I. Purpose
Docker secrets keep usernames and passwords out of plain sight, which reduces the chance of a password being exposed and helps keep the system secure and reliable. A docker secret stores the password securely and is granted to a specific service, so that only that service is permitted to read it.
II. Concepts
1. What a secret can hold
(1) SSH keys
(2) Usernames and passwords
(3) TLS certificates
(4) Anything else that other people should not see
2. Swarm architecture
3. Secret management
(1) Secrets are stored in the Raft database of the swarm manager nodes
(2) A secret can be granted to a specific service, so that only that service can see it
(3) Inside the container the secret appears as a file, but it is actually held in memory
III. Operations
1. Method one: create a secret from a file
(1) Create a file named password whose content is admin123321
(2) Create the secret
[vagrant@swarm-manager secret-example]$ docker secret create my-pw password
nqef5lnfh13bbv5760qm7airt
(3) Remove the original file (note that mv only renames it, so the plaintext copy password.bak is still on disk)
[vagrant@swarm-manager secret-example]$ mv password password.bak
(4) List the secrets present on the swarm-manager node
[vagrant@swarm-manager secret-example]$ docker secret ls
ID NAME DRIVER CREATED UPDATED
nqef5lnfh13bbv5760qm7airt my-pw About a minute ago About a minute ago
2. Method two: create a secret from a command
(1) Create it by piping the output of echo into docker secret create (echo appends a newline, which becomes part of the stored secret)
[vagrant@swarm-manager secret-example]$ echo "admin2" | docker secret create my-pw2 -
vqba8gjsz0qszwgf50xjxnzjt
(2) Check
docker secret ls
3. Delete a secret
[vagrant@swarm-manager secret-example]$ docker secret rm my-pw2
4. Use the secret in a busybox service
(1) Create the busybox service
[vagrant@swarm-manager secret-example]$ docker service create --name client --secret my-pw busybox sh -c "while true;do sleep 3600; done"
zlp2n7tlgfr0tk7ylpuj51m1n
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
(2) Check
[vagrant@swarm-manager secret-example]$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zlp2n7tlgfr0 client replicated 1/1 busybox:latest
(3) Enter the busybox container
-> Find which node the service's task is running on
[vagrant@swarm-manager secret-example]$ docker service ps client
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
k6fr8eb1puss client.1 busybox:latest swarm-worker2 Running Running 56 seconds ago
-> Go to worker2 and open a shell in the running container
[vagrant@swarm-worker2 etc]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5c714523df99 busybox:latest "sh -c 'while true;d…" About a minute ago Up About a minute client.1.k6fr8eb1pusshb8q0vvft422o
[vagrant@swarm-worker2 etc]$ docker exec -it 5c714 sh
/ #
-> View the password
/ # cd /run/secrets/
/run/secrets # ls
my-pw
/run/secrets # cat my-pw
admin123321
/run/secrets #
5. Use the secret when creating a MySQL service
(1) Deploy the MySQL service, pointing MYSQL_ROOT_PASSWORD_FILE at the mounted secret instead of passing the password in an environment variable
[vagrant@swarm-manager secret-example]$ docker service create --name db --secret my-pw -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my-pw hub.c.163.com/library/mysql:5.7
ufmzh7ao8d85jgibfvijdu519
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
(2) Check
[vagrant@swarm-manager secret-example]$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zlp2n7tlgfr0 client replicated 1/1 busybox:latest
ufmzh7ao8d85 db replicated 1/1 hub.c.163.com/library/mysql:5.7
(3) Check which node the service is placed on
[vagrant@swarm-manager secret-example]$ docker service ps db
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
pks09gwcl95n db.1 hub.c.163.com/library/mysql:5.7 swarm-manager Running Running about a minute ago
(4) Enter the MySQL container
[vagrant@swarm-manager secret-example]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fbf85e74e13f hub.c.163.com/library/mysql:5.7 "docker-entrypoint.s…" About a minute ago Up About a minute 3306/tcp db.1.pks09gwcl95nsuxc9bv3qv75r
[vagrant@swarm-manager secret-example]$ docker exec -it fbf8 sh
#
(5) View the password
# cd /run/secrets
# ls
my-pw
# cat my-pw
admin123321
(6) Then log in to MySQL
# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.01 sec)
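As an added example (not part of the original post or of Docker's own code), the following Python shows how a service of your own can consume a secret the way the mysql image consumes MYSQL_ROOT_PASSWORD_FILE: it reads the file under /run/secrets, refuses paths outside that mount, strips the trailing newline that echo leaves in a secret, and only falls back to a plain environment variable. The function names and the constructed temporary directory standing in for /run/secrets are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # default swarm mount point, as seen on the page


class SecretError(RuntimeError):
    """Configuration problem with a secret; the message never carries its value."""


def load_secret(var, env=None, secrets_dir=SECRETS_DIR):
    """Resolve VAR from VAR_FILE (a path under secrets_dir) or, failing that, VAR.

    Mirrors the MYSQL_ROOT_PASSWORD_FILE convention: the file form is preferred
    because env vars show up in `docker inspect` and in every child process."""
    env = os.environ if env is None else env
    file_var = f"{var}_FILE"
    path, inline = env.get(file_var), env.get(var)
    if path and inline:
        raise SecretError(f"{var} and {file_var} are both set; use only one")
    if path:
        p = Path(path).resolve()
        # Accept only files from the secrets mount, not arbitrary container paths.
        if secrets_dir.resolve() not in p.parents:
            raise SecretError(f"{file_var} must point inside {secrets_dir}")
        try:
            data = p.read_text(encoding="utf-8")
        except OSError as exc:
            raise SecretError(f"cannot read {file_var}: {exc.strerror}") from None
        # `echo pw | docker secret create n -` stores "pw\n": strip that one trailing newline.
        return data[:-1] if data.endswith("\n") else data
    if inline is not None:
        return inline
    raise SecretError(f"neither {var} nor {file_var} is set")


def make_demo_secrets_dir():
    """Constructed stand-in for /run/secrets so the example runs outside a swarm."""
    d = Path(tempfile.mkdtemp(prefix="secrets-demo-"))
    # Written as `echo admin123321 | docker secret create my-pw -` would store it.
    (d / "my-pw").write_text("admin123321\n")
    return d


if __name__ == "__main__":
    demo = make_demo_secrets_dir()
    pw = load_secret("MYSQL_ROOT_PASSWORD",
                     {"MYSQL_ROOT_PASSWORD_FILE": str(demo / "my-pw")}, secrets_dir=demo)
    print(f"loaded a {len(pw)}-character password (the value itself is never printed)")
```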