Docker | Luis Cacho

Relaunch docker-compose deployment with a new image

Mon, 02 Aug 2021 00:00:00 +0000

docker-compose pull && docker-compose -f docker-compose.yml up -d

Docker Login the Right Way

Wed, 15 May 2019 00:00:00 +0000

Table of Contents

Hi again!

It is been a while since I wrote something here, as always, there is no much time for a hobby.

I’ve been working for a while with docker, not a production level, but for some applications that I use at work. And since the Docker Hub Data breach I put more atention on the security of my data/credentials, so I investigate a little about and found this official repository https://github.com/docker/docker-credential-helpers/ from Docker where are the supported credential helpers.

Credential Store

Docker keeps our credentials saved on a JSON file located on ~/.docker/config.json, but unfortunatelly credentials are just encrypted on base64, here is an articule/video where there is an explanation for the why it is a bad idea to just use base64 encryption.

The following is a diagram on how a plain text storage works:

Plain Text Storage

Here is an example on how ~/.docker/config.json looks like when is using plain text credentials:

cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 },
 "quay.io": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

After a successful docker login command, Docker stores a base64 encoded string from the concatenation of the username, a colon, and the password and associates this string to the registry the user is logging into:

$ echo azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo= | base64 -d -
luiscachog:supersecretpassword

A docker logout command removes the entry from the JSON file for the given registry:

$ docker logout quay.io
Remove login credentials for quay.io

$ cat ~/.docker/config.json
{
 "auths": {
 "https://index.docker.io/v1/": {
 "auth": "azRjaDA6c3VwZXJzZWNyZXRwYXNzd29yZAo="
 }
 },
 "HttpHeaders": {
 "User-Agent": "Docker-Client/18.09.6 (linux)"
 }
}

Docker Credential Helpers

Since docker version 1.11 implements support from an external credential store for registry authentication. That means we can use a native keychain of the OS. Using an external store is more secure than storing on a “plain text” Docker configuration file.

Secure Storage

In order to use a external credential store, we need a program to interact with.

The actual list of “official” Docker Credential Helper is:

docker-credential-osxkeychain: Provides a helper to use the OS X keychain as credentials store.
docker-credential-secretservice: Provides a helper to use the D-Bus secret service as credentials store.
docker-credential-wincred: Provides a helper to use Windows credentials manager as store.
docker-credential-pass: Provides a helper to use pass as credentials store.

docker-credential-secret service

On this post we will explore the docker-credential-secretservice and how to configure it.

We need to download and install the helper. You can find the lastest release on https://github.com/docker/docker-credential-helpers/releases. Download it, extract it and make it executable.

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.2/docker-credential-secretservice-v0.6.2-amd64.tar.gz
tar -xf docker-credential-secretservice-v0.6.2-amd64.tar.gz
chmod +x docker-credential-secretservice
sudo mv docker-credential-secretservice /usr/local/bin/

Then, we need to specify the credential store in the file ~/.docker/config.json to tell docker to use it. The value must be the one after the prefix docker-credential-. In this case:
```
{
 "credsStore": "secretservice"
}
```
To facilite the configuration and do not make mistakes, you can run:
```
sed -i '0,/{/s/{/{\n\t"credsStore": "secretservice",/' ~/.docker/config.json
```

From now we are uning an external store, so if you are currently logged in, you must run docker logout to remove the credentials from the file and run docker login tostart using the new ones.

Let me know how this works for you.

References:

Docker Credential Helpers repository¹
Docker Credential Store Documentation²
Slides about this topic ³

Set a hugo blog on Kubernetes

Mon, 18 Jun 2018 00:00:00 +0000

Table of Contents

Overview

Since last year I been trying to become an SRE (Site Reliability Engineer), so I been involved with some emerging technologies, like ansible, docker and on this time with kubernetes.

This time, I will try to explain how I containerized my blog using:

Architecture

So, I take some ideas from here and I modify them and adapt the architecture described to my options.

The principal changes that I made are:

My Kubernetes cluster is running on 2 cloud server on Rackspace Public Cloud
The container registry that I’m using is Quay
Rackspace Public Cloud does not support a Kubernetes LoadBalancer service automatically, so I simulate that behavior adding a Cloud Load Balancer manually after the Kubernetes service provide me the port.

Architecture

Containerized

I use Hugo to deploy my blog, I used to do it as mentioned on this previous post (In Spanish).

Now, as a part of containerize the blog it make sense to me to create two stages as described here:

The first stage is a defined build environment containing all required build tools (hugo, pygments) and the source of the website (Git repository).
The second stage is the build artifact (HTML and assets), from the first stage and a webserver to serve the artifact over HTTP.

Dockerfile

Here is the Dockerfile that containerize the blog:

FROM ubuntu:latest as STAGEONE

# install hugo
ENV HUGO_VERSION=0.41
ADD https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz /tmp/
RUN tar -xf /tmp/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin/

# install syntax highlighting
RUN apt-get update
RUN apt-get install -y python3-pygments

# build site
COPY source /source
RUN hugo --source=/source/ --destination=/public/

FROM nginx:stable-alpine
RUN apk --update add curl bash
RUN rm /etc/nginx/conf.d/default.conf
COPY modules/nginx.luiscachog.io.conf /etc/nginx/conf.d/luiscachog.io.conf
COPY --from=STAGEONE /public/ /usr/share/nginx/html/
EXPOSE 80 443

MAINTAINER Luis Cacho <luiscachog@gmail.com>

First Stage

Fetch the lastest Ubuntu image and name as STAGEONE
Install the last available hugo version from source.
Install pygments library to use it for highlighting.
Build the site with hugo and the output is set on /public as a build artifact.

Second Stage

Fetch the lastest stable nginx alpine image.
Update the image and install some utilities.
Delete the default nginx configuration file.
Copy the configuration files needed from the repository root directory.
Copy the build artifact /public from the previous stage (STAGEONE)

Docker | Luis Cacho

Relaunch docker-compose deployment with a new image

Docker Login the Right Way

Docker Login the right Way

Credential Store

Docker Credential Helpers

docker-credential-secret service

Set a hugo blog on Kubernetes

Overview

Architecture

Containerized

Dockerfile

First Stage

Second Stage