Question

Are One-Click Install Apps "safe to use"?

Hello,

I usually spin up new Droplets for services, provision them with a script/manual actions to tighten security, and then manually install applications.

Today, for the first time really, I’ve been looking at the One-Click Install App library and realised this could cut some time out of the provisioning process.

However, while there is information around using the library, I can’t find any firm details or advice regarding security.

A few questions, if anyone can help:

  • Are One-Click Install App images “safe to use” by default?
  • What are the default security settings for these images?
  • Anything in particular to be aware of when using them?
  • Is there any official advice/best practices for provisioning/security, after creating a Droplet from an image?
  • What’s the intended use for these images? Are they meant to be used for production use, without necessarily requiring user modification of the base distribution image, or should they be reserved for quick development/experimentation?

Thank you in advance for any responses.

Show comments

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Ryan Quinn
DigitalOcean Employee
DigitalOcean Employee badge
August 17, 2018
Accepted Answer

Hi. I am the Software Engineer here at DO who maintains our one-click images.

Are One-Click Install App images “safe to use” by default?

Our one-clicks vary in their production readiness. One-clicks that provide a turn-key service (like WordPress) usually include a pre-configured firewall and WordPress also includes fail2ban with the WordPress plugin. Other images like Ruby on Rails or Docker provide the key components needed to get started with the language or platform they provide.

What are the default security settings for these images?

One-clicks are intended to provide a fairly standard installation, similar to what you would get if you followed one of our tutorials on setting up the stack. Where services are exposed publicly on launch firewalls or other addons may be included.

Anything in particular to be aware of when using them?

Yes. When you launch a one-click, most of them include a custom MOTD that is displayed when you log in via SSH or the console. This will include any specifics related to that particular one click that you should be aware of such as the location of generated passwords (such as for MySQL), file locations and additional software that has been installed. We will soon be updating these to a more standardized format.

Is there any official advice/best practices for provisioning/security, after creating a Droplet from an image?

Nothing that is specific to one-clicks but this guide covers recommended first steps on Ubuntu 16.04 which our one-clicks are currently all based on. A similar tutorial is available for 18.04 once our one-clicks migrate to the newer Ubuntu LTS release later this year.

What’s the intended use for these images? Are they meant to be used for production use, without necessarily requiring user modification of the base distribution image, or should they be reserved for quick development/experimentation?

One-clicks are generally intended to be a short-cut, providing pre-installed versions of popular software stacks. Originally most of these images simply provided the installation of the packages provided by the upstream distribution but over time basic security precautions have been added. We recommend using one-clicks as a starting point. If you are creating a lot of droplets for production use I would recommend doing one of the following if you find that additional security measures or packages are wanted for the image you are using:

  • Provide commands do do additional setup in a user-data script passed when you create the droplet. These commands will be run on the first boot.

  • Alternately you could spin up a droplet from a one-click image, customize it as needed and create a snapshot image to use for additional droplets.

For good security it is usually recommended to go with providing absolute minimum access wherever possible. A “least privledges” philosophy. By blocking any access not needed and restricting access to the bare minimum you can help ensure a secure system.

One-clicks, while taking security in mind do not follow this philosophy in their creation. One-clicks are focused on standardization with common practice and ease of use and access is secured when it is considered a direct risk.

More generally I would say that on any system you plan to administer to ensure you verify the security in place and adjust as needed to meet your needs or further restrict access.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more