Keeping Secrets with Docker Swarm

Step 1 - Initialise Swarm Mode

By default, Docker works as an isolated single-node. All containers are only deployed onto the engine. Swarm Mode turns it into a multi-host cluster-aware engine.

Task: Initialise Swarm Mode

To use the secrets functionality, Docker has to be in "Swarm Mode". This is enabled via docker swarm init

Step 2 - Cluster Based Secret

Create Secret

The following command will first create a random 64 character token, that will be stored in a file for testing purposes. The token file is used to create a secret called deep_thought_answer_secure.

< /dev/urandom tr -dc A-Za-z0-9 | head -c64 > tokenfile
docker secret create deep_thought_answer_secure tokenfile

Creating a secret can also be done using stdin, for example echo "the_answer_is_42" | docker secret create lesssecure -. Note, this approach would leave the value the_answer_is_42 in the users bash history file.

All the secrets names can be viewed using docker secret ls. This will not expose the underlying secret value.

Using Secrets

This secret can be used when deploying services via Swarm. For example, deploy gives the Redis service access to the secret.

docker service create --name="redis" --secret="deep_thought_answer_secure" redis

The secret appears as a file within the secrets directory.

docker exec $(docker ps --filter name=redis -q) ls -l /run/secrets

This can be read as a regular file from disk.

docker exec $(docker ps --filter name=redis -q) cat /run/secrets/deep_thought_answer_secure

Step 3 - Create Docker Stack with Compose

The secrets functionality is also available using Docker Compose Stacks. In the example below, the viewer service has access to our Swarm Secret _deep_thoughtanswer. It's being mounted and made available called _deep_thoughtanswer.

Task: Create Docker Compose Stack

Copy the Docker Compose snippet to the file.

version: '3.1'
services:
    viewer:
        image: 'alpine'
        command: 'cat /run/secrets/deep_thought_answer_secure'
        secrets:
            - deep_thought_answer_secure

secrets:
    deep_thought_answer_secure:
        external: true

In the next step, the Compose Stack will be deployed.

Step 4 - Deploy and Access Secret with Compose

Docker Compose Stack's are deployed using the Docker CLI. As part of the deployment, the stack will be configured with access to the secret.

Task

Deploy the task using the following command:

docker stack deploy -c docker-compose.yml secrets1

View the output with:

docker logs $(docker ps -aqn1 -f status=exited)

If the commands errors with "docker logs" requires exactly 1 argument(s). it means the container has not yet started and returned the secret.

Step 5 - File Based Secret

An alternate way of creating secrets is via files. In this case, we have a secret.crt file that needs to be accessed from the container.

Task

First, create the sample .crt file: echo "my-super-secure-cert" > secret.crt

Secondly, update the docker-compose Stack to use the file based secret.

version: '3.1'
services:
    test:
        image: 'alpine'
        command: 'cat /run/secrets/secretcert'
        secrets:
            - secretcert

secrets:
    secretcert:
        file: ./secret.crt

Step 6 - Deploy and Access Secret with Compose

Task

As before, deploy the Docker Compose Stack.

docker stack deploy -c docker-compose.yml secrets2

The command below will get the log file of the last container to have exited for the newly created service.

docker logs $(docker ps -aqn1 -f name=secrets2 -f status=exited)

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Congratulations!

You've completed the scenario!

Scenario Rating

Steps