Managing Secrets during Production

Securing sensitive information is crucial when deploying applications in production. Below is a detailed guide on how to handle secrets with Docker, particularly when using docker-py, the Python client for Docker.

Dockerfile Configuration

When building images that will run in production, it is essential to avoid hardcoding secrets within the Dockerfile. The following Dockerfile illustrates the pattern: its only build argument is a non-sensitive version string, and no credentials are written into the image:

# syntax=docker/dockerfile:1

ARG PYTHON_VERSION=3.12
FROM python:${PYTHON_VERSION}

WORKDIR /src
COPY . .

ARG VERSION=0.0.0.dev0
RUN --mount=type=cache,target=/cache/pip \
    PIP_CACHE_DIR=/cache/pip \
    SETUPTOOLS_SCM_PRETEND_VERSION=${VERSION} \
    pip install .[ssh]

Avoiding Secrets in the Dockerfile

  1. Use Build Arguments: Pass secrets as build arguments instead of hardcoding them. This way, they aren’t stored in the final image.

  2. Environment Variables: When deploying, consider using environment variables for sensitive information. Avoid adding environment variables directly within the Dockerfile.
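To check a Dockerfile for the mistake both points above warn against before the image is built, here is an added example (not code from the page or from docker-py) that flags ENV and ARG instructions assigning a literal value to a credential-looking variable name. The name patterns in SECRET_NAME_RE and the sample Dockerfile are assumptions constructed for the example. One caveat worth knowing when relying on build arguments: an ARG value consumed by a RUN instruction is recorded in the image's layer history (`docker history` shows it), so for build-time credentials BuildKit's `RUN --mount=type=secret` is the mechanism Docker documents, using the same `--mount` syntax as the cache mount in the Dockerfile above.

```python
"""Flag hardcoded secrets in a Dockerfile. Added example; not docker-py code."""
import re
from typing import Iterator, List, Tuple

# Instructions whose literal values are persisted in image metadata.
RISKY_INSTRUCTIONS = ("ENV", "ARG")

# Variable-name fragments that usually denote credentials (assumed heuristic;
# extend it to match your own naming conventions).
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|ACCESS_?KEY)", re.IGNORECASE
)


def _logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; each result carries its first line number."""
    result, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        result.append((start, buf + line))
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        result.append((start, buf))
    return result


def _assignments(args: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, value) from 'K=v K2="v 2"' or the older 'K value' spelling."""
    pairs = re.findall(r'([A-Za-z_][A-Za-z0-9_]*)=("[^"]*"|\'[^\']*\'|\S*)', args)
    if pairs:
        for name, value in pairs:
            yield name, value.strip("\"'")
        return
    parts = args.split(None, 1)
    if parts:
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def find_hardcoded_secrets(dockerfile_text: str) -> List[Tuple[int, str, str]]:
    """Return (line, instruction, variable) for every ENV/ARG that assigns a
    literal value to a credential-looking name.  'ARG NAME' with no default and
    values that expand another variable ('$X', '${X}') are not reported: those
    are supplied at build or run time rather than written into the file."""
    findings = []
    for lineno, line in _logical_lines(dockerfile_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        head = stripped.split(None, 1)
        instr = head[0].upper()
        if instr not in RISKY_INSTRUCTIONS or len(head) < 2:
            continue
        for name, value in _assignments(head[1]):
            if SECRET_NAME_RE.search(name) and value and not value.startswith("$"):
                findings.append((lineno, instr, name))
    return findings


# Constructed sample Dockerfile used to exercise the check (not a real project file).
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
ARG PYTHON_VERSION=3.12
FROM python:${PYTHON_VERSION}
ARG VERSION=0.0.0.dev0
ENV DB_PASSWORD=hunter2 APP_MODE=prod
ARG API_TOKEN
ENV AWS_SECRET_ACCESS_KEY $AWS_SECRET_ACCESS_KEY
ENV LOG_LEVEL=info \\
    SMTP_PASSWORD="p@ss w0rd"
"""

if __name__ == "__main__":
    for lineno, instr, name in find_hardcoded_secrets(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {instr} assigns a literal to {name}")
```

Run against the sample, the check reports lines 5 and 8 (DB_PASSWORD and the continued SMTP_PASSWORD) and stays quiet about the bare `ARG API_TOKEN` and the `$AWS_SECRET_ACCESS_KEY` expansion, which is the distinction the two points above draw: the variable may be declared in the Dockerfile, its value must arrive from outside it.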

Example of Using Docker Secrets

If you are deploying to a swarm, use Docker’s built-in secrets management. Here’s how you can create secrets and use them in your Docker services:

  1. Creating a Secret:

echo "my_secret_value" | docker secret create my_secret -

  2. Using the Secret in a Service:

When you define a service in Docker, specify the secret:

version: '3.1'

services:
  my_service:
    image: my_image
    secrets:
      - my_secret

secrets:
  my_secret:
    external: true

  3. Accessing the Secret in Your Application:

By default, Docker mounts each secret at /run/secrets/{secret_name} inside the container. In your application code, read the secret as follows:

with open('/run/secrets/my_secret', 'r') as secret_file:
    secret_value = secret_file.read().strip()
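The two-line read above is the whole mechanism, but a production service also has to decide what happens when the file is absent, empty, or oversized, and how to confirm which secret is loaded without logging it. The following added example (not code from the page or from docker-py) wraps the same /run/secrets read with that handling. The <NAME>_FILE convention and the env_fallback switch are assumptions added for the example, not behaviour Docker provides; the sample files in the test are constructed.

```python
"""Read a Docker-mounted secret with production error handling. Added example."""
import hashlib
import os
from pathlib import Path


class SecretNotFound(RuntimeError):
    """Raised when neither the mounted file nor any fallback provides the secret."""


def read_secret(name: str, secrets_dir: str = "/run/secrets",
                env_fallback: bool = False, max_bytes: int = 64 * 1024) -> str:
    """Return the secret called `name`, resolved in this order:

      1. <secrets_dir>/<name>, the file Docker mounts for Swarm and Compose secrets;
      2. a file named by the environment variable <NAME>_FILE (a common image
         convention, assumed here rather than taken from the page);
      3. with env_fallback=True, the environment variable <NAME> itself.

    Only trailing newlines are stripped (the one `echo` adds when the secret is
    created); leading and interior whitespace is preserved.
    """
    if not name or name in (".", "..") or "/" in name or "\\" in name:
        raise ValueError(f"invalid secret name {name!r}")  # no path traversal

    candidates = [Path(secrets_dir) / name]
    file_var = os.environ.get(f"{name.upper()}_FILE")
    if file_var:
        candidates.append(Path(file_var))

    for path in candidates:
        if not path.is_file():
            continue
        data = path.read_bytes()
        if len(data) > max_bytes:
            raise ValueError(f"secret {name!r} exceeds {max_bytes} bytes")
        value = data.decode("utf-8").rstrip("\r\n")
        if not value:
            raise ValueError(f"secret {name!r} is empty")  # fail closed, not open
        return value

    if env_fallback and name.upper() in os.environ:
        return os.environ[name.upper()]
    raise SecretNotFound(f"secret {name!r}: no file under {secrets_dir} and no fallback")


def fingerprint(value: str) -> str:
    """Short, non-reversible identifier for logging which secret version is loaded,
    so rotations can be confirmed without the value ever reaching the logs."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


if __name__ == "__main__":
    # "my_secret" is the name created in the Swarm example above.
    password = read_secret("my_secret")
    print("loaded my_secret, fingerprint", fingerprint(password))
```

Treating an empty or missing file as an error rather than returning "" matters: a service that silently starts with an empty credential tends to fail much later and further away from the cause, and in some stacks an empty password is accepted.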

Using Docker Compose with Secrets

To manage secrets in Docker Compose configurations, you may define secrets directly within your Compose file:

version: '3.8'

services:
  app:
    image: my_app_image
    secrets:
      - my_secret

secrets:
  my_secret:
    file: secret.txt

Summary of Best Practices for Handling Secrets

  • Avoid Hardcoding: Never hardcode secrets or sensitive information in code or configuration files.

  • Utilize Docker Secrets: Take advantage of Docker’s native secrets management when using Docker Swarm.

  • Environment Variables: Securely manage sensitive data through environment variables at runtime.

  • Access Control: Ensure only authorized services can access the secrets.

By adopting these best practices and utilizing Docker’s features thoughtfully, secret management in production can be both secure and efficient.

Source: (Docker Documentation)