Document secrets

[mdlinville]

Describe the proposed changes

Add docs for using secrets, addresses #529.

Unreleased project version

Engine 1.13

Related issue

#529

Related issue or PR in another project

see #529

Please take a look

@ehazlett @thaJeztah @mrjana @stevvooe and please add anyone else who should review.

[stevvooe]

Why not secrets?

[mdlinville]

oh, I suppose.... I just don't think secrets means anything to anyone. :)

[diogomonica]

Agreed. Let's use sensitive data.

[cyli]

Non-blocking: it looks like in the rest of the documentation there is a parenthetical "(secrets)" after "manage sensitive strings" - should that also be included here so folks can more easily find it in the TOC if they're specifically looking for the word "secrets"?

[stevvooe]

I just don't think secrets means anything to anyone. :)

This is literally the name of the feature. If it doesn't yet have meaning, we need to make it have meaning.

But, it is literally the industry standard word:

https://spring.io/blog/2016/06/24/managing-secrets-with-vault
http://kubernetes.io/docs/user-guide/secrets/
moby/moby#13490
http://techblog.mdsol.com/2015/10/30/Using-Secrets-Safely-in-Docker-Builds.html
https://square.github.io/keywhiz/
https://eng.lyft.com/announcing-confidant-an-open-source-secret-management-service-from-lyft-1e256fe628a3#.c72aeukpn

[stevvooe]

the secrets may be stored unecrypted in those nodes' RAFT logs.

I'm not sure that we opaquely store secret data in older versions.

@diogomonica @cyli ?

[diogomonica]

If we're in a situation where there is a 1.12 manager in a 1.13 cluster, and someone adds a secret, the 1.12 manager will write the secrets unencrypted to disk.

The upgrade path should be: upgrade all the managers to 1.13, and then start using secrets.

[diogomonica]

We should probably add something about how to securely upgrade from a 1.12, or a note that to use secrets securely, make sure that all of the manager nodes are running 1.13

[stevvooe]

@diogomonica While RAFT messages may be written to disk opaquely, I'm not sure that a manager with 1.12 snapshot structure definition will actually do this. None of our types have opaque field preservation, as far as I can tell. Looks like this was removed in proto3, as described in protocolbuffers/protobuf#272.

The upgrade path should be: upgrade all the managers to 1.13, and then start using secrets.

I agree and this language is sufficient to protect users against leaks, even if not precisely accurate. We may want to make this stronger and warn users to make sure the entire cluster is on 1.13 before performing cluster mutations.

The only data loss scenario @aaronlehmann and I could work out was if a 1.12 engine was elected leader in a mixed-version cluster. We may be able to downweight older engines in the master election process to minimize this possibility.

The other scenarios for data loss considered are 1.12 proxying to 1.13 leader, but this is a non-issue, since the JSON API prevents opaque field transfer.

[aaronlehmann]

The only data loss scenario @aaronlehmann and I could work out was if a 1.12 engine was elected leader in a mixed-version cluster.

Or if that engine is upgraded to 1.13 and later becomes the leader. It will be missing the data.

[cyli]

@diogomonica While RAFT messages may be written to disk opaquely, I'm not sure that a manager with 1.12 snapshot structure definition will actually do this. None of our types have opaque field preservation, as far as I can tell. Looks like this was removed in proto3, as described in protocolbuffers/protobuf#272.

It might be written as a WAL.
Update: tested this manually - it is not written to the snapshot, but it is written to the WAL.

[stevvooe]

@ehazlett /run/secrets runs afoul of FHS standards. Do we link to /var/run to /run?

From https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard:

In FHS 3.0, /var/run is replaced by /run; a system should either continue to provide a /var/run directory, or provide a symbolic link from /var/run to /run, for backwards compatibility.[10]

I think we just need to make sure that /run is not a fork of /var/run. Accessing /var/run/secrets or /run/secrets should be equivalent, recommending the later.

[ehazlett]

Yes /var/run is linked to /run

[stevvooe]

A few nits, but, otherwise, a great doc!

[diogomonica]

Looks good overall.

We're missing examples and a description of the advanced syntax for secrets, and more importantly, an example of how to rotate a secret.

[diogomonica]

the use of strings is weird. what about sensitive data everywhere?

[mdlinville]

Could you store sensitive data that isn't a string?

[diogomonica]

String has a very specific meaning for developers and programmers. I think we want to avoid using that term. The term blob would technically be more adequate, but I think sensitive data reads a lot better.

[diogomonica]

string -> a blob of data

[diogomonica]

Definitely not a credit card number. Lets remove that.

[diogomonica]

starting with?

