Docker Secrets
In this blog we will learn about Docker secrets. Docker secrets offer a secure way to store sensitive information such as usernames, passwords, and even files like self-signed certificates and SSH keys.
Consider the command below -
docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=mypassword -d mysql:tag
Passing the password on the command line or through an environment variable like this is not a secure way to share it.
Let's dive right in and see how to create secrets.
docker secret create
Creates a secret using standard input or from a file for the secret content.
Syntax
docker secret create [OPTIONS] SECRET [file|-]
Options
--driver , -d: Secret driver
--label , -l: Secret labels
--template-driver: Template driver
Examples
Creating a secret -
# docker secret create secretName -
Do not omit the trailing '-', which tells Docker to read the secret content from standard input.
The above command will then wait for your input, which will be the password. Enter the password and hit ctrl+D to finish -
example:
root@master:~# docker secret create dbpass -
mytestpassword
zkdsviynv8bogg6eu32c4rhh0
root@master:~# docker secret ls
ID NAME DRIVER CREATED UPDATED
zkdsviynv8bogg6eu32c4rhh0 dbpass 16 seconds ago 16 seconds ago
root@master:~#
Let's inspect the above password to check if it is exposing any of the provided secrets -
root@master:~# docker secret inspect dbpass
[
{
"ID": "zkdsviynv8bogg6eu32c4rhh0",
"Version": {
"Index": 340
},
"CreatedAt": "2021-11-21T19:04:28.242077255Z",
"UpdatedAt": "2021-11-21T19:04:28.242077255Z",
"Spec": {
"Name": "dbpass",
"Labels": {}
}
}
]
root@master:~#
This is one way to supply the secret data, which Docker then stores encrypted. You can also provide the password from a stored file. Create a file testpw and add the password mytestpwfile to it.
root@master:~# echo "mytestpwfile">testpw
root@master:~# ls
testpw
root@master:~# cat testpw
mytestpwfile
root@master:~#
To create the secret from this file, run the following command -
root@master:~# docker secret create mytestfile testpw
oq4t76x6ird65lg5t25jfeams
root@master:~# docker secret ls
ID NAME DRIVER CREATED UPDATED
zkdsviynv8bogg6eu32c4rhh0 dbpass 20 minutes ago 20 minutes ago
oq4t76x6ird65lg5t25jfeams mytestfile 14 seconds ago 14 seconds ago
root@master:~#
A secret can only be read by the services it is explicitly granted to.
root@master:~# docker service create -d --secret dbpass alpine ping 8.8.8.8
vr9b3nmkt7o5lcki0ogusi4ck
root@master:~# docker service ps vr
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
87s41vxfd7sd agitated_grothendieck.1 alpine:latest worker01 Running Running 8 seconds ago
root@master:~#
The --secret flag in the above command ensures that only this service's containers have the right to use the dbpass secret.
Where does Docker save the secrets?
On the swarm worker node running the service's task, the secret is made available inside the container at the path /run/secrets/<secret-name>. This can be verified as follows, on the worker01 node where the service's container is running -
root@worker01:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69c1447b6e51 alpine:latest "ping 8.8.8.8" 15 seconds ago Up 15 seconds agitated_grothendieck.1.87s41vxfd7sdu0mkms2cdwkch
root@worker01:~# docker container exec -it 69 sh
/ # cd /run/secrets/
/run/secrets # ls
dbpass
/run/secrets # cat dbpass
mytestpassword
/run/secrets #
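An added example (not code from the original post) of how an application inside the service should consume the secret that the `cat dbpass` step above shows: it reads `/run/secrets/<name>`, or the file named by a `<VAR>_FILE` variable, instead of a plain environment variable. The function names `read_secret_file`, `resolve_secret` and `demo` and the temp-dir sample are assumptions made for illustration; the `MYSQL_ROOT_PASSWORD_FILE` convention itself is real (the official mysql image supports it).

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # where swarm mounts a service's secrets


def read_secret_file(path: Path) -> str:
    """Return the secret in `path` minus one trailing newline: a secret typed
    into `docker secret create dbpass -` ends in a newline that is not part
    of the password (see the `cat dbpass` output above)."""
    data = path.read_bytes()
    if data.endswith(b"\n"):
        data = data[:-1]
    return data.decode("utf-8")


def resolve_secret(var: str, default_name: str, environ=None,
                   secrets_dir: Path = SECRETS_DIR) -> str:
    """Resolve the value of `var` (e.g. MYSQL_ROOT_PASSWORD) for a service.

    `<var>_FILE` names the file to read (the convention the mysql image
    supports); otherwise `<secrets_dir>/<default_name>` is used. A plain
    `<var>` in the environment is rejected, since it is exposed through
    `docker inspect` and the shell history of the `docker run -e` command."""
    environ = os.environ if environ is None else environ
    if var in environ:
        raise ValueError(f"{var} must not be a plain environment variable; "
                         f"use {var}_FILE or the secret {default_name!r}")
    path = Path(environ.get(f"{var}_FILE", secrets_dir / default_name))
    if not path.is_file():
        raise FileNotFoundError(f"{path} missing: was the service started "
                                f"with --secret {default_name}?")
    return read_secret_file(path)


def demo() -> dict:
    """Constructed sample: rebuild the container's /run/secrets in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets = Path(tmp)
        (secrets / "dbpass").write_bytes(b"mytestpassword\n")  # as `cat dbpass` showed
        out = {"mounted": resolve_secret("MYSQL_ROOT_PASSWORD", "dbpass", {}, secrets),
               "file_var": resolve_secret("MYSQL_ROOT_PASSWORD", "unused",
                   {"MYSQL_ROOT_PASSWORD_FILE": str(secrets / "dbpass")}, secrets)}
        try:  # the insecure `-e MYSQL_ROOT_PASSWORD=mypassword` pattern is refused
            resolve_secret("MYSQL_ROOT_PASSWORD", "dbpass",
                           {"MYSQL_ROOT_PASSWORD": "mypassword"}, secrets)
            out["plain_env_rejected"] = False
        except ValueError:
            out["plain_env_rejected"] = True
        return out
```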