78

Currently we are running an application on a single docker container; the application needs all sorts of sensitive data to be passed as environment variables.

I'm putting those on the run command so they don't end up in the image and then in a repository; however, I end up with a very non-secure run command.

Now, I understand that docker secrets exist; however, how can I use them without deploying a cluster? Or is there any other way to secure this data?

Best Regards,

3 Answers

89

Yes, you can use secrets if you use a compose file. (You don't need to run a swarm).

You use a compose file with docker-compose: there is documentation for "secrets" in a docker-compose.yml file.

I switched to docker-compose because I wanted to use secrets. I am happy I did, it seems much more clean. Each service maps to a container. And if you ever want to switch to running a swarm instead, you are basically already there.

Note: Secrets are not loaded into the container's environment, they are mounted to /run/secrets/

Here is an example:

  1. Project structure:
|
|---    docker-compose.yml
|---    super_duper_secret.txt
  2. docker-compose.yml contents:
version: "3.6"

services:
  my_service:
    image: centos:7
    entrypoint: "cat /run/secrets/my_secret"
    secrets:
      - my_secret

secrets:
  my_secret:
    file: ./super_duper_secret.txt
  3. super_duper_secret.txt contents:
Whatever you want to write for a secret really.
  4. Run this command from the project's root to see that the container does have access to your secret (Docker must be running and docker-compose installed):
docker-compose up --build my_service

You should see your container output your secret.
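The application-side counterpart to the note above that compose secrets arrive as files under /run/secrets rather than as environment variables, as an added example that is not from the answer or from Docker: a small Python loader that reads the mounted file, honours the <NAME>_FILE convention used by many official images (an assumption, not something the answer mentions), and ignores a plain environment variable unless explicitly allowed. The selfcheck uses a temporary directory with constructed values in place of /run/secrets.

```python
import os
import tempfile
from pathlib import Path

# Default mount point docker-compose and swarm use for file-based secrets.
DEFAULT_SECRETS_DIR = Path("/run/secrets")


class MissingSecret(RuntimeError):
    """Raised when a required secret is found in none of the supported locations."""


def load_secret(name, secrets_dir=DEFAULT_SECRETS_DIR, env=None, allow_env=False):
    """Resolve a secret by name, preferring files over environment variables.

    Order: 1) <NAME>_FILE env var pointing at a file (the *_FILE convention many
    official images use, assumed here), 2) <secrets_dir>/<name>, where compose
    mounts it, 3) plain <NAME> env var only if allow_env=True (legacy fallback).
    """
    env = os.environ if env is None else env
    candidates = []
    file_var = f"{name.upper()}_FILE"
    if file_var in env:
        candidates.append(Path(env[file_var]))
    candidates.append(Path(secrets_dir) / name)
    for path in candidates:
        if path.is_file():
            # Strip the trailing newline editors usually add to the secret file.
            return path.read_text(encoding="utf-8").rstrip("\r\n")
    if allow_env and name.upper() in env:
        return env[name.upper()]
    raise MissingSecret(f"{name!r} not found; tried {[str(p) for p in candidates]}")


def selfcheck():
    # Constructed data: a temp dir stands in for the /run/secrets mount.
    with tempfile.TemporaryDirectory() as tmp:
        secrets_dir = Path(tmp)
        (secrets_dir / "db_password").write_text("hunter2\n")
        from_mount = load_secret("db_password", secrets_dir, env={})
        alt = secrets_dir / "alt.txt"
        alt.write_text("from-file-var")
        from_file_var = load_secret("db_password", secrets_dir, env={"DB_PASSWORD_FILE": str(alt)})
        try:  # a plain env var is ignored unless allow_env=True
            load_secret("api_key", secrets_dir, env={"API_KEY": "plain"})
            missing = False
        except MissingSecret:
            missing = True
        return from_mount, from_file_var, missing
```

Point `secrets_dir` at the real /run/secrets inside the container and the same code reads whatever the compose `secrets:` block mounted there.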

13

You can't... It does not support secrets without Swarm. Unless ''maybe'' you ''Swarm'' using only one node.

The other solution would be, I think, to use a third-party vault software like this one:

https://www.vaultproject.io/

But then, to use the secrets in your containers from Vault, you would need to read the doc.

Hope this brings you to the right path to start.

yield
  • 858
3

Yes (but actually No)

No. Currently Docker doesn't support config & secrets if you're not in a swarm.

But the docker compose spec does have configs & secrets specs.

So how does it work?

It actually creates a docker volume to make you believe the functionality is there; more concretely, it's a bind mount.


That's a big difference with swarm if you want to deploy your app remotely!

Example:

services:
  test:
    image: alpine
    secrets:
      - source: my_secret
secrets:
  my_secret:
    file: $PWD/secret

is relatively identical to this:

services:
  test:
    image: alpine
    volumes:
      - $PWD/secret:/run/secrets/my_secret:ro

If you look at your volumes with docker inspect <container> and you're using secrets, you will see that your secrets are just local bind volumes.

Fl_ori4n
  • 131