Skip to main content

FREQUENTLY ASKED QUESTIONS

GuardRails Data Transmission Policy

A GuardRails installation connects to a Replicated-hosted endpoint periodically to perform various tasks including checking for updates and syncing the installed license properties. During this time, some data is transmitted from an installed instance to the Replicated API.

This data is limited to:

  • The IP address of the primary Replicated instance.
  • The ID of the installation.
  • The state of the installation (running, stopped, etc).
  • The current version of the installation.
  • The current version of the Replicated components.
  • This data is required to provide the expected update and license services. No additional data is collected and transmitted by default from the instance to external servers.

Domains Required by GuardRails

Below is a list of domains that GuardRails will communicate with in non-airgap mode. All connections are made over TLS.

  • get.replicated.com
  • api.replicated.com
  • registry.replicated.com
  • registry-data.replicated.com
  • quay.io

The link to a repository hosting the IPs for all domains that Replicated controls, can be found here.

It is recommended to allow all outbound connections to port 443.

Passwords

All passwords persisted by Replicated are stored as bcrypt hashes with a cost parameter of 10, with the exception of configuration item passwords which must be stored in a reversible manner. In this case, Replicated uses AES-GCM encryption with a per-installation 192-bit encryption key generated at install time. This encryption key is stored solely on the disk of the system on which it was generated.

Managing Hard-Disk Space

There are 3 areas that have to be managed:

  1. Docker images not being deleted: Could be done with a cronjob for docker image prune.
  2. Docker container logs not being logrotated: Especially when an increased log level is configured, it's important to ensure that log-rotation is configured.
  3. Embedded Database is configured: GuardRails can run with an embedded db, which is not recommended for production use.

Finally, it is suggested to have a proper partitioning to avoid root partition to fill up. It's recommended to keep a data partition that is separate to the root volume.

Last updated on by Stefan Streichsbier