Docker secrets, which designated to create for storing the sensitive information like username, password, SSL certificates, and any secure files. Docker Secret is created and used widely in Docker Swarm and then extended to docker compose from v3. If anytime, you were worried about securing your sensitive data, Docker secret will be the one of the solutions for you.
Just imagine, we never want to store a configuration file with all of our passwords on our GitHub/any repository even in public or private. In this guide we will walk you through various aspects of setting up a using Docker secrets.
Before we head into steps, here is some introduction how it is used on docker swarm services. First, we create & add a secret to the swarm, and then we give our services access to the secrets they require. When the service is created (or updated), the secret is then mounted onto the container in the /run/secrets directory. Now your application has access to the secrets it requires.
Creating Secret
Just assume with your swarm already running or for test, please run “docker swarm init”, this initiate your docker swarm on the node. Now, you can use the docker secret create command to add a new secret to the swarm.
Here is a basic example:
echo "mypassword" | docker secret create mypass -
Now let’s use the “docker secret ls” command to confirm that our secret was added:
docker secret ls
should output something like this:
ID NAME CREATED UPDATED
rkxav7s9rvnc9d7ct6dhkrsyn mypass 3 minutes ago 3 minutes ago
Lets see what else we can do in Docker secret, before we heads to adding secret to service.
Inspect Docker Secret
You can use inspect command on Docker secret also, same as other docker commands
docker secret inspect secret_name
our case it will be “mypass”
Remove Docker Secret
You can remove the docker secret using following command
docker secret rm secret_name
Lets add secret to Service
Now that you’ve added the secret to the swarm, you need to give the service access. This can be accomplished when the service is created or updated.
Here’s an example of how to add a secret when the service is created:
docker service create --secret mypass --name secret alpine ping foxutech.com
In this example, I’m adding the mypass secret we created in the previous step to a service running the alpine image.
If we’ve already got a service running and we want to add (or change) a secret, you can use the –secret-add option.
docker service update --secret-add mypass existing_service_name
How this works in realtime
There are a few different ways to use this in realtime, and based on the needs of your application you can choose the way that works best for you.
A secret per password
In the example above, I showed how you would store a single password in a secret. This might be appropriate if you’re not managing too many secrets. In this case, you would manually create each secret and add them each to the appropriate service when it is created or updated.
There are some things to consider with this method. If you’ve got a lot of secrets, there’s room for manual error and it can be time consuming.
A secret per service
So another possible method might be to store all of the secrets that each service requires in a single file – perhaps a json file called “service.json”. Now you’re adding a single secret file per service, and all the passwords are stored in a file that can be quickly read in by your application.
This provides a much cleaner and quicker way to configure the secrets, plus it simplifies things in the application layer as well. But the obvious downside is that services will often share secrets, so some of your sensitive data might be duplicated.
For more real time example, docker Team has prepared great example, please refer more on following articles.
We will give more real time example about secret on our upcoming Docker Swarm Series.
How Docker Secret can use in Docker Compose:
you can use secrets if you use a compose file. (You don’t need to run a swarm).
I have switched to docker-compose because I wanted to use secrets. Each service maps to a container. And if you ever want to switch to running a swarm instead, you are basically already there.
Note: Secrets are not loaded into the container’s environment, they are mounted to /run/secrets/
Here is an example:
File Structure:
|
|--- docker-compose.yml
|--- mysecret.txt
docker-compose.yml contains
version: “3.6”
services:
my_service:
image: ubuntu:18.04
entrypoint: “cat /run/secrets/mysecret”
secrets:
– mysecret
secrets:
mysecret:
file: ./mysecret.txt
mysecret.txt contains:
this is my secret text
Run this command from the root to see that the container does have access to your secret, (Docker must be running and docker-compose installed):
docker-compose up --build myservice
You should see your container output your secret as following,
Creating network "secret_default" with the default driver
Pulling myservice (centos:7)...
7: Pulling from library/centos
524b0c1e57f8: Pull complete
Digest: sha256:e9ce0b76f29f942502facd849f3e468232492b259b9d9f076f71b392293f1582
Status: Downloaded newer image for centos:7
Creating secret_myservice_1 ... done
Attaching to secret_myservice_1
myservice_1 | this is my secret text
secret_myservice_1 exited with code 0
