Introducing Docker Secrets Management | Better HN

92 comments

52 comments · 10 top-level

diogomonicapt9y ago· 26 in thread

I think with this release things have come full circle for me. I was part of the team that 5 years ago built Keywhiz at Square, starting the whole "secrets should be files exposed as an in-memory filesystem" thing.

Building it a second time was interesting. One of the biggest reasons why Keywhiz didn't go anywhere was the fact that it is incredibly hard to setup, and requires you to bring your own PKI. This time we didn't make that mistake and integrated directly into Swarm, which is the right place for it to live, and turns setting up your own PKI into a one-liner.

Anyway, AMA.

Disclosure: I work on the Docker Security team

mikegerwitz9y ago

The docs explicitly state "You cannot remove a secret that a running service is using". I'm not comfortable with sensitive secrets remaining plaintext in memory after the running service possibly does not need it anymore (e.g. maybe the service only needs it on startup). It seems like you could rotate the key with something else, but that doesn't seem ideal. Or can the container itself remove the secret "file"?

Consequently, because it's mounted as a filesytem, what if the service is compromised and vulnerable to arbitrary code execution, directory traversal, etc? The secret could then be leaked.

Am I misinterpreting something? How would others here handle this?

Edit: To clarify: rotating a secret will cause the service to restart. So I guess by "doesn't seem ideal", I mean it doesn't seem like an option.

You can update a service to not use a secret once it's not needed. Of course this will restart the task(s) I think. Definitely worth thinking about. Maybe a single-read secret or something.

If a service is compromised, you should always assume the secret is compromised.

So I guess the best-practice approach would be to chown/chmod/rm the file after reading its contents (assuming it'll be restored when you restart the container).

So far my approach was defining environment variables in the various docker-compoose files (in a separate deployment git repo), but this looks like a really nice alternative.

Do you have plans to update the library images to give us a choice between using ENV and secrets (for DB server passwords and the like)?

On an aside: I've gotten the Docker Datacenter announcement mail today. I only took the time to skim its contents quickly and at first thought this was a DDC-only thing. Glad to hear it isn't, keep up the awesome work.

edit: clarified my docker-compose usage

diogomonicapt9y ago

Thanks!

- Exposing secrets as in-memory files has a lot of advantages over ENV variables (harder to leak).

- We already started updating a few images (MySQL, for example), so they can use Docker secrets.

- Definitely not DDC only, but note that RBAC over secrets is a feature of the commercial product.

koolba9y ago

Are the values loaded on the fly each time they're read or is the /run/secrets mount statically defined when the container starts up?

If it's static, follow up to that would be, how are changes propagated to already running instances?

Is there a way to restrict access to reading said secrets once the container is running? Say you're running possibly malicious code that has access to the local filesystem (ex: CI test runner) is there a way to restrict a process from reading those files? Can we simply delete them (i.e. "burn after reading") or are they fully virtual?

sly0109y ago

> Is there a way to restrict access to reading said secrets once the container is running?

I don't know anything about docker, but the best way I found to do this in linux in general was aa_changehat() [0]. You write an apparmor profile for startup and a sub-profile for the running app/service. After setup, you call aa_changehat() to switch the current process to use the subprofile. You then throw away your magic token, so there is no way to switch back.

You don't even have to link to libapparmor, under the hood aa_changehat() just writes some string somewhere in /proc, so you can replicate that. Note, I haven't actually done this, but working on it right now.

[0] http://manpages.ubuntu.com/manpages/wily/man2/aa_change_hat....

eicnix9y ago

From what I understand there are no secruity mechanisms other than authentication to the cluster. How do you prevent somebody that got access to the cluster to just read all your secrets?

Can I plug in my own secret store?

diogomonicapt9y ago

- We're working on external store support. First implementation will probably be w/ Vault, but we would love for this to come from the community.

