A very short one this week, solely around the new secret management feature from Docker.

Docker secrets

On one side Docker is splitting up some of its core functionalities to make it easier to integrate with other projects, but on the other it’s also integrating more features into its own systems. The latest example here is Docker secrets.

A main concern with Docker has always been the management of passwords and other data that shouldn’t be made public. There are a number of existing solutions for this, with etcd being the one I’m most familiar with as it’s used in Kubernetes. As Docker wants to offer a complete solution it’s therefore not a big surprise they wanted their own secret management.

So they’ve built one and, without having tried it, it looks pretty nice. In short, it works through swarm. You define your secrets in the swarm and these then become available in the containers on an in-memory volume at /run/secrets/secret-name. You also define that you want to include a certain secret when you start the container using the --secret flag.

As it’s built into the swarm manager, it’s a bit different from using a separate system like etcd. There are advantages and disadvantages to this. Obviously in some ways it will be easier to use, as you don’t need to spin up an etcd cluster for example, but on the other it will make your solution less portable again. And obviously if you’ve already got an etcd solution running, it might not be worth it to rewrite what you already have.