"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "Documentation/op-guide/security.md" between
etcd-3.4.12.tar.gz and etcd-3.4.13.tar.gz

About: etcd is a distributed reliable key-value store for the most critical data of a distributed system (written in "Go").

security.md  (etcd-3.4.12):security.md  (etcd-3.4.13)
skipping to change at line 433 skipping to change at line 433
### With peer certificate authentication I receive "certificate is valid for 127 .0.0.1, not $MY_IP" ### With peer certificate authentication I receive "certificate is valid for 127 .0.0.1, not $MY_IP"
Make sure to sign the certificates with a Subject Name the member's public IP ad dress. The `etcd-ca` tool for example provides an `--ip=` option for its `new-ce rt` command. Make sure to sign the certificates with a Subject Name the member's public IP ad dress. The `etcd-ca` tool for example provides an `--ip=` option for its `new-ce rt` command.
The certificate needs to be signed for the member's FQDN in its Subject Name, us e Subject Alternative Names (short IP SANs) to add the IP address. The `etcd-ca` tool provides `--domain=` option for its `new-cert` command, and openssl can ma ke [it][alt-name] too. The certificate needs to be signed for the member's FQDN in its Subject Name, us e Subject Alternative Names (short IP SANs) to add the IP address. The `etcd-ca` tool provides `--domain=` option for its `new-cert` command, and openssl can ma ke [it][alt-name] too.
### Does etcd encrypt data stored on disk drives? ### Does etcd encrypt data stored on disk drives?
No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to encrypt data stored on etcd, there are some options: No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to encrypt data stored on etcd, there are some options:
* Let client applications encrypt and decrypt the data * Let client applications encrypt and decrypt the data
* Use a feature of underlying storage systems for encrypting stored data like [d m-crypt] * Use a feature of underlying storage systems for encrypting stored data like [d m-crypt]
### I’m seeing a log warning that "directory X exist without recommended permiss
ion -rwx------"
When etcd create certain new directories it sets file permission to 700 to preve
nt unprivileged access as possible. However, if user has already created a direc
tory with own preference, etcd uses the existing directory and logs a warning me
ssage if the permission is different than 700.
[cfssl]: https://github.com/cloudflare/cfssl [cfssl]: https://github.com/cloudflare/cfssl
[tls-setup]: ../../hack/tls-setup [tls-setup]: ../../hack/tls-setup
[tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed- certificates.md [tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed- certificates.md
[alt-name]: http://wiki.cacert.org/FAQ/subjectAltName [alt-name]: http://wiki.cacert.org/FAQ/subjectAltName
[auth]: authentication.md [auth]: authentication.md
[dm-crypt]: https://en.wikipedia.org/wiki/Dm-crypt [dm-crypt]: https://en.wikipedia.org/wiki/Dm-crypt
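Review bot: The added FAQ entry explains why the warning appears but gives the operator no remedy, and "certain new directories" does not say which directories are affected. Since the paragraph says etcd "uses the existing directory and logs a warning message", it should state explicitly whether the existing mode is left unchanged, name the directories concerned, and tell the reader to tighten the directory to 700 if they want the protection the first sentence describes. The wording also needs a pass: "When etcd create" should be "creates", "to prevent unprivileged access as possible" reads better as "as far as possible", and "if user has already created a directory with own preference" is missing articles (for example "if a user has already created the directory with different permissions"). The new heading uses a typographic apostrophe in "I’m", while the surrounding text uses the ASCII one (as in "doesn't"), and "directory X exist" should be checked against the exact log string so that readers searching for the message can find this entry.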
 End of changes. 1 change blocks. 
0 lines changed or deleted 7 lines changed or added
