Docker Engine 1.13.1 went GA last week and introduced one of its most awaited features, Secrets Management. With a mission to introduce a container-native solution that strengthens the Trusted Delivery component of container security, the new Secrets API is integrated directly into the Docker 1.13.1 orchestration engine. The new secrets-management capabilities are also included in Docker Datacenter as part of the Docker 1.13.1 release.
What are secrets all about?
Why do we need Docker secrets?
There have been numerous concerns over environment variables being used to pass configuration and settings to containers. Environment variables are easily leaked when debugging and are exposed in many places, including child processes, secrets hosted on a server, etc.
Consider a Docker compose file for WordPress application:
As shown above, environment variables are insecure in nature because they are accessible by any process in the container, preserved in intermediate layers of an image, easily accessible through docker inspect and, lastly, shared with any container linked to the container. To overcome this, one can use secrets to manage any sensitive data which a container needs at runtime, with no need to store it in the image. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.
How does it actually work?
Docker secrets are currently supported for Swarm mode only, starting with Docker Engine 1.13.1. If you are using Docker 1.12.x you will need to upgrade to the latest 1.13.x release to use this feature. To understand how secrets work under Docker Swarm mode, you can follow the process flow below:
Docker Compose v3.1 File Format now supports Secrets
Docker Compose file format v3.1 is available and requires Docker Engine 1.13.0+. It introduces support for secrets for the first time, which means that you can now use secrets inside your docker-compose file.
Let us test-drive the Compose v3.1 file format to see how secrets can be implemented using the newer docker stack deploy utility, as shown below:
Ensure that you have the latest Docker 1.13.1 running on your Swarm Mode cluster:
I will leverage a 4-node Swarm Mode cluster to test the secret API:
Let us first create a secret using the docker secret create utility, as shown:
collab# date | md5sum | docker secret create collab_mysqlpasswd -
collab# date | md5sum | docker secret create collab_mysqlrootpasswd -
collab# date | md5sum | docker secret create collab_wordpressdbpasswd -
List the secrets using the command below:
Create a docker-compose.yml file with the entry below:
PLEASE NOTE: No Compose binaries are required to run the command below. All you require is the Compose v3.1 file format for this to work.
You can copy the whole code from here
Let us now use docker stack deploy to build up the services containing secrets:
$ docker stack deploy --compose-file=./docker-compose.yml collab
Updating service collab_mysql (id: yn9fqojgmtmzukqnn3tfa6wlk)
Updating service collab_web (id: xw7kx49sqrkaqriikm5lsbqmj)
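The three steps above (create the secrets, write the Compose v3.1 file, run docker stack deploy) as one added script; this is example code written for this page, not the post's own file or anything shipped by Docker. It differs from the post in two places a practitioner would want: the password comes from /dev/urandom rather than date | md5sum (whose value is derived from the clock and so is guessable), and WordPress is given the same secret as the MySQL application user, since it has to present that user's password. It assumes a Swarm manager running Docker 1.13.1+ and images whose entrypoints honour the *_PASSWORD_FILE variables (the official mysql and wordpress images document these; check the tag you use). STACK, COMPOSE_FILE, the secret names and the --deploy flag are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the original post): create Swarm secrets with random
# values, write a Compose v3.1 file that consumes them, and deploy the stack.
# Assumptions: a Swarm-mode manager with Docker 1.13.1+, and images whose
# entrypoints honour the *_PASSWORD_FILE variables (check your image's docs).
set -eu

STACK="${STACK:-collab}"
COMPOSE_FILE="${COMPOSE_FILE:-./docker-compose.yml}"

# 48 hex characters from the kernel CSPRNG, with no trailing newline so the
# secret file holds exactly the password (avoids "password\n" mismatches).
gen_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Store a freshly generated password under the secret name $1. The '-' reads
# the value from stdin, so it never appears in shell history or 'ps' output.
create_secret() {
    gen_password | docker secret create "$1" -
}

# Write the stack definition to $1. The secrets are declared 'external' because
# they already exist in the Swarm store (created above), not in a local file.
write_compose() {
    cat > "$1" <<'EOF'
version: "3.1"
services:
  mysql:
    image: mysql:5.7
    environment:
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/collab_mysqlrootpasswd
      MYSQL_PASSWORD_FILE: /run/secrets/collab_mysqlpasswd
    secrets:
      - collab_mysqlrootpasswd
      - collab_mysqlpasswd
  web:
    image: wordpress:latest
    ports:
      - "8080:80"
    environment:
      WORDPRESS_DB_HOST: mysql
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/collab_mysqlpasswd
    secrets:
      # Long syntax: tighten the default 0444 file mode. uid/gid default to 0,
      # so the entrypoint must read the file as root (assumption for this image).
      - source: collab_mysqlpasswd
        mode: 0440
secrets:
  collab_mysqlrootpasswd:
    external: true
  collab_mysqlpasswd:
    external: true
EOF
}

# Create a secret only if it does not exist yet: secrets are immutable, so
# rotation means creating a new secret and updating the service to use it.
ensure_secret() {
    docker secret inspect "$1" >/dev/null 2>&1 || create_secret "$1"
}

deploy() {
    ensure_secret collab_mysqlrootpasswd
    ensure_secret collab_mysqlpasswd
    write_compose "$COMPOSE_FILE"
    docker stack deploy --compose-file "$COMPOSE_FILE" "$STACK"
}

# Usage: sh deploy-secrets.sh --deploy   (run on a Swarm manager)
if [ "${1:-}" = "--deploy" ]; then
    deploy
fi
```

Note that no service in the file receives a password through environment:, so docker inspect on the tasks shows only the paths under /run/secrets, never the values.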
Verify the services are up and running:
Let us verify that the secret got stored under every container:
root@master101:/collab# docker exec -it 35f cat /run/secrets/mysqlpasswd
As shown above, one can use docker exec to connect to the container and read the contents of the secret data file, which defaults to being readable by all and has the same name as the secret.
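The consuming side of what is shown above, as an added example that is not part of the original post: an entrypoint-style script that reads /run/secrets/<name> for the process that needs the value instead of taking it from the environment (the concern raised in the "Why do we need Docker secrets?" section), and that checks the 0444 default mode the post mentions so an operator notices when the Compose mode: was not tightened. SECRETS_DIR, the db_password secret name and /usr/local/bin/app --password-stdin are this example's own assumptions; Swarm itself always mounts secrets at /run/secrets.

```shell
#!/bin/sh
# Added example (not from the original post): how a service should consume a
# Swarm secret. The value is read from the tmpfs file Swarm mounts, handed to
# the program on stdin, and never exported into the environment.
# SECRETS_DIR exists only so the functions can be exercised outside Swarm.

# Print the secret called $1, failing loudly if this service was not granted it.
# Callers capture it with "$(read_secret name)", which drops a trailing newline,
# so 'echo pw | docker secret create' and 'printf pw | ...' behave the same.
read_secret() {
    dir="${SECRETS_DIR:-/run/secrets}"
    f="$dir/$1"
    if [ ! -r "$f" ]; then
        echo "secret '$1' not found in $dir (is it listed under the service's 'secrets:'?)" >&2
        return 1
    fi
    cat "$f"
}

# Return 0 if the secret file has the "other: read" bit set, i.e. the 0444
# default, meaning any uid inside the container can read it.
secret_is_world_readable() {
    f="${SECRETS_DIR:-/run/secrets}/$1"
    [ -n "$(find "$f" -perm -004 2>/dev/null)" ]
}

# Entrypoint logic: warn about a loose mode, read the secret, and pass it to the
# real program via stdin (not argv or the environment, so it shows in neither
# 'ps' nor 'docker inspect'). /usr/local/bin/app is a hypothetical program.
start_app() {
    if secret_is_world_readable db_password; then
        echo "warning: db_password is world-readable inside the container; set mode: in the Compose file" >&2
    fi
    DB_PASSWORD="$(read_secret db_password)" || exit 1
    printf '%s\n' "$DB_PASSWORD" | /usr/local/bin/app --password-stdin
}

# Usage as a container entrypoint: sh entrypoint.sh --start
if [ "${1:-}" = "--start" ]; then
    start_app
fi
```

Reading the file at start-up rather than exporting it also means the value is absent from any core dump or crash report of child processes, which is the failure mode the post's environment-variable discussion is about.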
- Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to run as a service with a scale of 1.
- No Compose binaries are required to run docker stack deploy. All you require is the Compose v3.1 file format for this to work.
- Raft data is encrypted in Docker 1.13 and higher.
- It is recommended to update all of your manager nodes to Docker 1.13 to prevent secrets from being written to plain-text Raft logs.