Lab Meta
Difficulty: Intermediate
Time: Approximately 15 minutes
In this lab you’ll learn how to create and manage secrets with Docker.
In this lab the terms service task and container are used interchangeably. In
all examples in the lab a service task is a container that is running as part of a
service.
Prerequisites
You will need all of the following to complete this lab:
Perform the following commands from a manager node in your Swarm. This
lab will assume that you are using node1 in your lab.
1. Create a new text file containing the text you wish to use as your
secret.
node1$ ls -l
total 4
-rw-r--r-- 1 root root 10 Mar 21 18:40 sec.txt
2. Use the docker secret create command to create a new secret using the
file created in the previous step.
The command outputs the ID of the newly created secret.
If you created the secret from a remote Docker client, it would be sent to a
manager node in the Swarm over a mutual TLS connection. Once the secret is
received on the manager node it is securely stored in the Swarm's Raft store
using the Swarm's native encryption.
You can now delete the sec.txt file used to create the secret.
Before going any further it’s important to note that once a secret is created it
is securely stored in the Swarm’s encrypted Raft store. This means that you
cannot view it in plain text using the docker secret command.
Perform all of the following commands from a Swarm manager. The lab
assumes you will be using node1 in your lab.
Notice that the docker secret inspect command does not display the
unencrypted contents of the secret.
You can use the docker secret rm command to delete secrets. To delete
the sec1 secret you would use the command docker secret rm sec1. Do not
delete the sec1 secret as you will use it in the next section.
Perform the following commands from a manager node in the Swarm and be
sure to remember that the outputs of the commands might be different in
your lab. For example, service tasks in your lab might be scheduled on different
nodes from those shown in the examples below.
This command creates a new service called sec-test. The service has a single
task (container), is given access to the sec1 secret and is based on
the redis:alpine image.
2. Obtain the name of any of the tasks in the sec-test service (if you've
been following along there will only be one task running in the
service).
Log on to the node running the service task (node1 in this example, but
might be different in your lab) and run a docker ps command.
You will use the CONTAINER ID from the output above in the next step.
NOTE: The two commands above start out by listing all the tasks in the
sec-test service. Part of the output of the first command shows the NODE that each
task is running on; in the example above this was a single task running
on node1. The next command (docker ps) lists all running containers
on node1 and filters the results to show just the containers where the name
starts with sec-test. This means that only containers (tasks) that are part of
the sec-test service are displayed.
3. Use the docker exec command to get a shell prompt on the sec-test
service task. Be sure to substitute the container ID in the
command below with the container ID from your environment (see the
output of the previous step).
node1$ ls -l /run/secrets
total 4
-r--r--r-- 1 root root 10 Mar 21 19:37 sec1
Secrets are only shared with service tasks/containers that are granted access to
them, and they are delivered to the service task over the TLS connections
that already exist between nodes in the Swarm. Once a node has a secret it
mounts it as a regular file into an in-memory filesystem inside the authorized
service task (container). The file is mounted under /run/secrets with the same
name as the secret. In the example above, the sec1 secret is mounted as a file
called sec1.
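The following script is an added example, not part of the lab, that runs the whole flow above from a manager node: it creates the secret from stdin (so no plaintext file like sec.txt is left on disk), confirms that docker secret inspect shows only metadata, grants the secret to a service, locates the task with docker ps, checks inside the task that the secret is a read-only file under /run/secrets on a tmpfs mount, and cleans up. The names sec1, sec-test and redis:alpine follow the lab text; the secret value is a constructed placeholder, and the helper function names are this example's own.

```shell
#!/bin/sh
# secrets-lab.sh: run the lab flow end to end: create a secret, grant it to a
# service, confirm how it appears inside the task, then clean up.
# Added example, not the lab's own code. Names follow the lab text (secret
# sec1, service sec-test, image redis:alpine); the secret value is a
# constructed placeholder. Run it on a Swarm manager (node1 in the lab).
set -eu

SECRET_NAME="${SECRET_NAME:-sec1}"
SERVICE_NAME="${SERVICE_NAME:-sec-test}"
IMAGE="${IMAGE:-redis:alpine}"

# Path at which Swarm mounts a secret inside an authorized task.
secret_path() {
    printf '/run/secrets/%s\n' "$1"
}

# Create a secret from stdin ("-") rather than from a file on disk, so no
# plaintext copy such as sec.txt is left behind to delete later.
# Usage: printf 'value' | create_secret NAME
create_secret() {
    docker secret create "$1" -
}

# Verify a secret file looks the way the lab describes: a regular,
# non-empty, read-only (mode 444) file named after the secret under DIR.
# DIR defaults to /run/secrets; passing another directory lets the check run
# outside a container. Returns 0 when every check passes, 1 otherwise.
check_secret_mount() {
    dir="${2:-/run/secrets}"
    f="$dir/$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "444" ] || { echo "mode $mode on $f, expected 444" >&2; return 1; }
}

# Confirm the secret lives on an in-memory (tmpfs) mount, not on disk.
# Only meaningful inside the task, where /proc/mounts lists the mount.
secret_is_in_memory() {
    grep -Eq "^tmpfs (/run/secrets|/run/secrets/$1) tmpfs " /proc/mounts
}

# The lab's "docker ps" step: ID of a container running a task of SERVICE
# on this node (empty if the task was scheduled on another node).
task_container_id() {
    docker ps -q --filter "name=$1"
}

# Run the checks inside the task; redis:alpine ships the BusyBox tools used.
verify_in_task() {
    cid=$(task_container_id "$SERVICE_NAME" | head -n 1)
    [ -n "$cid" ] || { echo "no $SERVICE_NAME task on this node; check 'docker service ps $SERVICE_NAME'" >&2; return 1; }
    docker exec "$cid" sh -c "
        set -e
        ls -l /run/secrets
        [ \"\$(stat -c %a /run/secrets/$SECRET_NAME)\" = 444 ]
        grep -Eq '^tmpfs (/run/secrets|/run/secrets/$SECRET_NAME) tmpfs ' /proc/mounts
    "
}

# Remove the service before the secret: Swarm refuses to delete a secret
# that a running service still references.
cleanup() {
    docker service rm "$SERVICE_NAME"
    docker secret rm "$SECRET_NAME"
}

main() {
    printf 'constructed-placeholder-value\n' | create_secret "$SECRET_NAME"
    docker secret inspect "$SECRET_NAME"      # metadata only; the value is never shown
    docker service create --name "$SERVICE_NAME" --secret "$SECRET_NAME" "$IMAGE"
    docker service ps "$SERVICE_NAME"         # NODE column shows where the task runs
    verify_in_task
    cleanup
}

# Only run the flow when asked, so the helper functions can be sourced alone.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Usage: sh secrets-lab.sh run on a manager node. If the task is scheduled on a different node, verify_in_task reports that and you run the docker exec step from that node instead, as the lab notes. The cleanup order matters: a secret that is still referenced by a service cannot be removed, so the service goes first.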
Step 5: Clean-up
In this step you will remove all secrets and services, as well as clean up any
other artifacts created in this lab.
This command will remove all services on your Docker host. Only
perform this step if you know you do not need any of the
services running on your system.
$ docker service rm $(docker service ls -q)
<Snip>
2. Remove all secrets on the host.
This command will remove all secrets on your Docker host. Only
perform this step if you know you will not use these secrets again.
$ docker secret rm $(docker secret ls -q)
<Snip>
3. If you haven't already done so, delete the file that you used as the
source of the secret data in Step 1. The lab assumed this was node1 in
your lab.
$ rm sec.txt