Support per task environment variables in swarm

[F21]

We are interested in using Hashicorp's Vault for storing and giving access to secrets (API keys, access to databases, etc).

Vault provides a method called a wrapped token where a process will communicate with vault to retrieve a temporary token. This token is then passed to each task. Each task then exchanges this token for a more permanent token and performs leasing and renewing secrets with vault independently.

In our case, we would like to have our process generate a list of these temporary tokens and then use the swarm api to create a service while including these tokens. Each container would then just get 1 token as an environment variable.

[jhorwit2]

Just fyi with vault, you can use the pull or coprocess style authentication models to achieve this with docker/swarm currently.

[cpuguy83]

Surely storing these tokens in environment variables cannot be considered secure?

[jhorwit2]

@cpuguy83 When you compare it to the alternative way of storing your configuration file as a layer in the image it is more secure. Now you don't need secrets in your git/containers, then using vault you can use the temp tokens introduced at runtime (env vars) to get the secrets. If someone gets physical access to your running container you are out of luck if it's in memory or disk ;).

There was a talk at the conference the other week on using run -e to introduce secrets securely. Can't seem to find the talk though (guess they aren't posted yet)

[cpuguy83]

@jhorwit2 I invite you to read about the Maginot Line.

[F21]

@cpuguy83 With vault, the coprocess or service first asks vaults to generate a one-use token with a short expiry (such as 10 seconds). This token is passed into the container and the container exchanges this token with vault for a "real" token that can be renewed.

In effect, no one but the container would know the value of the real token. Of course, if the container is compromised, you'd have greater problems to worry about than the token.

[mcassaniti]

I also have a use case for per-task variables, but not for Hashicorp Vault. I want to do the following:

• Set the hostname of a container based on the task number and service name. For example, I might set the hostname to service-instance_number
• Select a volume to attach to the container based on the service name, and perhaps also based on the instance number.

My definition of an instance number is the number after the period (.) in the task name. This issue could be tackled by allowing substitution variables within the service create and service update commands. Can I suggest:

• %s: Service name
• %i: Instance number
• %I: Instance ID

I could then do something like the following (as an untested example):

docker service create --name smtp --hostname %s-%i --env MAILNAME=%s.example.com --publish 25:25 --replicas 3 --mount volume=%s,target=/etc/exim namshi/smtp


I've used fleet under CoreOS which has allowed me to make these substitutions when running docker as a systemd unit. Of course the above example will fail because service mode doesn't (yet) accept hostname as an option.

@diogomonica @ehazlett