Why do I need to be in Swarm mode to use Docker secrets?

I am playing around with a single container docker image. I would like to store my db password as a secret without using compose (having probs with that and Gradle for now). I thought I could still use secrets even without compose but when I try I get...

$ echo "helloSecret" | docker secret create helloS -

Error response from daemon: This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.

Why do I need to use swarm mode just to use secrets? Why can't I use them without a cluster?

Jackie asked Oct 02 '18 00:10


People also ask

Can I use Docker secrets without Swarm?

Currently, Docker secrets are only available to swarm services. This means stand-alone containers cannot access secrets.

Why do we need Docker Swarm?

One of the key benefits associated with the operation of a docker swarm is the high level of availability offered for applications. Docker Swarm lets you connect containers to multiple hosts similar to Kubernetes. Docker Swarm has two types of services: replicated and global.

What is swarm mode in Docker?

Docker Engine 1.12 introduces swarm mode that enables you to create a cluster of one or more Docker Engines called a swarm. A swarm consists of one or more nodes: physical or virtual machines running Docker Engine 1.12 or later in swarm mode. There are two types of nodes: managers and workers.


1 Answer

You need to run swarm mode for secrets because that's how docker implemented secrets. The value of secrets is that workers never write the secret to disk, the secret is on a need-to-know basis (other workers do not receive the secret until a task is scheduled there), and managers encrypt that secret on disk. The storage of the secret on the manager uses the raft database.

You can easily deploy a single node swarm cluster with the command docker swarm init. From there, docker-compose up gets changed to docker stack deploy -c docker-compose.yml $stack_name.


Secrets and configs in swarm mode provide a replacement for mounting single file volumes into containers for configuration. So without swarm mode on a single node, you can always make the following definition:

version: '2'
services:
  app:
    image: myapp:latest
    volumes:
    - ./secrets:/run/secrets:ro

Or you can separate the secrets from your app slightly by loading those secrets into a named volume. For that, you could do something like:

tar -cC ./secrets . | docker run -i -v secrets:/secrets busybox tar -xC /secrets

And then mount that named volume:

version: '2'
volumes:
  secrets:
    external: true
services:
  app:
    image: myapp:latest
    volumes:
    - secrets:/run/secrets:ro
BMitch answered Sep 20 '22 13:09
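Whichever way the file arrives under /run/secrets (a swarm secret, or the read-only volume mount from the answer above), the application side looks the same: read a file, not an environment variable. The following entrypoint helper is an added example, not code from the question or the answer; the SECRETS_DIR override and the sample file it creates are assumptions made so it can be exercised outside a container.

```shell
#!/bin/sh
# Added example: read a secret from the /run/secrets convention used by both
# swarm secrets and the ":ro" volume mount in the answer. SECRETS_DIR is an
# assumed override so the helper can be tested in a temporary directory.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME: print the secret value on stdout, or fail with a reason.
# Return 1 if the file is missing, 2 if it is readable by "other" users.
read_secret() {
  f="$SECRETS_DIR/$1"
  [ -f "$f" ] || { echo "secret '$1' not found in $SECRETS_DIR" >&2; return 1; }
  # A bind-mounted ./secrets directory is easy to leave world-readable (0644);
  # swarm delivers 0444 inside the container, but a host file should be stricter.
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"
  case "$mode" in
    *[4567]) echo "secret '$1' is world-readable (mode $mode)" >&2; return 2 ;;
  esac
  # Command substitution drops trailing newlines, including the one that
  # `echo "helloSecret" | docker secret create helloS -` writes into the file.
  printf '%s' "$(cat "$f")"
}

# demo: constructed sample that mirrors the question's "helloS" secret.
demo() {
  SECRETS_DIR="$(mktemp -d)"
  printf 'helloSecret\n' > "$SECRETS_DIR/helloS"   # constructed sample value
  chmod 0400 "$SECRETS_DIR/helloS"
  DB_PASSWORD="$(read_secret helloS)" || return $?
  echo "loaded db password of length ${#DB_PASSWORD} from $SECRETS_DIR"
}
```

In a container the helper would be sourced by the entrypoint and the result exported only to the process that needs it, which keeps the password out of `docker inspect` output.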