How to Enable Docker Experimental Features and Encrypt Your Login Credentials
If you’re involved in enterprise IT, chances are slim you haven’t either heard of or used containers deployed with the Docker Engine. There’s a good reason for that. The docker engine is powerful, flexible, and required by so many other technologies. On top of that, the Docker Engine is really easy to use. In fact, it’s one of the more straightforward container technologies available.
But did you know that the Docker Engine contains a few experimental features, some of which might be just what you’re looking for to work some serious container magic? That’s right, tucked away (disabled by default), there are features that are not ready for prime time but can still be used (for testing purposes, of course).
It is important that you understand that these features are not ready for production environments, as Docker warns. However, they are features that are being tested with the idea that they might (eventually) make it to the official Docker Engine release.
So if you’re of either the brave or the curious sort, you might want to install Docker Engine on a non-production machine, enable the experimental features, and test them on your own containers.
I’m going to walk you through the process of enabling the experimental features and then highlighting some of the current crop of features. I’ll be demonstrating on a running instance of Ubuntu Server 18.04. The environment you choose doesn’t matter (be it CentOS, Ubuntu, Fedora Server, RHEL, SLES, etc.). What does matter is that you have a working Docker Engine running and a user that belongs to the docker group.
Enabling Experimental Features
Believe it or not, enabling the experimental features on the daemon side of things is actually quite simple. In order to do this, log into your server and issue the command:
sudo nano /etc/docker/daemon.json
This is a new file, so you won’t find anything contained within. Paste the following contents into this file:
|
1 2 3 |
{ "experimental": true } |
Save and close the file.
With that in place, restart the docker engine with the command:
sudo systemctl restart docker
You can now see that the experimental features have been enabled by issuing the command:
docker version
You should see Experimental: true listed (Figure 1).
Figure 1: Experimental features are now enabled for the daemon.
Next, you’ll want to enable the features for the docker client. This is a bit more complicated, as we have to first set up the docker login process to use encrypted passwords (otherwise you’re leaving your authentication credentials in plain text).
In order to secure those passwords, you must first enable a credential storage. Let’s make that happen. Since we’re on a headless Ubuntu Server, we must first install a tool that will generate enough entropy to create the keys. Do this with the command:
sudo apt-get install rng-tools -y
Once that installation completes, generate the entropy with the command:
sudo rngd -r /dev/urandom
Now, install pass with the command:
sudo apt-get install pass -y
Next, generate a gpg key with the command:
gpg --full-generate-key
In order to generate the key, accept the default answers for the questions (Figure 2) and accept them with Y.
Figure 2: Generating a GPG key.
You will then be asked to add your name and email and, finally, create a passphrase for the new key. With the key generated, we can now setup the secure storage of our credentials with the following commands:
- Create a new directory with the command mkdir ~/bin
- Change into that newly created directory with the command cd ~/bin
- Add the directory to your path with the command echo ‘export PATH=$PATH:~/bin’ >> ~/.bashrc
- Download docker-credential-pass with the command wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
- Untar the downloaded file with the command tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz
- Give the new file the proper permissions with the command chmod a+x docker-credential-pass
- Copy the executable with the command sudo cp docker-credential-pass /usr/local/bin
- Log out and log back in.
- Create the .docker directory with the command mkdir ~/.docker
Now you must initialize pass. First locate your gpg ID with the command:
gpg --list-secret-keys
You should see a long string of characters associated with your newly-created key. With that string, initialize pass with the command:
pass init STRING
Where STRING is the gpg key ID.
New we must create a password for the credential storage with the command:
pass insert docker-credential-helpers/docker-pass-initialized-check
Before we log into docker, create a configuration file with the command:
sudo nano ~/.docker/config.json
Make sure the file looks like the following:
|
1 2 3 |
{ "experimental": "enabled" } |
Save and close the file.
Finally, login with docker with the command:
docker login
That’s it. Your docker credentials are now saved via encrypted storage and won’t appear in the ~/.docker/config.json file. You can open that file again to see a number of new configuration options have appeared (Figure 3).
Figure 3: The completed config.json file.
Now let’s take a look at some of the current experimental features that are available.
Current Experimental Features
One thing to remember is that experimental features come and go. These features provide early access to functionality that might appear in future releases. Sometimes those features make it into a final release and sometimes they are abandoned. It’s also a bit of a challenge to find out what the current experimental features are.
A quick search of the current Docker documentation reveals the following features are included in the experimental listing (of course, this could change at any time):
- docker assemble is a plugin which provides a language and framework-aware tool to enable users to build an application into an optimized Docker container. With this feature, it is possible to quickly build Docker images without providing configuration information.
- docker deploy is an alias for stack deploy. This feature supports compose file version 3.0 and above.
- docker manifest inspect displays an image manifest or manifest list.
- docker checkpoint create creates a checkpoint from a running container.
- docker buildx is a CLI plugin that extends the docker command with the features (provided by Moby BuildKit) like creating scoped builder instances, building against multiple nodes concurrently, automatic garbage collection, extendable frontend formats, build cache import/export, and more.
It should also be noted that some of the experimental commands are available for the standard docker engine, while others are only available for the docker-ce or docker-ee engines.
And that’s how you can gain access to the Docker Experimental features.