You want to update a secret api_key used by a running Docker service webapp. Which sequence of commands correctly updates the secret without downtime?
hard📝 Workflow Q15 of 15
Docker - Security
You want to update a secret api_key used by a running Docker service webapp. Which sequence of commands correctly updates the secret without downtime?
AEdit the secret file inside the running container
BDirectly overwrite the existing secret with <code>docker secret update</code>
CStop the service, delete the secret, create new secret with same name, then start service
DCreate new secret with a different name, update service to use new secret, then remove old secret
Step-by-Step Solution
Solution:
Step 1: Understand Docker secret immutability
Docker secrets cannot be updated directly; they are immutable once created.
Step 2: Update secret safely
The recommended way is to create a new secret with a new name, update the service to use this new secret, then remove the old secret to avoid downtime.
Step 3: Analyze options
Create new secret with a different name, update service to use new secret, then remove old secret follows this process. Directly overwrite the existing secret with docker secret update is invalid because docker secret update does not exist. Stop the service, delete the secret, create new secret with same name, then start service causes downtime. Edit the secret file inside the running container is impossible because secrets are mounted read-only.
Final Answer:
Create new secret with a different name, update service to use new secret, then remove old secret -> Option D
Quick Check:
Secrets immutable = create new and update service [OK]
Quick Trick:Create new secret and update service to avoid downtime [OK]
Common Mistakes:
Trying to overwrite existing secret
Stopping service causing downtime
Editing secrets inside container
Master "Security" in Docker
9 interactive learning modes - each teaches the same concept differently
