1
00:00:04,380 --> 00:00:09,460
‫All right, so now that we've gone through secrets and the features, and how it works and all that,

2
00:00:09,470 --> 00:00:11,170
‫let's actually look at some practicals.

3
00:00:11,170 --> 00:00:15,760
‫So, what I have here is, I've got our 3-node swarm set up like before.

4
00:00:15,760 --> 00:00:17,320
‫I'm in a secrets

5
00:00:17,410 --> 00:00:20,300
‫sample 1 directory that you'll see in the repo.

6
00:00:20,440 --> 00:00:28,240
‫And, all I’ve got in there is one text file. And in that text file is just a simple username, not even actually

7
00:00:28,240 --> 00:00:29,150
‫a password.

8
00:00:30,020 --> 00:00:34,420
‫There's two ways we can actually create a secret inside of Swarm.

9
00:00:34,430 --> 00:00:40,030
‫And one of them is to give it a file, and another one is to pass a value at the command line.

10
00:00:40,040 --> 00:00:48,560
‫So, let's use the file first. docker secret create. And then I need to give it a name in the secret database.

11
00:00:48,650 --> 00:00:51,060
‫And I'll call it psql user.

12
00:00:51,070 --> 00:00:54,780
‫It doesn't have to be the same name as the file, obviously. But I'm just going to call it that.

13
00:00:55,070 --> 00:01:03,050
‫And then... It spits back the ID, like it does for other objects. And lets create another one. Let’s actually

14
00:01:03,050 --> 00:01:04,350
‫put the password in.

15
00:01:04,550 --> 00:01:10,740
‫And this time we're actually going to echo it from the command line.

16
00:01:11,480 --> 00:01:17,220
‫If you see what I'm doing, I'm actually typing out a password in the command line with echo, and echoing

17
00:01:17,220 --> 00:01:19,500
‫it in into the creation command.

18
00:01:19,830 --> 00:01:25,740
‫And notice the dash on the end, because that's telling the command to read from the standard input. Which

19
00:01:25,740 --> 00:01:27,800
‫is what we're giving it with the echo command.

20
00:01:27,840 --> 00:01:30,240
‫Now, I should say that both of these have drawbacks.

21
00:01:30,240 --> 00:01:34,890
‫The first one, you're actually storing the password on the hard drive of the server on the host.

22
00:01:34,890 --> 00:01:36,590
‫And we really wouldn't want to do that.

23
00:01:36,630 --> 00:01:42,510
‫So, maybe you would be using the remote API from that local command line on your machine. And then pass

24
00:01:42,510 --> 00:01:44,230
‫in the files that way.

25
00:01:44,280 --> 00:01:49,070
‫And, in the second one, it's actually going into the history of our Bash file for our root user.

26
00:01:49,170 --> 00:01:53,430
‫So then technically, if someone were able to get into root, they could actually get this password out.

27
00:01:53,430 --> 00:01:57,750
‫When you're dealing with your own production systems, you'll need to look at various ways to get around

28
00:01:57,750 --> 00:02:00,030
‫these two potential security concerns.

29
00:02:00,030 --> 00:02:07,140
‫So, what we have here is...now, if I do a docker secrets ls, you can see that I have both of them in there.

30
00:02:07,320 --> 00:02:13,220
‫Now, I can actually inspect them, but I'm not going to ever see the passwords or the actual secret.

31
00:02:13,230 --> 00:02:16,050
‫So, let me just do the user.

32
00:02:16,050 --> 00:02:20,370
‫It's not going to give us the information, right. Because if it was this easy to get the information it

33
00:02:20,370 --> 00:02:21,750
‫wouldn't really be that secret.

34
00:02:21,750 --> 00:02:22,540
‫Right?

35
00:02:22,560 --> 00:02:28,080
‫So, the goal here, is that once you put the secret in the system, it's stored in the database. And the only

36
00:02:28,080 --> 00:02:33,150
‫thing that's going to have access to the decrypted secrets are going to be the containers and services

37
00:02:33,150 --> 00:02:34,640
‫we assign it to.

38
00:02:34,650 --> 00:02:35,700
‫So let's do that now.

39
00:02:35,790 --> 00:02:37,500
‫I'm going to create a service manually.

40
00:02:40,020 --> 00:02:50,080
‫docker service create. I’ll call it psql. And we're going to map the secret to it. Basically, we're telling this

41
00:02:50,080 --> 00:02:53,850
‫create command take this secret called this particular name...

42
00:02:53,860 --> 00:03:00,610
‫I can also use the ID of the secret... and assign it to this service, so that all containers in this service

43
00:03:00,940 --> 00:03:02,780
‫will see this secret.

44
00:03:03,370 --> 00:03:03,670
‫All right.

45
00:03:03,670 --> 00:03:07,670
‫And then put the user in there, and then I’ve got to do it again for password.

46
00:03:08,090 --> 00:03:08,370
‫Okay.

47
00:03:08,380 --> 00:03:14,790
‫So this maps the secrets to the service, so that they show up as files inside the container.

48
00:03:14,980 --> 00:03:18,730
‫But it doesn't tell the postgres database that we're creating from this image

49
00:03:18,730 --> 00:03:20,760
‫how to use those secrets.

