[diogomonicapt]

I think with this release things have come full circle for me. I was part of the team that 5 years ago built Keywhiz at Square, starting the whole "secrets should be files exposed as an in-memory filesystem" thing.

Building it a second time was interesting. One of the biggest reasons why Keywhiz didn't go anywhere was the fact that it is incredibly hard to setup, and requires you to bring your own PKI. This time we didn't make that mistake and integrated directly into Swarm, which is the right place for it to live, and turns setting up your own PKI into a one-liner.

Anyway, AMA.

Disclosure: I work on the Docker Security team

[mikegerwitz]

The docs explicitly state "You cannot remove a secret that a running service is using". I'm not comfortable with sensitive secrets remaining plaintext in memory after the running service possibly does not need it anymore (e.g. maybe the service only needs it on startup). It seems like you could rotate the key with something else, but that doesn't seem ideal. Or can the container itself remove the secret "file"?

Consequently, because it's mounted as a filesytem, what if the service is compromised and vulnerable to arbitrary code execution, directory traversal, etc? The secret could then be leaked.

Am I misinterpreting something? How would others here handle this?

Edit: To clarify: rotating a secret will cause the service to restart. So I guess by "doesn't seem ideal", I mean it doesn't seem like an option.

[cpuguy83]

You can update a service to not use a secret once it's not needed. Of course this will restart the task(s) I think. Definitely worth thinking about. Maybe a single-read secret or something.

If a service is compromised, you should always assume the secret is compromised.

[mikegerwitz]

> Maybe a single-read secret or something.

I like this idea. As a benefit, you wouldn't have to rely on developers of individual services to make sure the secret is cleared. This would also have the benefit of causing an error if something else happened to read the secret before the intended service, indicating a possible compromise (or maybe just a misconfiguration).

(I use a similar concept with `xclip -l' to allow reading passwords from the clipboard a single time before it quits.)

[mreithub]

So I guess the best-practice approach would be to chown/chmod/rm the file after reading its contents (assuming it'll be restored when you restart the container).

So far my approach was defining environment variables in the various docker-compoose files (in a separate deployment git repo), but this looks like a really nice alternative.

Do you have plans to update the library images to give us a choice between using ENV and secrets (for DB server passwords and the like)?

On an aside: I've gotten the Docker Datacenter announcement mail today. I only took the time to skim its contents quickly and at first thought this was a DDC-only thing. Glad to hear it isn't, keep up the awesome work.

edit: clarified my docker-compose usage

[diogomonicapt]

Thanks!

- Exposing secrets as in-memory files has a lot of advantages over ENV variables (harder to leak).

- We already started updating a few images (MySQL, for example), so they can use Docker secrets.

- Definitely not DDC only, but note that RBAC over secrets is a feature of the commercial product.

[bluebeard]

Thanks, I'm interested in trying this out.

[koolba]

Are the values loaded on the fly each time they're read or is the /run/secrets mount statically defined when the container starts up?

If it's static, follow up to that would be, how are changes propagated to already running instances?

Is there a way to restrict access to reading said secrets once the container is running? Say you're running possibly malicious code that has access to the local filesystem (ex: CI test runner) is there a way to restrict a process from reading those files? Can we simply delete them (i.e. "burn after reading") or are they fully virtual?

[sly010]

> Is there a way to restrict access to reading said secrets once the container is running?

I don't know anything about docker, but the best way I found to do this in linux in general was aa_changehat() [0]. You write an apparmor profile for startup and a sub-profile for the running app/service. After setup, you call aa_changehat() to switch the current process to use the subprofile. You then throw away your magic token, so there is no way to switch back.

You don't even have to link to libapparmor, under the hood aa_changehat() just writes some string somewhere in /proc, so you can replicate that. Note, I haven't actually done this, but working on it right now.

[0] http://manpages.ubuntu.com/manpages/wily/man2/aa_change_hat....

[eicnix]

From what I understand there are no secruity mechanisms other than authentication to the cluster. How do you prevent somebody that got access to the cluster to just read all your secrets?

Can I plug in my own secret store?

[diogomonicapt]

- We're working on external store support. First implementation will probably be w/ Vault, but we would love for this to come from the community.

- If you have access to the managers, you have access to all the secrets (and access to administer the whole cluster), but normal swarm nodes only have access to the secrets required to run services that will be scheduled on them. Also this are erased as soon as the service is deleted or rescheduled on some other node.

[sarnowski]

That is the same trust boundary as in Kubernetes currently: https://kubernetes.io/docs/user-guide/secrets/

It is the most important step that you can package containers without having to know the production secrets and to have a "standard" was to retrieve them.

No one, without production access, has a way to obtain them.

[cpuguy83]

Note exactly the same (for now):

> Currently, anyone with root on any node can read any secret from the apiserver, by impersonating the kubelet

> If multiple replicas of etcd are run, then the secrets will be shared between them. By default, etcd does not secure peer-to-peer communication with SSL/TLS, though this can be configured.

