Within the realm of containers, secrets are sensitive assets such as SSH keys, SSL/TLS certificates and private keys, API tokens and passwords that a container uses to connect to services such as cloud accounts, APIs and other containers. Docker's secrets feature manages this data for containers at runtime. The problem it solves is that you do not want those values baked into the image or checked into your source, because anyone who can pull the image or read the repository can read them, and that can lead to serious security issues.
Imagine, if you will, some nefarious user hacks into your Docker Swarm and then views those passwords or certificates to gain access to your accounts. That will not do.
To avoid such a scenario, you should consider using secrets. Instead of those passwords being stored within containers and images, you create the secret with Docker, which stores it encrypted in the swarm's Raft log and delivers it over the swarm's mutual TLS connections only to nodes that run a task using it. Inside the container the secret appears as a file on an in-memory (tmpfs) mount under /run/secrets; it is readable in plain text there, because the application has to use it, but it is never written into the image, the container's writable layer or the worker node's disk. With this system, it's harder for cybercriminals to lift those secrets from a registry, a source repository or a stolen disk and use them against you.
I’m going to show you how to create a secret with Docker and then how to use it to deploy a Docker service.
What you’ll need
To make this work, you will need a Docker host in swarm mode: docker secret create is refused on a node that is not a swarm manager. That can be a full Docker Swarm cluster, or a single instance running on Linux, macOS or Windows on which you have run docker swarm init once. That's all you need. Let's share some secrets.
How to create a secret
The first thing we'll do is create our secret. We'll use the printf command (rather than echo, which would append a newline to the value) and pipe its output to the docker command to create a secret called my_test_secret. Be aware that a value typed on the command line like this is recorded in your shell history; for a real secret, read it from a file instead (docker secret create my_test_secret ./secret.txt) or generate it in a pipeline. To do this, log into a swarm manager node and issue the command:
printf "This is my super secret secret" | docker secret create my_test_secret -
You can verify if the secret was successfully created by listing all of your current secrets with the command:
docker secret ls
You should see a listing like this:
ttx3h2zarswj4wxgum5heobfx  my_test_secret  4 seconds ago 4 seconds ago
How to create a service that uses the secret
What we'll do now is create a Redis service that has access to the secret. The nice thing about this is that the secret is never written into the container's filesystem layers: the swarm delivers it to a node only when a task that uses it is scheduled there, and it appears inside the container as a read-only file on an in-memory (tmpfs) mount at /run/secrets/my_test_secret.
To deploy that service, using the my_test_secret secret, the command looks something like this:
docker service create --name redis --secret my_test_secret redis:alpine
Verify the service is running with the command:
docker service ps redis
You should see a listing that looks like this:
0z6v0js2hu5q  redis.1  redis:alpine  dockernode1  Running   Running 34 seconds ago
Verify the service has access to the secret. Run this on the node where the task is actually running (dockernode1 in the listing above), because docker ps only sees that node's containers; the name filter matches any container whose name contains "redis", so narrow it if you have several:
docker container exec $(docker ps --filter name=redis -q) ls -l /run/secrets
You should see something like this in the output. The size is 30 bytes, the length of the value we passed to printf. Note the default mode of 0444, which makes the file readable by every user inside the container; if the application drops privileges, tighten this with the long form --secret source=my_test_secret,target=...,uid=...,gid=...,mode=0400:
-r--r--r-- 1 root root    30 May 24 13:16 my_test_secret
Finally, you can view the contents of the secret with the command:
docker container exec $(docker ps --filter name=redis -q) cat /run/secrets/my_test_secret
The output should look something like this:
This is my super secret secret
Now, if you commit the container, the secret is not included in the resulting image, because /run/secrets is a mount and not part of the container's filesystem layers. Do that with the command:
docker commit $(docker ps --filter name=redis -q) committed_redis
Verify the secret is no longer available with the command:
docker run --rm -it committed_redis cat /run/secrets/my_test_secret
You should see in the output something like this (the second line is an unrelated warning caused by the -t flag when no terminal is attached, and can be ignored):
cat: can't open '/run/secrets/my_test_secret': No such file or directory
failed to resize tty, using default size
Bear in mind that this only protects the mounted file itself. If the application copies the value elsewhere in the container's filesystem, or writes it to a log, docker commit will happily capture that copy, so the protection is only as good as the application's handling of the secret.
You can then remove access to the secret with the command (this is a rolling update: the service's tasks are replaced with new containers that no longer carry the mount):
docker service update --secret-rm my_test_secret redis
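As an added example that is not part of the original article or of Docker's own tooling, here is the whole create / use / verify / revoke procedure as one POSIX shell script, with the checks the steps above leave implicit: it refuses to run on a node that is not a swarm manager, feeds the secret value to Docker from stdin through a 0600 temp file so it never lands in shell history, pins the file to the application's user with the long --secret form, confirms the file is a tmpfs mount, and shows that docker commit does not capture the mount but does capture a copy the application writes to disk. Assumptions: the redis:alpine image, a hypothetical target path /run/secrets/redis_password, uid 999 / gid 1000 for the redis user in that image, and the secret-name rule used by valid_secret_name (1 to 64 characters of letters, digits, '.', '_' or '-', starting and ending with a letter or digit), which is my reading of swarm's naming rule and not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a swarm manager node (or
# one where `docker swarm init` has been run), the redis:alpine image, and the
# hypothetical names below. Run with: sh docker-secrets-demo.sh run
set -eu

SECRET_NAME="${SECRET_NAME:-my_test_secret}"
SERVICE_NAME="${SERVICE_NAME:-redis}"
TARGET=/run/secrets/redis_password   # where the app will look for it inside the task
IMAGE=redis:alpine

# Pure helper: accept only names swarm accepts (assumed rule: 1-64 chars of
# letters, digits, '.', '_' or '-', starting and ending with a letter or digit).
valid_secret_name() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 64 ] &&
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'
}

# Pure helper: long-form --secret spec. uid/gid/mode pin the file to the user the
# application runs as instead of the world-readable 0444 default.
secret_spec() {  # name target uid gid mode
  printf 'source=%s,target=%s,uid=%s,gid=%s,mode=%s' "$1" "$2" "$3" "$4" "$5"
}

# `docker secret create` only works on a swarm manager.
require_swarm_manager() {
  docker info --format '{{.Swarm.ControlAvailable}}' 2>/dev/null | grep -qx true
}

# Read the value from stdin into a 0600 temp file and hand the file to Docker,
# so the value never appears in argv, shell history or `ps` output.
create_secret_from_stdin() {  # name
  tmp=$(mktemp)
  chmod 600 "$tmp"
  cat >"$tmp"
  docker secret create "$1" "$tmp" >/dev/null
  rm -f "$tmp"
}

# Find this node's container for a service by its swarm label, which is more
# precise than the substring match of `docker ps --filter name=...`.
service_container() {  # service
  docker ps -q --filter "label=com.docker.swarm.service.name=$1" | head -n 1
}

# The secret must be a non-empty file on a tmpfs mount, never in the writable layer.
secret_is_tmpfs_mount() {  # container target
  docker container exec "$1" sh -c "grep -q ' $2 tmpfs ' /proc/mounts && test -s $2"
}

# Commit the container, then test whether the given path survived into the image.
# Exit status 0 means the path is in the image (leaked), 1 means it is absent.
path_in_committed_image() {  # container image path
  docker commit "$1" "$2" >/dev/null
  docker run --rm "$2" sh -c "test -e $3"
}

main() {
  require_swarm_manager || { echo "not a swarm manager; run: docker swarm init" >&2; exit 1; }
  valid_secret_name "$SECRET_NAME" || { echo "invalid secret name: $SECRET_NAME" >&2; exit 1; }

  # Generate the value instead of typing it: there is nothing to recover from history.
  openssl rand -base64 32 | create_secret_from_stdin "$SECRET_NAME"

  # 999:1000 is assumed to be the redis user in redis:alpine (check with
  # `docker run --rm redis:alpine id redis`). The constraint pins the task to this
  # node so the verification below can find its container with `docker ps`.
  spec=$(secret_spec "$SECRET_NAME" "$TARGET" 999 1000 0400)
  docker service create --name "$SERVICE_NAME" --secret "$spec" \
    --constraint "node.id==$(docker info --format '{{.Swarm.NodeID}}')" "$IMAGE" >/dev/null

  for i in 1 2 3 4 5 6 7 8 9 10; do   # wait for the task's container to appear
    cid=$(service_container "$SERVICE_NAME"); [ -n "$cid" ] && break; sleep 2
  done
  [ -n "$cid" ] || { echo "no task for $SERVICE_NAME running on this node" >&2; exit 1; }
  secret_is_tmpfs_mount "$cid" "$TARGET" || { echo "$TARGET is not a tmpfs mount" >&2; exit 1; }

  # The mount itself does not survive `docker commit` ...
  if path_in_committed_image "$cid" committed_redis "$TARGET"; then
    echo "UNEXPECTED: $TARGET is baked into committed_redis" >&2
  else
    echo "commit did not capture $TARGET"
  fi
  # ... but any copy the application writes to its filesystem does. That is the real risk.
  docker container exec "$cid" sh -c "cp $TARGET /tmp/leaked"
  if path_in_committed_image "$cid" committed_redis_leaky /tmp/leaked; then
    echo "a copy written to /tmp IS baked into committed_redis_leaky"
  fi

  # Revoke (rolling update drops the mount), then clean everything up.
  docker service update --secret-rm "$SECRET_NAME" "$SERVICE_NAME" >/dev/null
  docker service rm "$SERVICE_NAME" >/dev/null
  docker secret rm "$SECRET_NAME" >/dev/null
  docker rmi committed_redis committed_redis_leaky >/dev/null
}

# The workflow only runs when invoked with "run"; the helpers above can be
# sourced and exercised without a Docker daemon.
if [ "${1:-}" = run ]; then main; fi
```

The two pure helpers are the parts worth reusing: valid_secret_name fails fast before a long pipeline gets as far as the daemon, and secret_spec keeps the uid/gid/mode triple in one place so every service that consumes the secret mounts it the same way.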
And that, my friends, is how you create a secret in Docker and use it within a service.