Docker changed how software is developed, tested and run, and that is why software engineers and companies should develop new habits and follow best practices. At the same time, orchestration technologies like Docker Swarm, K8S or Mesos keep evolving in response to industry demands. Security management, including secret management in Docker Swarm, is one of the things that have evolved as a reaction to these changes.
When working with Docker and orchestration tools, following security best practices is important. Software is becoming more distributed, and with the rise of new development models, e.g. microservices architecture, communication between software components is adopting new patterns like message-based communication.
In a production environment, containers running different services may exchange critical information. When deploying software to different environments, it is evident that storing critical information like production passwords in the development environment is not a good practice. There are multiple scenarios where we can see the need for a standardized interface for accessing secrets.
Datacenter Operating System, Kubernetes and other orchestration technologies have their own integrated secrets management solutions. Here we are going to look at Docker's native secret management.
How Does Docker Swarm Work?
Docker users can use Docker Secrets in a Swarm cluster. Manager nodes in a Docker Swarm act as the authority that coordinates secrets management.
Secrets can be passwords, keys, certificates, sensitive environment data or any other custom data that a developer wants to protect, e.g. a database name, the administrator username, etc.
Docker Secrets is only available in Swarm mode, so standalone containers cannot use this feature. Swarm mode lets you centrally manage sensitive data, encrypting it and transmitting it securely only to the containers that need access to it.
When a user adds a new secret to a Swarm cluster, the secret is sent to a manager over a TLS connection.
TLS is a cryptographic protocol that provides communications security over a network: encryption, privacy and data integrity.
To keep all managers up to date with a new secret, the manager node that receives it saves it to the Raft store, encrypted with a 256-bit key.
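The two halves of the workflow described above, as an added example that is not part of the original article: the operator side that hands a secret to a manager (requires the docker CLI on a Swarm manager), and the container side that reads it from the tmpfs mount instead of an environment variable. `SECRETS_DIR` is a hypothetical override, added here only so the container half can be exercised outside Swarm.

```bash
#!/bin/sh
# Added example (not from the original article). Assumes a Swarm manager with
# the docker CLI for deploy_with_secret; SECRETS_DIR is a hypothetical override
# so read_secret can be tested outside a Swarm task.
set -eu

# Operator side: the secret travels to a manager over TLS and lands in the
# encrypted Raft store; only tasks of services that declare it receive it.
deploy_with_secret() {
    secret_name=$1 secret_file=$2 service=$3 image=$4
    docker secret create "$secret_name" "$secret_file"
    # Mounted as /run/secrets/db_password in the task, whatever the secret's name.
    docker service create --name "$service" \
        --secret "source=$secret_name,target=db_password" "$image"
}

# Container side: read the secret from the tmpfs mount rather than from an
# environment variable, so it never appears in `docker inspect` or /proc/*/environ.
read_secret() {
    name=$1
    path="${SECRETS_DIR:-/run/secrets}/$name"
    if [ ! -r "$path" ]; then
        # Fail loudly instead of falling back to an empty or default credential.
        echo "secret '$name' not available at $path" >&2
        return 1
    fi
    # Drop the newline most editors append when the secret file was written.
    tr -d '\n' < "$path"
}

# Typical entrypoint usage inside the service container:
#   DB_PASSWORD=$(read_secret db_password) exec myapp
```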
It’s undeniable that Swarm is one of the most successful clustering solutions for containers and, of course, for Docker.
Swarm is now rock-solid both in terms of features and quality. Combined with the power of libnetwork, Swarm delivers a software-defined-network Docker clustering system that is easy to set up and use. It’s the only clustering system that lets us control a pool of Linux and Windows container engines at the same time. Enterprise adoption of Swarm is, IMHO, far easier than with other clustering solutions. It’s simple and it just works.
What’s container orchestration?
Containers package services into one unit that you can deploy anywhere you like: a local machine, a test environment or production systems. In a production environment, you cannot pile up containers on one machine, because it will run out of capacity. You need multiple machines running in a cluster and you deploy the containers to them. Now the question is: if I have multiple nodes or machines in my cluster, where do I deploy my container to? You tell the orchestration software to deploy a container and it takes care of the rest.
Orchestration software generally takes care of:
- Which machine is the best one to deploy this container to? "Best" can mean the machine with the most free resources right now; it can also mean a machine with more memory if you’re deploying a memory-intensive service, for example Redis.
- If a machine fails, it should automatically redeploy the containers that were running on that machine to a new machine.
- If a new machine is added to the cluster, rebalance the containers onto the new machine without disrupting the service.
- If a container fails, restart it automatically.
- …and more.
Now that you’ve understood why you need container orchestration, let’s look at the two most popular choices out there and see how they compare with each other.
Swarm is the native clustering engine by and for Docker. Any tools, services or software that work with Docker containers run equally well in Docker Swarm. Here are a few pros and cons of Docker Swarm.
Pros:
- Ease of use: a "just works" user experience,
- Zero single-point-of-failure architecture,
- Secure by default with automatically generated certificates,
- Backwards compatibility with existing components,
- Open source.
Cons:
- Early in the development / launch cycle. We do not recommend using Docker Swarm for business-critical applications. It will become more mature with time.
- Simple, with limited features.