[diogomonica]

and you want to securely distribute the credentials to your application containers

[diogomonica]

We should probably add something about how to securely upgrade from a 1.12, or a note that to use secrets securely, make sure that all of the manager nodes are running 1.13

[diogomonica]

add: and are completely removed from the node's memory.

[diogomonica]

I like store sensitive data instead of sensitive strings

[diogomonica]

We should probably document why we don't support environment variables in the first place. They are less secure than files.

See: moby/moby#9176 (comment)

[diogomonica]

We need an example for rotation of a secret (add a new secret, remove the old one, and ensure the new secret has the same target as the old one.

We should probably also give advanced examples on how to change the permissions of the secret file, and the use of source=bla,target=bla,uid=1000,gid=1000,mode=0700

[thaJeztah]

Hm, for fun I tried adding a binary as secret, and that works 😄

$ docker run --name hola hello-world

$ docker cp hola:/hello .
$ cat hello | docker secret create hello
r4gmhiw6fmiorqfk5reqbyryr

$ docker service create --name foo --secret source=hello,target=hello,mode=0755 nginx:alpine


$ docker exec $(docker ps -n1 -q --filter label=com.docker.swarm.service.name=foo) /run/secrets/hello

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
 https://hub.docker.com

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Should we document what size limits there are to secrets? (I don't think we put a size limit on there, but given that secrets are in memory, using many / big data there could have consequences perhaps?)

[ehazlett]

Yes there is a size limit of 500 KB (https://github.com/docker/swarmkit/blob/master/manager/controlapi/secret.go#L22) per secret. We should document this.

[mdlinville]

@diogomonica @ehazlett @stevvooe @cyli @toli PTAL. I think the topic is starting to shape up nicely. I addressed the feedback so far, and added a section on rotating secrets. Still waiting on an update to the official mysql image so that I can use that in the example instead of mysql/mysql-server.

[mdlinville]

cc/ @johndmulhausen @hansfrederickbrown

[stevvooe]

LGTM

[mdlinville]

Added info about binary content and 500kb limit.

[cyli]

WORDPRESS_DB_PASSWORD_FILE (correctly set in the example down below)

[cyli]

Non-blocking: do you mean if you docker start the stopped container?

[mdlinville]

No, I was trying to cover the case where a node is running more than one task, each of which may have access to the same secret. When one of the containers stops, it doesn't have access to the secret anymore. If none of a node's task containers need access to a given secret anymore, I think the secret is flushed from the node as well, unless the node is acting as a backup master. Right? Is there a better way to put this?

[cyli]

I think your new change is great - I was wondering if you were specifically trying to call out doing a commit in a running container so it'd be available later, or restarting a container, or otherwise checking the contents of the stopped container on disk, etc.

[cyli]

The example below uses the wordpress:latest image now (this comment refers to mistysj/wordpress). :) Thanks for getting the official image updated!

[cyli]

"create a new secret with..."

[mdlinville]

Done

[mdlinville]

Addressed @cyli feedback, tried to reword the area about when secrets get removed from a node's memory. PTAL at that section again and give me suggestions how I can improve it.

[diogomonica]

Again, this is looking better and better. We need

• Another document that talks about lock/unlock/rotation that we link from this document when we talk about encryption
• An easier example for secrets, for example (in one swarm manager cluster):

# docker secret create secret_data.txt
# docker service create --name redis --secret=secret_data.txt redis:alpine 
# docker ps
# docker exec -it redis cat /run/secrets/secret_data.txt

I think this would show exactly how this works faster than the MySQL example.

[diogomonica]

maybe we replace "accessible within those containers" to "accessible to those services"?

Other than that, beautiful.

[mdlinville]

done

[diogomonica]

database credentials

[mdlinville]

I really did mean the database name, separately from the credentials (username and password). For instance, you can specify that as a file with the new wordpress image enhancements.

[mdlinville]

Reworded a bit.

[diogomonica]

We should probably link here to another document talking about unlock and unlock-key, and how the key used for encryption is stored and how it can be managed/rotated/etc.

[mdlinville]

Waiting for #694 to be merged.

[diogomonica]

let's use mysq_password_v2 instead of 2016

[diogomonica]

and requires sensitive data, such as...

[diogomonica]

I would do since it's easy for environment variables to be unintentionally leaked

[mdlinville]

Done

[cyli]

@mstanleyjones This looks great, thank you! I just wasn't sure if you were trying to emphasize something in particular, and this removes that confusion. Appreciate all your hard work on this! Other than @diogomonica's suggestion for lock and unlock, this all LGTM!

[ehazlett]

Should this be secrets.md@example-use-secrets-with-a-service?

[thaJeztah]

probably @ -> # as well?

[mdlinville]

Fixed.

[ehazlett]

one minor comment otherwise LGTM -- nice work!

