Docker Security – How to Use Docker Secrets Without a Swarm Cluster

dockerdocker-swarmSecurity

Currently we im a running application on a single docker container, the application needs all sorts of sensitive data to be passed as environments variables,

Im putting those on the run command so they don't end up in the image and then on a repository, however i end up with a very non-secure run command,

Now, i understand that docker secrets exist, however, how can i use them without deploying a cluster? or is there any other way to secure this data?

Best Regards,

Best Answer

You can't... It does not support secrets without Swarm. Unless ''may be'' you ''Swarm'' using only one node.

The other solution would be, I think to use a third party vault software like this one:

https://www.vaultproject.io/

But then, to use the secrets in your containers from Vault, you would need to read the doc.

Hope this bring you to the right path to start.

First let's recall a few definitions

Docker images

Docker images are essentially a union filesystem + metadata. You can inspect the content of docker image union filesystem with the docker export command, and you can inspect a docker image metadata with the docker inspect command.

Data volumes

from the Docker user guide:

A data volume is a specially-designated directory within one or more containers that bypasses the Union File System to provide several useful features for persistent or shared data.

It is important to note here that a given volume (as the directory or file that contains data) is reusable only if it exists at least one docker container using it. Docker images don't have volumes, they only have metadata which eventually tells where volumes would be mounted on the union filesystem. Data volumes aren't either part of docker containers union filesystem, so where are they? under /var/lib/docker/volumes on the docker host (while containers are stored under /var/lib/docker/containers).

Data volume containers

That special type of container has nothing special. They are just stopped containers using a data volume with the sole and unique goal of having at least one container using that data volume. Remember, as soon as the last container (running or stopped) using a given data volume is deleted, that volume will become unreachable through the docker run --volumes-from option.

Working with data volume containers

How to create a data volume container

The image used to create a data volume container has no importance as such a container can remain stopped and still fill its purpose. So to create a data container named datatest_data for a volume in /datafolder you only need to run:

docker run --name datatest_data --volume /datafolder busybox true

Here base is the image name (a conveniently small one) and true is a command we provide just to avoid seeing the docker daemon complain about a missing command. Anyway after you have a stopped container named datatest_data with the sole purpose of allowing you to reach that volume with the --volumes-from option of the docker run command.

How to read from a data volume container

I know two ways of reading a data volume: the first one is through a container. If you cannot have a shell into an existing container to access that data volume, you can run a new container with the --volumes-from option for the sole purpose of reading that data.

For instance:

docker run --rm --volumes-from datatest_data busybox cat /datafolder/data.txt

The other way is to copy the volume from the /var/lib/docker/volumes folder. You can discover the name of the volume in that folder by inspecting the metadata of one of the container using the volume. See this answer for details.

Working with volumes (since Docker 1.9.0)

How to create a volume (since Docker 1.9.0)

Docker 1.9.0 introduced a new command docker volume which allows to create volumes :

docker volume create --name hello

How to read from a volume (since Docker 1.9.0)

Let say you created a volume named hello with docker volume create --name hello, you can mount it in a container with the -v option :

docker run -v hello:/data busybox ls /data

About committing & pushing containers

It should now be clear that since data volumes aren't part of a container (the union filesystem), committing a container to produce a new docker image won't persist any data that would be in a data volume.

Making backups of data volumes

The docker user guide has a nice article about making backups of data volumes.

Good article reagarding volumes: http://container42.com/2014/11/03/docker-indepth-volumes/

Howto use a docker/swarm secret value as an environment variable in “docker service create”

As stated here https://github.com/docker-library/docs/blob/master/postgres/README.md you may use swarm secrets in postgres service when if you add _FILE suffix like:

docker service create \
    --name postgres \
    --mode global \
    --constraint "node.labels.postgres==master" \
    --network my-network \
    --secret "postgres-password" \
    --env POSTGRES_USER="postgres" \
    --env POSTGRES_PASSWORD_FILE="/run/secrets/postgres-password" \
    postgres:10

If you ask about generic solution for any service, it's not possible without creating container or service, which exposes passwords in clear text (say Nginx which reads passwords from files that are secrets)