We recently started to employ Swarm Secrets to manage passwords required by containers. The Secrets documentation emphasizes that all secrets are stored in encrypted form and that secrets are mounted on an in-memory file system inside the container and never persisted to disk.
When you deploy, Docker mounts a file under /run/secrets/<secret_name> in the services. These files are never persisted in disk, but are managed in memory.
However, we found that passwords are still present in clear text on Swarm hosts under /var/lib/docker/containers/<id>/mounts/secrets/, which appears to contradict the statement quoted above. Is this to be expected or did we screw up our setup somehow?
Thanks in advance!
$ docker version
Client:
 Version:           18.09.0
 API version:       1.39
 Go version:        go1.10.4
 Git commit:        4d60db4
 Built:             Wed Nov 7 00:48:22 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.0
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.4
  Git commit:       4d60db4
  Built:            Wed Nov 7 00:19:08 2018
  OS/Arch:          linux/amd64
  Experimental:     false
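
One way to check which filesystem backs a host path such as the secrets directory mentioned above, as an added example that is not part of the original post or of Docker's code: it resolves a path against a mount table in `/proc/self/mounts` format and reports whether the covering mount is memory-backed. The sample mount table, the container ID `0123abcd` and the function names are constructed for illustration.

```python
import os

# Constructed sample in /proc/self/mounts format (not taken from the post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb1 /var/lib/docker ext4 rw,relatime 0 0
tmpfs /var/lib/docker/containers/0123abcd/mounts/secrets tmpfs ro,relatime 0 0
"""

def _unescape(field):
    # The kernel writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def backing_mount(path, mounts_text):
    """Return (mount_point, fstype) of the mount that contains `path`."""
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mnt, fstype = os.path.normpath(_unescape(parts[1])), parts[2]
        # Compare on a path-component boundary, not a raw string prefix.
        inside = path == mnt or mnt == "/" or path.startswith(mnt + "/")
        # Longest mount point wins; on a tie the later line is the mount on top.
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, fstype)
    return best

def is_memory_backed(path, mounts_text):
    hit = backing_mount(path, mounts_text)
    return hit is not None and hit[1] in ("tmpfs", "ramfs")

if __name__ == "__main__":
    import sys
    # Live check: pass one or more host paths as arguments.
    with open("/proc/self/mounts") as fh:
        live = fh.read()
    for p in sys.argv[1:]:
        print(p, backing_mount(os.path.realpath(p), live))
```

A `tmpfs` result means the files are not on the disk filesystem, but tmpfs pages can still be written to swap if swap is enabled on the host.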