
Docker Security: Using Docker Secrets With Swarm

In this post we take a look at how to set up and configure Docker Secrets in Docker Swarm mode. Read on for details!

by Stefan Thies · Mar. 29, 17 · Security Zone · Tutorial

This post shows how to use Docker Secrets in Docker Swarm mode. For our example, we’ll show how to use Docker Secrets to encrypt and safely store tokens used by a Sematext Docker Agent for shipping Docker metrics and logs.

Containerized applications often need sensitive data such as TLS private keys, login credentials or access tokens. Containers are commonly configured through environment variables, docker-compose files or configuration files stored on unencrypted volumes. That is simple, but it has a major security hole: values passed with -e become part of the container's configuration, so a plain “docker inspect” prints every password or token in clear text to anyone with access to the Docker socket, every child process inherits them, and they tend to end up in compose files checked into version control and in crash dumps and logs.

Docker Engine 1.13 introduced secret management for Swarm mode. A secret is stored as a blob in the managers' internal Raft store, so it gets the same high-availability guarantees as the rest of the Swarm management data; the Raft log is encrypted at rest using NaCl's Salsa20Poly1305 with a 256-bit key, and secrets travel to the nodes that need them only over the mutually authenticated TLS connections Swarm already uses. Secrets are a Swarm feature: they are attached to services with the new docker service create --secret <secret-name> option. The engine does not write the secret to the node's disk; it delivers it to the container as a file in an in-memory filesystem (tmpfs on Linux) at /run/secrets/<secret-name>, only on nodes that run a task of that service and only for as long as the task runs.

Besides encrypting and distributing sensitive files, the feature doubles as a switch between configurations. Because the container always reads the same path under /run/secrets, you can point staging and production at different configurations just by changing the --secret <secret-name> parameter (or its source/target mapping, shown in Step 3).

Step 1: Write the Configuration File

The configuration file can contain any option that would normally be passed with the -e (environment) parameter of docker run or docker service create. This example includes just the SPM token and the Logsene token, which enable monitoring and logging for all containers. Save them to a file named “sematext-agent.conf” (you can delete the file once the secret has been created in Step 2):

# sematext-agent.conf - spm-agent-docker configuration
SPM_TOKEN=YOUR_SPM_TOKEN_HERE
LOGSENE_TOKEN=YOUR_LOGSENE_TOKEN_HERE

Note: The Logsene token is the most sensitive piece of information here because it allows both writing and reading of logs. Logsene lets you create write-only tokens and we recommend using them for log shipping, so that a leaked shipping token cannot be used to read your logs.
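The following is an added example, not code from the original post or from the Sematext Docker Agent, showing the container side of this setup: an entrypoint-style loader that reads the KEY=VALUE file Swarm mounts under /run/secrets into the process environment, so the tokens never have to be passed with -e and never show up in docker inspect. The secret name “sematext-agent”, the SPM_TOKEN/LOGSENE_TOKEN keys and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Sematext Docker Agent or the original post:
# an entrypoint-style loader that turns the KEY=VALUE file Swarm mounts under
# /run/secrets into the process environment. The secret name "sematext-agent",
# the SPM_TOKEN/LOGSENE_TOKEN keys and all function names are assumptions.

# Where Swarm places the secret when the service is created with --secret sematext-agent.
SECRET_FILE="${SECRET_FILE:-/run/secrets/sematext-agent}"

# load_secret_config FILE
# Exports every KEY=VALUE line of FILE. Blank lines and '#' comments are skipped.
# Keys must match [A-Z_][A-Z0-9_]*; anything else (or a line without '=') makes
# the function fail instead of being handed to eval, so a tampered file cannot
# inject shell commands. Values are exported as literal strings, never re-parsed.
load_secret_config() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "secret file $file is missing or unreadable" >&2
        return 1
    fi
    # The || [ -n "$line" ] keeps a last line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "rejecting line without '=' in $file" >&2; return 1 ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            ''|[0-9]*|*[!A-Z0-9_]*)
                echo "rejecting malformed key in $file" >&2; return 1 ;;
        esac
        export "$key=$value"
    done < "$file"
}

# require_tokens: fail unless both tokens were loaded and are non-empty.
require_tokens() {
    [ -n "${SPM_TOKEN:-}" ] && [ -n "${LOGSENE_TOKEN:-}" ]
}

# mask_token VALUE: keep only the last four characters, for log lines and
# health output that must never print a whole token.
mask_token() {
    v="$1"
    n=${#v}
    if [ "$n" -le 4 ]; then
        printf '****\n'
    else
        printf '****%s\n' "$(printf '%s' "$v" | cut -c "$((n - 3))-")"
    fi
}

# Entrypoint usage:  sh load-secrets.sh /run/secrets/sematext-agent node index.js
# Loads the file named by the first argument, checks the tokens, then execs the
# rest of the command line. With fewer arguments the file only defines functions.
if [ "$#" -ge 2 ]; then
    load_secret_config "$1" || exit 1
    require_tokens || { echo "SPM_TOKEN and LOGSENE_TOKEN are required" >&2; exit 1; }
    echo "loaded config, SPM_TOKEN=$(mask_token "$SPM_TOKEN")" >&2
    shift
    exec "$@"
fi
```

Variables exported this way live in the agent process and its children, which is where they are needed; they are not part of the container's configuration, so docker inspect does not show them. Anyone who can read /proc/<pid>/environ inside the container (or on the host) can still see them, which is why the loader fails closed on malformed input and only ever logs a masked token.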

Step 2: Create the Secret With the docker secret create Command

The first argument is the name of the secret, the second argument is the file containing it:
docker secret create sematext-agent sematext-agent.conf

The docker secret commands accept stdin as well (pass - as the file name):
cat sematext-agent.conf | docker secret create sematext-agent -

The docker secret create command stores the content as an encrypted blob in the Raft store; at container runtime it is available as the file /run/secrets/sematext-agent. The plaintext file is no longer needed once the secret exists, so delete it: the secret store is only as good as the copies you leave lying around. Note that the content cannot be read back from the swarm: docker secret inspect shows only metadata such as the name, ID and creation time. Secrets are also immutable; to change a token you create a new secret and update the service to use it.

Step 3: Create a Swarm Service for Sematext Docker Agent Using the Secret

Here is the full command to deploy the agent to all Swarm nodes as a global service, using the “sematext-agent” secret we just created. Note that the bind mount of /var/run/docker.sock hands the container full control of the host's Docker engine, which the agent needs in order to collect container metrics and logs; it also means this service has to be trusted as much as the host itself, so it is the kind of service that should get exactly the secrets it needs and nothing more:

$ docker service create --mode global --name sematext-agent-docker \
--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
--secret sematext-agent \
sematext/sematext-agent-docker

Check the deployment status of the service with the docker service ps command:

$ docker service ps sematext-agent-docker

After pulling the image, the Sematext Docker Agent starts and reads its configuration from the secret.

Please note that the above command works because /run/secrets/sematext-agent is the default path where the Sematext Docker Agent expects its configuration file. To run the agent with a different configuration, stored under a secret name other than “sematext-agent”, specify the source and target properties of the --secret parameter in the docker service create command, so that the file still appears under the name the agent expects:

$ docker secret create my-sda-config sematext-agent.conf
$ docker service create --mode global --name sematext-agent-docker \
--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
--secret source=my-sda-config,target=sematext-agent \
sematext/sematext-agent-docker
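As an added example that is not code from the original post or from Sematext, here are Steps 2 and 3 as one script, plus the rotation step the post leaves out. A Swarm secret is immutable, so replacing a leaked or expired token means creating a new secret and swapping it into the service with --secret-rm/--secret-add in a single docker service update. The service name, image and target file name are the post's; the DRY_RUN variable and the function names are this example's own, and DRY_RUN=1 prints the docker commands instead of running them so the script can be checked without a swarm.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sematext: Steps 2 and 3
# as one script, plus the rotation step the post leaves out. A Swarm secret is
# immutable, so replacing a token means creating a new secret and swapping it into
# the service with --secret-rm/--secret-add in a single update. The service name,
# image and target name come from the post; DRY_RUN and the function names are
# this example's own.
set -u

SERVICE="${SERVICE:-sematext-agent-docker}"
IMAGE="${IMAGE:-sematext/sematext-agent-docker}"
TARGET="${TARGET:-sematext-agent}"   # file name the agent reads under /run/secrets

# run CMD...: execute, or only print the command line when DRY_RUN=1, so the
# exact docker invocations can be reviewed before they touch the swarm.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_secret NAME FILE: ship FILE into the managers' Raft store over stdin and
# delete the plaintext copy afterwards (kept in dry-run mode). The content cannot
# be read back later: `docker secret inspect NAME` shows metadata only.
create_secret() {
    name="$1"; file="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    run docker secret create "$name" - < "$file" || return 1
    [ "${DRY_RUN:-0}" = "1" ] || rm -f "$file"
}

# deploy SECRET: run the agent on every node as a global service. The secret is
# always exposed as /run/secrets/$TARGET, whatever it is called, which is what
# lets staging and production use different secret names with the same image.
deploy() {
    run docker service create --mode global --name "$SERVICE" \
        --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
        --secret "source=$1,target=$TARGET" \
        "$IMAGE"
}

# rotate OLD NEW FILE: create the replacement secret, swap it in with one
# `docker service update` (tasks are restarted with the new file; the service is
# never left without one), then remove the old secret. The removal comes last
# because Docker refuses to delete a secret that a service still references.
rotate() {
    old="$1"; new="$2"; file="$3"
    create_secret "$new" "$file" || return 1
    run docker service update \
        --secret-rm "$old" \
        --secret-add "source=$new,target=$TARGET" \
        "$SERVICE" || return 1
    run docker secret rm "$old"
}

# status: where the agent's tasks are and what they are doing.
status() {
    run docker service ps "$SERVICE"
}

# First deployment:   ./deploy.sh sematext-agent-v1 sematext-agent.conf
# Later rotation:     ./deploy.sh rotate sematext-agent-v1 sematext-agent-v2 sematext-agent.conf
case "${1:-}" in
    rotate) rotate "$2" "$3" "$4" ;;
    "")     ;;   # no arguments: only the functions are defined
    *)      create_secret "$1" "$2" && deploy "$1" && status ;;
esac
```

Versioned secret names (sematext-agent-v1, -v2, ...) are what make rotation possible, since a name cannot be reused while the old secret exists; the target name stays fixed so the agent never has to know which version it is running with.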


We hope this short post helped explain how to keep secrets with Docker Secrets and how to improve the security of your Docker monitoring and logging deployments with the Sematext Docker Agent.

If you have any questions, get in touch with us via the comments, live chat, @sematext on Twitter, or check out the Sematext Docker Agent on GitHub.


Published at DZone with permission of Stefan Thies, DZone MVB. See the original article here.