[smarterclayton]

Agree, it would be better if the nodes could not trivially request other secrets. But you can request new containers placed on any node and a root escape that works on one node almost certainly works on the rest.

We usually recommend subdividing the node acls by namespace when running disjoint node sets (where tenant A can't schedule onto tenant B's nodes). More fiddly than it has to be in Kubernetes today.

[piva00]

We are currently facing the same problem and came to the same conclusion, we are subdividing our node pools by namespace (and using namespacing for multi-tenancy) but it "feels" very convoluted and a smell that there's a feature missing in Kubernetes itself to handle this more graciously.

[smarterclayton]

The node placement admission controller was definitely intended for that. In combination with a simple controller for allocating namespaces to sets of nodes.

The real solution is of course to limit what nodes can see - I won't say it's trivial, but it's an O(1) check based on the pods scheduled on that node.

[cpuguy83]

I think in this case you'd already be compromised if you have to worry about a user being able to essentially maliciously place a container. Really a job for RBAC and not the scheduler itself.

[smarterclayton]

I'm referring mostly to users who are legitimately able to run workloads on a non-zero percentage of the cluster. It's fairly hard to defend against a user with the ability to schedule even a limited amount of workloads, because good scheduling usually spreads (in which case you can compromise more machines and then take them out of service briefly) or packs (in which case you get put on nice target rich environments).

That's partially why we (openshift) just don't allow containers to run as root by default - it sucks for new users (most images assume root) but it dramatically lowers the risk of compromise across the board in any scenario with multi-tenancy. Agree that with isolated nodes per tenant you wouldn't have this issue, which is a more straightforward RBAC story.

[mihular]

What about non swarm containers? Like straight docker and docker-compose?

[odc]

docker-compose 1.11.0 will be released soon with support for secrets, probably using the same system.

[diogomonicapt]

Exactly. The new version of compose supports defining docker secrets inside of the compose file.

[mihular]

But the question is whether secrets can be used outside swarm. It doesn't look so at first glance.

[nicolaka]

secrets only work with Swarm services. New compose (1.11) uses a new format version ( v3.1) that allows you to add secrets for services and deploy using docker client ( no need for docker-compose). I don't think there's any plans atm to support secrets for non-swarm containers :(

[himanshuy]

Is Docker PCI compliant? My application deals with a lot of PII data. There was a lot of concern in my team over SOC-2 and PCI compliance when I suggested using Docker. We also talked to one of the solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

[sarnowski]

A single software piece can't be PCI compliant but only how you use it.

You have to argue that Docker uses the Linux isolation mechanisms that make those containers virtual machines in the sense and spirit of PCI.

Treating containers as VMs makes some other requirements even easier like the request to have a minimal system and to only have one function per server - thats how you want containers to work anyway.

(Btw PCI has nothing to do with PII.)

[Diederich]

> solution architects from Amazon and he wasn't sure if Docker is ready for PII data.

I'm curious if you can relate what his reasoning was?

Docker is, among other things, a wrapper around a bunch of Linux kernel functions, the likes of which have been used for many, many years by companies like Google to facilitate all kinds of useful isolation.

[paulddraper]

I think it's pretty well agreed that multi-tenant Docker isn't a good security solution.

Use it for for operational isolation, not for critical security isolation.

[Diederich]

That's what I've heard as well, and I agree with that assessment, given that the requirement is to separate untrusted code execution.

At the same time, going back to the initial quote:

> solution architects from Amazon and he wasn't sure if Docker is ready for PII data

A lot of companies are using containers to execute code that manages all kinds of regulated data right now, ya?

The security limitations of Linux namespaces and friends are mostly related to the execution of untrusted code.

[diogomonicapt]

You can make a PCI compliant installation w/ Docker yes.

[m_mueller]

This is a bit off-topic, but I'll hope for the second "A" in AMA: I still have a bit trouble figuring out how docker envisions URL routing to work. Currently we use a simple setup with Hipache that forwards to our hosts running containers und multiple ports. This would work for failover and scaling as well, however at the point where DBs come into play it gets troublesome because hipache just routes in a round-robin manner instead of keeping routes persistent for each client IP (so you could end up showing them different replicas that are not in sync yet).

Anyways, my issue is: Does Swarm integrate a solution for URL routing and if so, does it tackle the persistency problem?

[nicolaka]

In the commercial product(DDC) there is something called HTTP Routing Mesh that basically adds URL routing to backend services using the underlying routing mesh in Swarm. It supports both HTTP and HTTPS ( w/SNI). It adds RBAC too to make sure only permitted services can be exposed externally. More details here:

https://success.docker.com/Datacenter/Apply/Docker_Reference...

Hope this helps!

[sandGorgon]

is anyone running this stuff in production yet ? not just secrets.. but the whole Docker Swarm with the v3 compose file format thing ?