[cyli]

Oops, sorry I missed this earlier. The ID is not the digest - the ID is opaque.

[cyli]

Also, many apologies for springing this on you at the last minute, but moby/moby#28727 (comment) removes displaying sizes and digests at all when you inspect. Could you delete the last column in this sample output? (the size column?)

[mdlinville]

Addressed latest feedback. Thanks @cyli !

[mdlinville]

Modified the instructions in the mysql lab now that docker-library/mysql#237 is merged and the mysql image has been updated!

[cyli]

"environment" mispelling :)

[cyli]

Also, non-blocking nitpick - this reads to me like the environment variable reads values from a file? Whereas it's the script within the image which reads the file pointed at from the environment variable. I'm not sure the best way to say this in a clear way, but maybe something like "additional environment variables, which lets mysql read secret values from a file..."

That may make the next sentence a bit redundant though.

[cyli]

@mstanleyjones Thank you! I have a minor spelling/phrasing nitpick, but everything looks great! 👍 LGTM!

[cyli]

@thaJeztah Also, 👍 on the separate wordpress and mysql users!

[thaJeztah]

wow your shell-fu is WAY better than mine!

"Learn by example" - I looked into some of @tianon's scripts to see how it's done 👑

Also, in the revised example, should we mention that the service update to mysql causes the container to restart and thus would cause a disruption in the wordpress service?

Probably good to mention.

My goals were, first of all, to avoid having password in plain text on-disk. I know a lot of work has gone into the secrets feature to avoid just that, and ending up with writing to plain text files in the documentation didn't feel "right".

At first, I wanted to avoid the docker exec as a whole, and spin up a mysql container to use as client (which is the "neat" way to do it). Unfortunately, we don't have secrets yet on docker run, so that didn't work.

As a follow up to this PR, we should do some thinking about how to actually use the secrets in various situations. For example, the WordPress image still sets the secrets through environment variables, so a stray phpinfo() page (yup expect those to be in a lot of setups) will happily show the password;

Preventing that needs changes to the configuration files of images, so we may want some examples for that.

[cyli]

My goals were, first of all, to avoid having password in plain text on-disk. I know a lot of work has gone into the secrets feature to avoid just that, and ending up with writing to plain text files in the documentation didn't feel "right".

Yep, don't disagree, although in theory it's on your local machine, so less terrible. It can also be stored in a password manager such as the lastpass CLI, which would also let you pipe it into secrets, but wasn't sure if that'd be too much for an example.

At first, I wanted to avoid the docker exec as a whole, and spin up a mysql container to use as client (which is the "neat" way to do it). Unfortunately, we don't have secrets yet on docker run, so that didn't work.

Can we use a service with --restart-condition=none?

docker service create \
  --name=mysql_password_rotation \
  --network=wpnet \
  --secret=mysql_password \
  --secret=mysql_password_v2 \
  --restart-condition=none \
  mysql \
  bash -c 'mysqladmin --host=mysql --user=wordpress --password="$(< /run/secrets/mysql_password)" password "$(< /run/secrets/mysql_password_v2)"'

I'm not sure if we're starting to get into weird service esoteric stuff, now, though :)

As a follow up to this PR, we should do some thinking about how to actually use the secrets in various situations. For example, the WordPress image still sets the secrets through environment variables, so a stray phpinfo() page (yup expect those to be in a lot of setups) will happily show the password

Ah good catch. :| I didn't realize it'd be part of the process's environment - I'd only checked mysql's, which didn't seem to be. cc @tianon

[thaJeztah]

I'm not sure if we're starting to get into weird service esoteric stuff, now, though :)

definitely taking it too far. we can revisit once (if) secrets are available for docker run

Ah good catch. :| I didn't realize it'd be part of the process's environment - I'd only checked mysql's, which didn't seem to be.

Was already discussing with him; we could probably unset the env-vars directly after they have been consumed. Help me remind, I can try a pull request (or bake Tianon some cookies for christmas)

[mdlinville]

Pushed some updates. This puts back the mysql service and also uses @thaJeztah magical way to update the password in MySQL. The only thing it doesn't do yet is use a non-root user for the database. Need to figure out how to do that.

[thaJeztah]

Left some hints what needs to be changed to make the wordpress user work

[thaJeztah]

You need two secrets here; one for the root password and one for the wordpress user;

docker service create \
  --name mysql \
  --replicas 1 \
  --network=mysql_private \
  --mount type=volume,source=mydata,destination=/var/lib/mysql \
  --secret=mysql_root_password \
  --secret=mysql_password \
  -e MYSQL_ROOT_PASSWORD_FILE="/run/secrets/mysql_root_password" \
  -e MYSQL_PASSWORD_FILE="/run/secrets/mysql_password" \
  -e MYSQL_DATABASE=wordpress \
  -e MYSQL_USER=wordpress \
  mysql

here;

• MYSQL_ROOT_PASSWORD_FILE sets the path to the secret for the root password
• MYSQL_PASSWORD_FILE sets the path to the secret for the regular user's (wordpress) password
• MYSQL_DATABASE sets the name of the database to create the first time the service is started
• MYSQL_USER sets the name of the user to create the first time the service is started

[thaJeztah]

Make sure to use the right secret for the right user.