- If you have access to the managers, you have access to all the secrets (and access to administer the whole cluster), but normal swarm nodes only have access to the secrets required to run services that will be scheduled on them. Also this are erased as soon as the service is deleted or rescheduled on some other node.

sarnowski9y ago

That is the same trust boundary as in Kubernetes currently: https://kubernetes.io/docs/user-guide/secrets/

It is the most important step that you can package containers without having to know the production secrets and to have a "standard" was to retrieve them.

No one, without production access, has a way to obtain them.

What about non swarm containers? Like straight docker and docker-compose?

odc9y ago

docker-compose 1.11.0 will be released soon with support for secrets, probably using the same system.

secrets only work with Swarm services. New compose (1.11) uses a new format version ( v3.1) that allows you to add secrets for services and deploy using docker client ( no need for docker-compose). I don't think there's any plans atm to support secrets for non-swarm containers :(

himanshuy9y ago

Is Docker PCI compliant? My application deals with a lot of PII data. There was a lot of concern in my team over SOC-2 and PCI compliance when I suggested using Docker. We also talked to one of the solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

sarnowski9y ago

A single software piece can't be PCI compliant but only how you use it.

You have to argue that Docker uses the Linux isolation mechanisms that make those containers virtual machines in the sense and spirit of PCI.

Treating containers as VMs makes some other requirements even easier like the request to have a minimal system and to only have one function per server - thats how you want containers to work anyway.

(Btw PCI has nothing to do with PII.)

Diederich9y ago

> solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

I'm curious if you can relate what his reasoning was?

Docker is, among other things, a wrapper around a bunch of Linux kernel functions, the likes of which have been used for many, many years by companies like Google to facilitate all kinds of useful isolation.

diogomonicapt9y ago

You can make a PCI compliant installation w/ Docker yes.

m_mueller9y ago

This is a bit off-topic, but I'll hope for the second "A" in AMA: I still have a bit trouble figuring out how docker envisions URL routing to work. Currently we use a simple setup with Hipache that forwards to our hosts running containers und multiple ports. This would work for failover and scaling as well, however at the point where DBs come into play it gets troublesome because hipache just routes in a round-robin manner instead of keeping routes persistent for each client IP (so you could end up showing them different replicas that are not in sync yet).

Anyways, my issue is: Does Swarm integrate a solution for URL routing and if so, does it tackle the persistency problem?

In the commercial product(DDC) there is something called HTTP Routing Mesh that basically adds URL routing to backend services using the underlying routing mesh in Swarm. It supports both HTTP and HTTPS ( w/SNI). It adds RBAC too to make sure only permitted services can be exposed externally. More details here:

https://success.docker.com/Datacenter/Apply/Docker_Reference...

Hope this helps!

sandGorgon9y ago

is anyone running this stuff in production yet ? not just secrets.. but the whole Docker Swarm with the v3 compose file format thing ?

We have been testing out production clusters with Swarm 1.13 and I think its neat. But what do I know - I'm not a cloud hosting specialist. And the lack of success stories out there is making us nervous.

kossae9y ago

I can honestly say the only thing we found the full Docker line up (Containers, Swarm, Machine, etc.) good for large scale dev or staging/testing stuff. There are definitely uses for each of these tools, or other combinations, that have been successful for other people. It seems like Docker has a lot to focus on keeping up with the superior orchestration platforms that are out now. This in turn means quickly outdated (or missing) docs, inconsistent behavior of certain features, and other little "gotchas".

Depending on the size of your team, I would recommend Kontena (www.kontena.io) or Kubernetes (https://kubernetes.io/). While I haven't used the latter, a group of two devs is re-architecting our entire system to use Docker and Kontena. Nearing the end, the whole process seemed incredibly fast to iterate. While K8s seems far more proven in real production environments, it seemed much more daunting to us with more features than we needed for our use case.

tdhz779y ago

Can you explain to me the benefits of this like I'm 5 years old? Thanks, and sorry I have technical debt.

