21 Days of Docker - Day 18 - Docker Security
Welcome to Day 18 of 21 Days of Docker. The topic for today is Docker Security. Today my focus is on three topics:
- Security scanning using Docker Trusted Registry
- Managing secrets in Swarm
- Docker Content Trust
Security scanning using Docker Trusted Registry
Docker Trusted Registry (DTR) ships with Docker Enterprise Edition, and one feature I really like is DTR security scanning. Before going there, what is Docker Trusted Registry?
Docker Trusted Registry is an on-premises registry that allows enterprises to store and manage their Docker images on their own infrastructure.
DTR runs a security scan on your image, and you can then view the results.
Managing secrets in Swarm
- In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code.
- In Docker 1.13 and higher, you can use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it.
- Secrets are encrypted during transit and at rest in a Docker swarm.
- A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.
- Step 1: Create a file containing the secret
$ cat mysecret
username: admin
pass: admin123
- Step 2: Create the secret from the file (it can also be read from STDIN)
$ docker secret create mysupersecret mysecret
uzvrfy96205o541pql1xgym4s
- Step 3: List the secrets
$ docker secret ls
ID                          NAME            DRIVER    CREATED          UPDATED
uzvrfy96205o541pql1xgym4s   mysupersecret             13 seconds ago   13 seconds ago
- Step 4: The secret is stored encrypted, so even if we inspect it we cannot see its contents; only the metadata is shown
$ docker secret inspect uzvrfy96205o541pql1xgym4s
[
    {
        "ID": "uzvrfy96205o541pql1xgym4s",
        "Version": {
            "Index": 41
        },
        "CreatedAt": "2019-10-25T17:22:01.841559963Z",
        "UpdatedAt": "2019-10-25T17:22:01.841559963Z",
        "Spec": {
            "Name": "mysupersecret",
            "Labels": {}
        }
    }
]
- Now let's create a service whose containers are granted this secret
$ docker service create --name mynginx1 --secret mysupersecret nginx
ueugjjkuhbbvrrszya1zb5gxs
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
- Let's log in to the container started by the service
$ docker exec -it 48a4c7e74a8e bash
root@48a4c7e74a8e:/# cd /run
root@48a4c7e74a8e:/run# ls
lock nginx.pid secrets utmp
# cd secrets/
- As you can see, the container has access to the secret file, mounted at /run/secrets/mysupersecret
# cat mysupersecret
username: admin
pass: admin123
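The steps above show the operator side: the secret is created in the swarm, granted to a service, and appears inside the container as a file under /run/secrets. The following is an added example (not part of the original post) of the application side: reading the secret from that mount instead of from an environment variable or baked-in config. It assumes the layout the post shows (a file named after the secret, with "key: value" lines such as "username: admin"), treats a missing file as "this service was not granted the secret", and also supports the `<VAR>_FILE` convention many official images use to point at a mounted secret. The secrets directory is a parameter so the code can be exercised against a temporary directory without a swarm.

```python
"""Read Docker Swarm secrets from their /run/secrets mount (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional

DEFAULT_SECRETS_DIR = "/run/secrets"  # where swarm mounts granted secrets (tmpfs)


def _read_secret_file(path: Path) -> str:
    """Read a secret file and drop a single trailing newline added by editors."""
    data = path.read_text(encoding="utf-8")
    return data[:-1] if data.endswith("\n") else data


def read_secret(name: str, secrets_dir: str = DEFAULT_SECRETS_DIR) -> str:
    """Return the contents of secret `name` mounted under `secrets_dir`.

    A secret that was not granted to the service simply does not exist as a
    file, so a missing file is reported as a configuration error rather than
    an empty value.
    """
    path = Path(secrets_dir) / name
    if not path.is_file():
        raise FileNotFoundError(
            f"secret {name!r} is not mounted at {path}; "
            f"was the service created with --secret {name}?"
        )
    return _read_secret_file(path)


def parse_kv_secret(text: str) -> Dict[str, str]:
    """Parse the 'key: value' format used for mysecret in the post.

    Blank lines and '#' comments are ignored; only the first ':' splits a line
    so values may themselves contain colons.
    """
    result: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def resolve_secret(var: str, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Resolve a credential using the <VAR>_FILE convention.

    If <VAR>_FILE is set it must point at a mounted secret file, which is read
    and returned. A plain <VAR> is honoured only as a fallback so that a swarm
    deployment can stop passing secrets through the environment entirely.
    Returns None when neither is set.
    """
    env = os.environ if env is None else env
    file_var = f"{var}_FILE"
    if file_var in env:
        path = Path(env[file_var])
        return read_secret(path.name, str(path.parent))
    return env.get(var)


def demo() -> dict:
    """Run the helpers against a constructed secret in a temp dir (no swarm needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "mysupersecret"
        # Constructed sample: the same contents the post shows for mysecret.
        secret_path.write_text("username: admin\npass: admin123\n", encoding="utf-8")
        raw = read_secret("mysupersecret", tmp)
        parsed = parse_kv_secret(raw)
        via_file_var = resolve_secret("DB_CREDS", {"DB_CREDS_FILE": str(secret_path)})
        try:
            read_secret("notgranted", tmp)  # this secret was never granted
            missing_detected = False
        except FileNotFoundError:
            missing_detected = True
    return {
        "raw": raw,
        "parsed": parsed,
        "via_file_var": via_file_var,
        "missing_detected": missing_detected,
        "unset": resolve_secret("DB_CREDS", {}),
    }


if __name__ == "__main__":
    print(demo())
```

Inside a real service task, `read_secret("mysupersecret")` with the default directory reads the same file the `cat /run/secrets/mysupersecret` above displays; because the mount is a tmpfs populated only for tasks of services granted the secret, the value never lands in the image, the compose file, or `docker inspect` output.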
Please follow me on my journey:
- Website: http://100daysofdevops.com/
- Twitter: @100daysofdevops or @lakhera2015
- Facebook: https://www.facebook.com/groups/795382630808645/
- Medium: https://medium.com/@devopslearning
- GitHub: https://github.com/100daysofdevops/21_Days_of_Docker
This time, to make learning more interactive, I am adding:
- Slack
- Meetup
Please feel free to join these groups.
Slack:
Meetup Group
If you are in the Bay Area, please join this meetup group: https://www.meetup.com/100daysofdevops/