diff --git a/docs/index.html b/docs/index.html index 4bfffe07..d806a571 100644 --- a/docs/index.html +++ b/docs/index.html @@ -3247,12 +3247,26 @@ Error: grpc: failed to unmarshal the received message proto: wrong wireType = 0 - Assign [one of the four most commonly used passwords](https://www.youtube.com/watch?v=0Jx8Eay5fWQ) to a secret called `hackme`: ```bash - echo love | docker secret create hackme + echo love | docker secret create hackme - ``` -- Assign some random alphanumeric characters to another secret: +] + +If the secret is in a file, you can simply pass the path to the file. + +(The special path `-` indicates to read from the standard input.) + +--- + +## Creating better secrets + +- Picking lousy passwords always leads to security breaches + +.exercise[ + +- Let's craft a better password, and assign it to another secret: ```bash - base64 /dev/urandom | head -c16 | docker secret create arewesecureyet + base64 /dev/urandom | head -c16 | docker secret create arewesecureyet - ``` ] @@ -3313,17 +3327,58 @@ We use a global service to make sure that there will be an instance on the local (This will redeploy the service; it won't add the secret on the fly) -- Secrets can be mapped to different names +- You can remove a secret with `docker service update --secret-rm` -- The following example exposes a secret in `/run/secrets/password`; -
then changes the content of that file to be another secret: +- Secrets can be mapped to different names by expressing them with a micro-format: ```bash - docker service create --secret hackme:password ... - docker service update ... --secret-add arewesecureyet:password + docker service create --secret source=secretname,target=filename ``` --- +## Changing our insecure password + +- We want to replace our `hackme` secret with a better one + +.exercise[ + +- Remove the insecure `hackme` secret: + ```bash + docker service update dummyservice --secret-rm hackme + ``` + +- Add our better secret instead: + ```bash + docker service update dummyservice \ + --secret-add source=arewesecureyet,target=hackme + ``` + +] + +Wait for the service to be fully updated with e.g. `watch docker service ps dummyservice`. + +--- + +## Checking that our password is now stronger + +- We will use the power of `docker exec`! + +.exercise[ + +- Get the ID of the new container: + ```bash + CID=$(docker ps -q --filter label=com.docker.swarm.service.name=dummyservice) + ``` + +- Check the contents of the secret files: + ```bash + docker exec $CID grep -r . /run/secrets + ``` + +] + +--- + ## Secrets in practice - Can be (ab)used to hold whole configuration files if needed @@ -3333,7 +3388,13 @@ We use a global service to make sure that there will be an instance on the local (N can be a serial, a timestamp...) ```bash - docker service create --secret foo.N:foo ... + docker service create --secret source=foo.N,target=foo ... + ``` + +- You can update (remove+add) a secret in a single command: + + ```bash + docker service update ... --secret-rm foo.M --secret-add source=foo.N,target=foo ``` - For more details and examples, [check the upcoming documentation](https://github.com/docker/docker.github.io/pull/568)