Introduction to Docker password-related information management
Containers are changing how we view applications and infrastructure. Whether the amount of code in a container is large or small, the container architecture changes the way code interacts with hardware: it abstracts the code away from the infrastructure. For container security in Docker, there are three key components that interact to create inherently safer applications.
A key factor in building safer applications is secure communication with other systems and applications, which usually requires certificates, tokens, passwords and other types of authentication credentials, usually called the application's secrets. We are very happy to launch Docker Secrets, a container-native solution that strengthens the Trusted Delivery component of container security by integrating secret distribution directly into the container platform.
With containers, applications are dynamic and portable across multiple environments. This makes existing solutions for distributing secrets somewhat inadequate, because they were all built for static environments. Unfortunately, this has led to an increase in poor management of secrets in applications, commonly through insecure, homegrown solutions (such as embedding sensitive information in version control systems like GitHub, or other approaches that are equally bad).
Fundamentally, we believe that applications are safer if there is a standard interface for accessing secrets. Any good solution must also follow security best practices: encrypting secrets in transit; encrypting secrets at rest; preventing secrets from being inadvertently leaked when consumed by the application; and strictly adhering to the principle of least privilege, so that an application can access only the secrets it needs, no more and no less.
By integrating secrets into Docker orchestration, we can deliver a solution for secrets management that follows these exact principles.
The rest of this post provides a high-level view of how the Docker swarm mode architecture securely transmits a new type of object, a secret object, to our containers.
Docker Secrets Management
In Docker, a secret is any blob of data, such as a password, SSH key, TLS credential, or any other piece of sensitive data. When you add a secret to the swarm with docker secret create, Docker sends the secret to the swarm manager over a mutually authenticated TLS connection, using the built-in certificate authority that is created automatically when a new swarm is bootstrapped.
$ echo "This is a secret" | docker secret create my_secret_data -
Once the secret reaches a manager node, it is saved to the internal Raft store, which is encrypted using NaCl's Salsa20Poly1305 with a 256-bit key, so that secret data is never written to disk unencrypted. Writing the secret to the internal store gives it the same high availability as the rest of the swarm data.
When a swarm manager starts, the encrypted Raft logs containing the secrets are decrypted using a data encryption key that is unique to each node. This key, along with the node's TLS credentials used to communicate with the rest of the cluster, can be encrypted with a cluster-wide key encryption key, called the "unlock key", which is also propagated using Raft and is required when the manager starts.
When a newly created or running service is granted access to a secret, one of the manager nodes (only managers have access to all of the stored secrets) distributes it over the established TLS connection exclusively to the nodes running that specific service. This means the nodes themselves cannot request secrets; they can only receive a secret when a manager provides it, strictly limited to the services that need it.
$ docker service create --name="redis" --secret="my_secret_data" redis:alpine
The unencrypted secret is mounted into the container in an in-memory filesystem at /run/secrets/<secret_name>.
$ docker exec $(docker ps --filter name=redis -q) ls -l /run/secrets
total 4
-r--r--r--    1 root     root            17 Dec 13 22:48 my_secret_data
If a service is removed or rescheduled elsewhere, the manager immediately notifies all nodes that no longer need access to the secret to delete it, and those nodes no longer have access to the application's secret.
$ docker service update --secret-rm="my_secret_data" redis
$ docker exec -it $(docker ps --filter name=redis -q) cat /run/secrets/my_secret_data
cat: can't open '/run/secrets/my_secret_data': No such file or directory
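The workflow above mounts the secret at /run/secrets/<secret_name> and removes the file when access is revoked. The following entrypoint helper is an added example, not code from the original post or from Docker: it reads a secret from that mount, rejects a missing or writable file, and never exports the value into the environment. SECRETS_DIR is an assumed override so the helper can be exercised outside a swarm task; inside a container it resolves to /run/secrets.

```shell
#!/bin/sh
# Added example (not from the original post): read a swarm secret from the
# in-memory /run/secrets mount instead of an environment variable or image layer.
# SECRETS_DIR is an assumed override for testing outside a swarm task.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME
#   Prints the secret on stdout with trailing newlines removed (the 17-byte
#   file in the listing above includes the newline that `echo` appended).
#   Returns 1 if the secret is not mounted (the state after --secret-rm),
#   2 if NAME is not a plain file name, and 3 if the file is writable, which
#   means it is not the read-only 0444 mount that swarm provides.
read_secret() {
    name="$1"
    case "$name" in
        ""|*/*|.|..) echo "invalid secret name '$name'" >&2; return 2 ;;
    esac
    f="$SECRETS_DIR/$name"
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "secret '$name' is not mounted at $f" >&2
        return 1
    fi
    # Inspect the permission string rather than `test -w`: root passes -w
    # regardless of mode bits, so -w would not catch a writable copy.
    case "$(ls -ld "$f" | cut -c2-10)" in
        *w*) echo "secret '$name' is writable; refusing to use it" >&2; return 3 ;;
    esac
    cat "$f"
}

# Typical entrypoint use: fetch the password and hand it to the service
# without exporting it. Runs only when a secret name is passed as $1.
if [ $# -gt 0 ]; then
    REDIS_PASSWORD="$(read_secret "$1")" || exit $?
    exec redis-server --requirepass "$REDIS_PASSWORD"
fi
```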
See the Docker secrets documentation for more information and examples on creating and managing your secrets. I would also like to thank Laurens Van Houtven for working with the Docker security and core teams to make this feature a reality.
Use applications more securely with Docker
Docker secrets are designed to make it easy for developers and IT operations teams to build and run safer applications. It is the first solution designed to ensure that secrets are only available to the specific container that needs them to perform a necessary operation. From defining applications and secrets with Docker Compose, to IT administrators deploying that Compose file in Docker Datacenter, the secrets, networks and volumes are encrypted and securely transported with the application.
More learning resources:
- Docker Datacenter 1.13 features such as Secrets, Security Scanning and Capacity Cache
- Download Docker and start learning
- Try secrets in Docker Datacenter
- Read the documentation
- Join the upcoming webinar
Via: https://blog.docker.com/2017/02/docker-secrets-management/
Author: Ying Li Translator: HardworkFish Proofreader: imquanquan, wxy
This article was originally translated by LCTT and first published on Linux China.