject: [PATCH 3/3] Update date --- ...ziti.md => 2024-03-22-run-ferretdb-securely-using-openziti.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename website/blog/{2024-03-18-run-ferretdb-securely-using-openziti.md => 2024-03-22-run-ferretdb-securely-using-openziti.md} (100%) diff --git a/website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md b/website/blog/2024-03-22-run-ferretdb-securely-using-openziti.md similarity index 100% rename from website/blog/2024-03-18-run-ferretdb-securely-using-openziti.md rename to website/blog/2024-03-22-run-ferretdb-securely-using-openziti.md
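Review bot: In the first hunk (the new blog post), none of the steps create a Ziti service, enrol an identity or define a service policy, although the linked cheatsheet is introduced as covering exactly that. The "Testing your network connection" section only pings `ziti-edge-router` from the controller container, and the `mongosh` command joins the Docker network directly and talks to the FerretDB container on 27017, so what keeps Postgres and FerretDB off the internet here is the absence of published ports on the `ziti` Docker network, not OpenZiti. The closing section then claims OpenZiti "encrypts data end-to-end" and "closes all inbound firewall ports", which no step the reader performed backs up. Either add the service/identity/policy steps and a client that connects through a Ziti tunneler, or reword the closing section to describe what is actually set up. Smaller points in the same hunk: the prose says FerretDB should use `FERRETDB_POSTGRES_URI` while the YAML sets `FERRETDB_POSTGRESQL_URL=postgres://postgres-db/ferretdb`, so make the text match the variable the YAML uses; "priciples" should be "principles"; and the line ending in `not exposed (5432/27017):` is followed by no output, so either paste the expected listing or close the sentence with a full stop.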
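Review bot: In the hunk adding the `mongo` service (`@@ -63,6 +61,11 @@`), the service has no `command` or `entrypoint`, so `docker compose up` will start a full `mongod` server alongside FerretDB even though the service only exists to provide the `mongosh` client for `docker compose run`. Consider putting it under a profile (`profiles: [tools]`, which `docker compose run` enables automatically) or overriding the entrypoint so no server is launched. The `mongo`, `postgres` and `ghcr.io/ferretdb/ferretdb` images are also all untagged, so the guide will change behaviour as `latest` moves; pin the tags.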
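Review bot: In the hunk rewriting the start-up step (`@@ -78,18 +81,19 @@`), `docker compose up` runs in the foreground, so the later `docker compose exec ziti-controller bash` and `docker compose run mongo ...` steps need a second terminal; add `-d` or tell the reader to open another shell. The added sentence is missing an article: "The `mongo` service will be used to connect to FerretDB." The `Run docker compose ps ...:` line still ends in a colon with no output after it.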
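Review bot: In the last hunk of the second patch (`@@ -151,7 +155,7 @@`), `docker compose run mongo mongosh ...` leaves a stopped container behind on every invocation because the `--rm` from the original `docker run` command was dropped; use `docker compose run --rm mongo mongosh "mongodb://postgres:postgres@ferretdb:27017/ferretdb?authMechanism=PLAIN"` so the following sentence about a "temporary MongoDB container" stays true. The `postgres:postgres` credentials in the URI are the ones set in the compose file, which is fine for a tutorial, but it is worth a sentence saying they are placeholders to change.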