DEV Community

Cover image for Docker Secrets in Swarm: Redis use case
Aniello Musella
Aniello Musella

Posted on • Updated on

Docker Secrets in Swarm: Redis use case

In this post I want show how to use Docker Secrets providing a real scenario example using Redis.

What do you need before reading this article?

  • Basic knowledge of Docker technology
  • Basic knowledge of Docker Swarm orchestrator
  • Basic knowledge of Redis
  • Docker installed
  • Access to a Bash shell

What are Docker secrets?

I just quote the definition provided from documentation:

"In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code. ..."

How to create them?

To create a secret you have to run the following command:

am@animusna:~$echo "myPlainSecret" | docker secret create mysecret
acvs814nso28yn105wqc32o8e
Enter fullscreen mode Exit fullscreen mode

The output of this command is the id (acvs814nso28yn105wqc32o8e) of the secret.

To check if your secret has been created run the following command:

am@animusna:~$docker secret ls
ID                          NAME       DRIVER    CREATED         UPDATED
acvs814nso28yn105wqc32o8e   mysecret             5 seconds ago   5 seconds ago
Enter fullscreen mode Exit fullscreen mode

How to use them?

To use a secret you have to map it during the creation of a service (in this case redis like in the documentation:

am@animusna:~$docker service create --name redis --secret mysecret redis:alpine
Enter fullscreen mode Exit fullscreen mode

When you map secret in a service, Docker creates a file named like the secret name (in this case mysecret) in the folder /run/secrets and to prove that we can run the following command:

am@animusna:~$docker container exec $(docker ps --filter name=redis -q) cat /run/secrets/mysecret
myPlainSecret
Enter fullscreen mode Exit fullscreen mode

where the output will be the plain text of the secret that we have created (myPlainSecret).

Real scenario example: Redis authentication with Docker secret

In case we want protect our Redis server we could use the secret created previously as password to connect to our server.

Let's prepare our docker compose file :

version: "3.1"
secrets:
  mysecret:
    external: true  #external=true means we've created the secret before. 

services:
  redis:
    image: redis 
    secrets:
      - mysecret   #We are declaring we are using this secret in this service. 
    command: bash -c "/startup/up-redis.sh" #The command we use to start our Redis server (we execute a shell script).
    ports:
      - "6379:6379"
    volumes:
      - "/home/am/up-redis.sh:/startup/up-redis.sh" # Mapping in the container our script.
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
Enter fullscreen mode Exit fullscreen mode

Let's prepare the start up script for our server up-redis.sh in a specific path (in my case /home/am/):

#!/bin/sh
#Script to startup Redis Server.

#Reading secret in a temporary variable.
REDIS_PASSWORD=`cat /run/secrets/mysecret`

#Start Redis server
redis-server --appendonly yes --requirepass "$REDIS_PASSWORD"  
Enter fullscreen mode Exit fullscreen mode

In this script we set the password for our server using the option --requirepass recovering the secret from /run/secrets/mysecret and putting it inside the variable REDIS_PASSWORD.

Now that is everything ready we can start service:

am@animusna:~$docker stack deploy --compose-file=docker-compose.yaml myapp_stack
Creating network myapp_stack_default
Creating service myapp_stack_redis
Enter fullscreen mode Exit fullscreen mode

To check if we've set the secret to access to our Redis service let's run the following command:

am@animusna:~$echo -e "AUTH myPlainSecret\nPING" | redis-cli
OK
PONG
Enter fullscreen mode Exit fullscreen mode

where we run in the redis-cli the command AUTH for authenticate with our plain secret myPlainSecret and then the command PING to check if we are authenticated (in our case yes because we get a PONG).

Conclusion

In this article I've shown a possible and easy use of Docker secrets to protect sensitive data like it could be a connection password. The use of secrets are very useful in deployment scenario as much as in development scenario where developers should use their own secrets to configure their development environment. According my experience Docker secrets are useful and easy to manage and it's worth to use them if you choose Docker Swarm as orchestrator for your (micro) services.

Top comments (0)