Since diogomonicapt didn't answer i'll try to give an ELI5 answer ;)

Docker-containers have many advantages, but one of the big drawbacks until now was that it was really hard to pass secrets into them. Imagine you are a simple, stupid Java-container. You handle HTTP-Request and need to access other services like Databases in order to function. In order to connect to the postgres-instance you need to know 3 things: the URL, the database-name and a password. Getting the URL and the database name is easy, just pass them via environment-variables. The tricky thing is how to pass the secret. Environment variables are not encrypted and super easy to read as soon as you have gained access to the container. There were some solutions, but they were complicated. So most just passed them via env-variables. Huge security risk. Very bad.

This solves the problem.

LittleFuckinCat9y ago

Probably they were concerned that users have to store the secrets (certificates, etc...) in the container filesystem - or mount/share the location on the host were the certificate for a specific app is present. Probably there are more ways to do it, but also probably none is end-to-end secure.

With this you can securely store the certificates; takes away the developer's responsibility of taking care of managing and distributing them to their apps, swarm will take care of that in a secure end-to-end fashion.

avaid19969y ago

Looks awesome, congratulations on the release!

neomantra9y ago

This secrets infrastructure is only available at run-time and with Swarm? Are you looking to handle build-time secrets?

diogomonicapt9y ago

Yes: https://github.com/docker/docker/pull/30637

heroprotagonist9y ago· 6 in thread

This is interesting, but in my opinion, it's not quite as universally useful as some of the secret management in other security tools because you have to explicitly manage the secret within your application by reading that in-memory filesystem.

I'd much prefer passing a secret as an environment variable if that can be done securely. It's possible with some tools, but not out of the box with Docker itself.

eg, with one tool, you can do:

# docker run --rm -e PASSWORD={supersecret_password} someimage:latest program

Then '{supersecret_password}' gets replaced in the container at runtime with the value stored in the tool or from an integration with a separate dedicated secret management tool like HashiCorp Vault, and value gets masked external to the container such as when running 'docker inspect' command.

The benefit is that you don't need to modify or maintain a lot of pre-packaged applications that read environment variables instead of looking to the contents of a file on the disk, so it just works out the box.

However, under ordinary circumstances, you may not want to pass secrets as environment variables in docker (or at least be careful about it). A 'docker inspect' command can show any docker user the environment variable and its value, if you don't have a tool to encrypt the contents.

eicnix9y ago

Kubernetes supports this already. You have the choice to either mount the secret into the container file system or set it as a environment variable. https://kubernetes.io/docs/user-guide/secrets/#using-secrets...

tonyhb9y ago

But Kubernetes secrets are stored - and by default transmitted amongst managers - in plain text. And Kube will share secrets with all kubelets, no questions asked. They're not "secrets".

koolba9y ago

How about replacing your entry point with:

    envdir /run/secrets <stuff>

justincormack9y ago

Linux does not hide process environments, you can cat /proc/[pid]/environ to read them. It is not a good way to pass secrets.

heroprotagonist9y ago

True, but people do it anyway and a large number of applications are preconfigured to use them. But to the point, the same tool that hides the secret and encrypts the variable in 'docker inspect' will also show it as encrypted in /proc/[pid]/environ as well.

On mobile so no URLs, etc, but cf. "hidepid" mount option for /proc.

unpythonic9y ago· 2 in thread

This looks amazing. Solving secret distribution across containers will be very useful. Being able to see via `docker secret` exactly which services are using which secrets is an unexpected treat.

I'm a little worried about two aspects of what has been shown. From the article it shows:

    $ docker exec $(docker ps --filter name=redis -q) ls -l /run/secrets
    total 4
    -r--r--r--    1 root     root            17 Dec 13 22:48 my_secret_data

From this we can tell exactly how long the secret is. If the secret service didn't do it for us, I'd like for the secrets to be null-padded to a uniform 2-4K of bytes.