[thaJeztah]

You need to add WORDPRESS_DB_USER here, to set the name to use for connecting to the MySQL database;

-e WORDPRESS_DB_USER=wordpress \

[thaJeztah]

Add a volume here, so that the WordPress data is preserved when updating the service;

--mount type=volume,source=wpdata,destination=/var/www/html \

[mdlinville]

What WordPress data is that? I thought it stored everything in the MySQL database....

[thaJeztah]

The WordPress installation (theme, uploads, configuration, etc)

[thaJeztah]

this will be docker service rm mysql, or combine with the previous one (docker service rm wordpress mysql)

also, the named volumes can be cleaned up afterwards

[mdlinville]

OK, the latest update uses a separate wordpress database, user, and secret. I still need to set the the MySQL root password, but it's not used after MySQL starts up.

This is getting very close to being ready to go, IMHO. I guess the only outstanding concern is the WordPress environment variable, right @thaJeztah ?

[mdlinville]

BTW I don't need to use WORDPRESS_DB_USER because it defaults to wordpress.

[thaJeztah]

I guess the only outstanding concern is the WordPress environment variable

That's something to be addressed in the official WordPress image; I haven't had time to look into that yet, but it's orthogonal to this PR

BTW I don't need to use WORDPRESS_DB_USER because it defaults to wordpress.

Oh, yes, it probably defaults to that; doesn't hurt to be explicit, but I'm also fine to skip setting it

[thaJeztah]

Some last bits and nits, but I think we're almost there

[thaJeztah]

small nit; remove (digest) here; the ID of secrets have no relation to the content of the secrets (otherwise they may potentially "leak" the content).

[thaJeztah]

nit: missing "more" before "than"

[thaJeztah]

nit: "when the image starts" -> "when the container starts"

[thaJeztah]

👍

[thaJeztah]

remove "and store it in file in the ..." part, as it's no longer needed

[thaJeztah]

This is something we need to fix; doing --secret-rm and --secret-add should be possible in a single update

[thaJeztah]

It's better to use the built-in filter functionality here (and -q to only show the ID;

docker ps -q --filter name=mysql

[thaJeztah]

typo accsss

[mdlinville]

Fixed latest problems found by @thaJeztah and also got a review from my friend @bskaggs as well. He spotted things I could no longer see, I've been looking at this too long!

[thaJeztah]

need to add wpdata here as well now

[thaJeztah]

LGTM, left one quick nit, and possibly someone else may want to have a final look, because i'm now probably blind as well 😄

[mdlinville]

@thaJeztah nit fixed, and a few more picky formatting tweaks. I think this is ready to merge but I'd like input from @cyli @diogomonica @NathanMcCauley

[cyli]

Non-blocking: since we had the example above of docker exec $(docker ps --filter name=redis -q) cat /run/secrets/my_secret_data, can we use that same command here instead of <container_id>?

[cyli]

Non-blocking: Since all of these examples (redis, nginx, and wordpress) presume a single-Engine swarm, should that part of this note be moved to the top of the examples section? (Similarly for the wordpress example)

[cyli]

Maybe something like "This example does not require a custom image; it copies the site.conf into place and runs the container all in one step"?

[cyli]

Non-blocking: Should we just say "Raft logs" here, since above we mention that secrets are stored in the raft logs? It's true that they are written to the WAL (and snapshot, later on), but that might be too much raft detail for this document, particularly since we never say what WAL stands for.

[cyli]

Should we mention that this first password is for the wordpress user for mysql? Or at least a non-root user?

[cyli]

Nonblocking nitpick: should this be "may"? If it's something simple like an API key the service just access, just changing the service spec should be fine. Alternately, this is likely always the case with databases, so maybe we can call out DBs specifically here?

[cyli]

We don't change the root password at all in this example, right? Could we clarify this example to say that we don't need to adjust the service's access to the MySQL root password, since it's not being modified?

[cyli]

"mysqladmin CLI", as opposed to "mysql CLI"

[mdlinville]

Addressed @cyli feedback, and also pushed a second commit which updates the syntax of the -f flag to docker create, as per moby/moby#29889.

[cyli]

LGTM!

[thaJeztah]

still LGTM

we can update the syntax once moby/moby#29955 was decided on.

Thanks again, @mstanleyjones !