50
00:03:20,770 --> 00:03:25,440
‫So, usually, we need to do something with the configuration of the image.

51
00:03:25,480 --> 00:03:30,790
‫And in this case, the official images from Docker Hub have settled on a standard where you use environment

52
00:03:30,790 --> 00:03:37,270
‫variables. But, instead of passing in maybe something like postgres password, that would be hard to use

53
00:03:37,270 --> 00:03:37,990
‫with a file.

54
00:03:37,990 --> 00:03:42,250
‫We'd have to actually, like, cat out the file into the environment variable and that's a little bit of

55
00:03:42,250 --> 00:03:43,070
‫a pain.

56
00:03:43,090 --> 00:03:52,690
‫So, they have the standard where, if you specify a file...and this would be the path...so it would be run secrets,

57
00:03:52,720 --> 00:03:57,360
‫and then the name, right? So psql pass, the name of the secret.

58
00:03:57,460 --> 00:04:04,480
‫If I do that, that's actually in the startup of the image that will look for this environment variable

59
00:04:04,480 --> 00:04:05,280
‫being filled out.

60
00:04:05,290 --> 00:04:11,080
‫And if it is, it will then pull that file in, and store it in the environment variable. The actual contents

61
00:04:11,080 --> 00:04:11,980
‫of that file.

62
00:04:12,000 --> 00:04:15,670
‫This is this is a really easy way to consume these secrets that are in the files.

63
00:04:15,670 --> 00:04:19,630
‫But it does mean that the images you use need to have this standard in place.

64
00:04:19,660 --> 00:04:21,770
‫We can also do the same thing for the user.

65
00:04:21,860 --> 00:04:22,340
‫...

66
00:04:30,570 --> 00:04:33,600
‫Hopefully, this makes sense to you. When I create the service

67
00:04:33,610 --> 00:04:39,070
‫it's going to do the typical thing it does when it issues a scheduling request for a new container.

68
00:04:39,080 --> 00:04:43,010
‫It's going to create one Postgres database and it's going to pass it

69
00:04:43,030 --> 00:04:46,450
‫the environment variables for the locations of those two secrets.

70
00:04:46,450 --> 00:04:51,890
‫And then it's going to map, in a tempfs, it's actually going to map in what look like files.

71
00:04:51,910 --> 00:04:55,610
‫But again, it's really just a RAM file system or a tmpfs.

72
00:04:55,870 --> 00:04:58,140
‫Let's go see what we can see in there.

73
00:04:58,420 --> 00:05:04,580
‫So, I do a docker service ps psql, and that should tell us what node it's running on.

74
00:05:04,580 --> 00:05:06,190
‫Okay, it's running on this node.

75
00:05:06,310 --> 00:05:09,470
‫Let's do an exec to see what we can see inside the container.

76
00:05:09,480 --> 00:05:13,330
‫docker exec -it.

77
00:05:13,540 --> 00:05:19,100
‫And then the specific container name for that service, and then bash.

78
00:05:19,110 --> 00:05:19,830
‫All right.

79
00:05:19,830 --> 00:05:27,000
‫Now we should be able to do an ls on run secrets, and you'll see we get the two files there.

80
00:05:27,060 --> 00:05:35,460
‫And if I do a cat on psql user, we see the value. It worked.

81
00:05:35,740 --> 00:05:42,530
‫And if we look at the logs of that psql, we actually know it works. Because if it didn’t...if it

82
00:05:42,530 --> 00:05:48,320
‫didn't have those files, the actual database would keep recreating itself, and not be able to work because

83
00:05:48,320 --> 00:05:52,900
‫it didn't have a password and a user name to create the database.

84
00:05:52,910 --> 00:05:59,600
‫If you did docker service ps again, what you would see if it wasn't working correctly in a database

85
00:05:59,600 --> 00:06:04,310
‫scenario, is the database would actually be failing. And it would keep restarting and you would see new

86
00:06:04,310 --> 00:06:05,840
‫containers being created here.

87
00:06:05,900 --> 00:06:11,660
‫So now that we've actually assigned it to there, we can actually use a docker service update to remove

88
00:06:11,660 --> 00:06:15,860
‫the secret. So, docker service update --secret-rm.

89
00:06:15,950 --> 00:06:22,850
‫There's also secret-add. But if I removed one of these secrets what would actually happen is, it

90
00:06:22,850 --> 00:06:29,780
‫would redeploy the container. Because secrets are a part of the immutable design of services.

91
00:06:29,780 --> 00:06:34,490
‫If anything in the container has to change for the service, the service will not go in and change something

92
00:06:34,520 --> 00:06:38,510
‫inside the container. It will actually stop the container and redeploy a new one.

93
00:06:38,510 --> 00:06:44,000
‫Obviously, that's not ideal for databases. So we're going to have to come up with a different plan for

94
00:06:44,000 --> 00:06:46,430
‫how we would update database passwords.

95
00:06:46,430 --> 00:06:48,310
‫And that's something we can talk about later.

96
00:06:48,350 --> 00:06:53,080
‫For now, I just want you to know that you can remove them and add additional ones to an existing service.

97
00:06:53,090 --> 00:06:55,450
‫It's just going to recreate the container when you do it.