I'm also a bit worried that the default protection on the file has it set to world-readable. Since it appears that secret distribution is independent of the container setup itself, there doesn't appear to be any way of setting ownership and permissions on this file. That is, if one were able to chmod/chown the file in the Dockerfile, running a `docker service update --secret-rm` and `docker service update --secret-add` would reset such 'fixes'.

A great start, and I can't wait to start using it.

cyli9y ago

You can specify the UID, GID, and mode of the secret from within the container: https://docs.docker.com/engine/reference/commandline/service..., and pass the same configuration to the service update command as well.

unpythonic9y ago

Oh, that's great to know. That coupled with filling out the size to an uninteresting length with nulls (or another delimiter) covers my concerns. For example:

    $ echo "my secret" | dd bs=512 conv=sync | docker secret create my_secret_data -

justincormack9y ago· 2 in thread

Comparison of this with other secretes management frameworks here https://medium.com/on-docker/secrets-and-lie-abilities-the-s...

tonyhb9y ago

wrote this as a comment when that article was posted to YC:

tl;dr: author looks at secret management services and reviews them

KeyWhiz: Provides everything you need but with complex PKI management, meaning setup and maintenance is a pain. Secure.

Vault: A+ would test again. Awesome rotation policies, on-demand secret generation via backends, master key sharing. Legit and secure, everything you need but has to be configured on top of your cluster.

Docker: Super easy to use, and it's built in. 10/10 would use again. Keys encrypted at rest, keys encrypted over the wire, and shared with only nodes who need them. Secure all round

Kube: Totally insecure. Plaintext at rest, plaintext over the network, shared everywhere. Basically a plaintext POC

Leon9y ago

Vault is really wonderful to work with, and its integration with consul makes it phenomenally powerful.

simplehuman9y ago· 2 in thread

This is really nice. What is the equivalent in the kubernetes world?

eicnix9y ago

Kubernetes supported secrets for nearly 2 years: https://kubernetes.io/docs/user-guide/secrets/

They currently debate over pluggable secret stores: https://github.com/kubernetes/kubernetes/issues/10439

You can use Hashicorp Vault as a third party resource to store your secrets: https://github.com/Boostport/kubernetes-vault

Kubernetes also supports RBAC to control access to secrets: https://kubernetes.io/docs/admin/authorization/

tonyhb9y ago

Secrets as in passwords and keys stored at rest in plain text. So not really secrets.

tlrobinson9y ago· 2 in thread

It would be neat if you could inject secrets as environment variables. Something like:

    --secret="my_secret:MY_SECRET"

Obviously you could have a script that does

    MY_SECRET=$(cat /run/secrets/my_secret) ./whatever

but a lot of existing containers can be configured via environment variables.

diogomonicapt9y ago

We explicitly chose not to support secrets as ENV variables, since they are prone to being leaked (child processes inhering parent's env; easy to leak ps -e; bug reports usually include ENV of the application; core dumps include ENV of the application, etc etc)

tlrobinson9y ago

Makes sense, but how do child processes not have access to the secrets files?

daveguy9y ago· 1 in thread

Not sure if anyone from docker is watching, but the images are cut off at the side on mobile.

ManoMarks9y ago

Yes, someone from Docker is watching :-). I've alerted the blog team. Thanks for letting us know.

lyschoening9y ago· 1 in thread

Will we be able to use this on Docker Cloud soon?

justincormack9y ago

I believe it is coming soon yes.

doublerebel9y ago

Comparing this to Vault (with which I have been very satisfied):

The article mentions a single master key for cluster encryption. Are there any plans to split this as in Shamir's Secret Sharing?

How do secrets and secret authorizations renew and expire?

Any plans for limited-use tokens/secrets?

mnm19y ago

Is there a way to manage secrets during the build process itself without specifying them on the command line / docker compose files?

j / k navigate · click thread line to collapse