By Sematext Blog
March 27, 2017 09:14 AM EDT
This post shows how to use Docker Secrets in Docker Swarm mode. For our example we’ll show how to use Docker Secrets to encrypt and safely store tokens used by Sematext Docker Agent for shipping Docker metrics and logs.
Containerized applications often require access to sensitive data like SSL keys, login credentials or access tokens. Containers are commonly configured via environment variables, docker-compose or configuration files stored on unencrypted volumes. While nice and simple, this approach has a major security hole – a simple “docker inspect” command would expose passwords or tokens configured in clear text via environment variables.
Docker engine 1.13 introduced the management of secrets for Docker Swarm mode. Docker manages secrets as a blob in the internal Raft store. This means secrets get the same high availability guarantees that the rest of the Swarm management data gets. Secrets are encrypted using NaCl’s Salsa20Poly1305 with a 256-bit key. Volumes with secrets can be mounted at runtime with the new docker service create --secret <secret-name> option. Containers can then read the secret as a file at /run/secrets/<secret-name>.
It turns out this new feature helps not only with encryption and distribution of sensitive files, but can also be used as a switch between different configurations, e.g. to apply different configurations for staging or production, just by changing the --secret <secret-name> parameter.
Docker Secrets Management
As a Docker Ecosystem Partner we are committed to supporting new Docker features in Sematext Docker Agent (SDA) for container monitoring and log management. We introduced support for Docker Secrets in version 1.31.19, released in March 2017, which means that your Sematext Docker Agent configuration can be managed via the docker secret command.
Let’s see how to deploy Sematext Docker Agent to monitor a Swarm cluster using the new secrets feature in 3 simple steps.
Step 1: Create a configuration file for Sematext Docker Agent
The configuration file can include all options that are normally passed via the -e (environment) parameter to the docker run or docker service create commands.
The example includes just the SPM token and the Logsene token to enable monitoring and logging for all containers. Let’s save these tokens to a “sematext-agent.conf” file (which you can remove later if you no longer need it):
# sematext-agent.conf - spm-agent-docker configuration
SPM_TOKEN=YOUR_SPM_TOKEN_HERE
LOGSENE_TOKEN=YOUR_LOGSENE_TOKEN_HERE
Note: The Logsene token is the most sensitive bit of information here because it allows both writing and reading of logs. Logsene lets you create write-only tokens and we recommend using them for log shipping, so that a leaked token cannot be used to read your logs.
Step 2: Create the secret with the “docker secret create” command
The first argument is the name of the secret, the second argument is the file name with our secrets:
docker secret create sematext-agent sematext-agent.conf
The docker secret create command accepts the secret on stdin as well:
cat sematext-agent.conf | docker secret create sematext-agent -
The docker secret create command creates the encrypted blob, which will be available as a file at /run/secrets/sematext-agent at container runtime.
Step 3: Create a Swarm service for Sematext Docker Agent using the secret
Here is the full command to deploy the agent to all Swarm nodes as a global service using the “sematext-agent” secret we just created:
$ docker service create --mode global --name sematext-agent-docker \
    --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
    --secret sematext-agent \
    sematext/sematext-agent-docker
Check the deployment status of the service with the docker service ps command:
$ docker service ps sematext-agent-docker
After pulling the image Sematext Docker Agent will start, using the configuration from secrets.
Please note the above command works because /run/secrets/sematext-agent is the default path where Sematext Docker Agent expects the configuration file. To run SDA with different configurations using secret names other than “sematext-agent”, you have to specify the source and target properties in the --secret parameter of the docker service create command, so that the secret is still mounted at the default path:
$ docker secret create my-sda-config sematext-agent.conf
$ docker service create --mode global --name sematext-agent-docker \
    --mount type=bind,src=/var/run/docker.sock,dst=/var/run/docker.sock \
    --secret source=my-sda-config,target=sematext-agent \
    sematext/sematext-agent-docker
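To show what happens on the container side once the secret is mounted, here is an added POSIX sh example (not Sematext Docker Agent’s own code): an entrypoint-style loader that reads the KEY=VALUE file from /run/secrets/sematext-agent into environment variables, instead of receiving them via -e where docker inspect would expose them, and a helper that masks a token before it is logged. The sample configuration is written to a temp file so the example runs without a Swarm cluster; the function names load_secret_config and mask_token and the placeholder tokens are assumptions.

```shell
#!/bin/sh
# Added example (not the agent's own code): load a Docker-Secrets-mounted
# KEY=VALUE config file into the environment and mask tokens for logging.

# Constructed sample in the sematext-agent.conf format, including one
# malformed line to show how the loader rejects it. Tokens are placeholders.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# sematext-agent.conf - spm-agent-docker configuration
SPM_TOKEN=YOUR_SPM_TOKEN_HERE
LOGSENE_TOKEN=YOUR_LOGSENE_TOKEN_HERE

bad key=value
EOF

# load_secret_config [FILE]  (default: /run/secrets/sematext-agent)
# Exports each KEY=VALUE line; skips blank lines and comments; rejects keys
# that are not [A-Z0-9_]. Returns 0 on success, 1 if the file is unreadable,
# 2 if at least one line was rejected. Values are never echoed.
load_secret_config() {
  file="${1:-/run/secrets/sematext-agent}"
  [ -r "$file" ] || { echo "config $file not readable" >&2; return 1; }
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"; val="${line#*=}"
    case "$key" in
      ''|*[!A-Z0-9_]*) echo "skipping malformed key: $key" >&2; status=2; continue ;;
    esac
    export "$key=$val"
  done < "$file"
  return $status
}

# mask_token VALUE: keep only the last 4 characters so a log line can
# identify which token is in use without disclosing it.
mask_token() {
  v="$1"; n=${#v}
  if [ "$n" -le 4 ]; then printf '****\n'; return; fi
  stars="$(printf '%*s' $((n - 4)) '' | tr ' ' '*')"
  printf '%s%s\n' "$stars" "${v#"${v%????}"}"
}
```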
We hope this short post helped explain how to keep secrets with Docker Secrets and how to improve the security of your Docker monitoring and logging deployments with Sematext Docker Agent.