We have been testing out production clusters with Swarm 1.13 and I think its neat. But what do I know - I'm not a cloud hosting specialist. And the lack of success stories out there is making us nervous.

[kossae]

I can honestly say the only thing we found the full Docker line up (Containers, Swarm, Machine, etc.) good for large scale dev or staging/testing stuff. There are definitely uses for each of these tools, or other combinations, that have been successful for other people. It seems like Docker has a lot to focus on keeping up with the superior orchestration platforms that are out now. This in turn means quickly outdated (or missing) docs, inconsistent behavior of certain features, and other little "gotchas".

Depending on the size of your team, I would recommend Kontena (www.kontena.io) or Kubernetes (https://kubernetes.io/). While I haven't used the latter, a group of two devs is re-architecting our entire system to use Docker and Kontena. Nearing the end, the whole process seemed incredibly fast to iterate. While K8s seems far more proven in real production environments, it seemed much more daunting to us with more features than we needed for our use case.

[raesene9]

I'd recommend people read the "Risks" section of Kubernetes Docs on secrets before using it... https://kubernetes.io/docs/user-guide/secrets/#risks.

secrets stored in plain text and (by default) transmitted in plain text between etcd services, does not fill me with confidence on their security.

[cpitman]

Both of these are easy to fix. Configure etcd with peer certificates for clustering and a cert for client-server connections (https://coreos.com/etcd/docs/latest/v2/security.html). If you need encryption at rest, encrypt the filesystem.

If setting up a secure cluster is daunting, then use a distribution that handles it for you. OpenShift (https://www.openshift.org/) is built on kubernetes, and it's install is secure by default.

Disclaimer: I work for Red Hat, and spend lots of time on OpenShift consulting.

[sandGorgon]

kubernetes is NOT easy to setup in a secure way. I am part of several k8s SIG and we have been discussing these issues for a while now. e. g. https://github.com/kubernetes/kubernetes/issues/27343

there are tons of these niggling issues that are cropping up.

the complexity of using k8s goes up exponentially every day. I have bo doubt it is a great piece of tech.. but at this point, it seems tailor made for consulting.

[benth]

There's still rooted node / kubelet access control to worry about, which does not look to be a problem with Docker. (https://github.com/kubernetes/kubernetes/issues/40476)

[smarterclayton]

A rooted node has access to everything that lands on that node, and anyone who can reproducibly escape to root on a node from a container can do so on any node they can schedule on.

It's definitely something we'll fix in Kubernetes, but rooting workloads is the primary problem, and secondary acl defense in depth is good but won't block most attacks for long.

[raesene6]

The thing is with security, default matter. Many people will not change default settings (especially in complex products like Kubernetes), that's why I suggested that people thinking about using Kubernetes should read and be aware of those risks.

On OpenShift I'd be very interested to see a list of the secure defaults that have been chosen, is there a list of the changes from base Docker/Kubernetes policies available anywhere?

[tdhz77]

Can you explain to me the benefits of this like I'm 5 years old? Thanks, and sorry I have technical debt.

[LeanderK]

Since diogomonicapt didn't answer i'll try to give an ELI5 answer ;)

Docker-containers have many advantages, but one of the big drawbacks until now was that it was really hard to pass secrets into them. Imagine you are a simple, stupid Java-container. You handle HTTP-Request and need to access other services like Databases in order to function. In order to connect to the postgres-instance you need to know 3 things: the URL, the database-name and a password. Getting the URL and the database name is easy, just pass them via environment-variables. The tricky thing is how to pass the secret. Environment variables are not encrypted and super easy to read as soon as you have gained access to the container. There were some solutions, but they were complicated. So most just passed them via env-variables. Huge security risk. Very bad.

This solves the problem.

[vbernat]

If the environment is super easy to read when you have gained access to the container, so is a filesystem... The use of secrets is more to transmit secrets to the container without giving it to people.

[diogomonicapt]

The problem is applications unintentionally leaking the ENV. Think a hoptoad exception that attaches the current ENV to the report that sends up to the remote server.

Or think about you exec'ing imagemagik and now the process running potentially adversarial code also has access to your parent's env.

Or think about an application crashing and doing an unintentional core dump to disk.

[diogomonicapt]

Way better than I could have answered ;)

[LittleFuckinCat]

Probably they were concerned that users have to store the secrets (certificates, etc...) in the container filesystem - or mount/share the location on the host were the certificate for a specific app is present. Probably there are more ways to do it, but also probably none is end-to-end secure.

With this you can securely store the certificates; takes away the developer's responsibility of taking care of managing and distributing them to their apps, swarm will take care of that in a secure end-to-end fashion.

[avaid1996]

Looks awesome, congratulations on the release!

[neomantra]

This secrets infrastructure is only available at run-time and with Swarm? Are you looking to handle build-time secrets?

[diogomonicapt]

Yes: https://github.com/docker/docker/pull/30637

[neomantra]

OMG, so much smoother than what I do now. Thanks for the link.