1
00:00:04,160 --> 00:00:04,600
All right,

2
00:00:04,630 --> 00:00:10,780
So a new feature in 1.13.1 was full support for secrets.

3
00:00:10,840 --> 00:00:18,430
If I had to create a tag line of what this is, it's basically the 'easiest secure solution for storing

4
00:00:18,430 --> 00:00:19,610
secrets in Swarm.'

5
00:00:19,750 --> 00:00:22,220
I say it's the easiest because it's built into Swarm,

6
00:00:22,240 --> 00:00:27,040
it comes out-of-the-box, and there's nothing you need to do to use it. As long as you've initialized your swarm

7
00:00:27,040 --> 00:00:29,070
and you're on version 1.13 or newer,

8
00:00:29,080 --> 00:00:34,690
you've got secrets. I say it's secure because it was designed from the ground up to be encrypted on

9
00:00:34,690 --> 00:00:39,750
disk, to be encrypted in transit, and to only be available to the places it needs to be.

10
00:00:39,820 --> 00:00:41,090
And that's really what we need.

11
00:00:41,320 --> 00:00:48,610
So what is a secret? A secret, in this case, is classifying anything that you don't want on the front page

12
00:00:48,610 --> 00:00:52,860
of a newspaper. If it got on the front page and you had to go change it,

13
00:00:52,870 --> 00:00:54,130
that's a secret.

14
00:00:54,280 --> 00:00:56,140
It's a username or password,

15
00:00:56,140 --> 00:00:58,870
it's a TLS certificate or the keys to that,

16
00:00:58,870 --> 00:01:00,470
it's an SSH key,

17
00:01:00,520 --> 00:01:08,230
it's a Twitter API key, it's an Amazon key. Anything that you need to allow connectivity between

18
00:01:08,230 --> 00:01:11,940
stuff is probably a secret, and you should be protecting it.

19
00:01:11,950 --> 00:01:15,900
Until now we haven't had a lot of great options for Swarm.
20
00:01:16,070 --> 00:01:21,190
There's definitely lots of options out there like Vault and other great tools for storing secrets, but

21
00:01:21,190 --> 00:01:25,480
they weren't built in and they required a separate infrastructure set-up just so that you could even

22
00:01:25,480 --> 00:01:26,690
start using them.

23
00:01:26,950 --> 00:01:32,940
So, we can store in here anything that's a string or a binary up to 0.5 MB in size.

24
00:01:33,130 --> 00:01:37,420
And the coolest part about this is it doesn't actually require your app to be rewritten in order to

25
00:01:37,420 --> 00:01:38,080
use it.

26
00:01:38,170 --> 00:01:43,170
You don't have to have your app talk to a web service somewhere else in order to get these.

27
00:01:43,180 --> 00:01:44,480
So let's see how it works.

28
00:01:45,760 --> 00:01:53,350
As of 1.13.0, the Swarm Raft database is encrypted on disk by default. If you install Docker

29
00:01:53,380 --> 00:01:55,990
and do a swarm init like we've done before,

30
00:01:56,020 --> 00:01:57,690
that's an encrypted database.

31
00:01:57,790 --> 00:02:02,800
And when it shuts down the service, it's encrypted with the keys stored securely.

32
00:02:03,130 --> 00:02:07,570
It's only stored on the disk of the manager nodes, and they're the only ones that have the keys to unlock

33
00:02:07,570 --> 00:02:09,370
it or decrypt it.

34
00:02:09,370 --> 00:02:15,310
This already exists in Swarm, but basically the way that the keys get down to the containers is

35
00:02:15,310 --> 00:02:21,220
through the control plane, or the encrypted TLS network communications between the Managers and

36
00:02:21,220 --> 00:02:28,090
the Workers. And that connection was already secure, it already used TLS and mutual PKI authentication,

37
00:02:28,090 --> 00:02:34,540
so it was a great way to use that existing channel for bringing these secrets down to our containers.
38
00:02:35,890 --> 00:02:42,060
The way we get them around is we actually first put them into the Swarm database using Docker secret

39
00:02:42,070 --> 00:02:42,960
commands.

40
00:02:43,150 --> 00:02:49,960
Then we assign them to the services, whether we use the service commands themselves or a stack file,

41
00:02:50,260 --> 00:02:58,150
to tell Swarm who's allowed to use this secret. The key here is that just because there's a container

42
00:02:58,150 --> 00:03:03,610
on a host or on a node and you've assigned the key to that service, that doesn't mean other containers can

43
00:03:03,610 --> 00:03:04,660
get access to it.

44
00:03:04,750 --> 00:03:10,900
Since this is built in to the Docker Engine, the Docker Worker keeps that key secure in memory only, and

45
00:03:10,960 --> 00:03:13,890
it only gets down to the containers on that node that need them.

46
00:03:14,780 --> 00:03:21,440
Now, how they're presented in the filesystem to the container is that it looks like a file on the hard drive

47
00:03:21,440 --> 00:03:23,260
to your apps inside the container.

48
00:03:23,450 --> 00:03:29,810
But it's not actually that. They're not actually on disk. They're in memory only, using a ramfs

49
00:03:29,990 --> 00:03:37,070
filesystem, and you'll get to them underneath the /run/secrets directory, where it'll, by default,

50
00:03:37,070 --> 00:03:39,770
be the name you gave the secret as a file.

51
00:03:39,800 --> 00:03:43,940
Then when you just access that file, you'll see the one secret that's in it.

52
00:03:44,000 --> 00:03:46,410
If you think of this as like a key-value store,

53
00:03:46,430 --> 00:03:50,930
the key is the name of the file and the value is what's in it.

54
00:03:50,930 --> 00:03:56,240
We can also set up aliases so we can have multiple names for the same key, and we'll see how that comes

55
00:03:56,240 --> 00:03:57,220
into play later.
56
00:03:58,130 --> 00:04:03,890
For local development, if you're using a stack file that has secret assignments in it, it will actually

57
00:04:03,890 --> 00:04:05,990
work in Docker Compose on your local machine.

58
00:04:05,990 --> 00:04:10,440
Now again, docker-compose, the command line, should never be used in production on a production server.

59
00:04:10,460 --> 00:04:14,570
In this case in particular, it's actually faking security.

60
00:04:14,570 --> 00:04:20,870
So what's happening is we really want the Docker developer or the Docker user on their machine to be

61
00:04:20,860 --> 00:04:23,260
able to use the stack files as much as possible.

62
00:04:23,390 --> 00:04:27,810
So the containers that you run on your local machine will actually see the secrets just like they would

63
00:04:27,810 --> 00:04:28,800
in Swarm.

64
00:04:28,850 --> 00:04:32,870
But we don't have Swarm on our local machine unless we initialize it there,

65
00:04:32,900 --> 00:04:34,530
which most people aren't going to do.

66
00:04:34,640 --> 00:04:38,050
And the way we store the secrets is in the Swarm database.

67
00:04:38,060 --> 00:04:44,390
So this may be kind of obvious to you, but secrets depend on Swarm. It's a Swarm-only thing. If you

68
00:04:44,390 --> 00:04:47,090
don't have Swarm, you can't use secrets.

69
00:04:47,090 --> 00:04:53,960
However, the docker-compose command has a workaround where it actually mounts the secrets in a clear-text file

70
00:04:54,050 --> 00:04:56,060
into the local container.

71
00:04:56,060 --> 00:05:01,170
Now that's not secure, but it does allow us to use secrets locally on our machine.

72
00:05:01,190 --> 00:05:05,120
It's just not something that you would want to use in production, which is why we have the secure store

73
00:05:05,180 --> 00:05:05,600
for Swarm.