Docker Security: Using Docker Secrets with Swarm

This post shows how to use Docker Secrets in Docker Swarm mode. For our example we’ll show how to use Docker Secrets to encrypt and safely store tokens used by Sematext Docker Agent for shipping Docker metrics and logs.

Containerized applications often need access to sensitive data such as SSL keys, login credentials or access tokens. Containers are commonly configured via environment variables, docker-compose or configuration files stored on unencrypted volumes. While simple and convenient, this approach has a major security hole: a plain “docker inspect” command exposes any passwords or tokens configured in clear text via environment variables.

Docker Engine 1.13 introduced secrets management for Docker Swarm mode. Docker stores each secret as a blob in the internal Raft store, so secrets get the same high-availability guarantees as the rest of the Swarm management data. Secrets are encrypted using NaCl’s Salsa20Poly1305 with a 256-bit key. A secret is mounted into a service's containers at runtime with the new docker service create --secret <secret-name> option, and the container reads it as the file /run/secrets/<secret-name>.

It turns out this new feature helps not only with encrypting and distributing sensitive files, but can also be used as a switch between configurations, e.g. to apply different settings for staging or production just by changing the --secret <secret-name> parameter.

[Image: Docker Secrets Management]

Source: https://blog.docker.com/2017/02/docker-secrets-management/

As a Docker Ecosystem Partner we are committed to supporting new Docker features in Sematext Docker Agent (SDA) for container monitoring and log management. We introduced support for Docker Secrets in version 1.31.19, released in March 2017, which means that your Sematext Docker Agent configuration can be managed via the docker secret command.

Let’s see how to deploy Sematext Docker Agent to monitor a Swarm cluster using the new secrets feature in 3 simple steps.

Step 1: Create a configuration file for Sematext Docker Agent

The configuration file can include any of the options normally passed via the -e (environment) parameter to the docker run or docker service create commands.
The example includes just the SPM token and the Logsene token, which enable monitoring and logging for all containers. Let's save these tokens to a “sematext-agent.conf” file (which you can remove later if you no longer need it):

# sematext-agent.conf - spm-agent-docker configuration
SPM_TOKEN=YOUR_SPM_TOKEN_HERE
LOGSENE_TOKEN=YOUR_LOGSENE_TOKEN_HERE

Note: The Logsene token is the most sensitive piece of information here because it allows both writing and reading of logs. Logsene lets you create write-only tokens, and we recommend using them for log shipping.

Step 2: Create the secret with the “docker secret create” command

The first argument is the name of the secret, the second argument is the file name with our secrets:
docker secret create sematext-agent sematext-agent.conf

The docker secret create command also accepts the secret from stdin when - is given as the file name:
cat sematext-agent.conf | docker secret create sematext-agent -

The docker secret create command creates the encrypted blob which will be available in /run/secrets/sematext-agent at container runtime.

Step 3: Create a Swarm service for Sematext Docker Agent using the secret

Here is the full command to deploy the agent to all Swarm nodes as a global service using the “sematext-agent” secret we just created:

$ docker service create --mode global --name sematext-agent-docker \
--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
--secret sematext-agent \
sematext/sematext-agent-docker

Check the deployment status of the service with the docker service ps command:

$ docker service ps sematext-agent-docker

After pulling the image, Sematext Docker Agent starts using the configuration from the secret.

Please note that the above command works because /run/secrets/sematext-agent is the default path where Sematext Docker Agent expects its configuration file. To run SDA with a different configuration stored under a secret name other than “sematext-agent”, specify the source and target properties of the --secret parameter in the docker service create command, so the secret is still mounted at /run/secrets/sematext-agent:

$ docker secret create my-sda-config sematext-agent.conf
$ docker service create --mode global --name sematext-agent-docker \
--mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
--secret source=my-sda-config,target=sematext-agent \
sematext/sematext-agent-docker
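The three steps above as one POSIX shell script, added here as an example and not part of the original post or of Sematext's tooling. It assumes the docker CLI is on the PATH and adds a pre-flight check, check_agent_conf, so that a config file still holding the YOUR_..._HERE placeholders or missing a token never becomes a Swarm secret; the docker commands themselves are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): wraps steps 1-3 in a script
# and refuses to create a secret from an incomplete or placeholder config.
set -eu

# Step 1: write sematext-agent.conf readable only by the current user.
write_agent_conf() {
  conf="$1"; spm="$2"; logsene="$3"
  (umask 077; printf '# sematext-agent.conf\nSPM_TOKEN=%s\nLOGSENE_TOKEN=%s\n' \
      "$spm" "$logsene" > "$conf")
}

# Returns 0 only if both required keys are present, non-empty and not the
# YOUR_..._HERE placeholders from the template in the post.
check_agent_conf() {
  conf="$1"
  [ -r "$conf" ] || return 1
  for key in SPM_TOKEN LOGSENE_TOKEN; do
    val=$(sed -n "s/^${key}=//p" "$conf" | tail -n 1)
    [ -n "$val" ] || return 1
    case "$val" in *YOUR_*_HERE*) return 1 ;; esac
  done
  return 0
}

# Step 2: create the secret from stdin, then delete the plaintext file
# (the encrypted copy now lives in the Swarm Raft store).
create_agent_secret() {
  name="$1"; conf="$2"
  check_agent_conf "$conf" || { echo "refusing to create secret from $conf" >&2; return 1; }
  docker secret create "$name" - < "$conf"
  rm -f "$conf"
}

# Step 3: deploy the agent as a global service. Whatever the secret is
# called, target=sematext-agent mounts it at /run/secrets/sematext-agent,
# the path the agent reads by default.
deploy_agent() {
  secret="$1"
  docker service create --mode global --name sematext-agent-docker \
    --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
    --secret "source=${secret},target=sematext-agent" \
    sematext/sematext-agent-docker
}

# Usage: ./deploy-sda.sh deploy <SPM_TOKEN> <LOGSENE_TOKEN>
if [ "${1:-}" = "deploy" ]; then
  write_agent_conf ./sematext-agent.conf "$2" "$3"
  create_agent_secret sematext-agent ./sematext-agent.conf
  deploy_agent sematext-agent
fi
```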


We hope this short post helped explain how to keep secrets with Docker Secrets and how to improve the security of your Docker monitoring and logging deployments with Sematext Docker Agent.

If you have any questions, get in touch with us via comments, live chat, @sematext on Twitter, or check out Sematext Docker Agent on GitHub.


Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), and search analytics (SSA). We also provide Search and Big Data consulting services and offer 24/7 production support for Solr and Elasticsearch.